U.S. military security defeated by copy and paste

U.S. military security defeated by copy and paste

Summary: In the latest example of a snafu with "hidden" electronic text, sensitive data blacked out in a PDF document finds its way into the light.

SHARE:

Experts are warning people to be careful with electronic documents that contain sensitive data after a breach in which classified U.S. military information thought to be hidden in a PDF document was uncovered.

Portions of the document had been "blacked out" by electronic means. But apparently, it was possible for outsiders to copy and paste the blacked-out sections into another file--and see the text that had been hidden.

The document is a report written after an investigation into the death of Italian citizen Nicola Calipari at a checkpoint in Iraq. It contains both classified and unclassified information about what happened at the traffic control points in Baghdad on March 4, the day of the incident. The U.S. military has since removed the document from the Internet, but not before it was copied and republished on several Web sites.

The military apparently made an error when it chose to use an electronic technique for obscuring certain words and paragraphs from the original document. (According to a report by the Associated Press, a representative of Adobe Systems, owner of the PDF format, has suggested that whoever attempted to censor the report did so by placing black rectangles over the text in question, rather than deleting the text.)

The technique used would indeed have protected the data if the document were being read online or printed. However, by an attacker selecting the blacked-out text and using the copy and paste functions, he or she could easily reproduce the document in its entirety on any word-processing application.

Samia Rauf, director at document security specialist Workshare in Asia-Pacific, said this kind of mistake is common--the information was hidden but not removed.

"(The military) had blacked out the text but not protected the document at the perimeter level," Raud said.

According to Rauf, the problems associated with hidden data are not restricted to the PDF format.

She said it is actually far more common for people to make this type of mistake when using an application like Microsoft Word.

"Every single Word document contains metadata, but the scary thing is that 90 percent of the population don't know it exists," Rauf said. "Metadata has a useful purpose. If a document crashes, you can do an autorecover and it will bring everything back for you.

"Anyone can make this mistake--we heard a story about a law firm losing its clients because documents went out with 'track changes' enabled."

Topics: Networking, Data Management, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion