Meta Data and a PDF Self-Pwn
2021-02-04 | 6 min read
Pwn: verb, informal (especially in video gaming) utterly defeat (an opponent or rival); completely get the better of. "I can't wait to pwn some noobs in this game" – Oxford Languages
These days few things are more important than data. Organizations spend fortunes securing the ones and zeros that make up their crown jewels. Nation-states have entire industries devoted to the protection of their own data and the acquisition of data belonging to others. It isn’t just limited to companies and countries either – plenty of individuals obsess over privacy but in all too many cases all these efforts can be undone with just a little meta data.
Recently the European Commission inadvertently shared some information regarding its contract with a large pharmaceutical company that it did not intend to. They released a heavily redacted version of a contract, with the redactions intended to hide sensitive information. In this case they were trying to conceal aspects of an agreement that would potentially deny or delay now Brexit-ed UK access to vaccine produced in the EU, giving instead priority access to EU countries despite prior contractual agreements to the contrary.
This sensitive information, while removed from the main content of the doc, remained visible in the PDF Reader bookmarks tab. More detail via El Reg.
Not the first time something like this has happened and not the last. It is not just PDFs, but also other types of docs including Word and Powerpoint that can reveal things you may not intend to reveal. Ever get a new boss who rolls out a bunch of new initiatives only to find via meta data checks on the documentation that these fantastic plans are from a prior employer?
It isn’t just documents though. Social media and images can be problematic as well. Back when casual travel for tourism was still a thing, I advised would be social (over) sharers to post about their trips and vacations in the past tense, after they got back from whatever exotic locale they visited. Why? Because you probably don’t want to let the bad guys know that you are out of town and that those Christmas present unwrapping pics are good indicators to bad people where they might be able to pick up that new Xbox or Peloton or whatever.
Even though some social platforms will scrub geolocation data from posts or blow away EXIF data from images, not all of them do so. As an example, Parler, a platform similar to Twitter, not only didn’t scrub video and jpgs in any way but also was set up in such a way that crawling the site for content was very easy. This has created a situation of considerable exposure for a large number of people who were engaged in career limiting or potentially legally problematic activity posted on that site. Similarly there are popular platforms like Instagram which allow you to enable access to GPS such that your posts get geotagged. While useful for Instragramers looking to build their follower base and perhaps more importantly useful for those looking to mine data, this meta data has lead to the downfall of at least one congressman.
So the conclusion here would be that while you can build the most imposing infosec fortress imaginable with MFA and everything patched and updated and all best practices followed and so on, in the end one of the most important, and hardest to control parts of the overall system is the human component and that is the one most vulnerable to both intended and unintended exposure.
Speaking of the human factor – security and performance testing with CyPerf can help you ensure that everything has turned out as well – and as secure, as expected. Validate SD-WAN and cloud migration, find undocumented “features” from your provider like traffic shaping/throttling that may be impacting your network – and much much more.
Of course, while on the topic of the human factor and in particular human error, I can't help but mention that one of the more serious modes of exposure in an infosec type of environment is misconfiguration, which is where Threat Simulator comes in, allowing you to find, and with easy to follow steps, fix, common misconfigurations and other security problems leading to risk, vulnerabilty and exposure.
Learn more about Threat Simulator.