Protection against FOCA
by Aung Khant, http://yehg.net
======================================================

Download first
FOCA Tool: http://www.informatica64.com/downloadfoca/

Vulnerability:
=================

Even though the FOCA tool, an excellent meta-data extraction and analysis tool, has been out for some time, nobody seems to care about their leaked information, such as

- the software used to create their documents (PDF)
- their Operating System users
- their network shares

Threats:
=============

Vector:
- network shares
And how we exploit:
- this allows attackers to draw an internal network diagram based on the shares that leak internal IP or internal hostname information

Vector:
- the software used to create their documents (PDF, DOC)
And how we exploit:
- this allows attackers to (re)search for RCE (remote code execution) vulnerabilities in such software
- this allows attackers to gather additional information, such as the Operating System, leaked via software strings like doPDF ver 6.0 build 224(Windows Server 2003 x64)

Vector:
- their Operating System users
And how we exploit:
- social engineering attack - attackers will start from the weakest users, such as the help desk
- account compromise - attackers will look for any login interfaces over SMTP or HTTP, such as Outlook web mail login or SSL VPN login, or possibly any protocol login, to crack users with weak passwords. Successful compromise will lead to compromise of corporate data if there is no enforcement of a strict password policy.
- we, penetration testers, take advantage of this in our internal penetration tests because we have already collected good footprinting data on their internal networks and their users
- ...etc

Solutions
=================

For enterprise:
http://www.metashieldprotector.com/

For SMEs:
Use a dedicated Virtual Machine with document compression software (Nice PDF Compressor, FILEminimizer, PowerShrink, ...etc)

But wait, your documents have already been cached by proxy servers, ISPs, ...etc.
Then, use a server-side approach to prevent caching, like:
http://munckfish.net/blog/archive/2006/10/27/prevent-caching-of-static-content-using-apache-config/

Keywords: how to protect meta-data leakage, meta-data protection, meta-data leakage
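
A pre-publication check for the leaks listed under Vulnerability and Threats, as an added example (not part of the original advisory and not FOCA's code): it reads the uncompressed Info dictionary of a PDF and reports the software string, user name, share paths and internal IPs that a reader of the file could recover. The sample bytes, the user name and the address are constructed; the Producer string is the one quoted above. Files that keep metadata in compressed streams or XMP need a full PDF parser instead.

```python
import re

# Literal-string entries of the PDF Info dictionary, allowing escaped
# characters and one level of nested parentheses inside the value.
FIELD_RE = re.compile(
    rb"/(Title|Author|Creator|Producer)\s*"
    rb"\(((?:\\.|[^\\()]|\((?:\\.|[^\\()])*\))*)\)", re.S)
UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")  # \\host\share
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")


def audit_pdf(data: bytes) -> dict:
    """Return the metadata a reader of the published file could recover."""
    fields = {}
    for key, raw in FIELD_RE.findall(data):
        # Undo the PDF escapes for backslash and parentheses only.
        value = re.sub(rb"\\([\\()])", rb"\1", raw)
        fields[key.decode()] = value.decode("latin-1")
    text = "\n".join(fields.values())
    return {
        "fields": fields,
        "unc_paths": sorted(set(UNC_RE.findall(text))),
        "internal_ips": sorted(set(PRIVATE_IP_RE.findall(text))),
    }


def is_clean(data: bytes) -> bool:
    """True when none of the audited fields survive in the file."""
    return not audit_pdf(data)["fields"]


# Constructed sample: the Info dictionary of an unscrubbed export.
# The user name, address and share name are made up.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< "
          b"/Title (\\\\\\\\10.20.30.40\\\\finance\\\\q3.doc) "
          b"/Author (helpdesk01) "
          b"/Producer (doPDF ver 6.0 build 224(Windows Server 2003 x64)) "
          b">>\nendobj\n")

if __name__ == "__main__":
    for name, found in audit_pdf(SAMPLE).items():
        print(name, found)
```

Run it on the output of the scrubbing step, not on the source document, and block publication while is_clean() returns False.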