Several years ago, I read a story about how authorities
exposed a spy and later convicted him of espionage with evidence recovered from
a used typewriter ribbon. Of course, simple typewriter ribbon imprints are
nothing compared to the hidden information littered in application data files.
Regardless of whether recovered information is
incriminating, any information leakage is a security threat. Any application
that tracks changes to files has the potential to leak information when users
share that file with someone else.
While Microsoft Word is one application that’s capable of
tracking changes, countless others exist—and it isn’t a new problem. But it’s
important to note that tracking changes to data files is itself not a bad
thing.
Being able to track changes, undo mistakes, and collaborate
on document creation are essential features for business. The concept of
groupware wouldn’t even exist without features to track changes.
But these very features can often lead to the exposure of
confidential information or reveal private thoughts or intentions. Microsoft
even warns users of this issue.
But remember: The fault lies not with the ability to track
changes but with the users’ lack of understanding of the functionality.
Tracking changes during the editing process can be important, but a final
document should be completely free of all changes and hidden information,
particularly if it’s a public document or one that will travel outside of the
company in some way.
Of course, e-mailing Word documents is a common practice for
many organizations, so how can companies avoid this problem?
The first step is education. Few companies I asked even knew
that Word tracks changes to documents. Both large and small companies
unwittingly pass this hidden information in documents because they don’t
realize the tracking occurs.
Don’t blame Microsoft—tracking changes is essential to
collaboration, and this feature is a benefit. Instead, consider using a
“working” document and a “final” document.
When you’re ready to finalize a document, use a different
format, such as a PDF or even plain text. PDFs are quite useful for
high-resolution, unalterable Web documents, and I recommend them as an
alternative to Word for final document creation for this reason.
How do people find this hidden application data? First, they
can simply tell Word to display all changes. In addition, there are tools that
can reveal changes and other hidden information. Tools such as Antiword and Catdoc
can reveal hidden application data in Word files, and they’re popular because
they allow UNIX users to view Word documents.
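A pre-release check in the spirit of the advice above, added here as an example and not code from the original column: it opens a .docx (the zipped-XML format later Word versions use; the column itself predates that format, so this is an assumption) and reports tracked insertions, deletions, the deleted text Word still stores, and reviewer comments, so a "working" document can be caught before it is sent as a "final" one. The sample document is constructed inline and is not a complete Office package.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Revision-tracking elements that a "final" document should not contain.
TRACKED_TAGS = {"ins", "del", "moveFrom", "moveTo", "rPrChange", "pPrChange"}

def find_hidden_data(docx_bytes: bytes) -> dict:
    """Report tracked changes, deleted text and comments in a .docx package.
    An empty dict means no tracked-change markup or comments were found."""
    found, deleted = {}, []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
        for el in root.iter():
            tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
            if tag in TRACKED_TAGS:
                found[tag] = found.get(tag, 0) + 1
            elif tag == "delText" and el.text:  # text Word keeps after a tracked deletion
                deleted.append(el.text)
        if "word/comments.xml" in zf.namelist():
            comments = ET.fromstring(zf.read("word/comments.xml"))
            n = sum(1 for el in comments.iter() if el.tag.endswith("}comment"))
            if n:
                found["comment"] = n
    if deleted:
        found["deleted_text"] = deleted
    return found

def build_sample_docx() -> bytes:
    """Constructed sample (not a complete Office package): one paragraph with a
    tracked deletion, a tracked insertion and a reviewer comment."""
    document_xml = f"""<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:t>Offer price: </w:t></w:r>
<w:del w:id="1" w:author="reviewer"><w:r><w:delText>$900,000</w:delText></w:r></w:del>
<w:ins w:id="2" w:author="reviewer"><w:r><w:t>$1,200,000</w:t></w:r></w:ins>
</w:p></w:body></w:document>"""
    comments_xml = f"""<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="reviewer">
<w:p><w:r><w:t>Do not show them the old number.</w:t></w:r></w:p></w:comment></w:comments>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/comments.xml", comments_xml)
    return buf.getvalue()

if __name__ == "__main__":
    report = find_hidden_data(build_sample_docx())
    print("no hidden data found" if not report else f"hidden data found: {report}")
```

Run it over a real file with `find_hidden_data(open("draft.docx", "rb").read())`; a non-empty report means the document still carries revision history and should be cleaned or exported to another format first.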
I’m not encouraging people to actively seek out hidden
information in public or private Word documents, but it’s important that
organizations realize that these tools exist and that other people are using
them.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.