- May 4, 2016
- Posted by: Kerry Tomlinson, Archer News
- Categories: Cyberattack, Data Breach, Posts with image, Vulnerabilities
Expect to see more GIFs in use at work, at home, and by attackers who want to get into your computer.
Nikita Kronenberg speaks GIF—the short, stylized video clips that convey a quick and potentially emotion-filled message.
GIF stands for Graphics Interchange Format, but for Kronenberg, it is far more than just graphics.
“GIFs are a language to me,” she said. “They are a way to pantomime an expression or mood to another person that gives you a clear picture, in the least amount of time. You can’t get that with text alone.”
“You could text your friend, ‘You can do it!’” she added. “But an image of Rob Schneider saying it is going to be so much better.”
It’s a language the world is using more and more.
“Where I see it, every still image you see on the Internet will eventually move to a moving image,” said Alex Chung, co-founder of Giphy, a search engine for GIFs. “It will happen in the next five to ten years, where everything still will be moving.”
A video on Giphy’s site promotes the idea behind the GIF movement—“A picture is worth a 1000 feels,” it says.
“We all know this world is coming,” he said at the Collision 2016 tech conference in New Orleans last week. “That is going to allow another level of expression of humanity to go across media and the Internet.”
Chung and a friend launched Giphy in 2013, and were surprised to get 30,000 visitors on the first weekend, according to TalkingPointsMemo.com.
Now, Twitter, Facebook and even Tinder have integrated GIFs, and GIF-making apps abound. GIFs have transferred the world of politics, reported The New York Times. And now Giphy is worth $300 million, according to Fortune.
It’s not just a fad, according to Chung, and it’s more than just funny cat GIFs and America’s Funniest Home Videos.
“There’s a lot of complexity in how you express yourself,” he said.
“When you first start out, it’s very literal and humor-based,” he explained. “Now that they have the fluency of the language, they’re being super subtle in how they’re sending the information and communicating with people.”
One example—using GIFs from movies that connote a certain emotion, like “The Notebook,” which follows a lifelong love story and is considered to be deeply romantic.
“I could pull something from Ryan Gosling’s library of GIFs,” he said. “I’m talking to you in that ‘Notebook’ kind of way.”
“The more evolved that language becomes, as people get more comfortable with this, you’re going to see a lot more languages and small vocabularies and expressions being created visually.”
GIFs & security
GIFs have caught the attention of cyber attackers as well.
“They’re going to start speaking the language,” said Doug Jacobson, director of the Iowa State University Information Assurance Center.
Some e-mail spammers will put a small GIF in a message to you.
“If I embed a GIF into an e-mail, I can tell if you opened an e-mail,” said Jacobson.
“If your e-mail reader is set up to display GIFs automatically, which a lot of people do, I can tell when you opened your email. And there are companies that make a living out of doing that,” he added. “So then you may become more of a target.”
That could be useful for phishing attacks, he said—malicious hackers would know which tactics were most successful.
“You can use it for crafting better e-mail responses or e-mail messages,” Jacobson said. “It’s more enabling the additional phishing-type attacks, knowing that you’ve open your e-mail.”
GIFs can also hide secret, malicious code, cybersecurity experts say—not unlike the GIF where the very mop-like Hungarian Komondor dog masquerades as a mop, then suddenly sits up and begins to bark.
“The use of images to camouflage malware payloads is a common technique,” said Jerome Segura with cybersecurity company Malwarebytes.
“In some cases, files are simply renamed to appear as GIF images but are instead malicious executables,” he said. “In other instances, the images actually are images, but with embedded steganography [hidden code] that contains instructions or commands.”
The cyber security tools you use to protect your computer will help, according to Segura.
“In a lot of cases, security products are able to identify the malicious code, but it’s a technique that can still give the bad guys a small advantage to conceal their payload,” he said.
Tricks with GIFs
If you speak GIF, you might be picking out this one right about now—a clip of “Nyan cat,” a cartoon cat with the body of a pop-tart, flying through the air, shooting lasers at a man who is running for cover, emitting a trail of pixelated rainbow. The message—“danger.”
“Malware researchers are always discovering possible backdoors which allow commands to be run on remote machines,” said Kronenberg, who works for DEF CON, a well-known hacking conference.
She cited an attack reported in 2008 where the bad guys would create an image file that looks like a GIF—called a GIFAR—and load it onto a site like Facebook. Ultimately, through trickery, the image file would get your cookies and login as you.
That vulnerability was patched, she said, but that does not mean attackers won’t try a similar method in the future.
Hackers just revealed how “poisoned” GIFs can do damage through vulnerable image-processing software, said Kelly Lum, a security engineer at Tumblr who runs her own GIF-filled site, Infosec Reactions.
The software is called ImageMagick, and sites to resize, crop and tweak the images you upload, according to The Register. But a “poisoned selfie” can trick ImageMagick into giving up the goods.
“Basically, if an attacker can craft a malicious image, such as a GIF or PNG [Portable Network Graphics], and a website or user tries to run this ImageMagick software on it, they could potentially be exploited,” said Lum.
“From there hackers can start infiltrating the system to steal secrets, snoop on people’s accounts, and so on,” reported The Register.
ImageMagick has posted a fix for the problem on its site.
“This is just one example, but vulnerabilities in software that manipulate and/or display images are definitely possible and do happen, said Lum.
Attackers may use the popularity of GIFs to do damage, according to Kronenberg.
“GIFs could certainly be the enticement that opens the door,” she said.
One example—apps that let you turn your keyboard into a GIF keyboard, making it easy to search for and use GIFs while texting. But the keyboards can also leave you vulnerable.
“Third-party apps and keyboards like these if granted ‘full access’ permission to your data, can in turn transmit your every keystroke,” said Kronenberg. “Even if the developer is ethically sound, new exploits are always just around the corner. A bad actor could target the developer instead of bothering with you.”
“Basically all you have to do is find something that’s popular, make it easy for potential victims and they will ignore the risks,” she said.
All this may leave the GIF lover in search of a image of sadness, like the crying robot who asks, “Whyyyyy?“
Or it may give those who don’t speak GIF a reason to stay away.
But is doubtful that this new language will die out simply because because malicious hackers have decided GIFs are also a way to launch attacks, along with e-mail, Facebook, videos, text messages and the other digital platforms people use and rely on every day.
The co-founder of Giphy believes GIFs, and what he calls the “first humanist search engine,” will change the world.
“The Internet will become a different place. It will be more representational of what actually happens in the world,” said Chung.
As for Kronenberg, she is not giving up this method of communication that allows her to add new layers to the conversation.
“I’ve used GIFs for work, for friends, and especially for my enemies,” she said. “I try to pick a GIF that is relevant to the conversation, maybe a bit meta, maybe a little snarky, but they’re always totally me.”
And it may be a language you can already speak and understand.
“GIFs are self-explanatory. They’re as easy to get as emojis. Safely incorporating them into all social media and messaging would make me happy,” Kronenberg said.