Vulnerabilities / Threats

2/13/2009
04:43 PM

Tech Insight: How Attackers Use Your Metadata Against You

Using easily accessible data about your files, bad guys can wreak havoc on your sensitive information

A Special Analysis For Dark Reading
First of Two Articles

To steal your identity, a cybercriminal doesn't have to have direct access to your bank account or other personal information. Often, he collects information about you from a variety of seemingly innocuous sources, then uses that data to map out a strategy to crack your online defenses and drain your accounts.

Such methods are well known to security professionals. What those same professionals often overlook is that the approach works just as well against sensitive business files. Rather than trying to gain access to your data itself, the bad guys analyze the supposedly harmless information about your files -- collectively known as metadata -- and use it to develop attacks that can drain your business of its most sensitive information.

Metadata is a powerful feature of many document and file types, including Microsoft Office documents, PDFs, JPGs, ZIP files, and multimedia formats. Depending on the application and the file, metadata might contain author names, user names, the version of the software used to create the file, the user's operating system, and sometimes even the computer's MAC address (older binary Office formats embedded it in a document identifier). Knowing the exact application version, for instance, lets an attacker choose a client-side exploit that works not just against the author of one file but against everyone in the enterprise running that same build.

Armed with this data, an attacker can target users, as well as the computing environment within their enterprises. Several instances of metadata mishaps have been in the news in recent years. In one case, attackers used data they collected from the "track changes" feature in Microsoft Word. In another case, they took advantage of failed attempts to black out data in PDF files.

These cases make it clear: Once your documents leave the internal network -- either through email or Web publishing -- those files and the metadata they contain are fair game for attackers.

Many security professionals know about metadata, but they don't really know how it can be used against their organizations. The first stage of leveraging metadata for an attack is gathering it. Both attackers and pen testers have a bevy of tools available solely for this purpose.

The simplest way to gather the data is by using the native tool that created the document. For example, Word Document metadata can be viewed within the Properties menu option in Microsoft Word, or by enabling the viewing of previous edits with the "Track Changes" option. Similarly, Adobe Acrobat can display PDF metadata.

While manual extraction of metadata using native tools is effective, it is easy to miss some of the hidden metadata, and the process is slow and monotonous. Two readily available hacking tools -- MetaGooFil and CeWL -- were created to expedite collection by automating the search, download, and extraction of metadata from documents available on the Internet.

MetaGooFil was the first tool on the scene. It uses Google to search for files of a specific type; once it finds and downloads them, it extracts the metadata and displays it in an HTML report that shows the information found in each file. The end of the report includes a summary of authors and file paths -- information that can be important later, during other attack phases.
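What such a tool pulls out of a modern Office file can be shown in a few dozen lines of standard-library Python. The block below is an added example for this article, not MetaGooFil's or CeWL's code: it opens a .docx (an OOXML package, which is a ZIP archive) and reads the core and extended property parts, the same fields Word shows under Properties. The sample document, the names in it and the AppVersion value are constructed for the demonstration; legacy binary .doc files store comparable properties in OLE2 streams and need a different parser.

```python
"""Extract leak-relevant metadata from an OOXML document (added example, not a tool's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml and docProps/app.xml inside a .docx/.xlsx/.pptx
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields an attacker cares about, mapped to the package part and element that hold them
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "application": ("docProps/app.xml", "ep:Application"),
    "app_version": ("docProps/app.xml", "ep:AppVersion"),
    "company": ("docProps/app.xml", "ep:Company"),
    "template": ("docProps/app.xml", "ep:Template"),
}


def extract_docx_metadata(data: bytes) -> dict:
    """Return the properties listed in FIELDS that are present in the OOXML file `data`."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = {}
        for name in ("docProps/core.xml", "docProps/app.xml"):
            if name in zf.namelist():          # either part may be absent in a stripped file
                parts[name] = ET.fromstring(zf.read(name))
        for key, (part, path) in FIELDS.items():
            root = parts.get(part)
            if root is None:
                continue
            el = root.find(path, NS)
            if el is not None and el.text:
                found[key] = el.text.strip()
    return found


# Constructed property parts: the author, company and version values are made up.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>jsmith</dc:creator>
<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2009-01-12T09:15:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2009-02-03T16:40:00Z</dcterms:modified>
</cp:coreProperties>"""

APP_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<AppVersion>12.0000</AppVersion>
<Company>Example Corp</Company>
<Template>Normal.dotm</Template>
</Properties>"""


def build_sample_docx() -> bytes:
    """Build a minimal constructed .docx containing only the property parts (no body text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{key:18s} {value}")
```

The AppVersion value 12.0000 is what Office 2007 writes, so from that single field an attacker already knows which generation of Word to target. Run against a directory of downloaded files, the creator and lastModifiedBy values become the author summary that MetaGooFil's report ends with.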

CeWL takes a different approach, spidering a Website to create a word list that can be used for password brute-forcing. It can also collect email addresses, authors, and user names from metadata found in Microsoft Office documents. Included with CeWL is a "Files Already Bagged" (FAB) tool that processes files already acquired.

Once collected, metadata can be used in many different attack techniques. Password brute-forcing is one of the most common: an attacker takes the word list created by CeWL and uses it against account names found in metadata. The account names can be found in the author field, in email addresses, and in file paths (e.g., C:\Documents and Settings\User007).
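The step from harvested metadata to a brute-force input is mechanical, and the added example below (not CeWL's or FAB's code) shows both halves: deriving account-name candidates from author, email and profile-path fields, and building a CeWL-style frequency-ordered word list from page text. The metadata records and page text are constructed, and the username patterns are common naming conventions, not something any particular site is known to use.

```python
"""Turn harvested metadata into login candidates and a CeWL-style word list (added example)."""
import re
from collections import Counter

# Constructed metadata records, shaped like what a harvester returns per downloaded file
HARVESTED = [
    {"creator": "John Smith", "last_modified_by": "jsmith",
     "path": r"C:\Documents and Settings\User007\My Documents\Q4 Forecast.doc"},
    {"creator": "Jane Doe", "email": "jane.doe@example.com",
     "path": r"C:\Users\jdoe\Desktop\Vendor Contract.docx"},
]

# Constructed page text standing in for what a spider would pull from the target's website
PAGE_TEXT = """Example Corp announces the Aurora platform. Aurora delivers secure
payments for Example Corp customers. Contact our Aurora team in Springfield."""

# Windows profile directory: the component after the profile root is the local user name
WIN_PROFILE = re.compile(r"^[A-Za-z]:\\(?:Documents and Settings|Users)\\([^\\]+)", re.I)


def username_candidates(record: dict) -> set:
    """Derive likely account names from the author, email and path fields of one record."""
    cands = set()
    for field in ("creator", "last_modified_by"):
        name = record.get(field, "").strip()
        if not name:
            continue
        parts = name.lower().split()
        if len(parts) >= 2:
            first, last = parts[0], parts[-1]
            # Assumed conventions: jsmith, johnsmith, john.smith, john_smith, smithj
            cands.update({first[0] + last, first + last, first + "." + last,
                          first + "_" + last, last + first[0]})
        else:
            cands.add(parts[0])               # already looks like a login name
    if "email" in record:
        cands.add(record["email"].split("@", 1)[0].lower())
    m = WIN_PROFILE.match(record.get("path", ""))
    if m:
        cands.add(m.group(1).lower())
    return cands


def cewl_wordlist(text: str, min_len: int = 5) -> list:
    """Words of at least min_len letters, most frequent first, as CeWL orders its output."""
    words = re.findall(r"[A-Za-z][A-Za-z'-]*", text)
    counts = Counter(w for w in words if len(w) >= min_len)
    return [w for w, _ in counts.most_common()]


def build_attack_input(records, text):
    """Combine every record's candidates into one user list and build the word list."""
    users = set()
    for rec in records:
        users |= username_candidates(rec)
    return sorted(users), cewl_wordlist(text)


if __name__ == "__main__":
    users, words = build_attack_input(HARVESTED, PAGE_TEXT)
    print("users:", ", ".join(users))
    print("words:", ", ".join(words))
```

Note that the profile path alone yields a confirmed local account name (User007) with no guessing, which is why MetaGooFil's path summary matters; the word list is site-specific vocabulary (product names, office locations) that generic dictionaries miss.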

Metadata is also helpful in social engineering attacks. Knowing the five different authors of a document, an attacker can "drop names" over the phone to make his scheme seem more credible. Similarly, location information contained in photos can be mentioned, making the calls seem more legitimate.

Spear-phishing email could target all of the authors who worked on one particular document. Knowing which version of software was used to create the file, an attacker could also email client-side exploits to individuals who use particularly vulnerable versions of Microsoft Word or PowerPoint.

Metadata can also help with physical theft. For example, users may post images to Flickr or Twitter from a phone that enables geotagging. That information can give attackers the location of a target's home or business, and where he is likely to be on a daily basis. Similarly, the first three bytes of a MAC address identify the network adapter's manufacturer and so hint at the type of hardware used, making it easier to identify mobile workers who are likely to have laptops kept in places where they might be easy to steal.
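Reading the geotag out of a photo takes nothing more than walking the EXIF structure. The added example below (not from any tool the article mentions) parses the APP1 segment of a JPEG, follows the GPSInfo pointer from the first image directory to the GPS directory and converts the degree/minute/second rationals into signed decimal coordinates. The JPEG is constructed inside the block (an EXIF header with no image data) and the coordinates it carries are chosen arbitrarily for the demonstration.

```python
"""Pull GPS coordinates out of a JPEG's EXIF block (added example, standard library only)."""
import struct

GPS_INFO_TAG = 0x8825           # IFD0 entry pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS IFD tags


def _find_exif(jpeg: bytes):
    """Walk JPEG segments; return the TIFF blob inside the APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])   # length includes itself
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + length]
        if marker in (0xFFDA, 0xFFD9):      # start of scan / end of image: no EXIF ahead
            break
        pos += 2 + length
    return None


def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, 4 raw value/offset bytes)} for the IFD at `offset`."""
    n, = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff: bytes, endian: str, raw: bytes, count: int) -> list:
    """RATIONAL values never fit inline; `raw` holds the offset of count (num, den) pairs."""
    off, = struct.unpack(endian + "I", raw)
    vals = []
    for i in range(count):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def _dms_to_decimal(dms: list, ref: str) -> float:
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec


def exif_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees, or None if the image carries no GPS data."""
    tiff = _find_exif(jpeg)
    if tiff is None:
        return None
    endian = ">" if tiff[:2] == b"MM" else "<"       # byte order declared by the TIFF header
    ifd0_off, = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps_off, = struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, endian)
    try:
        lat = _rationals(tiff, endian, gps[LAT][2], 3)
        lon = _rationals(tiff, endian, gps[LON][2], 3)
        lat_ref = gps[LAT_REF][2][:1].decode()
        lon_ref = gps[LON_REF][2][:1].decode()
    except KeyError:                                  # partial GPS IFD (e.g. altitude only)
        return None
    return _dms_to_decimal(lat, lat_ref), _dms_to_decimal(lon, lon_ref)


def build_sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, an APP1 EXIF segment with only a GPS IFD, then EOI."""
    E = ">"                                           # big-endian ("MM") TIFF
    ifd0 = struct.pack(E + "H", 1) + struct.pack(E + "HHII", GPS_INFO_TAG, 4, 1, 26) + struct.pack(E + "I", 0)
    gps = struct.pack(E + "H", 4)
    gps += struct.pack(E + "HHI", LAT_REF, 2, 2) + b"N\x00\x00\x00"    # ASCII fits inline
    gps += struct.pack(E + "HHII", LAT, 5, 3, 80)                       # RATIONAL x3 at offset 80
    gps += struct.pack(E + "HHI", LON_REF, 2, 2) + b"W\x00\x00\x00"
    gps += struct.pack(E + "HHII", LON, 5, 3, 104)
    gps += struct.pack(E + "I", 0)
    lat = struct.pack(E + "IIIIII", 38, 1, 53, 1, 2300, 100)          # 38 deg 53' 23.00"
    lon = struct.pack(E + "IIIIII", 77, 1, 0, 1, 3200, 100)           # 77 deg 0' 32.00"
    tiff = b"MM\x00\x2a" + struct.pack(E + "I", 8) + ifd0 + gps + lat + lon
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(E + "H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    print(exif_gps(build_sample_jpeg()))
```

Offsets inside a TIFF block are relative to the start of the TIFF header, not the file, which is the detail that trips up hand-written parsers; the same walk, extended to IFD0's own tags, also yields the camera make, model and software fields that identify the device.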

Metadata is commonly overlooked in corporate security defenses, but it can lead to disastrous results if used by a knowledgeable attacker. If you want to know more, read Larry Pesce's excellent GCIH certification paper, "Document Metadata, The Silent Killer." It's a great read for anyone who wants to learn more about the dangers of metadata.

In our next Tech Insight, we'll look at how you can build defenses that limit an attacker's ability to collect and use metadata.
