Bishop Fox has released a new tool that reveals sensitive information redacted from a document by pixelation.
In a blog post, lead researcher Dan Petro, who wrote the tool, explained that he created it to complete a challenge set by Jumpsec, and because the use of pixelation is a “pet peeve” of his.
“Sometimes, people like to be clever and try some other redaction techniques like blurring, swirling, or pixelation,” Petro wrote. “But this is a mistake.”
“It’s just not a secure way to redact information,” he explained. “But you see it all the time out there on the internet, often by journalists.”
What Is Pixelation?
Pixelation describes the process of partially lowering the resolution of an image to censor information. Many businesses share documents that are pixelated in order to protect private information, whether bank account numbers, photographs or other private details.
Pixelation used to be a simple and sufficient way to hide confidential information, but computers are now smart enough to read these distorted images, even when your eye cannot. Pixelated documents are no longer safe!
The “Unredacter” Tool
Petro explained that, assuming one already knows the font type of the original information and of the redacted text (“since the attacker in a realistic scenario would likely have received a full report”), his tool can overcome the common obstacles to revealing redacted information.
These obstacles include character bleed-over (when a letter spans more than one pixelation column), variable widths between letters, and font inconsistency, all of which can make an algorithmic approach difficult.
Petro wrote: “…there’s an existing tool called Depix that tries to do exactly this through a really clever process of looking up what permutations of pixels could have resulted in certain pixelated blocks, given a De Bruijn sequence of the correct font.”
The “Unredacter” tool is not the first of its kind; similar tools, such as Depix, were created in the past.
As you can see, just pixelating sensitive information is not enough to keep it safe. If you need to redact sensitive information from an image, do not blur it or pixelate it. Just color over it.
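The difference between pixelating and coloring over can be measured directly. The following Python sketch is an added example, not code from Unredacter, Depix or the original blog post; the 3x5 digit font, the block size and all function names are constructed for illustration. It counts how many distinct redacted images a set of candidate strings produces under each method.

```python
from itertools import product

# Constructed 3x5 bitmap font (assumption: stands in for a known document font).
# Each glyph is 5 rows of 3 bits, read left to right, top to bottom.
FONT = {
    "0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
    "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
    "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
    "9": "111101111001111",
}

def render(text):
    """Rasterise text to a 5-row grid of 0/255 pixels, one blank column after each glyph."""
    rows = [[] for _ in range(5)]
    for ch in text:
        for r in range(5):
            rows[r] += [255 * int(b) for b in FONT[ch][3 * r:3 * r + 3]] + [0]
    return rows

def pixelate(img, block=4):
    """Mosaic filter: replace every block x block tile with its average value."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(0, h, block):
        row = []
        for x in range(0, w, block):
            tile = [img[j][i]
                    for j in range(y, min(y + block, h))
                    for i in range(x, min(x + block, w))]
            row.append(sum(tile) // len(tile))
        out.append(tuple(row))
    return tuple(out)

def solid_fill(img):
    """Color over the region: every pixel becomes 0, whatever was underneath."""
    return tuple(tuple(0 for _ in row) for row in img)

def distinct_outputs(redact, length=3):
    """Count the different redacted images produced by all 10**length digit strings."""
    candidates = product("0123456789", repeat=length)
    return len({redact(render("".join(c))) for c in candidates})

if __name__ == "__main__":
    print("pixelated :", distinct_outputs(pixelate))    # output still depends on the text
    print("solid fill:", distinct_outputs(solid_fill))  # output is independent of the text
```

With this toy font, the 1,000 three-digit strings map to 216 distinct mosaics under pixelation but to a single image under a solid fill, so only the fill leaves nothing to compare candidates against.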
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is certified in CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.