I realized what I did immediately.
Upon publishing my previous blog entry and viewing the refreshed page in my browser, one of my plug-ins alerted me to a personal operational security (OPSEC) lapse. I took that picture of my visual training map on my phone and did not bother to check the image for any personal or descriptive information before posting it.
What is my EXIF Telling the World?
I have an EXIF viewer plug-in installed in my browser which shows me available EXIF data for any image I mouse over. EXIF stands for exchangeable image file format (per the Wikipedia article) and is basically an image standard for digital cameras. EXIF data attached to a digital photo can include quite a lot of information about the camera settings, date and time, and image attributes.
To find out more about the EXIF in my image, I needed to dig into some Open Source Intelligence (OSINT). I utilized the fantastic OSINT Framework site.
The OSINT Framework led me to Jeffrey’s Image Metadata Viewer. I entered the URL for the image on my site and took a look at the results. The results are detailed, and not particularly overwhelming except for the details about the camera itself.
Hiding in Plain Sight
The EXIF data clearly shows that my camera is a Samsung, which you can extrapolate is likely a mobile phone. In fact, if you look up the model and software on Google, it will tell you exactly which model of phone I am using and which version of firmware is installed. This might not seem like much, but if someone were looking to target me, they could certainly customize their exploit to take advantage of the device and software I have revealed that I use.
So What’s the Learning Opportunity?
You can’t remove all EXIF metadata from images, but you certainly can clean up some of it. Right-click on the image file on your computer and go to the properties menu, then look at the details.
- See the listing of the data embedded in the image file.
- Select the link to “Remove Properties and Personal Information”.
I cleaned up the camera model and software from my file and replaced the initial image in my blog post.
People Are Very Creative
One of the reasons I am aware of EXIF data is because of an online project called Stolen Camera Finder. This site uses uploaded images to create a database of EXIF attributes and then crawls the web to match images taken to the EXIF data. Let’s say you leave your camera on vacation in Key West, someone picks it up, uses it to take some photos of their friends, and posts them with a location tag to Instagram. When you upload the image EXIF from a photo on your computer taken with your camera, Stolen Camera Finder crawls Instagram and attempts to match the EXIF data. In some cases, the match can yield location data as well.
Everyone knows that once information is available online, it can and will be used. I believe there is good in the world and that data can be used to do positive things – like helping people reunite with a lost camera. It doesn’t take much for someone to use the same information for nefarious purposes though.
Think Before You Click
The oldest advice is the best advice. This was an excellent reminder for me to be careful with my personal operational security. For some reminders on ways to protect your online presence, visit the National Cyber Security Alliance’s Stay Safe Online website.