By Jonathan Yarden
Several years ago, I read a story about how authorities exposed a spy and later convicted him of espionage with evidence recovered from a used typewriter ribbon. Of course, simple typewriter ribbon imprints are nothing compared to the hidden information littered in application data files.
Regardless of whether recovered information is incriminating, any information leakage is a security threat. Any application that tracks changes to files has the potential to leak information when users share those files with someone else.
While Microsoft Word is one application that's capable of tracking changes, countless others exist—and it isn't a new problem. But it's important to note that tracking changes to data files is itself not a bad thing.
Being able to track changes, undo mistakes, and collaborate on document creation are essential features for business. The concept of groupware wouldn't even exist without features to track changes.
But these very features can often lead to the exposure of confidential information or reveal private thoughts or intentions. Microsoft even warns users of this issue.
A number of recent security incidents are the direct result of people looking at the hidden data in Word documents. Microsoft itself has been a victim, with potentially embarrassing information extracted from public documents and published on its own Web site.
But remember: The fault lies not with the ability to track changes but with the users' lack of understanding of the functionality. Tracking changes during the editing process can be important, but a final document should be completely free of all changes and hidden information, particularly if it's a public document or one that will travel outside of the company in some way.
Of course, e-mailing Word documents is a common practice for many organizations, so how can companies avoid this problem?
The first step is education. Few companies I asked even knew that Word tracks changes to documents. Both large and small companies unwittingly pass this hidden information in documents because they don't realize the tracking occurs.
Don't blame Microsoft—tracking changes is essential to collaboration, and this feature is a benefit. Instead, consider using a "working" document and a "final" document.
When you're ready to finalize a document, use a different format, such as a PDF or even plain text. PDFs are quite useful for high-resolution, unalterable Web documents, and I recommend them as an alternative to Word for final document creation for this reason.
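A release check for the "final" copy, as an added example that is not part of the original article: it counts the tracked insertions, deletions and comments still stored in a file before it leaves the company. It assumes the XML-based .docx format, which the article does not discuss (the legacy binary .doc needs a different parser), and it does not cover tracked moves or formatting changes; the function names and the sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def audit_docx(data: bytes) -> dict:
    """Count tracked insertions/deletions and comments left in a .docx."""
    report = {"insertions": 0, "deletions": 0, "comments": 0,
              "deleted_text": [], "authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" not in names:
            raise ValueError("not a WordprocessingML package")
        # Only run this on your own outgoing files: ElementTree is not
        # hardened against hostile XML.
        for el in ET.fromstring(zf.read("word/document.xml")).iter():
            if el.tag in (W + "ins", W + "del"):
                report["insertions" if el.tag == W + "ins" else "deletions"] += 1
                if el.get(W + "author"):
                    report["authors"].add(el.get(W + "author"))
            elif el.tag == W + "delText" and el.text:
                # Deleted text stays in the file even though Word hides it.
                report["deleted_text"].append(el.text)
        if "word/comments.xml" in names:
            root = ET.fromstring(zf.read("word/comments.xml"))
            report["comments"] = len(root.findall(W + "comment"))
    return report

def is_clean(report: dict) -> bool:
    """True only when no tracked revisions or comments remain."""
    return not (report["insertions"] or report["deletions"] or report["comments"])

def sample_docx(tracked: bool = True) -> bytes:
    """Constructed sample package; the names and prices are made up."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    revs = ('<w:del w:author="A. Editor"><w:r><w:delText>$40</w:delText></w:r></w:del>'
            '<w:ins w:author="A. Editor"><w:r><w:t>$55</w:t></w:r></w:ins>')
    doc = (f'<w:document {ns}><w:body><w:p><w:r><w:t>Price: </w:t></w:r>'
           f'{revs if tracked else ""}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(sample_docx()))
```
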
How do people find this hidden application data? First, they can simply tell Word to display all changes. In addition, there are tools that can reveal changes and other hidden information.
Tools such as Antiword and Catdoc can reveal hidden application data in Word files, and they're popular because they allow UNIX users to view Word documents.
I'm not encouraging people to actively seek out hidden information in public or private Word documents, but it's important that organizations realize that these tools exist and that other people are using them.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.