Perimeter
8/3/2009
11:32 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

'FOCA' And The Power Of Metadata Analysis

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.I've written about it before because its impact is often misunderstood both from the publicity and security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems. At the same time, if left in documents sent to others, it provides an unnecessary amount of extra information that could embarrass an organization or be used by an attacker to pull off a more targeted attack.

During the presentation "Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data Using FOCA" Sunday at Defcon, Chema Alonso and Jose Palazon discussed a tool called FOCA, which they had released at Black Hat Europe earlier this year. After watching the presentation, I'm shocked it hasn't received more attention from the security community. It is by far one of the best metadata collection and extraction tools I've seen.

Several other metadata extraction tools exist, like metagoofil, libextractor, and cewl, but FOCA combines nearly all their features and much more. It can perform searches using Google and Bing, then automatically downloads files and extracts data into an organized list.

One of the coolest features is the ability to "map the network" using data from collected files -- files that were either downloaded directly through the app or already on the hard drive, where they can be dragged and dropped into the FOCA interface. A basic network map is created based on server, host, and operating system information pulled from files.

Based on what Chema and Jose showed at Defcon, plus some of my own preliminary testing, I can tell you that FOCA is a tool I'll definitely be using regularly during risk assessments and pen-tests. It's a very powerful tool for enumerating files and metadata from both an offensive and defensive point of view.

Those of you who are not penetration testers can use it to see what information your organization is exposing to anyone who knows how to look. And you're likely to be quite surprised. As Chema said, "It's not a crime. The documents are public. We read public documents, just in a different way."

Now you can, too.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.