US military security defeated by copy and paste

The document was a report written after an investigation into the death of Italian citizen Nicola Calipari at a checkpoint in Iraq. The document contains both classified and unclassified information about what happened at the traffic control points in Baghdad on 4 March, the day of the incident. The US military has since removed the offending document from the Internet, but not before it had been copied and republished on several Web sites.

The military made an error when it chose to simply black-out certain words and paragraphs from the original classified document instead of removing the actual information. This means that if the document was read or printed, the 'censored' information would be safe. However, by selecting the document text and using the copy and paste function, the document could easily be reproduced in its entirety on any word processing application.

Samia Rauf, director at document security specialists Workshare in Asia Pacific, said this kind of mistake was common -- the information was hidden but not removed.

"[The US military] had blacked out the text but not protected the document at the perimeter level. Just PDF-ing a document on its own does not hide sensitive information. It needs to be stripped out at the core level," said Rauf.

According to Rauf, the problems associated with hidden data is not restricted to the PDF format. She said it is actually far more common for people to make this type of mistake when using an application like Microsoft Word.

"Every single Word document contains metadata but the scary thing is that 90 percent of the population don't know it exists. Metadata has a useful purpose. If a document crashes you can do an auto-recover and it will bring everything back for you. Anyone can make this mistake - we heard a story about a law firm losing its clients because documents went out with 'track changes' enabled," said Rauf.

The document is available in its original version here.