Your SlideShare is downloading. ×
0
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Defcon 17   Tactical Fingerprinting using Foca
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Defcon 17 Tactical Fingerprinting using Foca

7,693

Published on

Talk delivered by Chema Alonso and José Palazón "Palako" in Defcon 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".

Talk delivered by Chema Alonso and José Palazón "Palako" in Defcon 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".

Published in: Technology, Business
1 Comment
3 Likes
Statistics
Notes
No Downloads
Views
Total Views
7,693
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
258
Comments
1
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Chema Alonso, José Palazón “Palako”<br />Tactical Fingerprinting using metadata, hidden info and lost data using FOCA<br />
  • 2. 2003 – a piece of history<br />Irak war was about to start<br />US wanted the UK to be an ally. <br />US sent a document “proving” the existence of massive destruction weapons <br />Tony Blair presented the document to the UK parliament.<br />Parliament asked Tony Blair “Has someone modified the document?”<br />He answered: No<br />
  • 3. 2003 – MS Word bytes Tony Blair<br />
  • 4. What kind of data can be found?<br />Metadata:<br />Information stored to give information about the document.<br />For example: Creator, Organization, etc..<br />Hidden information:<br />Information internally stored by programs and not editable.<br />For example: Template paths, Printers, db structure, etc…<br />Lost data:<br />Information which is in documents due to human mistakes or negligence, because it was not intended to be there.<br />For example: Links to internal servers, data hidden by format, etc…<br />
  • 5. Metadata<br />Metadata Lifecycle<br />Wrongmanagement<br />Badformatconversion<br />Unsecureoptions<br />Wrongmanagement<br />Badformatconversion<br />Unsecureoptions<br />New apps<br />orprogram<br />versions<br />Searchengines<br />Spiders<br />Databases<br />Embedded<br />files<br />Hiddeninfo<br />Lost Data<br />Embedded<br />files<br />
  • 6. Metadatacreatedby Google<br />
  • 7. Lost Data<br />
  • 8. Lost data everywhere<br />
  • 9. Public server<br />
  • 10. So… are people aware of this? <br />The answer is NO.<br />Almost nobody is cleaning documents.<br />Companies publish thousands of documents without cleaning them before with:<br />Metadata.<br />Hidden Info.<br />Lost data.<br />
  • 11.
  • 12. Sample: FBI.gov<br />Total: 4841 files<br />
  • 13.
  • 14. Are theyclean?<br />Total: 1075 files<br />
  • 15. Howmany files is my companypublishing?<br />
  • 16. Sample: Printer info found in odf files returned by Google<br />
  • 17. Google Sets prediction<br />
  • 18. Sample: Info found in a PDF file<br />
  • 19. What files store Metadata, hidden info or lost data?<br />Office documents:<br />Open Office documents.<br />MS Office documents.<br />PDF Documents.<br />XMP.<br />EPS Documents.<br />Graphic documents.<br />EXIFF.<br />XMP.<br />And almost everything….<br />
  • 20. Pictureswith GPS info..<br />EXIFREADER<br />http://www.takenet.or.jp/~ryuuji/<br />
  • 21. Demo: Lookingfor EXIF information in ODF file<br />
  • 22. Even Videos withusers…<br />http://video.techrepublic.com.com/2422-14075_11-207247.html<br />
  • 23. And of course, printedtxt<br />
  • 24. What can be found? <br />Users:<br />Creators.<br />Modifiers .<br />Users in paths.<br />C:Documents and settingsjfoomyfile<br />/home/johnnyf<br />Operating systems.<br />Printers.<br />Local and remote.<br />Paths.<br />Local and remote.<br />Network info.<br />Shared Printers.<br />Shared Folders.<br />ACLS.<br />Internal Servers.<br />NetBIOS Name.<br />Domain Name.<br />IP Address.<br />Database structures.<br />Table names.<br />Colum names.<br />Devices info.<br />Mobiles.<br />Photo cameras.<br />Private Info.<br />Personal data.<br />History of use.<br />Software versions.<br />
  • 25. How can metadata be extracted?<br />Info is in the file in raw format:<br />Binary.<br />ASCII .<br />Therefore Hex or ASCII editors can be used:<br />HexEdit.<br />Notepad++.<br />Bintext<br />Special tools can be used:<br />Exifredaer<br />ExifTool<br />Libextractor.<br />Metagoofil.<br />…<br />…or just open the file!<br />
  • 26. Tools: Libextractor<br />
  • 27. Tools: MetaGoofil<br /><ul><li>http://www.edge-security.com/metagoofil.php</li></li></ul><li>Yes, also Google….<br />
  • 28. Your FBI user<br />
  • 29. Your UN user<br />
  • 30. YourScotlandYarduser<br />
  • 31. YourCarabinieriuser<br />
  • 32. YourWhiteHouseuser<br />
  • 33. Yes, we can!<br />
  • 34. Drawbacks<br />These tools only extract metadata.<br />Not looking for Hidden Info.<br />Not looking for lost data.<br />Not post-analysis.<br />
  • 35. OnlyMetadata<br />http://gnunet.org/libextractor/demo.php3<br />
  • 36. Notverygoodwith XML files (SWX, ODF, OOXML)<br />
  • 37. Google is [almost] GOD<br />
  • 38. FiletypeorExtension?<br />
  • 39. Foca<br />Fingerprinting Organizations with Collected Archives.<br />Search for documents in Google and Bing<br />Automatic file downloading<br />Capable of extracting Metadata, hidden info and lost data<br />Cluster information <br />Analyzes the info to fingerprint the network.<br />
  • 40. Demo: FOCA<br />
  • 41. FOCA Online<br />http://www.informatica64.com/FOCA<br />
  • 42. Solutions?<br />
  • 43. First: Cleanallpublicdocuments<br />
  • 44. Clean your documents:MSOffice 2k7<br />
  • 45. Clean your documents: MSOffice 2k3 &amp; XP<br />http://www.microsoft.com/downloads/details.aspx?displaylang=en&amp;FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360<br />
  • 46. OLE Streams<br />In MS Office binaryformat files<br />Storeinformationaboutthe OS<br />Are notcleanedwiththese Tools<br />FOCA findsthisinfo<br />
  • 47. Demo: Lookingforinfo in cleaneddocument<br />
  • 48. OpenOfficecleaningoptions<br />Onlymetadata<br />Notcleaninghiddeninfo<br />Notcleaninglost data<br />
  • 49. Cleaning documents<br />OOMetaExtractor<br />http://www.codeplex.org/oometaextractor<br />
  • 50. Demo: OpenOffice “Security” Options…<br />
  • 51. Are yousaferelyingonyourusers?<br />
  • 52. IIS MetaShield Protector<br />http://www.metashieldprotector.com<br />
  • 53. Second: Beg Google todeleteallthecached files<br />
  • 54. Don´t trust your users!!!<br />
  • 55. Don´tcomplainaboutyourjob!!<br />
  • 56. PS: Thisfilealso has metadata<br />
  • 57. Thanks<br />Authors<br />Chema Alonso<br />chema@informatica64.com<br />Jose Palazón “Palako”<br />palako@lateatral.com<br />Enrique Rando<br />Enrique.rando@juntadeandalucia.es<br />Alejandro Martín<br />amartin@informatica64.com<br />Francisco Oca<br />froca@informatica64.com<br />Antonio Guzmán<br />antonio.guzman@urjc.es<br />

×