Perimeter
8/3/2009
11:32 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

'FOCA' And The Power Of Metadata Analysis

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.

Metadata is an interesting -- and often unrealized -- problem for anyone who uses office applications, like Microsoft Office, OpenOffice, and Adobe Acrobat.I've written about it before because its impact is often misunderstood both from the publicity and security standpoint. On one hand, metadata provides the necessary data to help organize documents in enterprise document management systems. At the same time, if left in documents sent to others, it provides an unnecessary amount of extra information that could embarrass an organization or be used by an attacker to pull off a more targeted attack.

During the presentation "Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data Using FOCA" Sunday at Defcon, Chema Alonso and Jose Palazon discussed a tool called FOCA, which they had released at Black Hat Europe earlier this year. After watching the presentation, I'm shocked it hasn't received more attention from the security community. It is by far one of the best metadata collection and extraction tools I've seen.

Several other metadata extraction tools exist, like metagoofil, libextractor, and cewl, but FOCA combines nearly all their features and much more. It can perform searches using Google and Bing, then automatically downloads files and extracts data into an organized list.

One of the coolest features is the ability to "map the network" using data from collected files -- files that were either downloaded directly through the app or already on the hard drive, where they can be dragged and dropped into the FOCA interface. A basic network map is created based on server, host, and operating system information pulled from files.

Based on what Chema and Jose showed at Defcon, plus some of my own preliminary testing, I can tell you that FOCA is a tool I'll definitely be using regularly during risk assessments and pen-tests. It's a very powerful tool for enumerating files and metadata from both an offensive and defensive point of view.

Those of you who are not penetration testers can use it to see what information your organization is exposing to anyone who knows how to look. And you're likely to be quite surprised. As Chema said, "It's not a crime. The documents are public. We read public documents, just in a different way."

Now you can, too.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web