Metadata - What is Unseen
•
3 likes•1,046 views
Slides from the ECU Security Research Institute seminar Monday 29 April 2013, presented by Professor Craig Valli. Our increasing interconnection networks and production of data of various types such as pictures and videos (artefacts), are producing an increasingly unseen amount of data. Metadata is data about an artefact that may, for instance, give away the location where a photo was taken, the device that created the artefact, or what operating systems and applications were used in the construction of the artefact. Furthermore, the device that transmitted the artefact may be reliably fingerprinted and identified by the applications and operating systems that it runs. Most organisations and individuals are unaware of the attendant risk that the production of artefacts with embedded metadata represents to privacy and security. This presentation will explore those risks and also demonstrate some of the capabilities of the tools publicly available to extract intelligence from metadata. Speaker Profile Professor Craig Valli is the Director of the ECU Security Research Institute (ECUSRI) at Edith Cowan University. Professor Valli has over 25 years experience in the IT industry. He conducts research and consults to industry and government on network security and digital forensics issues. His main consultancy focus is on securing networks and critical infrastructures, detection of network borne threats and forensic analysis of cyber security incidents. The ECU Security Research Institute (ECUSRI) is a research unit with Edith Cowan University.
Recommended
More Related Content
Viewers also liked
Viewers also liked (19)
Similar to Metadata - What is Unseen
Similar to Metadata - What is Unseen (20)
Recently uploaded
Recently uploaded (20)
Metadata - What is Unseen
- 1. Security Research Institute Edith Cowan University Metadata : What is Unseen Professor Craig Valli Security Research Institute SIG 29th April, 2013
- 2. Security Research Institute Edith Cowan University What is it in this context • Data in various forms that are embedded in a digital artefact or stream, typically unseen by the user. Including but not limited to – Your email address – Watermarks, logos etc – Server Drive mappings – Notes and edits (since thought to be deleted) – Your geolocation at time of save or capture – Cookies, web application specific data
- 3. Security Research Institute Edith Cowan University Why not remove? • What do you think feeds search engines? • It can be very useful for internal systems to search on attributes of documents • Can be used to prove provenance of a document • Can be used to provide an avenue for targetted deception
- 4. Security Research Institute Edith Cowan University Why remove? • It makes good sense from a security perspective, minimal information leakage is optimal • Because in some countries you are leaving yourself open to litigation and or breaches of law (US HIPPA, Privacy Acts, Data Protection) distributing documents with this data in them
- 5. Security Research Institute Edith Cowan University TCP/IP Stacks, Operating Systems • NMAP, p0f are network mappers that work by looking at the flags in your TCP/IP transmissions. They can reliably fingerprint – Your device – Your operating system – Your patch level of operating system
- 6. Security Research Institute Edith Cowan University Browsers • The addition of various plug-ins to a browser, in combination with IP numbers used, platform identifiers in the browser and the ubiquitous cookie can make browsers easy to uniquely identify – Mozilla/5.0 (Linux; U; Android 2.2; en-gb; GT-P1000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 – Mozilla/5.0 (Linux; U; Android 2.2; en-ca; SGH-T959D Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 – Mozilla/5.0 (Linux; U; Android 2.2; en-gb; GT-P1000 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 – Mozilla/5.0 (Linux; U; Android 2.0.1; en-us; Droid Build/ESD56) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
- 7. Security Research Institute Edith Cowan University Word Document Metadata • Comments, revision marks from tracked changes, versions, and ink annotations • Headers, footers, and watermarks • Document server properties • Email addresses • Usernames (ADS etc) • Hidden text (formatted as)
- 8. Security Research Institute Edith Cowan University PDF • Same same as before with Word plus... – Encryption and user access settings – Signature tags – location, signing authority, type of signing etc – Lets not forget executables – Can keep a full history of metadata in the file i.e just changing does not erase...
- 9. Security Research Institute Edith Cowan University Geotagging • The location data is typically stored within the EXIF records for the image using the EXIF Global Positioning System sub-IFD that uses the TIFF Private Tag 0x882 • Or the application generates the data using a combination of sources to locate e.g GPS and Wireless access points
- 10. Security Research Institute Edith Cowan University EXIF • The Exchangeable Image File format (EXIF) is a published industry specification for the image file format used by digital cameras • There are over 200 plus identifiers/tags, geo- location, device, serial number etc
- 11. Security Research Institute Edith Cowan University EXIF
- 12. Security Research Institute Edith Cowan University Social Media... • Most of these services are “free” in exchange for your data and metadata touch points. Just as in real world no free lunch in cyberspace. • Many of these services give full feeds of their data streams to developers (anyone) • Some of them rely on you to have turned on GPS/geolocation to access the service i.e no geo no service or you are just “checking in”
- 13. Security Research Institute Edith Cowan University Twitter – 140 characters not! •Links to previous tweets •Authors username •Authors screename •Authors biography •Authors location •Timezone •PlaceID, Printable Name, URL, Type, Bounding Box, Country of place tweet was made •Application that sent the tweet
- 14. Security Research Institute Edith Cowan University Google...
- 15. Security Research Institute Edith Cowan University Third Party Service Providers • Various service providers are now developing services that fingerprint your devices and you! • All perfectly legal , drawn from metadata and other sources.
- 16. Security Research Institute Edith Cowan University Some analysis tools • Metapicz – Google App - is one example of an online based tools that allow extraction data • Geosetter – http://www.geosetter.de/en/ Windows tool to edit/view Geo and other attributes • FOCA – harvester and analyser for metadata from websites • GeoIntelligence – home grown...
- 17. Security Research Institute Edith Cowan University Solutions • Make sure you turn off geo-location on your devices...unless you want to be tracked • Strip out metadata using a cleanser before sending documents in email or storing on websites, unless you’re setting honeyfiles.. • Use your browsers in anonymous modes on all your devices or set different browser-id strings • Be careful what extensions in use on browsers • Use some of the VM based anonymisers
- 18. Security Research Institute Edith Cowan University Software and Resources • Office 2010+ - Document Inspector • OpenOffice – http://oometaextractor.codeplex.com/ • Removing Sensitive Data for PDF http://tv.adobe.com/watch/learn-acrobat-x/removing- sensitive-information/
- 19. Security Research Institute Edith Cowan University References and Resources • Official 2.3 EXIF http://www.cipa.jp/english/hyoujunka/kikaku/pdf/DC-008- 2012_E.pdf • EXIF Tag list http://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/EXIF.ht ml • Hidden Data and Metadata in Adobe PDF Files http://www.nsa.gov/ia/_files/app/pdf_risks.pdf • Official PDF specification - http://www.adobe.com/devnet/pdf/pdf_reference.html