Are Instagram Photos Killing Your Cyber Security?

A picture is worth a thousand words, and an Instagram post could cost you much more than a thousand dollars due to steganography. Make sure you stay safe on social media with a few tricks to prevent leaks and cyber attack.

If you don’t know the difference in these two pictures, you are at risk for a cyber security attack.

Steganography is a word that not many know. It isn’t the study of the Stegosaurus, unfortunately. In fact, you can’t even find the word on Dictionary.com. It is, in fact, a real word, and means “the art or practice of concealing a message, image, or file within another message, image, or file” (Merriam-Webster). Basically, it’s hiding secret files in other, regular ones. And they could be any kind of file, from an audio file, a video, or even a picture.

What can be hidden in these steganographic files? According to McAfee Security, the files are usually downloaded in conjunction with other files, and serve as keys to download malware or other malicious content or cause a cyber attack. The problem is that these files could come from anywhere.

A common example is pirated software. “Free” versions of software often download as compressed files or folders. Even if the program itself is checked/scanned before opening or running, image files that were simultaneously downloaded along with the software can contain a key that will work alongside the software to inject malware on your PC.

Unfortunately, avoiding pirated software isn’t the only way to be safe from steganography. Stego, as it’s often called, is used by malware creators and users alike to share information covertly. More and more frequently people are using Instagram, Twitter and other social media platforms as the command and control center for the malware programs.

Here’s how it works: An image is digitally made up of pixels that each have a code that distinguishes them. Based on the order of the pixels, a message payload is encrypted. Only with a special key can the message payload be decrypted and used. This can be shared with others who know where to look, like maybe in a certain comment on a picture, or a certain tweet. One hacker group even used comments on Britney Spear’s Instagram account to communicate.

This isn’t a way for your Instagram account to get hacked, but it is a way for malware creators to avoid detection. Any Instagram user could view, like, screenshot, or comment on a stego post, and not be affected by the malware. But for those who know the code, the pictures are an intricate and amazing way to hide the command and control.

So how does this affect you? Why does the SMB community need to concern themselves with a way to stealthily communicate information through images? You could be broadcasting your own vulnerabilities to the world, and you don’t even know it.

It’s standard procedure to limit or monitor the use of 3rd-party websites, or maintain a credible reputation online, or create a strong cyber security environment to your company’s data. When a picture is sent through email, or even Instagram or Twitter, you never know what those pictures could be communicating. The solutions are few but necessary.

Though it may seem too simple to work, use an Instagram filter. This creates non-linear changes to colors and pixels and provides an effective defense to stego. You can also crop an image slightly to change the beginning and ending pixels, which causes the key to incorrectly compute the encrypted data. You can shift the image randomly, or slightly edit a few pixels.

They say a picture is worth a thousand words, but if you’re not careful, it could cost you a lot more than a thousand dollars if you are a victim of a cyber attack due to steganography.