Perimeter
8/3/2009
11:32 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

'FOCA' And The Power Of Metadata Analysis

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.I've written about it before because its impact is often misunderstood both from the publicity and security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems. At the same time, if left in documents sent to others, it provides an unnecessary amount of extra information that could embarrass an organization or be used by an attacker to pull off a more targeted attack.

During the presentation "Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data Using FOCA" Sunday at Defcon, Chema Alonso and Jose Palazon discussed a tool called FOCA, which they had released at Black Hat Europe earlier this year. After watching the presentation, I'm shocked it hasn't received more attention from the security community. It is by far one of the best metadata collection and extraction tools I've seen.

Several other metadata extraction tools exist, like metagoofil, libextractor, and cewl, but FOCA combines nearly all their features and much more. It can perform searches using Google and Bing, then automatically downloads files and extracts data into an organized list.

One of the coolest features is the ability to "map the network" using data from collected files -- files that were either downloaded directly through the app or already on the hard drive, where they can be dragged and dropped into the FOCA interface. A basic network map is created based on server, host, and operating system information pulled from files.

Based on what Chema and Jose showed at Defcon, plus some of my own preliminary testing, I can tell you that FOCA is a tool I'll definitely be using regularly during risk assessments and pen-tests. It's a very powerful tool for enumerating files and metadata from both an offensive and defensive point of view.

Those of you who are not penetration testers can use it to see what information your organization is exposing to anyone who knows how to look. And you're likely to be quite surprised. As Chema said, "It's not a crime. The documents are public. We read public documents, just in a different way."

Now you can, too.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web