Attackers are hiding PHP scripts in EXIF headers of JPEG images to hack websites, just by uploading an image.

An unusual steganographic technique that an attacker can use to implant a malicious webshell on unsuspecting websites has been spotted in Latin America. According to research from Trustwave shared exclusively with Threatpost, a forensic investigation showed that an adversary is implanting PHP code into JPEG files’ EXIF headers in order to upload malware onto targeted websites.

Hiding malware in an image file is a well-known way to circumvent detection – many filters and gateways let image file formats pass without too much scrutiny. But the unique benefit of this specific technique is that it can be used to compromise even a fully patched, up-to-date website with no obvious vulnerabilities – just by uploading an image to a website.

“PHP provides a nice function that allows you to read out and parse EXIF data, so if you target a website that allows you to upload images and also uses PHP scripts, you can essentially upload any malware you want,” explained Karl Sigler, a security research manager at Trustwave SpiderLabs. He added, “Web-based firewalls and malware scanners and the like tend to whitelist image files. This is pretty smart, and we don’t see this technique that often.”
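A defender-side check for uploads, added here as an example and not taken from Trustwave or the original article: it walks the JPEG segment structure and flags PHP open tags inside metadata segments (EXIF lives in APP1). The function names and both sample files are constructed for illustration.

```python
import re
import struct

# PHP open tags only. "<?xpacket" is legitimate XMP metadata and must not
# match, so a bare "<?" is deliberately not treated as a finding.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def iter_segments(data):
    """Yield (marker, payload) for each JPEG segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, metadata ends
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or inconsistent segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def scan_jpeg_metadata(data):
    """Return (segment_name, offset_in_payload) for each PHP tag found."""
    findings = []
    for marker, payload in iter_segments(data):
        # APP0-APP15 (0xE0-0xEF) and COM (0xFE) are the metadata carriers.
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            findings.extend((name, m.start()) for m in PHP_TAG.finditer(payload))
    return findings

def make_segment(marker, payload):
    """Build one JPEG segment (helper for the constructed samples below)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: minimal JPEG skeletons, not real photographs. The
# payloads are not valid TIFF/XMP; the scanner inspects raw segment bytes.
TAIL = make_segment(0xDA, b"\x00") + b"\x00\xff\xd9"
CLEAN_JPEG = b"\xff\xd8" + make_segment(
    0xE1, b"http://ns.adobe.com/xap/1.0/\x00<?xpacket begin='' ?>") + TAIL
TAINTED_JPEG = b"\xff\xd8" + make_segment(
    0xE1, b"Exif\x00\x00Make=<?php echo 'marker'; ?>") + TAIL

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("tainted", TAINTED_JPEG)):
        print(label, scan_jpeg_metadata(blob))
```

A file that raises `ValueError` should be rejected rather than stored. This check covers metadata segments only; re-encoding uploads server-side without copying metadata removes the EXIF fields altogether.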



Public schools across the US continue to spend millions implementing AI-powered surveillance solutions alleged to prevent or mitigate violence. The only problem: most of them don’t work. US schools now rival China’s when it comes to ubiquitous surveillance, yet our students remain at the highest risk for violence among developed nations. What gives?

The ideas seem sound. Adults can’t possibly see and hear everything that happens on a school campus, so startups are marketing automated surveillance solutions to cover the gaps.


One company says their facial recognition systems could have prevented the Parkland massacre. Another startup specializing in gunshot detection says its ‘aggression detectors’ can alert staff to violence before it even happens. But politicians, public school administrators, and teachers might not be in the best position to determine the efficacy of these programs.

A recent report from ProPublica and Wired showed that aggression detectors are basically useless. After extensive testing and experimentation, they determined that these systems were inexplicably prone to both false positives and missing auditory signs of aggression altogether. According to their findings:

To test the algorithm, ProPublica purchased a microphone from Louroe Electronics and licensed the aggression detection software. We rewired the device so we could measure its output while testing pre-recorded audio clips. We then recorded high school students and examined which types of sounds set off the detector.

We found that higher-pitched, rough and strained vocalizations tended to trigger the algorithm. For example, it frequently triggered for sounds like laughing, coughing, cheering and loud discussions. While female high school students tended to trigger false positives when singing, laughing and speaking, their high-pitched shrieking often failed to do so.


The National Security Agency (NSA) has announced its intention to create a cybersecurity directorate this fall in a bid to defend the U.S. against foreign adversaries. It comes at a time of increasing election interference by foreign nations such as Russia as part of an ongoing strategy to destabilize the West.

According to the Wall Street Journal, the move forms part of a wider effort to more closely align the agency’s offensive and defensive operations. The NSA said via Twitter: “Start spreading the news, #NSA is operationalizing intelligence to secure the country.”

It is expected the NSA’s cybersecurity directorate, which will become operational on October 1, will be headed up by Anne Neuberger who already has a lead role at the U.S. intelligence agency.

The latest move by the NSA coincides with a broader fusion of the intelligence agency’s offensive and defensive portfolios, the Wall Street Journal said. This has been taking place for several years and expanded under U.S. Cyber Command and NSA chief General Paul Nakasone. 

Nakasone announced the new cybersecurity directorate on July 23 at the International Conference on Cyber Security at Fordham University. “Over the past couple years, as we did a number of different reorganizations, one of the things I think we lost was that emphasis on cybersecurity,” he said.

Source: pbs.org

“To FaceApp or not to FaceApp?” That’s the question the internet struggled with last week as it rode a rollercoaster of reactions to the latest social media challenge.

FaceApp kicked off last week with the “internet’s latest viral obsession” — upload your photo and watch yourself age instantaneously. By Wednesday, concerns had surfaced that millions of people may have inadvertently exposed their data to a surveillance state.

While celebrities were lobbing this social media challenge at each other, tech reporters began to remind users of FaceApp’s history. Two years ago when the app launched, coverage centered mostly around the photo-editing app’s quirky filters — including short-lived and offensive ethnicity filters. But talk also circulated around the company headquarters in Russia — a country that has tried to influence U.S. elections through internet hacking and social media trolling.

A quick glance at FaceApp’s terms of service agreement shows the company holds “perpetual, irrevocable” rights over its users’ app-generated photos, i.e. your selfie. And the worries expanded when it became clear FaceApp creates its identity-morphing images by uploading the photos to cloud servers rather than processing the data right there on a person’s phone. Senate Minority Leader Chuck Schumer called for the FBI to investigate the app.

But the hot take pendulum swung back.