Data Leakage: Protection against FOCA

FOCA Tool: http://www.informatica64.com/downloadfoca/  




Vulnerability:
Even though FOCA, an excellent metadata extraction and analysis tool, has been out for a while, only a few organizations care about the information their documents leak, such as:
- the software used to create their documents (PDF)
- their operating system users
- their network shares

Threats:

Vector: network shares
And how we exploit:
- this allows attackers to draw an internal network diagram based on the shares that leak internal IP or internal hostname information

Vector: software used to create their documents (PDF, DOC)
And how we exploit:
- this allows attackers to (re)search for RCE (remote code execution) vulnerabilities in such software
- this allows attackers to add additional information, like the operating system leaked via software strings such as doPDF ver 6.0 build 224 (Windows Server 2003 x64)

Vector: their Operating System users
And how we exploit:

- social engineering attack
  - attackers will start with the weakest users, such as the help desk
- account compromise
  - attackers will look for any login pages and services over SMTP or HTTP, such as Outlook web mail login, SSL VPN login, or possibly any protocol login, to crack users with weak passwords. A successful compromise will lead to compromise of corporate data if a strict password policy is not enforced.
- we, penetration testers, take advantage of this in our internal penetration tests because we have already collected good footprinting of their internal networks and their users

Solutions

For enterprises:
http://www.metashieldprotector.com/

For SMEs:
Use a dedicated virtual machine with document compression software (Nice PDF Compressor, FILEminimizer, PowerShrink, etc.).

Last but not least:
Your documents might already have been cached by proxy servers, ISPs, etc. Then, use a server-side approach to prevent caching, like:
http://munckfish.net/blog/archive/2006/10/27/prevent-caching-of-static-content-using-apache-config/
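
A pre-publication check for the three leak vectors above, as an added example that is not part of the original post or of FOCA: it opens a .docx package (OOXML is used here because the Python standard library can read it; PDF is not covered) and reports user names, authoring software, and internal share or IP references. The function names and the sample document are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Internal locations: UNC paths (\\host\share) and RFC 1918 addresses.
UNC = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
PRIVATE_IP = re.compile(r"\b(?:10\.\d+|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d+){2}\b")
FIELDS = {"creator": "users", "lastModifiedBy": "users",  # docProps elements
          "Application": "software", "AppVersion": "software"}


def audit_docx(data: bytes) -> dict:
    """Collect metadata in a .docx that reveals users, software or shares."""
    found = {"users": set(), "software": set(), "shares": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            raw = pkg.read(name)
            text = raw.decode("utf-8", "replace")
            found["shares"].update(UNC.findall(text), PRIVATE_IP.findall(text))
            if name.startswith("docProps/") and name.endswith(".xml"):
                for el in ET.fromstring(raw).iter():
                    kind = FIELDS.get(el.tag.rsplit("}", 1)[-1])  # drop namespace
                    if kind and el.text and el.text.strip():
                        found[kind].add(el.text.strip())
    return found


def build_sample() -> bytes:
    """Constructed, minimal .docx holding only the parts the audit reads."""
    ns = "http://schemas.openxmlformats.org/"
    parts = {
        "docProps/core.xml":
            f'<cp:coreProperties xmlns:cp="{ns}package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>jsmith</dc:creator>'
            '<cp:lastModifiedBy>helpdesk01</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml":
            f'<Properties xmlns="{ns}officeDocument/2006/extended-properties">'
            '<Application>Microsoft Office Word</Application>'
            '<AppVersion>12.0000</AppVersion></Properties>',
        "word/_rels/settings.xml.rels":
            f'<Relationships xmlns="{ns}package/2006/relationships">'
            r'<Relationship Id="rId1" Target="file:///\\fs01\templates\x.dotx"/>'
            '<Relationship Id="rId2" Target="http://10.20.30.40/wiki"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()
```

Running `audit_docx` over every file in the publishing queue and blocking on any non-empty set gives a gate that works whichever cleaning tool is used afterwards.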
