Metadata Security: MetaShield Protector

Session given by Chema Alonso, of Informática64, at SIMO Network 2009.


  1. Chema Alonso, José Palazón “Palako”
      - Tactical Fingerprinting using metadata, hidden info and lost data using FOCA
  2. 2003 – a piece of history
      - Iraq war was about to start
      - US wanted the UK to be an ally.
      - US sent a document “proving” the existence of weapons of mass destruction
      - Tony Blair presented the document to the UK parliament.
      - Parliament asked Tony Blair “Has someone modified the document?”
      - He answered: No
  3. 2003 – MS Word bytes Tony Blair
  4. What kind of data can be found?
      - Metadata: Information stored to give information about the document. For example: Creator, Organization, etc.
      - Hidden information: Information internally stored by programs and not editable. For example: Template paths, Printers, db structure, etc.
      - Lost data: Information which is in documents due to human mistakes or negligence, because it was not intended to be there. For example: Links to internal servers, data hidden by format, etc.
  5. Metadata
      - Metadata Lifecycle (diagram labels): wrong management, bad format conversion, insecure options; new apps or program versions; search engines, spiders, databases; embedded files; hidden info; lost data
  6. Metadata created by Google
  7. Lost Data
  8. Lost data everywhere
  9. Public server
  10. So… are people aware of this?
      - The answer is NO.
      - Almost nobody is cleaning documents.
      - Companies publish thousands of documents, without cleaning them beforehand, containing:
          - Metadata.
          - Hidden Info.
          - Lost data.
  11.
  12. Sample: FBI.gov
      - Total: 4841 files
  13.
  14. Are they clean?
      - Total: 1075 files
  15. How many files is my company publishing?
  16. Sample: Printer info found in ODF files returned by Google
  17. Google Sets prediction
  18. Sample: Info found in a PDF file
  19. What files store Metadata, hidden info or lost data?
      - Office documents:
          - Open Office documents.
          - MS Office documents.
      - PDF Documents.
          - XMP.
      - EPS Documents.
      - Graphic documents.
          - EXIF.
          - XMP.
      - And almost everything…
  20. Pictures with GPS info…
      - EXIFREADER
      - http://www.takenet.or.jp/~ryuuji/
  21. Demo: Looking for EXIF information in ODF file
  22. Even Videos with users…
      - http://video.techrepublic.com.com/2422-14075_11-207247.html
  23. And of course, printed txt
  24. What can be found?
      - Users:
          - Creators.
          - Modifiers.
          - Users in paths.
              - C:\Documents and settings\jfoo\myfile
              - /home/johnnyf
      - Operating systems.
      - Printers.
          - Local and remote.
      - Paths.
          - Local and remote.
      - Network info.
          - Shared Printers.
          - Shared Folders.
          - ACLs.
      - Internal Servers.
          - NetBIOS Name.
          - Domain Name.
          - IP Address.
      - Database structures.
          - Table names.
          - Column names.
      - Devices info.
          - Mobiles.
          - Photo cameras.
      - Private Info.
          - Personal data.
      - History of use.
      - Software versions.
  25. How can metadata be extracted?
      - Info is in the file in raw format:
          - Binary.
          - ASCII.
      - Therefore Hex or ASCII editors can be used:
          - HexEdit.
          - Notepad++.
          - Bintext.
      - Special tools can be used:
          - ExifReader.
          - ExifTool.
          - Libextractor.
          - Metagoofil.
          - …
      - …or just open the file!
  26. Tools: Libextractor
  27. Tools: MetaGoofil
      - http://www.edge-security.com/metagoofil.php
      - Yes, also Google…
  28. Your FBI user
  29. Your UN user
  30. Your Scotland Yard user
  31. Your Carabinieri user
  32. Your White House user
  33. Yes, we can!
  34. Drawbacks
      - These tools only extract metadata.
      - Not looking for Hidden Info.
      - Not looking for lost data.
      - No post-analysis.
  35. Only Metadata
      - http://gnunet.org/libextractor/demo.php3
  36. Not very good with XML files (SXW, ODF, OOXML)
  37. Google is [almost] GOD
  38. Filetype or Extension?
  39. FOCA
      - Fingerprinting Organizations with Collected Archives.
      - Search for documents in Google and Bing
      - Automatic file downloading
      - Capable of extracting Metadata, hidden info and lost data
      - Cluster information
      - Analyzes the info to fingerprint the network.
  40. Demo: FOCA
  41. FOCA Online
      - http://www.informatica64.com/FOCA
  42. Solutions?
  43. First: Clean all public documents
  44. Clean your documents: MS Office 2k7
  45. Clean your documents: MS Office 2k3 & XP
      - http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
  46. OLE Streams
      - In MS Office binary format files
      - Store information about the OS
      - Are not cleaned with these tools
      - FOCA finds this info
  47. Demo: Looking for info in cleaned document
  48. OpenOffice cleaning options
      - Only metadata
      - Not cleaning hidden info
      - Not cleaning lost data
  49. Cleaning documents
      - OOMetaExtractor
      - http://www.codeplex.org/oometaextractor
  50. Demo: OpenOffice “Security” Options…
  51. Are you safe relying on your users?
  52. IIS MetaShield Protector
      - http://www.metashieldprotector.com
  53. Second: Beg Google to delete all the cached files
  54. Don't trust your users!!!
  55. Don't complain about your job!!
  56. PS: This file also has metadata
  57. Thanks
      - Authors
          - Chema Alonso, chema@informatica64.com
          - Jose Palazón “Palako”, palako@lateatral.com
          - Enrique Rando, Enrique.rando@juntadeandalucia.es
          - Alejandro Martín, amartin@informatica64.com
          - Francisco Oca, froca@informatica64.com
          - Antonio Guzmán, antonio.guzman@urjc.es
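
A pre-publication check for the three data classes the slides distinguish (metadata, hidden info, lost data), as an added example that is not from the deck or from FOCA: it reads the declared metadata of a ZIP-based OOXML/ODF package and scans every XML part for user paths, UNC paths and private IP addresses. `audit_document`, `build_sample` and the patterns are this example's own names, and the sample package is constructed (it reuses the `jfoo` and `/home/johnnyf` illustrations from slide 24); binary OLE streams and PDF files are out of scope.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # fine for files you authored; use defusedxml on untrusted input

# Package parts that carry declared metadata (OOXML: docProps/*, ODF: meta.xml).
META_PARTS = {"docProps/core.xml", "docProps/app.xml", "meta.xml"}

# Hidden-info / lost-data classes from the "What can be found?" slide.
PATTERNS = {
    "windows_user_path": re.compile(r"[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\<\"]+"),
    "unix_home_path": re.compile(r"/home/[A-Za-z0-9._-]+"),
    "unc_path": re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s<\"]+"),
    "private_ipv4": re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
}

def audit_document(data: bytes) -> dict:
    """Return declared metadata plus path/host leaks found in any XML part."""
    report = {"metadata": {}, "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            raw = pkg.read(name)
            if name in META_PARTS:  # leaf elements hold creator, lastModifiedBy, generator...
                for el in ET.fromstring(raw).iter():
                    if len(el) == 0 and el.text and el.text.strip():
                        report["metadata"][el.tag.split("}")[-1]] = el.text.strip()
            text = raw.decode("utf-8", errors="replace")
            for kind, rx in PATTERNS.items():
                report["findings"] += [(name, kind, m.group(0)) for m in rx.finditer(text)]
    return report

def build_sample() -> bytes:
    """Constructed OOXML-style package; every value in it is invented."""
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="urn:example:cp" '
            'xmlns:dc="urn:example:dc"><dc:creator>jfoo</dc:creator>'
            '<cp:lastModifiedBy>johnnyf</cp:lastModifiedBy></cp:coreProperties>',
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" '
            'Target="file:///C:\\Documents and Settings\\jfoo\\template.dotx"/>'
            '<Relationship Id="rId2" Target="\\\\intranet-srv\\share\\logo.png"/></Relationships>',
        "word/document.xml": "<doc><p>Draft at http://10.0.0.12/wiki, notes in /home/johnnyf/notes</p></doc>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `audit_document(open(path, "rb").read())` on each file in a publishing queue gives a report that can gate the upload: an empty `findings` list and an empty `metadata` dict mean none of these patterns or fields are present in the package's XML parts.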
