Your data: Stolen through PIXELS

Can't detect what you can't see, Oz hacker says


Kiwicon Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors.

The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says.

The attack requires only that an attacker have physical access (but not necessarily authority to access) to a target machine, and install an off-the-shelf HDMI recording device and an Arduino keyboard.

So far, there's no way to prevent it, according to Ian Latter in conversation with El Reg.

A local security governance bod at a blue-chip company subsequently told Vulture South that the technique, which has been upgraded from previous incarnations quietly revealed at the International Computer Security Symposium, leaves no traces for real-time security systems or forensics to analyse, and requires no installation.

"The attack means data can be extracted through the screen," Latter said ahead of his presentation.

"This works on the assumption that you have access to a computer but not access to the data, and these tools allow you to take the data outside of the target systems.

"The whole point of the client-less version is that there are no indicators of compromise on the application server or QR codes."

Previous incarnations spun sensitive data into QR codes using an agent installed on the target machine, which meant both the codes and the installed agent could potentially be detected.

He previously made available a TGXf client that generated the QR codes and Android and iOS applications that could interpret the information on mobile devices.

His latest clientless TGXf version works by using Bash to turn data into text, which is funnelled through the video output, captured there, and restored to its original form using optical character recognition.

It differed, Latter said, from existing work, including 2012 research by NeoHapsis Labs that focused on HTML5 and JavaScript encoding, which depended on a web browser and required access to raw video.

Latter, who has built and reviewed corporate perimeters for major companies, tipped off CERT Australia and the Office of the Australian Information Commissioner to his creation, warning that it could result in Privacy Act breaches within outsourcing arrangements because it allows offshore staff to siphon sensitive data.

There was virtually nothing the office or organisations could do to prevent the attacks, however.

"If this attack was done well, you would not see the attack itself," Latter said. "What I think you'd find is a loss of effectiveness of your organisation."

Latter's proof of concept, to be demonstrated at the Wellington conference, used an AverMedia Game Capture II device, popular with video game players for saving their plays, which can capture 1920x1080 at 30 frames per second to MP4. ®
