DEF CON 17: Tactical Fingerprinting using FOCA
DESCRIPTION
Talk delivered by Chema Alonso and José Palazón "Palako" at DEF CON 17 about "Tactical Fingerprinting using metadata, hidden info and lost data".
TRANSCRIPT
Tactical Fingerprinting using metadata, hidden info and lost data using FOCA
Chema Alonso, José Palazón “Palako”
2003 – a piece of history
The Iraq war was about to start and the US wanted the UK as an ally. The US sent a document "proving" the existence of weapons of mass destruction.
Tony Blair presented the document to the UK parliament.
Parliament asked Tony Blair “Has someone modified the document?”
He answered: No
2003 – MS Word bytes Tony Blair
What kind of data can be found?
Metadata: information stored to give information about the document.
▪ For example: creator, organization, etc.
Hidden information: information internally stored by programs and not editable by the user.
▪ For example: template paths, printers, database structure, etc.
Lost data: information that is in documents due to human mistakes or negligence, because it was not intended to be there.
▪ For example: links to internal servers, data hidden by formatting, etc.
Metadata Lifecycle (diagram)
How metadata, hidden info and lost data get into a document: wrong management, bad format conversion, insecure options, new applications or program versions, embedded files. The document is then published on a public server and collected by search engines, spiders and databases (metadata created by Google). Lost data everywhere.
So… are people aware of this?
The answer is NO. Almost nobody is cleaning documents. Companies publish thousands of documents without first cleaning them of: metadata, hidden info, lost data.
Sample: FBI.gov
Total: 4841 files
Are they clean?
Total: 1075 files
How many files is my company publishing?
Sample: Printer info found in odf files returned by Google
Google Sets prediction
Sample: Info found in a PDF file
What files store metadata, hidden info or lost data?
Office documents: OpenOffice documents, MS Office documents.
PDF documents
▪ XMP
EPS documents
Graphic documents
▪ EXIF
▪ XMP
And almost everything…
Pictures with GPS info…
EXIFREADER
http://www.takenet.or.jp/~ryuuji/
Demo: Looking for EXIF information in ODF file
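The GPS case above, as an added example that is not part of the original talk or the FOCA code: a minimal EXIF reader that walks the JPEG segments to the APP1/Exif block, parses the TIFF header and IFD0, follows the GPSInfo pointer (tag 0x8825) to the GPS IFD and converts the degree/minute/second rationals into decimal coordinates, together with the camera make and model from IFD0. The block builds its own test JPEG; the camera name and position in it are invented. A picture pulled out of an ODF document's Pictures/ folder can be passed to the same function.

```python
"""Minimal EXIF/GPS reader for JPEG files (added example, not the talk's code).

Walks JPEG segments to APP1/Exif, parses the TIFF header and IFD0, follows
the GPSInfo pointer (0x8825) and turns the GPS rationals into decimal degrees.
build_sample_jpeg() constructs a test image with an invented camera/position.
"""
import struct
from fractions import Fraction

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL


def _read_ifd(t: bytes, off: int, e: str) -> dict:
    """Decode one IFD at offset `off` of TIFF blob `t` with byte order `e`."""
    (n,) = struct.unpack(e + "H", t[off:off + 2])
    out = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", t[ent:ent + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        # values of 4 bytes or less are stored inline, larger ones at an offset
        data_off = ent + 8 if size <= 4 else struct.unpack(e + "I", t[ent + 8:ent + 12])[0]
        raw = t[data_off:data_off + size]
        if typ == 2:
            out[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            out[tag] = list(struct.unpack(e + ("H" if typ == 3 else "I") * count, raw))
        elif typ == 5:
            v = struct.unpack(e + "II" * count, raw)
            out[tag] = [Fraction(v[j], v[j + 1] or 1) for j in range(0, len(v), 2)]
        else:
            out[tag] = raw
    return out


def _dms_to_decimal(dms, ref: str) -> float:
    deg = float(dms[0] + dms[1] / 60 + dms[2] / 3600)
    return -deg if ref in ("S", "W") else deg


def exif_gps(jpeg: bytes):
    """Return {'make','model','lat','lon'} from the Exif APP1 segment, or None if absent."""
    pos = 2                                        # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            t = jpeg[pos + 10:pos + 2 + seglen]
            e = "<" if t[:2] == b"II" else ">"    # byte order from the TIFF header
            (ifd0,) = struct.unpack(e + "I", t[4:8])
            tags = _read_ifd(t, ifd0, e)
            info = {"make": tags.get(0x010F), "model": tags.get(0x0110), "lat": None, "lon": None}
            if 0x8825 in tags:                     # GPSInfoIFDPointer
                g = _read_ifd(t, tags[0x8825][0], e)
                if all(k in g for k in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
                    info["lat"] = _dms_to_decimal(g[2], g[1])
                    info["lon"] = _dms_to_decimal(g[4], g[3])
            return info
        if marker == 0xDA:                         # SOS: image data, no more headers
            break
        pos += 2 + seglen
    return None


def _entry(e: str, tag: int, typ: int, count: int, value: bytes) -> bytes:
    """One 12-byte IFD entry; `value` is inline data or a packed 4-byte offset."""
    return struct.pack(e + "HHI", tag, typ, count) + value.ljust(4, b"\x00")


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, make, model, e="<") -> bytes:
    """Construct a JPEG whose Exif APP1 segment carries IFD0 (Make, Model) and a GPS IFD."""
    make_b, model_b = make.encode() + b"\x00", model.encode() + b"\x00"
    ifd0_off = 8
    make_off = ifd0_off + 2 + 3 * 12 + 4           # IFD0: count, 3 entries, next-IFD link
    model_off = make_off + len(make_b)
    gps_off = model_off + len(model_b)
    lat_off = gps_off + 2 + 4 * 12 + 4             # GPS IFD: count, 4 entries, next-IFD link
    lon_off = lat_off + 3 * 8
    rat = lambda dms: b"".join(struct.pack(e + "II", n, d) for n, d in dms)
    tiff = (b"II" if e == "<" else b"MM") + struct.pack(e + "HI", 42, ifd0_off)
    tiff += struct.pack(e + "H", 3)
    tiff += _entry(e, 0x010F, 2, len(make_b), struct.pack(e + "I", make_off))    # Make
    tiff += _entry(e, 0x0110, 2, len(model_b), struct.pack(e + "I", model_off))  # Model
    tiff += _entry(e, 0x8825, 4, 1, struct.pack(e + "I", gps_off))               # GPSInfo
    tiff += struct.pack(e + "I", 0) + make_b + model_b
    tiff += struct.pack(e + "H", 4)
    tiff += _entry(e, 0x0001, 2, 2, lat_ref.encode() + b"\x00")
    tiff += _entry(e, 0x0002, 5, 3, struct.pack(e + "I", lat_off))
    tiff += _entry(e, 0x0003, 2, 2, lon_ref.encode() + b"\x00")
    tiff += _entry(e, 0x0004, 5, 3, struct.pack(e + "I", lon_off))
    tiff += struct.pack(e + "I", 0) + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed sample: an invented camera at 36°45'20.5" N, 3°36'45" W
SAMPLE_JPEG = build_sample_jpeg(
    [(36, 1), (45, 1), (205, 10)], "N", [(3, 1), (36, 1), (45, 1)], "W", "ACMECAM", "X-100")

if __name__ == "__main__":
    print(exif_gps(SAMPLE_JPEG))
```

The reader honours the byte-order mark in the TIFF header, so the same code handles "II" (Intel) and "MM" (Motorola) files, and it stops at the start-of-scan marker rather than scanning image data.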
Even Videos with users…
http://video.techrepublic.com.com/2422-14075_11-207247.html
And of course, printed txt
What can be found?
Users: creators, modifiers, users in paths.
▪ C:\Documents and settings\jfoo\myfile
▪ /home/johnnyf
Operating systems.
Printers: local and remote.
Paths: local and remote.
Network info: shared printers, shared folders, ACLs, internal servers, NetBIOS name, domain name, IP address.
Database structures: table names, column names.
Device info: mobiles, photo cameras.
Private info: personal data.
History of use. Software versions.
How can metadata be extracted?
The info is in the file in raw format: binary or ASCII.
Therefore hex or ASCII editors can be used: HexEdit, Notepad++, BinText.
Special tools can be used: Exif Reader, ExifTool, libextractor, Metagoofil, …
…or just open the file!
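The two lists above (what can be found, and how to get at it), as an added example that is not the talk's or FOCA's code: OOXML (.docx) and ODF (.odt) files are zip containers full of XML, so the Python standard library is enough to read the fields listed: creator and last-modified-by users from the metadata parts, template paths and application versions from the hidden-info parts, who printed an ODF file, external relationship targets that point at internal servers (lost data), and the user names that only exist inside paths. Both sample documents are constructed in memory; every user, host and path in them is invented.

```python
"""Pull metadata, hidden info and lost data out of zip-based office files.

Added example, not FOCA's own code. Sample .docx/.odt are constructed below;
every user, host and path in them is invented.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "meta": "urn:oasis:names:tc:opendocument:xmlns:meta:1.0",
}
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# "users in paths": C:\Documents and Settings\jfoo\..., C:\Users\jfoo\..., /home/johnnyf/...
USER_IN_PATH = re.compile(r"(?:Documents and Settings|Users)[\\/]+([^\\/]+)|/home/([^/]+)", re.I)


def _texts(root, tags):
    """Non-empty text of the first element matching each prefixed tag."""
    out = []
    for tag in tags:
        el = root.find(tag, NS)
        if el is not None and el.text and el.text.strip():
            out.append(el.text.strip())
    return out


def extract(data: bytes) -> dict:
    """Return the users, paths, software and external targets found in a .docx or .odt."""
    found = {"users": set(), "paths": set(), "software": set(), "targets": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:                 # OOXML metadata
            core = ET.fromstring(z.read("docProps/core.xml"))
            found["users"].update(_texts(core, ["dc:creator", "cp:lastModifiedBy"]))
        if "docProps/app.xml" in names:                  # OOXML hidden info
            app = ET.fromstring(z.read("docProps/app.xml"))
            sw = " ".join(_texts(app, ["ep:Application", "ep:AppVersion"]))
            if sw:
                found["software"].add(sw)
            found["paths"].update(_texts(app, ["ep:Template"]))
        if "meta.xml" in names:                          # ODF metadata
            meta = ET.fromstring(z.read("meta.xml")).find("office:meta", NS)
            if meta is not None:
                found["users"].update(_texts(meta, ["meta:initial-creator", "dc:creator", "meta:printed-by"]))
                found["software"].update(_texts(meta, ["meta:generator"]))
                tpl = meta.find("meta:template", NS)
                if tpl is not None and tpl.get(XLINK_HREF):
                    found["paths"].add(unquote(tpl.get(XLINK_HREF)))
        for name in names:                               # lost data: external links and images
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).findall("rel:Relationship", NS):
                    if rel.get("TargetMode") == "External":
                        found["targets"].add(unquote(rel.get("Target", "")))
    for p in found["paths"] | found["targets"]:          # user names that only exist in paths
        for m in USER_IN_PATH.finditer(p):
            found["users"].add(m.group(1) or m.group(2))
    return found


def _zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed .docx: Word 2007-style docProps plus external links to internal resources.
SAMPLE_DOCX = _zip({
    "docProps/core.xml":
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        '<dc:creator>jfoo</dc:creator><cp:lastModifiedBy>CORP\\johnnyf</cp:lastModifiedBy>'
        '</cp:coreProperties>',
    "docProps/app.xml":
        f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
        '<AppVersion>12.0000</AppVersion>'
        '<Template>\\\\fileserver01\\templates\\corp.dotm</Template></Properties>',
    "word/_rels/document.xml.rels":
        f'<Relationships xmlns="{NS["rel"]}">'
        '<Relationship Id="rId1" Type="hyperlink" TargetMode="External" '
        'Target="http://intranet.corp.local/finance/budget.xls"/>'
        '<Relationship Id="rId2" Type="image" TargetMode="External" '
        'Target="file:///C:/Users/jfoo/Pictures/logo.png"/></Relationships>',
})

# Constructed .odt: OpenOffice meta.xml with creators, printed-by, generator and template path.
SAMPLE_ODT = _zip({
    "mimetype": "application/vnd.oasis.opendocument.text",
    "meta.xml":
        f'<office:document-meta xmlns:office="{NS["office"]}" xmlns:meta="{NS["meta"]}" '
        f'xmlns:dc="{NS["dc"]}" xmlns:xlink="http://www.w3.org/1999/xlink"><office:meta>'
        '<meta:initial-creator>Johnny F</meta:initial-creator><dc:creator>johnnyf</dc:creator>'
        '<meta:printed-by>mgarcia</meta:printed-by>'
        '<meta:generator>OpenOffice.org/3.1$Linux OpenOffice.org_project/310m11$Build-9399</meta:generator>'
        '<meta:template xlink:type="simple" '
        'xlink:href="file:///home/johnnyf/.openoffice.org/3/user/template/memo.ott"/>'
        '</office:meta></office:document-meta>',
})

if __name__ == "__main__":
    for label, blob in (("docx", SAMPLE_DOCX), ("odt", SAMPLE_ODT)):
        print(label, {k: sorted(v) for k, v in extract(blob).items()})
```

Note how the two user names the document never states outright (the owner of the Windows profile in the image link, the Unix home directory in the template path) fall out of the path regex; that is the "users in paths" item above.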
Tools: Libextractor
Tools: MetaGoofil
http://www.edge-security.com/metagoofil.php
Yes, also Google….
Your FBI user
Your UN user
Your Scotland Yard user
Your Carabinieri user
Your WhiteHouse user
Yes, we can!
Drawbacks
These tools only extract metadata: they do not look for hidden info, do not look for lost data and do no post-analysis.
Only metadata
http://gnunet.org/libextractor/demo.php3
Not very good with XML files (SWX, ODF, OOXML)
Google is [almost] GOD
Filetype or Extension?
FOCA
Fingerprinting Organizations with Collected Archives.
Searches for documents in Google and Bing.
Automatic file downloading.
Capable of extracting metadata, hidden info and lost data.
Clusters information.
Analyzes the info to fingerprint the network.
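The last two steps above (clustering and fingerprinting), as an added example that is not FOCA's code: it takes per-document findings of the kind a metadata extractor returns and folds them into one organisation fingerprint, splitting DOMAIN\user names into a domain list, harvesting host names and IP addresses from UNC paths, printer shares and links, inferring the author's operating system from path conventions and generator strings, and counting software versions. The four input records are constructed; every user, domain, host and path in them is invented, and the OS rules are heuristics, not a FOCA algorithm.

```python
"""Cluster per-document findings into an organisation fingerprint.

Added example, not FOCA's code. The records below mimic what a metadata
extractor returns per file; they are constructed and every user, domain,
host and path is invented. OS inference is heuristic.
"""
import re
from collections import Counter
from urllib.parse import urlparse

UNC_HOST = re.compile(r"^\\\\([\w.-]+)")
DOMAIN_USER = re.compile(r"^([\w-]+)\\([\w.-]+)$")            # CORP\jfoo
USER_IN_PATH = re.compile(r"(?:Documents and Settings|Users)[\\/]+([^\\/]+)|/home/([^/]+)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def guess_os(record: dict) -> str:
    """Heuristic OS guess from path conventions and generator strings."""
    blob = " ".join(record.get("paths", []) + record.get("software", []))
    if "Documents and Settings" in blob:
        return "Windows 2000/XP/2003"
    if re.search(r"[A-Za-z]:\\Users\\", blob):
        return "Windows Vista or later"
    if "$Win32" in blob:
        return "Windows (version unknown)"
    if "/home/" in blob or "$Linux" in blob:
        return "Linux/Unix"
    return "unknown"


def fingerprint(records) -> dict:
    """Merge per-file findings into users, domains, hosts, IPs, printers, OS and software counts."""
    fp = {"users": set(), "domains": set(), "hosts": set(), "ips": set(),
          "printers": set(), "os": Counter(), "software": Counter()}
    for rec in records:
        for u in rec.get("users", []):
            m = DOMAIN_USER.match(u)
            if m:                                   # DOMAIN\user reveals the Windows domain
                fp["domains"].add(m.group(1).upper())
                u = m.group(2)
            fp["users"].add(u)
        for p in rec.get("paths", []) + rec.get("printers", []) + rec.get("links", []):
            host = None
            m = UNC_HOST.match(p)
            if m:
                host = m.group(1).lower()
            elif p.startswith(("http://", "https://", "file://")):
                host = urlparse(p).hostname       # None for file:/// local paths
            if host:
                (fp["ips"] if IPV4.match(host) else fp["hosts"]).add(host)
            for m in USER_IN_PATH.finditer(p):
                fp["users"].add(m.group(1) or m.group(2))
        fp["printers"].update(rec.get("printers", []))
        fp["os"][guess_os(rec)] += 1
        fp["software"].update(rec.get("software", []))
    return fp


# Constructed extraction results for four documents from one imaginary organisation.
RECORDS = [
    {"file": "budget.doc", "users": ["CORP\\jfoo"], "software": ["Microsoft Office Word 11.0"],
     "paths": [r"C:\Documents and Settings\jfoo\Application Data\Microsoft\Templates\Normal.dot"],
     "printers": [r"\\printsrv01\HP LaserJet 4250"]},
    {"file": "memo.docx", "users": ["mgarcia"], "software": ["Microsoft Office Word 12.0000"],
     "paths": [r"\\fileserver01\templates\corp.dotm"],
     "links": ["http://intranet.corp.local/hr/policy.pdf"]},
    {"file": "report.odt", "users": ["Johnny F"], "software": ["OpenOffice.org/3.1$Linux"],
     "paths": ["/home/johnnyf/docs/report.odt"],
     "links": ["http://10.10.0.5/wiki/index.php"]},
    {"file": "slides.ppt", "users": ["CORP\\jfoo"], "software": ["Microsoft Office PowerPoint 11.0"],
     "paths": [r"C:\Users\jfoo\Desktop\slides.ppt"],
     "printers": [r"\\printsrv01\HP LaserJet 4250"]},
]

if __name__ == "__main__":
    for key, value in fingerprint(RECORDS).items():
        print(f"{key:9} {dict(value) if isinstance(value, Counter) else sorted(value)}")
```

Four public files are enough here to name a domain, two internal servers, a print server, an intranet IP address and the mix of operating systems in use, which is the kind of network picture the slide means by "fingerprint".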
Demo: FOCA
FOCA Online: http://www.informatica64.com/FOCA
Solutions?
First: Clean all public documents
Clean your documents: MS Office 2k7
Clean your documents: MSOffice 2k3 & XP
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=144e54ed-d43e-42ca-bc7b-5446d34e5360
OLE Streams
In MS Office binary format files. They store information about the OS. They are not cleaned by these tools. FOCA finds this info.
Demo: Looking for info in cleaned document
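The hex/ASCII-editor approach from the extraction slides, and the OLE-stream point just above, as one added example that is not the talk's or FOCA's code: instead of parsing a format, scan the raw bytes for printable strings and pick out paths, user names, host names and software strings, the way BinText or a hex editor shows them. The twist that matters for the binary Office formats is that much of the string content in OLE streams is UTF-16LE, so an ASCII-only scan misses it; this block decodes both. The sample blob is constructed below (an OLE2 signature followed by strings in both encodings) and every user, host and printer name in it is invented.

```python
"""Carve paths, users and hosts out of a binary document the way a hex or
ASCII editor would. Added example, not FOCA's code. Scans both plain ASCII
runs and the UTF-16LE runs typical of OLE streams. The sample blob is
constructed below; every name in it is invented.
"""
import re

STRING_RUNS = {
    "ascii": re.compile(rb"[\x20-\x7e]{6,}"),
    "utf-16le": re.compile(rb"(?:[\x20-\x7e]\x00){6,}"),
}
PATTERNS = {   # heuristics, as an analyst would eyeball them in an editor
    "win_path": re.compile(r"[A-Za-z]:\\[\w .\\-]+"),
    "unc_path": re.compile(r"\\\\[\w.-]+\\[\w .\\$-]+"),
    "unix_path": re.compile(r"/home/[\w.-]+(?:/[\w.-]+)*"),
    "software": re.compile(r"Microsoft Office \w+|OpenOffice\.org/\d[\d.]*"),
}
USER_IN_PATH = re.compile(r"(?:Documents and Settings|Users)[\\/]+([^\\/]+)|/home/([^/]+)", re.I)
UNC_HOST = re.compile(r"^\\\\([\w.-]+)")


def strings(blob: bytes):
    """Yield (encoding, text) for every printable ASCII or UTF-16LE run."""
    for enc, rx in STRING_RUNS.items():
        for m in rx.finditer(blob):
            yield enc, m.group().decode("utf-16-le" if enc == "utf-16le" else "ascii")


def carve(blob: bytes) -> dict:
    """Return paths, software, users and hosts found in the raw bytes, plus which encodings hit."""
    found = {"paths": set(), "software": set(), "users": set(), "hosts": set(), "encodings": set()}
    for enc, text in strings(blob):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                found["software" if kind == "software" else "paths"].add(m.group().strip())
                found["encodings"].add(enc)
    for p in found["paths"]:
        for m in USER_IN_PATH.finditer(p):            # profile / home directory owners
            found["users"].add(m.group(1) or m.group(2))
        h = UNC_HOST.match(p)
        if h:                                         # file and print servers
            found["hosts"].add(h.group(1))
    return found


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a .doc with OLE streams (invented user, host, printer).
SAMPLE_BLOB = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24        # OLE2 signature + padding
    + b"Microsoft Office Word\x00\x00\x00"
    + _u16(r"C:\Documents and Settings\jfoo\Application Data\Microsoft\Templates\Normal.dot")
    + b"\x00" * 8
    + _u16(r"\\printsrv01\HP LaserJet 4250 PCL6")
    + b"\x00" * 8
    + b"file:///home/johnnyf/budget/q3.ods\x00"
)

if __name__ == "__main__":
    for k, v in carve(SAMPLE_BLOB).items():
        print(f"{k:10} {sorted(v)}")
```

Run against the constructed blob, the template path and the printer share are only visible through the UTF-16LE pass; an ASCII-only strings dump would report just the application name and the Unix path. That is why a document "cleaned" through the metadata dialogs can still hand over a user name and a print server.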
OpenOffice cleaning options
Only metadata. Hidden info is not cleaned. Lost data is not cleaned.
Cleaning documents OOMetaExtractor
http://www.codeplex.org/oometaextractor
Demo: OpenOffice “Security” Options…
Are you safe relying on your users?
Second: Beg Google to delete all the cached files
Don't trust your users!!!
Don't complain about your job!!
PS: This file also has metadata
Thanks
Authors
Chema Alonso
Jose Palazón "Palako"
Enrique Rando
Alejandro Martín
Francisco Oca
Antonio Guzmán