How Hackers can Smuggle Out Your Company's Data, via Video


4 November 2014


Ask yourself this: Is your company's sensitive data being stolen? How would you know?

You see, it's not like the Mona Lisa being stolen from the Louvre in Paris. When it's your company's data that a thief is after, there won't be a gap on the wall where the painting used to be.

Organisations concerned that their precious data might be exfiltrated from their systems deploy data loss prevention (DLP) software. It is designed to detect potential breaches, and to monitor and block network traffic that is unauthorised or breaches company policy.

So, for instance, if a computer on your network begins to transmit gigabytes of data to a consumer-grade file-sharing application (which isn't authorised for use by your staff), that is something you might want to know about. Just as you would hope to be alerted if a corporate database is copied to an unencrypted USB drive, or if someone forwards company confidential files containing customer information to a third-party webmail service.

The challenge for the data loss prevention software, of course, is to detect as much of the suspicious activity as possible whilst minimising false alarms and user inconvenience.

That's far from an easy thing to do.

At the same time, cyber-criminals are looking for ways to steal data from under their victims' noses without drawing attention to themselves.

In a nutshell, hackers are not just concerned about whether they might be spotted breaking into a network — they also want to be sure that they'll not be spotted sneaking out later. To be a successful data thief, you need a way to mask what you're up to.

One such method to disguise the secret transfer of files may be the one described by security researchers at Skyhigh Networks. They are warning that hackers are exfiltrating corporate data by smuggling it out via video-sharing websites.

Kaushik Narayan, CTO at Skyhigh Networks, wrote in a blog post how an unnamed organisation was struck by hackers using this technique.

The sophisticated attack worked by searching for confidential information (Social Security numbers, credit card numbers, intellectual property and so forth), compressing it into multiple RAR archive segments, encrypting those segments, and finally wrapping the encrypted data inside a video file.

The video file that was created at the end of the process played just like a normal video, and could be uploaded to a video-sharing website.

But obscured inside the videos was the stolen data that could be extracted by an outsider, decrypted, and reassembled to arrive back in its original form.
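The article does not say how the encrypted RAR segments were wrapped into the video. As an added example, not code from the article or from Skyhigh Networks, the following Python check shows the kind of inspection a defender can run on an uploaded MP4 before or after it leaves the network: it walks the file's top-level boxes and flags two assumed hiding places that both leave the video playable, bytes appended after the last box and an oversized 'free'/'skip' padding box. The three sample files are constructed in the block, the set of accepted box types and the 4 KiB padding threshold are assumptions, and an encrypted or compressed payload shows up as entropy close to 8 bits per byte.

```python
"""Check a video file for data that is not part of its MP4 container structure.

Added example, not code from the article or from Skyhigh Networks. The hiding places
checked (payload appended after the last box, payload stuffed into an oversized
'free'/'skip' box) are assumptions about how a "video that still plays" could carry
an encrypted archive; the sample files below are constructed, not real uploads.
"""
import hashlib
import math
import struct

# Top-level box types an MP4/MOV is expected to carry (assumed list; extend for your files).
# Anything else ends the container walk and is reported as trailing data.
KNOWN_TOP_LEVEL = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid",
                   b"meta", b"moof", b"mfra", b"sidx", b"styp"}
PADDING_LIMIT = 4096   # assumed: more than 4 KiB of 'free'/'skip' padding is worth a look


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data, 0 for constant bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def walk_boxes(data: bytes):
    """Yield (offset, header_len, type, size) per top-level box; stop at the first malformed one."""
    pos = 0
    while pos + 8 <= len(data):
        size, = struct.unpack(">I", data[pos:pos + 4])
        btype = data[pos + 4:pos + 8]
        header = 8
        if size == 1:                                  # 64-bit largesize follows the type
            if pos + 16 > len(data):
                return
            size, = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif size == 0:                                # box runs to the end of the file
            size = len(data) - pos
        if btype not in KNOWN_TOP_LEVEL or size < header or pos + size > len(data):
            return
        yield pos, header, btype, size
        pos += size


def scan_video(data: bytes) -> dict:
    """Return the parsed top-level boxes plus findings for bytes that do not belong to them."""
    boxes = list(walk_boxes(data))
    end = boxes[-1][0] + boxes[-1][3] if boxes else 0
    findings = []
    trailing = data[end:]
    if trailing:                                       # bytes after the last parseable box
        findings.append({"kind": "trailing_data", "offset": end, "length": len(trailing),
                         "entropy": round(shannon_entropy(trailing), 2)})
    for off, header, btype, size in boxes:             # padding boxes big enough to hide a segment
        if btype in (b"free", b"skip") and size > PADDING_LIMIT:
            body = data[off + header:off + size]
            findings.append({"kind": "oversized_padding", "offset": off, "length": len(body),
                             "entropy": round(shannon_entropy(body), 2)})
    return {"boxes": [(t.decode("ascii"), s) for _, _, t, s in boxes], "findings": findings}


# --- constructed samples (not real files) -------------------------------------------
def box(btype: bytes, payload: bytes = b"") -> bytes:
    """Build a 32-bit-size MP4 box."""
    return struct.pack(">I", 8 + len(payload)) + btype + payload


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for an encrypted RAR segment: high entropy, no structure."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


FTYP = box(b"ftyp", b"isom" + b"\x00\x00\x02\x00" + b"isommp41")
MOOV = box(b"moov", b"\x00" * 128)      # placeholder; a real moov holds the track tables
MDAT = box(b"mdat", b"\x11" * 1024)     # placeholder media samples
CLEAN_VIDEO = FTYP + box(b"free", b"\x00" * 64) + MOOV + MDAT
APPENDED_VIDEO = CLEAN_VIDEO + pseudo_random_bytes(2048)                     # payload after the container
PADDED_VIDEO = FTYP + box(b"free", pseudo_random_bytes(8192)) + MOOV + MDAT  # payload inside padding

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_VIDEO), ("appended", APPENDED_VIDEO), ("padded", PADDED_VIDEO)]:
        print(name, scan_video(sample)["findings"])
```

Running it prints nothing for the clean sample, a 2048-byte high-entropy trailer for the appended one, and an 8 KiB padding box for the padded one. A legitimate MP4 can carry a large 'free' box left behind by an editor, so the padding finding is a lead rather than a verdict; the entropy figure is what separates zero-filled padding from an encrypted archive segment.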

According to Skyhigh Networks, most data loss prevention solutions cannot hope to catch thieves who operate in this way: the content inspection sees a video file that plays, not the encrypted archive segments hidden inside it. Instead, they argue, the best defence is to baseline how staff routinely use cloud services and to flag departures from that baseline.

Of course, it's also possible to put steps in place which prevent certain staff (maybe those outside of the marketing department?) from uploading videos to the Web.

But remember, attacks like this don't have to involve video. There are all manner of cloud services which could potentially be helping hackers steal your corporation's information.

Just last week, for instance, security researchers described how hackers could send commands to their malware, and retrieve stolen data, by using Gmail drafts.

And Skyhigh Networks has warned in the past about how even the 140 characters allowed by Twitter can be ample assistance for malware to steal data from your company's network.

“At a large financial institution, Skyhigh identified a single IP address at the company that was sending over 100,000 tweets per day. The corporate Twitter account only had a few thousand tweets since inception. Investigating further, they discovered that it was malware exfiltrating data 140 characters at a time via a Twitter account.”
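Both the recommendation above to baseline routine cloud usage and the quoted tweet-volume case come down to the same check: compare what a host does today with what the organisation normally does. As an added example that is not part of the article or of Skyhigh's product, the following Python script applies that idea to constructed proxy log lines. It aggregates daily request counts and bytes per source host and cloud-service category, takes the largest daily value seen per category during the training window as the baseline, and flags any host on the review day that exceeds five times that baseline. The log format, the domain-to-service mapping, the thresholds and the traffic itself are all assumptions; the constructed traffic mirrors the two cases on this page, one host pushing hundreds of 50 MB "videos" in a single day and one emitting 100,000 tweets.

```python
"""Baseline-and-deviation check for cloud-service usage, run over constructed proxy logs.

Added example, not code from the article or from Skyhigh Networks. The log format,
the destination-host-to-service mapping, the multiplier and the floors are assumptions;
the log lines are constructed to resemble the two cases the article describes.
"""
import re
from collections import defaultdict

# Assumed proxy log line: <ISO timestamp> <source IP> <method> <destination host> <bytes sent>
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<size>\d+)$"
)
# Assumed mapping from destination hosts to the cloud-service category we baseline on.
SERVICE_OF = {
    "upload.video-sharing.example": "video-sharing",
    "api.twitter.example": "twitter",
}
MULTIPLIER = 5                 # flag when a day exceeds 5x the largest training-window day
MIN_COUNT = 50                 # floors so that 2 -> 11 requests is not an "anomaly"
MIN_BYTES = 100 * 1000 * 1000


def parse(lines):
    """Aggregate [request count, bytes] per (day, source, service); ignore non-cloud destinations."""
    usage = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        service = SERVICE_OF.get(m["host"])
        if service is None:
            continue
        rec = usage[(m["day"], m["src"], service)]
        rec[0] += 1
        rec[1] += int(m["size"])
    return usage


def find_anomalies(lines, review_day):
    """Return hosts whose review-day usage of a service dwarfs the organisation's prior peak."""
    usage = parse(lines)
    baseline = defaultdict(lambda: [0, 0])   # service -> largest daily [count, bytes] before review_day
    for (day, _src, service), (count, nbytes) in usage.items():
        if day < review_day:
            b = baseline[service]
            b[0], b[1] = max(b[0], count), max(b[1], nbytes)
    findings = []
    for (day, src, service), (count, nbytes) in sorted(usage.items()):
        if day != review_day:
            continue
        base_count, base_bytes = baseline[service]
        reasons = []
        if count >= MIN_COUNT and count > MULTIPLIER * base_count:
            reasons.append(f"{count} requests vs prior daily max {base_count}")
        if nbytes >= MIN_BYTES and nbytes > MULTIPLIER * base_bytes:
            reasons.append(f"{nbytes} bytes vs prior daily max {base_bytes}")
        if reasons:
            findings.append({"src": src, "service": service, "day": day, "reasons": reasons})
    return findings


def constructed_log():
    """Eight days of constructed traffic; the last day carries the two exfiltration patterns."""
    days = [f"2014-10-{d:02d}" for d in range(27, 32)] + ["2014-11-01", "2014-11-02", "2014-11-03"]
    lines = []
    for day in days:
        for i in range(5):        # marketing workstation: a handful of 2 MB videos a day
            lines.append(f"{day}T10:{i:02d}:00Z 10.1.2.34 POST upload.video-sharing.example 2000000")
        for i in range(30):       # corporate comms: about 30 tweets a day
            lines.append(f"{day}T11:{i:02d}:00Z 10.1.5.7 POST api.twitter.example 140")
        lines.append(f"{day}T12:00:00Z 10.1.2.34 GET intranet.example 5120")   # not a cloud service
    last = days[-1]
    for i in range(400):          # compromised host: 400 x 50 MB "videos" (RAR segments) in one day
        lines.append(f"{last}T02:{i % 60:02d}:{i // 60:02d}Z 10.1.2.99 POST upload.video-sharing.example 50000000")
    for i in range(100000):       # malware beaconing stolen data 140 bytes at a time
        lines.append(f"{last}T0{i % 10}:{(i // 10) % 60:02d}:{i % 60:02d}Z 10.1.9.200 POST api.twitter.example 140")
    return lines, last


if __name__ == "__main__":
    log_lines, review = constructed_log()
    for finding in find_anomalies(log_lines, review):
        print(finding)
```

The baseline is deliberately the organisation-wide peak rather than a per-host average, so that a host which has never used a service before (the usual case for a freshly compromised machine) is still judged against what legitimate users actually do; the floors stop tiny baselines from turning ordinary variation into alerts. The tweet case is caught on request count alone, since 100,000 tweets of 140 bytes is only about 14 MB, which is why a byte-volume check by itself would have missed it.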

The message is loud and clear: if you have data that's worth stealing, chances are that there will be someone who is prepared to put effort into extracting it from your organisation.

The better defended you are, and the more you can protect your most sensitive data from unauthorised access, the greater the chance that thieves will decide you are too difficult to hack and go looking for a softer target.

Graham Cluley

Graham Cluley is an award-winning veteran of the anti-virus industry, fighting cybercrime and raising awareness of computer security and privacy issues since the early 1990s. Find out more on his computer security blog or follow him on Twitter.