Perimeter
8/3/2009
11:32 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

'FOCA' And The Power Of Metadata Analysis

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.I've written about it before because its impact is often misunderstood both from the publicity and security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems. At the same time, if left in documents sent to others, it provides an unnecessary amount of extra information that could embarrass an organization or be used by an attacker to pull off a more targeted attack.

During the presentation "Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data Using FOCA" Sunday at Defcon, Chema Alonso and Jose Palazon discussed a tool called FOCA, which they had released at Black Hat Europe earlier this year. After watching the presentation, I'm shocked it hasn't received more attention from the security community. It is by far one of the best metadata collection and extraction tools I've seen.

Several other metadata extraction tools exist, like metagoofil, libextractor, and cewl, but FOCA combines nearly all their features and much more. It can perform searches using Google and Bing, then automatically downloads files and extracts data into an organized list.

One of the coolest features is the ability to "map the network" using data from collected files -- files that were either downloaded directly through the app or already on the hard drive, where they can be dragged and dropped into the FOCA interface. A basic network map is created based on server, host, and operating system information pulled from files.

Based on what Chema and Jose showed at Defcon, plus some of my own preliminary testing, I can tell you that FOCA is a tool I'll definitely be using regularly during risk assessments and pen-tests. It's a very powerful tool for enumerating files and metadata from both an offensive and defensive point of view.

Those of you who are not penetration testers can use it to see what information your organization is exposing to anyone who knows how to look. And you're likely to be quite surprised. As Chema said, "It's not a crime. The documents are public. We read public documents, just in a different way."

Now you can, too.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio