U.S. military security defeated by copy and paste

Experts are warning people to be careful with electronic documents that contain sensitive data after a breach in which classified U.S. military information thought to be hidden in a PDF document was uncovered.

Portions of the document had been "blacked out" by electronic means. But apparently, it was possible for outsiders to copy and paste the blacked-out sections into another file--and see the text that had been hidden.

		Related story Hidden text shows SCO prepped suit against BofA Plans revealed because Word displays file's "metadata."

The document is a report written after an investigation into the death of Italian citizen Nicola Calipari at a checkpoint in Iraq. It contains both classified and unclassified information about what happened at the traffic control points in Baghdad on March 4, the day of the incident. The U.S. military has since removed the document from the Internet, but not before it was copied and republished on several Web sites.

The military apparently made an error when it chose to use an electronic technique for obscuring certain words and paragraphs from the original document. (According to a report by the Associated Press, a representative of Adobe Systems, owner of the PDF format, has suggested that whoever attempted to censor the report did so by placing black rectangles over the text in question, rather than deleting the text.)

The technique used would indeed have protected the data if the document were being read online or printed. However, by an attacker selecting the blacked-out text and using the copy and paste functions, he or she could easily reproduce the document in its entirety on any word-processing application.

Samia Rauf, director at document security specialist Workshare in Asia-Pacific, said this kind of mistake is common--the information was hidden but not removed.

"(The military) had blacked out the text but not protected the document at the perimeter level," Raud said.

According to Rauf, the problems associated with hidden data are not restricted to the PDF format.

She said it is actually far more common for people to make this type of mistake when using an application like Microsoft Word.

"Every single Word document contains metadata, but the scary thing is that 90 percent of the population don't know it exists," Rauf said. "Metadata has a useful purpose. If a document crashes, you can do an autorecover and it will bring everything back for you.

"Anyone can make this mistake--we heard a story about a law firm losing its clients because documents went out with 'track changes' enabled."

This brings to mind an old oxymoron

"Military Intelligence." lol

[garbuck]

Military intelligence is to intelligence as ...

military music is to music.

What a shock..

Is it any wonder the world is in the state its in.. goverment "security" morons all across the planet.. versed in 10 year old technology, responsible for modern day systems. Hey.. the Dinasaurs are still ruling the world..

[Brainlock]

Don't Worry It Gets Better

Just think how many people in congress, the senate, the upper people in the Pentagon, and the higher officials in offices for our government really know how to use a computer? So now they decide we need National ID's too! Our Government is over the edge and the poor people in the military are blind followers of leaders that don't have a clue anymore. I feel sorry for out troops I just want them home!

[dstempfley]

Process failures

It's easy to make cracks about the general stupidity of the people involved or the military in general, but the fact of the matter is that there are some pretty smart people that have studied and put in place pretty serious procedures to prevent this type of disclosure. Procedures that obviously weren't followed. I wouldn't be surprised if some commander lost their job over this. I'm not associated with the military anymore, but I feel for the people that had to deal with this unauthorized disclosure.

To give a little insight to those who are not familiar with procedures for handling classified documents in electronic form. An electronic version of the original Secret document should never have touched an unclassified system. The secret and the unclassified system should be separated by and air gap (not electronic connection). The method that should have been followed is to redact the file on the secret system, print it from the secret system, then scan the redacted printout into an unclassified system. With a very small number of exceptions this is the approved way to prepare to release this type of document.

The problem is not the lack of intelligence of the personnel performing the release, they are probably very smart in the areas they have been trained in, but they clearly forgot to pay attention to the rules established by people who are smart in this particular area. I can only imagine how clearly established procedures were bypassed in this instance.