Security Basics mailing list archives

RE: Hacking Pictures?


From: Steve Armstrong <stevearmstrong () LOGICALLYSECURE COM>
Date: Mon, 24 Jan 2011 16:08:40 +0000

Eitan, Steven,

Most of the main social networks do strip the info, however, it is forums and smaller php based sites that do little 
upload validation and sanitation (why they are also susceptible to RFI vulnerabilities).

A quick check using freeware software will reveal who is not doing what. I run this browser:
http://www.snapfiles.com/get/exifbrowser.html when running a recon before a pentest while we are spidering the whole
site - it's quite slick and easy to use.

Steve Armstrong

Logically Secure Ltd | Cheltenham | Gloucestershire | England
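The two points made in this thread, that a phone photo can carry its capture location in Exif GPS tags and that an upload pipeline should strip that block before publishing, can be shown end to end with a small parser. The following is an added example, not code from either poster or from the Exif browser linked above; it walks the JPEG marker segments, reads the GPS IFD out of the APP1/Exif block (both TIFF byte orders), and removes the Exif segment while leaving other segments intact. The coordinates and the minimal JPEG built by `build_sample_jpeg` are constructed test data, and only the four latitude/longitude tags are decoded; real Exif blocks carry many more.

```python
"""Added example: read and strip Exif GPS data from a JPEG with no external libraries."""
import struct

SOI_BYTES, EOI_BYTES = b"\xff\xd8", b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"            # APP1 payload prefix that marks an Exif block
GPS_IFD_TAG = 0x8825                     # IFD0 tag holding the offset of the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4   # GPS IFD tag numbers
MARKER_APP1, MARKER_COM, MARKER_SOS, MARKER_EOI = 0xE1, 0xFE, 0xDA, 0xD9


def split_jpeg(data):
    """Return (segments, tail): segments is a list of (marker, payload) for the
    marker segments between SOI and the first SOS/EOI; tail is every byte after."""
    if data[:2] != SOI_BYTES:
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (MARKER_SOS, MARKER_EOI):   # image data or end: no more metadata
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated JPEG segment")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def join_jpeg(segments, tail):
    """Inverse of split_jpeg: re-emit SOI, the given segments, then the tail."""
    out = bytearray(SOI_BYTES)
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def strip_exif(data):
    """Drop every APP1/Exif segment (GPS, camera model, thumbnail) and keep the rest."""
    segments, tail = split_jpeg(data)
    kept = [(m, p) for m, p in segments if not (m == MARKER_APP1 and p.startswith(EXIF_HEADER))]
    return join_jpeg(kept, tail)


def _read_ifd(tiff, offset, bo):
    """Parse one TIFF IFD into {tag: (type, count, 4-byte value-or-offset field)}."""
    count = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, entry, bo):
    """Read the entry's RATIONAL values (uint32 numerator/denominator pairs) by offset."""
    _typ, n, field = entry
    off = struct.unpack(bo + "I", field)[0]
    vals = []
    for i in range(n):
        num, den = struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees, or None when no GPS IFD exists.
    A malformed Exif block is reported as 'no GPS' instead of raising."""
    for marker, payload in split_jpeg(data)[0]:
        if marker != MARKER_APP1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order from the TIFF header
        if bo is None or len(tiff) < 8:
            continue
        try:
            ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
            if GPS_IFD_TAG not in ifd0:
                return None
            gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_TAG][2])[0], bo)
            if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
                return None
            d, m, s = _rationals(tiff, gps[GPS_LAT], bo)
            lat = d + m / 60 + s / 3600
            d, m, s = _rationals(tiff, gps[GPS_LON], bo)
            lon = d + m / 60 + s / 3600
        except (struct.error, ValueError):
            return None
        if gps[GPS_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[GPS_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def _dms(value):
    """Degrees/minutes/seconds as three big-endian RATIONALs (Exif GPSLatitude layout)."""
    value = abs(value)
    d = int(value)
    m = int((value - d) * 60)
    s = (value - d - m / 60) * 3600
    return struct.pack(">IIIIII", d, 1, m, 1, int(round(s * 1000)), 1000)


def build_sample_jpeg(lat, lon):
    """Constructed test input: SOI, an APP1/Exif block whose GPS IFD carries lat/lon,
    a COM segment, EOI. It is a metadata container only, not a decodable picture."""
    ifd0_off, gps_off, data_off = 8, 26, 80   # fixed big-endian ("MM") layout
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_off) + struct.pack(">I", 0)
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    gps = struct.pack(">H", 4)
    gps += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref + b"\x00\x00\x00"   # ASCII, stored inline
    gps += struct.pack(">HHII", GPS_LAT, 5, 3, data_off)                       # 3 RATIONALs by offset
    gps += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref + b"\x00\x00\x00"
    gps += struct.pack(">HHII", GPS_LON, 5, 3, data_off + 24)
    gps += struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + _dms(lat) + _dms(lon)
    return join_jpeg([(MARKER_APP1, EXIF_HEADER + tiff), (MARKER_COM, b"constructed sample")], EOI_BYTES)


if __name__ == "__main__":
    img = build_sample_jpeg(51.5, -0.125)      # constructed coordinates
    print("before strip:", extract_gps(img))
    print("after strip: ", extract_gps(strip_exif(img)))
```

Running `extract_gps` over a directory of freshly uploaded files is the check Steve describes, done server-side; running `strip_exif` on the stored copy is the policy Eitan asks social networks for. Stripping the whole APP1/Exif segment rather than editing individual tags is deliberate: it also drops the embedded thumbnail, which is often an un-cropped copy of the original.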


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Eitan Adler
Sent: 23 January 2011 00:50
To: Steven Bonici
Cc: security-basics () securityfocus com
Subject: Re: Hacking Pictures?

On Fri, Jan 21, 2011 at 11:42 AM, Steven Bonici <sbonici () ilaonline org> wrote:
> I was speaking to someone from DHS (not a tech) and he was telling me
> that there are applications that can "look" at a picture taken from a
> cell phone and can get the location of where the picture was taken.
> Is this true?  If so, can someone provide more information?  If this
> can be done, people posting pictures from their cell phones to social
> sites should be aware of this...

Google EXIF data.
IMHO social networks should strip this data unless the user requested otherwise but not much can be done about the
problem other than user education.

> Thanks - Steven

--
Eitan Adler

