Heartbleed plugin, ready for FaasT

Florence Broderick    10 April, 2014
There is a lot of good information about Heartbleed out there, and little more to add. It is an extremely serious vulnerability that has shaken the internet from the bottom up. Known as Heartbleed, CVE-2014-0160 affects several versions of OpenSSL, from 1.0.1 to 1.0.1f and 1.0.2-beta1. It is fixed in version 1.0.1g.

Although the media talked about 66% of affected sites, that figure actually corresponds to the Apache and nginx market share. Not all of them use OpenSSL, and not all of those using it would be vulnerable. The problem has already been fixed in our Latch servers. By the way, we have renewed our certificates for the API connection. If you as a customer were doing a certificate check on your side, you must update it with the new ones released yesterday.

What can happen to me?
If a vulnerable version of OpenSSL is used, potentially any user could access a chunk of OpenSSL's memory. This means that whatever is in memory at that moment may be extracted by an attacker in a “clean”, easy and remote way. In other words, if this extracted memory chunk contains users, passwords or session cookies, or even the private key for that server (something that depends on probability and on “brute force”)… this information would be exposed. Since an attacker may connect as many times as necessary, it is serious indeed. So the one attacked is not only the server, but also its users, accounts, etc. Depending on how SSL is configured, conversations between server and client could even be retrospectively decrypted.

There are lots of proof-of-concept scripts that allow, with just a click, attacking vulnerable servers and, as a collateral effect, their users.

FaasT and Heartbleed
The FaasT team has been at it for the last two days, adapting and creating the code that checks whether websites are indeed vulnerable. We already have this feature in our tool, as a plugin. FaasT tests the vulnerability against whatever OpenSSL is in use, even if its version claims to be safe.

Heartbleed real-time detection, shown in the FaasT vulnerabilities list

FaasT's features include a way to show, as a picture, the evidence of a vulnerability exploited in a target. The evidence is shown both in the scanning report (in PDF) and in the web interface.

Example of evidence with FaasT

How to implement the OAuth protocol in PowerShell (an example with Latch)

Florence Broderick    9 April, 2014

Latch already has lots of SDKs and plugins, so you can implement it in different languages or use it with your favorite CMS. There is even an “unofficial” bash implementation. But you may want to experiment with Latch and some PowerShell scripting. Since Latch uses an OAuth-like technique to authenticate, you may use this code to implement any other OAuth protocol in PowerShell with minor changes.

Different SDKs and plugins developed so far

The best way to deal with this is to create a PowerShell module that exports some functions. Creating a module is easy: just use your editor of choice and write down the functions you need. You will need a Latch account; remember this is as easy as:

  • Register for free here to get a Latch account in a couple of minutes. Register as a developer.
  • Create your account so you get your Secret and AppId.
  • Download the app for your smartphone: it is available for Android, iOS, Windows Phone and Firefox OS.

Coding

We will create some functions so we can interact with the official API. First of all, the constants:

Set-Variable API_HOST -option Constant -value "https://latch.elevenpaths.com";
Set-Variable API_CHECK_STATUS_URL -option Constant -value "/api/0.6/status";
Set-Variable API_PAIR_URL -option Constant -value "/api/0.6/pair";
Set-Variable API_UNPAIR_URL -option Constant -value "/api/0.6/unpair";

This will be the core function the other ones rely on. It takes a URL, the AppId and the Secret and returns the result (the code is simplified):

function AuthenticationHeaders{
    param(
        [string] $url,
        [string] $applicationId,
        [string] $secretkey
    )

    # String to sign: HTTP method, request date, an empty line (no extra
    # signed headers) and the URL path, separated by newlines.
    $requestSignature = "GET`n"

    # The API checks this timestamp against its own UTC clock, so build it in
    # UTC as "yyyy-MM-dd HH:mm:ss" (the same shape as Get-Date -format u
    # without the trailing "Z", but not the local time that Get-Date returns).
    $date = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss")

    $requestSignature += $date + "`n`n" + $url

    # HMAC-SHA1 over the string to sign, keyed with the application Secret,
    # then base64 encoded for the Authorization header.
    $sha = New-Object System.Security.Cryptography.HMACSHA1
    $sha.Key = [Text.Encoding]::ASCII.GetBytes($secretkey)
    $seedBytes = [Text.Encoding]::ASCII.GetBytes($requestSignature)
    $digest = $sha.ComputeHash($seedBytes)
    $base64Encoded = [Convert]::ToBase64String($digest)

    $wc = New-Object System.Net.WebClient
    $wc.Headers.Add("Authorization", "11PATHS " + "$($applicationId) $($base64Encoded)")
    $wc.Headers.Add("X-11Paths-Date", $date)
    Try
    {
        $result = $wc.DownloadString($API_HOST + $url)
    }
    Catch
    {
        # Report the failure and return nothing instead of breaking out of
        # the caller's scope.
        Write-Error $_.Exception.Message
        return $null
    }
    return $result
}
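As an added example (not code from the post), here is the same 11PATHS signing scheme in Python together with the check a server would perform on the other side: recompute the HMAC, compare in constant time and reject stale timestamps. The five-minute skew window, the UTC timestamp and the sample credentials are assumptions, not taken from the post.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional

API_HOST = "https://latch.elevenpaths.com"
API_CHECK_STATUS_URL = "/api/0.6/status"
AUTH_SCHEME = "11PATHS"
# Same shape as the post's Get-Date -format u with the trailing "Z" removed.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"
# Assumption: how much clock skew the verifying side tolerates.
MAX_SKEW = timedelta(minutes=5)
# Constructed sample credentials and a fixed "now" so the output is reproducible.
SAMPLE_APP_ID = "exampleAppId0000"
SAMPLE_SECRET = "exampleSecret000000000000000"
SAMPLE_TIME = datetime(2014, 4, 9, 10, 0, 0, tzinfo=timezone.utc)


def string_to_sign(method: str, date: str, url: str) -> str:
    """Canonical request: METHOD, date, an empty line (no extra signed headers), URL path."""
    return f"{method.upper()}\n{date}\n\n{url}"


def sign(method: str, date: str, url: str, secret: str) -> str:
    """Base64(HMAC-SHA1(secret, string_to_sign)), what the PowerShell function computes."""
    mac = hmac.new(secret.encode("ascii"),
                   string_to_sign(method, date, url).encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def auth_headers(app_id: str, secret: str, url: str, method: str = "GET",
                 now: Optional[datetime] = None) -> dict:
    """Client side: the two headers the post adds to the WebClient request."""
    date = (now or datetime.now(timezone.utc)).strftime(DATE_FORMAT)
    return {
        "Authorization": f"{AUTH_SCHEME} {app_id} {sign(method, date, url, secret)}",
        "X-11Paths-Date": date,
    }


def verify_request(headers: dict, method: str, url: str, secrets_by_app: dict, now: datetime):
    """Server side: reject malformed headers, unknown applications and timestamps outside
    the skew window, then recompute the signature and compare it in constant time."""
    try:
        scheme, app_id, presented = headers["Authorization"].split(" ")
        date = headers["X-11Paths-Date"]
        sent_at = datetime.strptime(date, DATE_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "malformed request"
    if scheme != AUTH_SCHEME:
        return False, "unknown scheme"
    secret = secrets_by_app.get(app_id)
    if secret is None:
        return False, "unknown application"
    if abs(now - sent_at) > MAX_SKEW:
        return False, "stale request"
    if not hmac.compare_digest(sign(method, date, url, secret), presented):
        return False, "bad signature"
    return True, "ok"


def demo() -> list:
    """Walk through a good request and three ways the verifier rejects it."""
    url = f"{API_CHECK_STATUS_URL}/constructedAccountId"
    registry = {SAMPLE_APP_ID: SAMPLE_SECRET}
    headers = auth_headers(SAMPLE_APP_ID, SAMPLE_SECRET, url, now=SAMPLE_TIME)
    return [
        verify_request(headers, "GET", url, registry, SAMPLE_TIME)[1],
        verify_request(headers, "GET", url + "/tampered", registry, SAMPLE_TIME)[1],
        verify_request(headers, "GET", url, {SAMPLE_APP_ID: "otherSecret"}, SAMPLE_TIME)[1],
        verify_request(headers, "GET", url, registry, SAMPLE_TIME + timedelta(hours=1))[1],
    ]


if __name__ == "__main__":
    print(demo())
```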


Now that you have the basics, the rest of the functionality is easier to achieve. For example, pairing an account is just this:

function Pair{
    param(
        $applicationId,
        $secretkey,
        $pairingCode
    )

    $url = "$($API_PAIR_URL)/$($pairingCode)"

    $result = AuthenticationHeaders $url $applicationId $secretkey
    return $result
}

That basically just calls AuthenticationHeaders with the right parameters.

To check the status of the account (one of the most important features) just use this, again relying on the main AuthenticationHeaders function:

function Status{
    param(
        $applicationId,
        $secretkey,
        $accountID
    )

    $url = "$($API_CHECK_STATUS_URL)/$($accountID)"

    $result = AuthenticationHeaders $url $applicationId $secretkey
    return $result
}

For unpairing:

function UnPair{
    param(
        $applicationId,
        $secretkey,
        $accountID
    )

    $url = "$($API_UNPAIR_URL)/$($accountID)"

    $result = AuthenticationHeaders $url $applicationId $secretkey
    return $result
}


How to use it

There is much more to do and more functions to implement, which are left as an exercise to the reader. To use this code, insert a line in the module with the functions you want to export, like:

Export-ModuleMember -Function Pair,UnPair,Status

Now you can install this module (just copying it to %UserProfile%\Documents\WindowsPowerShell\Modules, for example) and use it like this. If you named it Latch.ps1, it would be, for example:

$l = Import-Module Latch -AsCustomObject
$applicationId="bqwRxYXXXXXXX"
$secretkey="6O6zi6PDPnLzfVZcXXXXXXXXXXXXXXX"
$accountID="543ac56903aee2bc7fa40c88ed274e1XXXXXXXXXXXXXXX"

$l.Pair($applicationId,$secretkey,$args[0])
$l.Status($applicationId,$secretkey,$accountID)
$l.UnPair($applicationId,$secretkey,$accountID)

These commands return JSON you can parse, just as the specifications at https://latch.elevenpaths.com suggest.

An example of using these scripts for pairing, getting the status and unpairing

For another approach to this problem, the SDK for PowerShell, which will be available soon, may be used.

Latch Event Monitor: New tool to integrate Latch with Windows Events

Florence Broderick    27 March, 2014

Latch Event Monitor is a tool that monitors Windows events and gives the user the possibility of tracking Windows logs in a very granular way, reacting according to a preconfigured Latch response.

This means that Latch Event Monitor asks the Latch servers what to do when a certain event is generated on a Windows machine. So the administrator has a tool to react to events, and to modify the behavior and the scripts launched in any way, at any moment, just by sliding a bar on his mobile device.
How it works

Latch Event Monitor works as a service and has a GUI to configure it. That means it keeps working and monitoring logs even when no user is logged in. The service constantly monitors any event with the characteristics given by the user. When one occurs, it asks the Latch servers and reacts in the way the user has configured.
It may also be used as an alerting system, with no action associated to an event: if the event occurs, a blocking message is sent by Latch to the mobile device, but no action is taken.

Latch Event Monitor with some configured rules

How to install it
No special instructions. Just accept the license and choose the path. If, for the sake of security, you do not want the service to run as SYSTEM, you may change it to whatever account you wish, as long as it has the privileges to run as a service and network access. More about how to achieve this in the manual.

A config file is created in XML format. This file contains sensitive information, so take care with its permissions, especially on shared computers.

Pairing with Latch
First of all, a Latch account has to be set up with a pairing token. Go to Latch management and add the App ID and secret. A timeout is specified here: if the computer is not connected to a network or, for any other reason, cannot get a response from Latch within the specified time limit (0 milliseconds by default, which corresponds to no timeout), the “no response” action is applied.
How to add and configure an event
Each monitored event may have these fields:
  • Name (optional): Any name given to the event to be monitored. The name only serves to better identify the event in the list.
  • Log: The log tree source Windows uses to classify events; it is the same one you can find in eventvwr.msc. The success of your monitoring depends on this, so choose the source carefully. Keep in mind that some sources, such as “Security”, require more privileges, so make sure the account the service runs under has them. You have as many logs to choose from as Windows offers in eventvwr.msc.
  • Source (optional): The source of the event, as shown in eventvwr.msc.
  • Message: The text generated with an event goes through a matching system that can be used to discard or allow some events. If the configured string matches, the Latch query is launched. It is treated as a string, so “Starts with”, “Contains”… may be used to match.
  • Event ID: If the event ID matches, the event goes on to the message body string check.
  • Operation ID: The operation ID used in Latch.
  • Actions.Open (optional): If the Latch query responds with “on”, the process specified here is launched with the specified arguments (optional).
  • Actions.Closed (optional): If the Latch query responds with “off”, the process specified here is launched with the specified arguments (optional).
  • Actions.No response (optional): If the Latch query does not respond (because there is no connectivity, for instance, after the timeout declared in “Latch settings”), the process specified here is launched with the specified arguments (optional).
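As an added illustration (not the tool's source, which is C#), the Python below models how these fields are evaluated and how each Latch answer selects an action. The rule, the event data and the “Equals” mode are constructed assumptions; the Latch answers are simulated, so nothing talks to the network. It also shows the fail-closed choice of giving “No response” the same action as “Closed”.

```python
from dataclasses import dataclass
from typing import Optional

# Message filter modes the post names ("Starts with", "Contains"); "Equals" is an added assumption.
MATCHERS = {
    "Starts with": lambda text, needle: text.startswith(needle),
    "Contains": lambda text, needle: needle in text,
    "Equals": lambda text, needle: text == needle,
}


@dataclass(frozen=True)
class Event:
    """One Windows event as the monitor would see it (field names follow eventvwr.msc)."""
    log: str          # log tree, e.g. "Application", "Security"
    source: str       # provider name
    event_id: int
    message: str


@dataclass(frozen=True)
class Rule:
    """One configured row of Latch Event Monitor."""
    name: str
    log: str
    event_id: int
    operation_id: str                     # Latch operation whose on/off state is queried
    message_mode: str = "Contains"
    message_text: str = ""                # empty means: do not filter on the message
    source: Optional[str] = None          # optional, as in the tool
    on_open: Optional[str] = None         # process to run when Latch answers "on"
    on_closed: Optional[str] = None       # process to run when Latch answers "off"
    on_no_response: Optional[str] = None  # process to run when nothing arrives before the timeout


def matches(rule: Rule, ev: Event) -> bool:
    """Cheap fields first (log, Event ID, optional source); the message filter runs only after the ID matched."""
    if ev.log != rule.log or ev.event_id != rule.event_id:
        return False
    if rule.source is not None and ev.source != rule.source:
        return False
    if rule.message_text:
        return MATCHERS[rule.message_mode](ev.message, rule.message_text)
    return True


def action_for(rule: Rule, latch_status: Optional[str]) -> Optional[str]:
    """Map the Latch answer ("on", "off", or None for no response) to the configured process.
    None means alert-only: nothing is launched for that outcome."""
    if latch_status == "on":
        return rule.on_open
    if latch_status == "off":
        return rule.on_closed
    return rule.on_no_response


def demo() -> list:
    """Constructed VNC-style rule and events (source name, Event ID and addresses are made up)."""
    # Fail closed: when Latch does not answer in time the session is ended, exactly as for "off".
    rule = Rule(name="VNC connection", log="Application", event_id=4000,
                operation_id="constructedOpId", message_mode="Starts with",
                message_text="Connections: connected", source="ConstructedVNCServer",
                on_closed="kill_vnc_session.cmd", on_no_response="kill_vnc_session.cmd")
    events = [
        Event("Application", "ConstructedVNCServer", 4000, "Connections: connected 10.0.0.5"),
        Event("Application", "ConstructedVNCServer", 4000, "Connections: disconnected 10.0.0.5"),
        Event("Security", "ConstructedVNCServer", 4000, "Connections: connected 10.0.0.5"),
    ]
    matched = [matches(rule, ev) for ev in events]
    decisions = [action_for(rule, status) for status in ("on", "off", None)]
    return [matched, decisions]


if __name__ == "__main__":
    print(demo())
```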
Event details with VNC example

In a following post we will talk about some examples.

The tool is written in C# and may be freely downloaded from: http://elevenpaths.com/downloads/LatchEM-installer.exe
We encourage you to use it.

Kevin Ashton just asks companies to use the IoT

Beatriz Sanz Baños    19 March, 2014

Acknowledged as the creator of the expression “Internet of Things” and a precursor of a global standard system for Radio Frequency Identification (RFID), Kevin Ashton chatted with m2m Telefónica about the current situation of the IoT.

A restless critic (he created a fake Twitter profile with over 80 thousand followers to call into question the current methods for measuring influence), he refutes expressions like ‘2014, the year of the Internet of Things’: “I never know what that means. I think ‘the year of …’ is more journalism than reality. Things will progress. They always have. I am not sure we ever want a ‘year of…’. How about a ‘century of’?”, he stresses.

Nonetheless, this writer, co-founder of the MIT Auto-ID Center and currently President & CEO of Onnit, Inc., places less importance on the barriers to the development of these technologies and simply urges companies to be daring enough to use the Internet of Things.

By 2009, you were arguing that IoT is not just a “bar code on steroids” or a “way to speed up toll roads”. You said then the IoT has the potential to change the world. What aspects should change immediately in our work, homes and life?

Few things change immediately. We will have —we do have— more sensors for health, energy, supply chain; a little more automation.

Fourteen years after your first IoT presentation, we’ve made a lot of progress, but there are still some barriers. What do you think are the most important limitations to the spread of the IoT? How can we overcome the barriers?

I don’t see barriers, just questions we haven’t finished answering. The next research areas, in no particular order, are probably parasitic power, machine learning, user interfaces to big data.

How can we manage the privacy and security issues?

Privacy is really boring. Give people a choice. If you want the benefit, you have to capture the data. If you don’t want the benefit, that’s OK too. But you don’t get the benefit unless you capture the data. Security is really interesting. How do we make cheap sensors that don’t give data to anyone and everyone? We still don’t have a great, practical answer for that.

A lack of standards in the industry means most devices on IoT are using existing connection methods (Wi-Fi, Bluetooth and the like) to connect to one another. Is this enough? Are these methods a limitation?

For most things, existing wireless communications standards are fine, and the small benefit of developing something new is not worth the huge cost of developing something new.

You created a global standard system for RFID many years ago. Today, many objects on the IoT can’t share data with one another, and can only be controlled from a single app or website. What is needed to develop these standards, this “universal glue to bind all the ‘things’ in Internet of Things to each other and to the cloud”?

Standards happen. Big rooms full of standards wonks are a last resort. The most important thing is open data access. If you can authorize anyone you want to access your data, and it is not unnecessarily complicated to get it and use it, the rest takes care of itself.

Do you think Google will play a role in establishing these standards? (taking into account its acquisition of Nest and the fact that its Android operating system is already powering most of the smart connected devices)

Is Android powering most smart devices? I am not sure that is true. It’s a cell phone standard, really. I think Google will play a huge role in the big data side of things. They excel at that; there is no other company that even comes close. In fact, I think they may be the only current player that will survive the shift to the Internet of Things. Most of the others are hopeless. I met senior people from Apple recently and they had no idea at all. Worse, they had no idea they had no idea. So, ten to twenty years from now, Google will still be standing, although not because of standards, but because Brin and Page are so smart. Apple, Microsoft, Dell, Cisco, Facebook, all those guys will either be gone or making money from their past. They are living the wrong paradigms.

You got interested in using RFID to help manage P&G’s supply chain. Now you are interested in clean-tech. Can the IoT combine all these things: process optimization, higher productivity, energy efficiency…?

Yep. IOT is about the physical world. Atoms, molecules, and electrons. Everything that’s not MP3s and cat videos, basically. (See comments above about Apple, Facebook.)

What should companies be doing today with IoT?

Using it. Even when it is not perfect. I see so many companies huddled around PowerPoint slides talking. They should do something instead. PowerPoint is procrastination. Procrastination is fear.

Eleven Paths on "Digital Futures" video series

AI of Things    6 March, 2014
Telefónica Digital produces a video series called Digital Futures, publicly available at http://youtube.com/telefonicadigital. In the latest episode, some relevant people from the world of security give us some insights. The episode features our very own Jose Palazón, from Eleven Paths.
In this episode of Digital Futures, they have quizzed an ethical hacker, a top researcher, a cyber forensics pro and a security guru on the trends in hacking and cyber security that we all need to look out for, both as a business and as a consumer. The video is in English with Spanish subtitles.
This is a special longer version on cyber security, featuring relevant people like David Day (senior lecturer and consultant in information security and forensics at Sheffield Hallam University), Edward Lucas (senior editor at The Economist and author of The Snowden Operation: Inside the West’s Greatest Intelligence Disaster) and Tim Holman (CEO at 2-sec and president of ISSA-UK). And of course, Jose Palazón, responsible for Latch working properly.

New tool: GmtCheck. Where does this Android App or applet come from?

Florence Broderick    10 February, 2014

There are millions of malicious applets (JAR files) and Android apps (APK files) out there. Have you ever wondered where they come from? Which country? Or at least, which time zone? In forensics, it may be interesting to check whether a malicious app was made in Russia, Brazil, China, India or the United States. Let’s see how.

The files inside the ZIP files
APKs (Android apps) and applets (Java programs) share the same format: a variation of a zip file. This means they share most of the PKZIP specification. When you zip a file, the “modification time” attribute of each file is stored inside the zip. If you want to check, just open a zip file with any unzip tool.
The way zip files store file times is quite funny, and we will talk about it in some other post. The interesting part is that the time stored is the date and hour of the system they are compiled on. There are also files created at compile time that carry the system time. So the creator’s system time is stored in files like the manifest (.mf) and some others. But no “offset” is stored with it, so from this data alone we can’t tell the APK or JAR creator’s time zone. A file inside the zip modified or created at 23:45 means nothing by itself: 23:45 in which country?
Modification time in files inside an APK

Signed files and certificates
Some applets are signed so they can escape the Java sandbox and attack users. APK files are always signed, because Google Play and Android require it. When they are signed, a certificate is added inside the zip. This certificate is a PKCS structure in the META-INF folder; inside there is an RSA or DSA file (among others). Certificates may be self-signed. This is free, and attackers do not have to prove to anyone who they are.

Attackers and certificates
Certificate date… “Valid from…”
Attackers hate CA-signed certificates, but they love (and have to use) self-signed certificates, because they are disposable. They can create a self-signed certificate ad hoc for an app and never use it again. For example, Eclipse and other platforms help you create an ad-hoc certificate when compiling an APK file, as a last step before uploading it to Google Play.
Certificates store the date when they were created in a field, and here is the trick: they store it in UTC, no matter what the system time is. Here is a certificate’s creation date and time in UTC in “YYMMDDHHMMSSZ” format. The last Z corresponds to “Zulu time”, which is UTC or, practically, the GMT+0 time zone.
ASN.1 view of a certificate date
As a funny thing, if the certificate contains a date beyond 2049, it uses the GeneralizedTime format, which is basically the same but with a four-digit year: YYYYMMDDHHMMSSZ.

Putting it all together
So we have the creator’s system time and the GMT+0 time. We just have to assume the files and the certificate were created at almost the same time, do the math and calculate the time zone offset.
If a manifest or signature file is created at system time 16:00, Jan 1st 2014, and the certificate’s UTC time is 15:00, Jan 1st 2014, then, assuming they were created at the exact same moment… we can say (unless the attacker changed the system time) that the attacker lives in GMT+1.
ZIP file time against UTC time gives the offset and thus the time zone (map from timeanddate.com)
The tool that makes it all for you
We have created a tool that does all this for you. It just reads a .jar file (APK or applet) and, if signed:
* Tries to extract the UTC time from the certificate.
* Tries to read the modification time of the last file created (usually the signature file under the META-INF folder).
* Does the math and tells you which time zone the developer lives in, assuming certificate creation and compilation were done at the very same moment.
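The computation described in “Putting it all together” and in the three steps above, written out as an added Python example (it is not the GmtCheck tool’s own code). Reading the certificate time is a heuristic scan for the first DER UTCTime or GeneralizedTime in the signature block; the sample archive is constructed in memory and its “certificate” is a fake blob carrying only the two time fields, not a real signature.

```python
import io
import re
import zipfile
from datetime import datetime, timedelta, timezone

# DER encodings of the two X.509 time types the post describes:
#   UTCTime         = tag 0x17, length 13, "YYMMDDHHMMSSZ"
#   GeneralizedTime = tag 0x18, length 15, "YYYYMMDDHHMMSSZ" (used for years from 2050 on)
UTCTIME_RE = re.compile(rb"\x17\x0d(\d{12}Z)")
GENTIME_RE = re.compile(rb"\x18\x0f(\d{14}Z)")


def first_cert_time(der: bytes) -> datetime:
    """Heuristic: the first time value in the PKCS#7 block is the signer certificate's
    notBefore ("Valid from"), stored in UTC regardless of the build machine's clock."""
    hits = []
    m = UTCTIME_RE.search(der)
    if m:
        text = m.group(1).decode("ascii")
        yy = int(text[:2])
        century = 1900 if yy >= 50 else 2000      # X.509 two-digit year rule for UTCTime
        hits.append((m.start(), f"{century + yy}{text[2:]}"))
    g = GENTIME_RE.search(der)
    if g:
        hits.append((g.start(), g.group(1).decode("ascii")))
    if not hits:
        raise ValueError("no ASN.1 time found in the signature block")
    text = min(hits)[1]                            # whichever time comes first in the blob
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def newest_local_time(zf: zipfile.ZipFile) -> datetime:
    """Latest DOS modification stamp in the archive: the build machine's local time, no offset."""
    return max(datetime(*info.date_time) for info in zf.infolist())


def estimate_offset_hours(apk_bytes: bytes) -> float:
    """Local build time minus certificate UTC time, rounded to the nearest quarter hour."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA"))]
        if not blocks:
            raise ValueError("archive is not signed")
        cert_utc = first_cert_time(zf.read(blocks[0]))
        # The zip stamp is naive; label it UTC only so the two values can be subtracted.
        local = newest_local_time(zf).replace(tzinfo=timezone.utc)
    delta = local - cert_utc
    # Signing and zipping are only roughly simultaneous and DOS stamps have 2 s resolution,
    # so snap to the quarter-hour grid that every real zone offset falls on.
    return round(delta.total_seconds() / 900) / 4


def build_sample_apk(local_build: datetime, not_before_utc: datetime) -> bytes:
    """Constructed stand-in for a signed APK: META-INF entries stamped with the builder's local
    clock plus a fake signature block holding a DER notBefore/notAfter pair. Not a real certificate."""
    not_after = not_before_utc + timedelta(days=25 * 365)
    der = (b"\x30\x82\x01\x00"
           + b"\x17\x0d" + not_before_utc.strftime("%y%m%d%H%M%SZ").encode("ascii")
           + b"\x17\x0d" + not_after.strftime("%y%m%d%H%M%SZ").encode("ascii")
           + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                              ("META-INF/CERT.SF", b"Signature-Version: 1.0\n"),
                              ("META-INF/CERT.RSA", der)):
            zf.writestr(zipfile.ZipInfo(name, date_time=local_build.timetuple()[:6]), payload)
    return buf.getvalue()


def demo() -> tuple:
    """The post's worked case (16:00 local vs 15:00 UTC -> GMT+1), plus a GMT-5 and a GMT+5:30 sample."""
    cert_utc = datetime(2014, 1, 1, 15, 0, 0, tzinfo=timezone.utc)
    return tuple(estimate_offset_hours(build_sample_apk(datetime(2014, 1, 1, h, m, 0), cert_utc))
                 for h, m in ((16, 0), (10, 0), (20, 30)))


if __name__ == "__main__":
    print(demo())
```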

Here are some examples:

A fraudulent app from Spain

Malware from U.S.A

Fake app from Hong Kong

This APK is a fake of an Indian app, Teen Patti poker

The tool is available in Python and as a compiled C# .NET version. Both may be downloaded from http://elevenpaths.com/downloads/gmtcheck.zip


We encourage you to use it.

Sergio de los Santos

Detailed guides for Latch installation in WordPress, Joomla, Drupal, PrestaShop and RoundCube

Florence Broderick    5 February, 2014

We are working hard at Eleven Paths for the next Mobile World Congress in Barcelona, in late February. We have updated our official apps for Android, iPhone and Windows Phone with new features, languages and much more to come. But right now, we really want you, as an administrator, to try Latch on your website, CMS, platform or webmail system. We have written some detailed guides for administrators, so you can see how easy Latch is to install.

Right now, we have plugins (linked to their GitHub repositories) for: WordPress, Joomla, Redmine, PrestaShop, Drupal 6 & 7, .Net Log in, OpenVPN, SSH, RoundCube, SquirrelMail, Moodle

And we are preparing step-by-step guides for all of them, so you as an administrator can offer Latch to your users and protect them. Here they are, uploaded to SlideShare, but you can download them if you want. More to come soon!


Latch installation guide for WordPress from elevenpaths
Latch installation guide for Roundcube from elevenpaths
Latch installation guide for PrestaShop from elevenpaths
Latch installation guide for Joomla from elevenpaths
Latch installation guide for Drupal 7 from elevenpaths
Latch installation guide for Drupal 6 from elevenpaths

Information leakages found in Google and Yahoo! (found with FaasT)

Florence Broderick    3 February, 2014
A few weeks ago, Manuel Fernández, developer and security auditor at Eleven Paths, found some .DS_Store files served from some Google URLs while testing FaasT. Google rewarded the discovery with a mention in its Hall of Fame. We also found some files with certain sensitive information on Yahoo! servers, but they never answered our call. What exactly did we find, and was it important?
We already know that when a company or pentesting team runs a pentest, every available detail matters. The way they are all put together makes the difference between a very successful test and a moderate one.

During our tests with FaasT (to check whether it could find something else in very exposed web pages like google.com, Yahoo!, apple.com…) we found some interesting data.

Google.es with DS_Store available on their servers

Thanks to FaasT, we found lots of .DS_Store files on the search engine’s servers. A .DS_Store file may contain internal paths from the system of the user maintaining the site, dates, and new URLs that may help going further with the pentest.

FaasT identifies this kind of mistake and shows it in detail in its web interface. Persistent pentesting allows detecting, among many other things, configuration mistakes that lower the security level, give feedback for the pentest and open new ways… so adding up all these details strengthens and completes the test.
When this leakage was detected in Google, we ran the .DS_Store plugin in FaasT against the URL where the files were detected, and got an interesting list of new resources from them. The figure below shows an example of how FaasT displays the elements found inside a .DS_Store file exposed at a URL. In this case it is applied to our own domain demofaast.elevenpaths.com, where new paths to PNG files can be found inside the .DS_Store file.
Example of how internal information inside a .DS_Store file is shown in the FaasT interface

When analyzing Google’s .DS_Store files, we got the following information:

  • More than 40 new paths, storing data about Google GSA (Google Search Appliance), where the infrastructure, API documentation or configuration was detailed.
  • More than 30 new PDF documents, not all of them publicly available.
  • Some other .DS_Store files.
  • Some other HTML resources.

Once Google was informed, the files were quickly removed and Google placed us in its Hall of Fame in recognition of the little help improving their security.

Yahoo! case

This case is much simpler. We found some SVN files with very interesting information in them, inside a domain related to ads in Yahoo!. This is a snapshot of what we found in different paths inside the domain.

Sensitive information in tw.adspecs.yahoo.com
More sensitive information in tw.adspecs.yahoo.com

Fundamentally, there were two URLs where you could find links to some files, like http://tw.adspecs.yahoo.com/tc/adspec_ppt/tw_chi/SynAd.zip

From the text files themselves, the following information was available (maybe obsolete, but interesting in any case for a pentest):
  • ssh user for svn.corp.yahoo.com (martinso)
  • svn user: (martinso)
  • an internal domain: svn.corp.yahoo.com
  • internal path: /yahoo/adtech/asia/apac/adspecs/tc/adspec_ppt/tw_chi
Many days after notifying Yahoo!, they removed the content. We never got an answer from them.

Pablo González

Eleven Paths with Latch, in Campus Party Brazil

Florence Broderick    27 January, 2014

This year sees the seventh edition of Campus Party Brasil, which will take place in São Paulo, Brazil. For Eleven Paths, it will be a very special week in the Campus: a Hackathon will be organized, where the contestants will put the possibilities of our new Latch technology to the test. Our Argentinian CSA, Claudio Caracciolo, from Eleven Paths, will give a presentation together with Leandro Bennaton about Cybersecurity on January 28th.

The Hackathon is born as an initiative of Telefónica to create a place for meeting, fun and learning, based on the development of applications on top of Latch’s API, in order to integrate it with other platforms or give it different uses, taking full advantage of its potential. The goal is to create new applications or implementations using Latch’s API (which is fully documented on our website), so as to get the most out of the tool and of the imagination of the attendees at Campus Party Brazil 2014.

We hope really different applications will be developed at this edition of the Hackathon, which is why we have proposed the following topics, which are not mutually exclusive:

  • Access control for remote account services on different operating systems, e-mail, CRMs, etc.
  • Activate or deactivate access to the administration account of wi-fi routers.
  • Activate or deactivate SSID broadcast within a wi-fi network, or just turn the network on/off.
  • Activate or deactivate the ignition key of a car, or make sure the car cannot be started during a certain range of hours.
  • Activate or deactivate a TOR, VPN or Torrent client, or program a schedule so that it runs under specific conditions or at certain hours.
  • Enable or disable RFID-type access cards.
  • Activate or deactivate features of other phones or tablets.

Participants may compete in teams or individually. The results will be evaluated and there will be great prizes for the winners:

  • 1st place: AlienWare laptop.
  • 2nd place: A tablet (iPad or Galaxy).
  • 3rd place: A smartphone (iPhone 5 or S/Note 3).
The steps to participate in the hackathon, which runs from today, January 27th, to January 29th, are:
  • Register for Campus Party to be able to access the event.
  • Register for the Latch Hackathon at https://www.elevenpaths.com/cpbr7
  • Access https://latch.elevenpaths.com, create an account and register for free, if you have not done so before.
  • Read the API documentation.
  • Develop according to the conditions and rules of the Hackathon, available at: http://www.vivo.com.br/campusparty

Good luck to all contestants. We expect great ideas and contributions.