We capture them with our phones and many of you may have them stored on your computers, by the hundreds or even thousands. What’s more, we share them on social network sites for our friends to see, just as we love to see their images. Yes, we are talking about images in JPEG format. JPEG is popular because when the picture is compressed, it does not lose much quality. Yet, JPEG can be used by criminals to infiltrate an organisation’s network. Oh yeah, you read that right.
As far back as 2002, virus security experts have been talking about JPEGs posing a threat via infected images. It was reported at that time that a particular virus, W32 Perrun, had two parts to it: infected JPEG images that contain the virus payload and a vital program that extracts the code from the images and infects other JPEGs when they are opened.
Over the years there have been other reports of JPEG viruses, where virus code was hidden in pictures and executed when the image was viewed.
Move forward to the present. Things seem to have taken a more sinister turn.
At the recent RSA Conference in San Francisco, US, a security expert proved that this was a reality; that a cybercriminal could exploit a malicious JPEG to compromise Windows servers and access a company’s sensitive information.
What the security expert did was to change the attribute or metadata (see Definition) that any JPEG file stores and include malicious code in it. In the demo, he then got the image to infect the ‘corporate network’ similar to that of any US government agency network. The security expert did it simply by using a form that allowed users to upload their profile picture to the alleged government agency web page. The file then became a gateway for the attacker. How simple!
Once the malicious JPEG was ‘implanted’, the cybercriminal’s administration permissions grew wider, allowing him to steal sensitive information or even take control of the network. By exploiting this advantage, the criminal could also plant malicious software in the system, thus compromising the organization further. According to the security expert, this attack also works in mixed environments with Windows and Linux.
So, with only a picture you can access any company’s network and steal confidential information, without anyone realizing that such a harmless file could wreak so much damage.
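On the defending side of the profile-picture upload described above, one control is to discard the metadata segments of an uploaded JPEG before it is stored. The following is an added example, not code from the original article or from the RSA demo; the function name `strip_jpeg_metadata` and the sample bytes are assumptions made for illustration.

```python
import struct

SCAN_DATA = {0x00, 0xFF} | set(range(0xD0, 0xD8))   # stuffed byte, fill, RST0-7
NO_LENGTH = {0x01, 0xD8} | set(range(0xD0, 0xD8))   # TEM, SOI, RST0-7

def strip_jpeg_metadata(data: bytes):
    """Return (clean_bytes, removed); removed lists (marker, length) dropped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, removed, i = bytearray(b"\xff\xd8"), [], 2
    while i < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i < len(data) and data[i] == 0xFF:      # skip fill bytes
            i += 1
        if i >= len(data):
            break
        marker, i = data[i], i + 1
        if marker == 0xD9:                            # EOI: drop anything appended after it
            return bytes(out) + b"\xff\xd9", removed
        if marker in NO_LENGTH:
            out += bytes([0xFF, marker])
            continue
        if i + 2 > len(data):
            break
        (length,) = struct.unpack(">H", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("segment length out of bounds")
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:  # APP1-APP15 and COM carry metadata
            removed.append((marker, length))
        else:
            out += bytes([0xFF, marker]) + data[i:i + length]
        i += length
        if marker == 0xDA:                            # SOS: copy entropy-coded data as-is
            j = i
            while j + 1 < len(data) and not (data[j] == 0xFF and data[j + 1] not in SCAN_DATA):
                j += 1
            out += data[i:j]
            i = j
    raise ValueError("truncated JPEG: no EOI marker")

def _seg(marker, body):                               # build one length-prefixed segment
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample: valid JPEG segment framing only, not a decodable image
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9))
          + _seg(0xE1, b"Exif\x00\x00<constructed metadata payload>")
          + _seg(0xFE, b"constructed comment") + _seg(0xDA, bytes(10))
          + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9" + b"TRAILING-DATA")
```

Dropping APP2 and APP14 also removes ICC colour profiles and the Adobe colour marker, so colours may render differently for some images.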
Definition
Metadata – a set of data that describes and gives information about other data, such as means of creation of the data; purpose of the data; time and date of creation, etc.
Source
- Panda Security.
- PC Guide.
The Week That Was
- Fake PayPal payment – one of the most commonly used techniques is fake emails containing a warning and a prompt to act quickly. A phishing campaign is currently targeting users, to make them believe that a payment they received was reversed.
- Scammers target oil companies – using a sneaky attack to obtain usernames and passwords. It does not involve malware; instead, opening a PDF file attached to an email leads to a series of actions that results in credentials being uploaded to a server.
- Plane hacked – a banned security researcher admitted to the FBI that he had once taken control of an airplane and made it fly sideways. He did this by hacking into the aircraft’s in-flight entertainment system (IFE).
- Microsoft, Adobe and Mozilla issue critical patch updates – Microsoft – 13 patch updates that address a total of 48 vulnerabilities; Adobe – to fix a total of 52 vulnerabilities for its Flash Player, Adobe Reader and AIR; Mozilla Firefox – to fix 13 security flaws.