Data leakage from Microsoft Windows Office Documents- Computer Security.
Data about data.
In the computing world, we talk about data in the sense that it is any encoded information. In the scientific world, raw data is information gathered from experiments and surveys without being processed. In both cases, when data is organised, analysed and filed it may simply be called information. But when you start adding extra inferred data which is used to help organise the information, this is called metadata.
Metadata is not normally an immediately visible of obvious part of a unit of information, but it is often tied to the data in a way that makes it an invisible part of the unit of data. A real-world example might be the information contained in the franking of a stamp on an envelope.
Forensic analysis will involve the study of metadata to try and verify or corroborate evidence. However, this information can also be used for nefarious purposes.
Data leakage and DLP
In security circles, data leakage is a term used to describe the unintentional, unwanted export of information from within an organisation to a place outside the control of that organisation. To try and combat this, astute organisations will employ a Data Leakage Prevention system (). DLP
DLP is quite difficult to implement because any specific information is representable in a myriad of ways. As an example, you might naively use DLP to check for the words "secret", "confidential", "restricted" and any other words that might mean that a particular document is classified using some scheme. This metadata has to be accurate for the DLP to catch it. If you rely on someone typing the word "restricted" then the spelling has to be correct or it could miss the leak. A defence against that problem would be to use fuzzy-logic, context sensitive analysis, and classification automation. It will now be obvious why DLP is difficult. Any classification system makes use of intentional and controlled metadata.
But there is a different kind of metadata. There is metadata that is uncontrolled, unintentional, automatic, and hidden from normal view.
Microsoft Office Metadata
When you create a word document, what you type is not the only information attached to the document. In many cases, any or all of the following are also part of the document, and is automatically added:
- Your name;
- Your initials;
- Your company or organization name;
- The name of your computer;
- The name of the network server or hard disk where you saved the document;
- Other file properties and summary information;
- Non-visible portions of embedded On-line and Linked Embedded (OLE) objects;
- Document revisions;
- Document versions;
- Template information;
- Hidden text;
Let's say you are a government employee preparing for a tender. There are three competing products, and you need to create a standard document to send to three different potential vendors. The three products are called "Trippyfault", "ExoGone" and "Elfenhut". It's natural to start writing this document from a previously similar template or well developed work. The original title of that document might be "Secret plans".
Although you alter the text, use global search and replace, and apparently remove all traces of references to "Secret plans", the final document could leave the organisation with unexpected information.
You might wonder why this is important. In most cases, it might not matter but it does look a little unprofessional. But what if a vendor found references to the name of some of the competition? If you did not want that information to be public, then it's an example of data leakage.
In MS Office product, there is a feature called fast save. When you have this option enabled, then deleted text might stay in the disk-version of the file. It's marked for deletion and is not displayed. Therefore, your deleted text can be viewed from within a hex editor.
What to do?
Some ideas are:
- Be aware of the issue.
- Get a to check your systems and processes. security auditor
- Turn off fast-save.
- Make sure there is no hidden text from "track-changes"
- Inspect 'properties' of the document and delete metadata.
- Install a DLP system into the network.
- Perhaps copy and paste the entire document into a new clean one.
- Export to pdf or HTML and send that format instead.