[ISN] White House accidentally exposes data in PDF file

From: InfoSec News (isn@private)
Date: Tue Dec 06 2005 - 22:17:23 PST


http://www.gcn.com/vol1_no1/daily-updates/37688-1.html

By Patience Wait 
GCN Staff
12/05/05 

Government agencies continue to stumble over security procedures
designed to conceal certain information embedded in documents posted
to the Internet.

In the latest error, the White House posted a copy of President Bush's
"Plan for Victory in Iraq," the heart of his speech last week at the
Naval Academy. But the Adobe portable document format file on the Web
site also contained the hidden name of the original author of the
document: Peter Feaver, a Duke University political science professor
who joined the National Security Council staff last June as a special
adviser.

The discovery that Feaver was the originator of the plan has stirred
controversy in Washington. The New York Times has reported that Feaver
co-authored an analysis of surveys regarding the popularity of the
Iraq war with the American public and concluded that citizens will
support the war, despite fairly heavy casualties, as long as they
believe it will ultimately succeed.

"The recent disclosure of the original authorship of the [plan]
document underscores once more why all organizations must put policy
and technology in place to prevent the leakage of damaging
information," said Joe Fantuzzi, CEO of Workshare Inc., a document
integrity solutions company based in San Francisco. It "is unfortunate
that the White House allowed this distraction to unnecessarily
politicize the debate over policy."

The White House did not return a phone call asking for comment.

Earlier this year, the Multi-National Force-Iraq issued a report on
the killing of an Italian security agent after he rescued a
countrywoman who had been held hostage by insurgents. The report,
posted to the Web as a PDF file, was supposed to be redacted but a
simple text cut and paste into other document formats revealed [1] the
redacted information. A military investigation later determined that
the disclosure was the result of user error.

In October, a U.N. report on the assassination of a popular Lebanese
politician opened an ongoing controversy [2] when a "technical error"  
allowed online readers to look at changes made to the document,
revealing that names of specific Syrian officials had been removed
from the final report.

"The complexity of technology continues to befuddle even sophisticated
users," Fantuzzi said. Organizations "must recognize that PDF is not
inherently secure, and policy, education and automation of document
security must be implemented to prevent these costly mistakes."

[1] http://www.gcn.com/24_11/news/35808-1.html
[2] http://www.gcn.com/vol1_no1/daily-updates/37416-1.html



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Tue Dec 06 2005 - 22:58:35 PST