Document security leaks….it’s time to end the plague
This week I read with great dismay about yet another classified PDF document leak that revealed sensitive information to the public. A heavily censored Pentagon report into the death of an Italian secret agent in Iraq was easily decrypted. It inadvertently revealed hidden tactics and names, including the U.S. soldier who killed the Italian agent in the incident.
The Pentagon published the report on its website over the weekend using Adobe Acrobat. The Acrobat user could not have imagined their electronic blacklines placed over classified information would later be removed. An Italian IT worker simply cut and pasted the Adobe PDF file into Microsoft Notepad and the blacklines were gone, revealing hidden content.
Another serious gaffe occurred in Palm Beach County Florida last February, when a health department employee inadvertently emailed a newsletter with an attached file containing the names of HIV patients. But the U.S. is not the only country with a red face when it comes to document security. We all remember the 'Dodgy Dossier' scandal of 2002 involving the U.K. government when several electronic trails about who researched weapons of mass destruction within the document were uncovered. That was a tricky time for Tony...
When will the public sector, and, for that matter, all organizations start getting the message that whilst technology (the internet, portals, email etc) is undoubtedly an excellent medium for communicating and collaborating with audiences via multiple document formats such as Microsoft Word, apparently safe 'read only' documents such as Adobe PDF are in fact also fertile breeding grounds for scandals, embarrassments, liabilities and lawsuits.
An Adobe spokesperson, quoted on the Pentagon incident in a U.S. Government Computer News article, said, "the information security breach arose from [an author] not using a third-party redaction tool in Adobe Acrobat." Personally, I find this comment daft. Something is inherently wrong with ‘security’ software that requires users to purchase a ‘third party’ product and then figure out how to use it to remove classified information. What mainstream user knows what redaction means anyway? Surely Adobe can come up with a better tale.
Organizations must come to realize any file format - including PDF - doesn't remove risky information leaks, it only masks them. File formats lull users and IT professionals into false security. The only way to stop the document leak plague is to protect documents independent of file format. IT has long accepted central security policies for ‘outside-in’ virus and spam attacks. The same is possible for ‘inside-out’ document attacks, malicious or otherwise.
Modern document security software manages rights (e.g. can I email or post this document?) content (e.g. classified names) and attributes (e.g. blacklines). Policy-based controls applied at the client and perimeter protects organizations and users against malicious and inadvertent exposures. Some of this software alerts users before making would-be catastrophic mistakes, educating them on why their common practices may lead to risky business. It's time to eradicate this plague of insecure documents and stop placing innocent victims at risk.
Joe Fantuzzi,
CEO, Workshare
