Metadata Security: MetaShield Protector
![Page 1: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/1.jpg)
Tactical Fingerprinting using metadata, hidden info and lost data using FOCA
Chema Alonso, José Palazón “Palako”
![Page 2: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/2.jpg)
2003 – a piece of history
The Iraq war was about to start.
The US wanted the UK to be an ally.
The US sent a document “proving” the existence of weapons of mass destruction.
Tony Blair presented the document to the UK parliament.
Parliament asked Tony Blair “Has someone modified the document?”
He answered: No
![Page 3: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/3.jpg)
2003 – MS Word bytes Tony Blair
![Page 4: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/4.jpg)
What kind of data can be found?
Metadata: Information stored to give information about the document.
▪ For example: Creator, Organization, etc.
Hidden information: Information internally stored by programs and not editable.
▪ For example: Template paths, Printers, db structure, etc.
Lost data: Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
▪ For example: Links to internal servers, data hidden by format, etc.
![Page 5: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/5.jpg)
Metadata Lifecycle
[Diagram relating Metadata, Hidden info and Lost data. Labels: wrong management, bad format conversion, unsecure options; new apps or program versions; embedded files; search engines, spiders, databases.]
![Page 6: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/6.jpg)
Metadata created by Google
![Page 7: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/7.jpg)
Lost Data
![Page 8: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/8.jpg)
Lost data everywhere
![Page 9: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/9.jpg)
Public server
![Page 10: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/10.jpg)
So… are people aware of this?
The answer is NO.
Almost nobody is cleaning documents.
Companies publish thousands of documents without cleaning them first, with:
▪ Metadata.
▪ Hidden info.
▪ Lost data.
![Page 11: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/11.jpg)
![Page 12: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/12.jpg)
Sample: FBI.gov
Total: 4841 files
![Page 13: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/13.jpg)
![Page 14: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/14.jpg)
Are they clean?
Total: 1075 files
![Page 15: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/15.jpg)
How many files is my company publishing?
![Page 16: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/16.jpg)
Sample: Printer info found in odf files returned by Google
![Page 17: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/17.jpg)
Google Sets prediction
![Page 18: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/18.jpg)
Sample: Info found in a PDF file
![Page 19: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/19.jpg)
What files store Metadata, hidden info or lost data?
Office documents: Open Office documents. MS Office documents.
PDF documents.
▪ XMP.
EPS documents.
Graphic documents.
▪ EXIF.
▪ XMP.
And almost everything…
![Page 20: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/20.jpg)
Pictures with GPS info..
EXIFREADER
http://www.takenet.or.jp/~ryuuji/
![Page 21: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/21.jpg)
Demo: Looking for EXIF information in ODF file
![Page 22: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/22.jpg)
Even Videos with users…
http://video.techrepublic.com.com/2422-14075_11-207247.html
![Page 23: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/23.jpg)
And of course, printed txt
![Page 24: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/24.jpg)
What can be found?
Users: Creators. Modifiers. Users in paths.
▪ C:\Documents and settings\jfoo\myfile
▪ /home/johnnyf
Operating systems.
Printers: Local and remote.
Paths: Local and remote.
Network info: Shared printers. Shared folders. ACLs.
Internal servers: NetBIOS name. Domain name. IP address.
Database structures: Table names. Column names.
Devices info: Mobiles. Photo cameras.
Private info: Personal data.
History of use.
Software versions.
![Page 25: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/25.jpg)
How can metadata be extracted?
Info is in the file in raw format: Binary. ASCII.
Therefore hex or ASCII editors can be used: HexEdit. Notepad++. Bintext.
Special tools can be used: Exif Reader. ExifTool. Libextractor. Metagoofil. …
…or just open the file!
![Page 26: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/26.jpg)
Tools: Libextractor
![Page 27: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/27.jpg)
Tools: MetaGoofil
http://www.edge-security.com/metagoofil.php
![Page 28: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/28.jpg)
Yes, also Google….
![Page 29: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/29.jpg)
Your FBI user
![Page 30: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/30.jpg)
Your UN user
![Page 31: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/31.jpg)
Your Scotland Yard user
![Page 32: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/32.jpg)
Your Carabinieri user
![Page 33: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/33.jpg)
Your WhiteHouse user
![Page 34: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/34.jpg)
Yes, we can!
![Page 35: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/35.jpg)
Drawbacks
These tools only extract metadata.
▪ Not looking for hidden info.
▪ Not looking for lost data.
▪ No post-analysis.
![Page 36: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/36.jpg)
Only Metadata
http://gnunet.org/libextractor/demo.php3
![Page 37: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/37.jpg)
Not very good with XML files (SXW, ODF, OOXML)
![Page 38: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/38.jpg)
Google is [almost] GOD
![Page 39: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/39.jpg)
Filetype or Extension?
![Page 40: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/40.jpg)
FOCA
Fingerprinting Organizations with Collected Archives.
▪ Searches for documents in Google and Bing.
▪ Automatic file downloading.
▪ Capable of extracting metadata, hidden info and lost data.
▪ Clusters information.
▪ Analyzes the info to fingerprint the network.
![Page 41: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/41.jpg)
Demo: FOCA
![Page 42: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/42.jpg)
FOCA Online
http://www.informatica64.com/FOCA
![Page 43: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/43.jpg)
Solutions?
![Page 44: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/44.jpg)
First: Clean all public documents
![Page 45: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/45.jpg)
Clean your documents: MSOffice 2k7
![Page 46: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/46.jpg)
Clean your documents: MSOffice 2k3 & XP
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
![Page 47: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/47.jpg)
OLE Streams
▪ In MS Office binary format files.
▪ Store information about the OS.
▪ Are not cleaned with these tools.
▪ FOCA finds this info.
![Page 48: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/48.jpg)
Demo: Looking for info in cleaned document
![Page 49: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/49.jpg)
OpenOffice cleaning options
▪ Only metadata.
▪ Not cleaning hidden info.
▪ Not cleaning lost data.
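A pre-publication check for the gap this slide describes, as an added example (not code from the talk, FOCA or OOMetaExtractor): ODF and OOXML files are ZIP containers of XML parts, so it scans every part rather than only the metadata part. The sample document, its printer name and the regular expressions are constructed for illustration.

```python
import io
import re
import zipfile

# Fields that identify people or software in ODF (meta.xml) and OOXML (docProps/*.xml).
FIELD_RE = re.compile(
    r"<(?:[\w.-]+:)?(initial-creator|creator|lastModifiedBy|generator|Application|Company)\b[^>]*>"
    r"([^<]+)<")
# ODF settings.xml keeps the last printer used in a config item named PrinterName.
PRINTER_RE = re.compile(r'config:name="PrinterName"[^>]*>([^<]+)<')
# User names leak through local profile paths, as in the slide's two examples.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\(?:Documents and Settings|Users)\\|/home/)([\w.-]+)", re.I)


def audit_office_zip(data: bytes) -> dict:
    """Return what a ZIP-based office file (ODF, OOXML) still discloses."""
    found = {"fields": set(), "printers": set(), "users_in_paths": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue  # embedded images etc. need their own EXIF/XMP check
            text = zf.read(name).decode("utf-8", errors="replace")
            for tag, value in FIELD_RE.findall(text):
                found["fields"].add((name, tag, value.strip()))
            found["printers"].update(p.strip() for p in PRINTER_RE.findall(text))
            found["users_in_paths"].update(PATH_RE.findall(text))
    return found


def build_sample_odt() -> bytes:
    """Constructed sample: meta.xml already emptied, other parts untouched."""
    parts = {
        "meta.xml": "<office:document-meta><office:meta/></office:document-meta>",
        "settings.xml": '<config:config-item config:name="PrinterName" '
                        'config:type="string">\\\\PRINTSRV01\\HP-Floor2</config:config-item>',
        "content.xml": '<text:a xlink:href="file:///C:\\Documents and Settings\\jfoo\\tpl.ott"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, values in audit_office_zip(build_sample_odt()).items():
        print(kind, sorted(values))
```

A document passes only when all three sets come back empty; embedded pictures inside the container still need a separate EXIF/XMP check.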
![Page 50: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/50.jpg)
Cleaning documents OOMetaExtractor
http://www.codeplex.org/oometaextractor
![Page 51: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/51.jpg)
Demo: OpenOffice “Security” Options…
![Page 52: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/52.jpg)
Are you safe relying on your users?
![Page 54: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/54.jpg)
Second: Beg Google to delete all the cached files
![Page 55: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/55.jpg)
Don't trust your users!!!
![Page 56: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/56.jpg)
Don't complain about your job!!
![Page 57: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/57.jpg)
PS: This file also has metadata
![Page 58: Metadata Security: MetaShield Protector](https://reader036.fdocuments.net/reader036/viewer/2022062514/558c8c55d8b42a5c678b46fb/html5/thumbnails/58.jpg)
Thanks
Authors:
▪ Chema Alonso
▪ Jose Palazón “Palako”
▪ Enrique Rando
▪ Alejandro Martín
▪ Francisco Oca
▪ Antonio Guzmán