Security threats Toolkit

Military secrets escape through PDF file

Munir Kotadia ZDNet Australia

Published: 05 May 2005 09:30 BST

Experts are warning people to be careful with electronic documents that contain sensitive data after a breach in which classified US military information thought to be hidden in a PDF document was uncovered.

Portions of the document had been "blacked out" by electronic means. But apparently, it was possible for outsiders to copy and paste the blacked-out sections into another file — and see the text that had been hidden.

The document is a report written after an investigation into the death of Italian citizen Nicola Calipari at a checkpoint in Iraq. It contains both classified and unclassified information about what happened at the traffic control points in Baghdad on 4 March, the day of the incident. The US military has since removed the document from the Internet, but not before it was copied and republished on several Web sites.

The military apparently made an error when it chose to use an electronic technique for obscuring certain words and paragraphs from the original document. According to a report by the Associated Press, a representative of Adobe, owner of the PDF format, has suggested that whoever attempted to censor the report did so by placing black rectangles over the text in question, rather than deleting the text.

The technique used would indeed have protected the data if the document were being read online or printed. However, by an attacker selecting the blacked-out text and using the copy and paste functions, he or she could easily reproduce the document in its entirety on any word-processing application.

Samia Rauf, director at document security specialist Workshare in Asia-Pacific, said this kind of mistake is common — the information was hidden but not removed.

"[The military] had blacked out the text but not protected the document at the perimeter level," Raud said.

According to Rauf, the problems associated with hidden data are not restricted to the PDF format.

She said it is actually far more common for people to make this type of mistake when using an application like Microsoft Word.

"Every single Word document contains metadata, but the scary thing is that 90 percent of the population don't know it exists," Rauf said. "Metadata has a useful purpose. If a document crashes, you can do an autorecover and it will bring everything back for you.

"Anyone can make this mistake — we heard a story about a law firm losing its clients because documents went out with 'track changes' enabled."

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.