CASEScontact - solutions, tools & skills against latest security, cybercrime, hacking & malware threats

What's up?

Real life scenario

Internet & PC scenario

What is the threat or vulnerability?

Have you used your mobile to call someone whilst being in a public place, such as riding a train? Then you know that making calls in public places can represent a confidentiality risk.

Similarly, sending a Word file to another person can reveal embarrassing facts.

Tony Blair discovered that Word documents are notorious for revealing confidential information. These can be highly embarrassing. For instance, Word files about 'research' supporting the government's decision to going to war in Iraq revealed plagiarism by staff working for Tony Blair.

Problem & Solution

What does it mean to me? Am I vulnerable?

The Threat
is that Word may reveal information to a client that you never intended her to see.
Vulnerability
is due to many factors including Word files containing many kinds of information including text, graphics, tables, images and metadata. These might result in one exposing information unintentionally, especially when downgrading or sanitizing classified materials.
Impact
can result in embarrassment if not legal problems.

This guide provides the free tools, tips and more to reduce your risk for having Microsoft Word reveal information that you do not want to have revealed such as Name of Author, computer document was created on, changes that were made by whom, etc.

If I fix the problem - will it help me?
How

Hidden information such as, who wrote which parts of a document and when, are useful to author and co-authors, they are not supposed to reach readers of the document. A short description about the confidentiality and privacy issues regarding Word's hidden information is provided for your convenience right here:

Exposing sensitive information in a Word document - #1 - what is it about?

Basically you have two option. Either you can do the right thing right now with neither much trouble nor time being required to fix this problem or else, you take the risk to have a disaster on your hands sometime in the future. What option do you want to choose? The choice is yours but if you want to avoid the hassle, read on.

How can one describe the solution?

There are important lessons here for home users, SME owners and employees of all trades and professions. Consider briefly these four smart steps that you should follow to minimize the risks of revealing possibly embarrassing information with Word files:

Exposing sensitive information in a Word document - #2 - how to start protecting your secrets?

Does Microsoft offer me a solution?

Microsoft does have a partial solution for the problem, namely a tool that you can download for free here:

Exposing sensitive information in a Word document - #4 - CyTRAP Lab's Choice - free tool - Microsoft Remove Hidden Data V1.1

However, if you use an earlier version than Microsoft Office 2003, such as Word 2000, the above tool will not work for you. But read on, we have a free tool below that will do the job very nicely for older versions such as Word 97 and others.

Where can I get more help?

You can get more information by visiting

- WinCurity blog with information about better security, and
- EU-IST News blog with info for experts

Both of the above blogs allow you to search for such terms as backup, compliance, Windows, etc. and find more tips, freeware and guides regarding what you can do for better managing your risks.

What is the solution to this problem ?

Tip 1		When you are traveling you should always make sure that you bckup data files at least once a day for security reasons. CyTRAP Labs' choice - free tool - using Gmail drive shell extension as one more drive for important backups

Tip 2		But even if you do all the things we outlined above, it is wise to check somehow if you have done it right. One way to accomplish this in a somewhat easy fashion is to use a free tool that does most of the job for you. We have tested and selected a free tool for you here: Exposing sensitive information in a Word document - #3 - CyTRAP Lab's Choice - free tool - Doc Scrubber V1.1?

Tip 3		Following the above two tips will assure you with the following: Word will not reveal anything you do not want to have revealed about a document (e.g., who worked on it when), even after having left your current employer, your job replacement will not discover things that she does not need to know to fill your shoes.

Take another 2 minutes - More tricks to safeguard your information better

Tidbit 1		Redacting is the process of removing confidential, private, or restricted information from a document. You can redact a document in two ways, either using: additive approach, and hiding approach The more secure approach is, of course the former why additive redacting is more secure?
Tidbit 2		One approach to remove text is to black out the paragraph. A tool that allows you to do just that is offered by Microsoft. We tested the tool for you and provide you with more information, including where to get the free add-in here: CyTRAP Labs' choice - free tool - redaction tool for Office Word 2003 and 2007 Beta
Tidbit 3		If you have a document in Word and you want to remove text, the best way is still to follow Tips 1-3 above and, most importantly: remove the text or graphics from the file

Awareness and security culture

Parents & teacher		Pupils not only share the Word files with classmates but, as well, with many users on the internet. Unfortunately, this also means the risk for having school children's privacy jeopardized. Moreover, the likelihood that the confidentiality of school records of any kind and type are being violated increases. Best prevention is if you and your students/children understand a few facts and behave accordingly: follow Tip 1 above and abide by our four suggestions, thereby minimising the chances for having Word reveal information that is not theirs to know, when a student, parent or teacher begins working on a document, she needs to make sure that the options are set up according to our suggestions made under Tip 1, in particular: Exposing sensitive information in a Word document - #2 - how to start protecting your secrets? 4 steps to success, MOST IMPORTANT, before saving a file for the day or shipping it to another person in class or elsewhere, a final check must be undertaken to prevent the greatest mishaps. AND NO, just saving a Word document into pdf format will not do the trick alone. Whenever a Word file is given to somebody else, the person can get information he or she does not necessarily need (e.g., when did who work on the file). To avoid embarrassing discoveries about details proceed as outlined in Tips 1-3 above. Better safe than sorry.
Legal compliance & risk management		In principle, points a, b, c in the parents/teacher section above apply to every employee and employer. If you do not think this matters to you personally, it matters even more to you what your subordinates are doing in this regard. Both, Tony Blair and Anders Fogh Rasmussen found out that their subordinates' carelessness with Word documents can result in embarrassing situations that can cost a lot of political capital and, most importantly, may result in some people loosing their job. Hacking Password-Protected MS-Word Document - Tony Blair & Anders Fogh Rasmussen Re-Visited
Trends		Our digital lives have become increasingly vulnerable to various threats ranging from: - phishing, or - identity theft, etc. Comments we might have made 15 years ago in a Word file might cause us embarrassment today. Because of this we advice you to be careful with Word files. Remember, information stored in digital form today will, thanks to archiving, be available for many years to come.

CYTRAP resources - check it out - because it will help you better protect yourself

Related tips		CASEScontact.org guide UPDATE 2: Fighting off malware attacks the smart way, Data Recovery 101 - PART I - 'That's hot!' - Paris Hilton's recommendations from the World Economic Forum Davos - Risk Workshop, CASEScontact.org - Update 1 - 10 golden rules for better securing the home PC
Glossary		Please either sign in by clicking on 'Login as a guest' to get the definition, no registration required or else get a free registration to get access, its worth it. Layered security - what is it good for and how will it work best for my PC? What is availability of data? What is data confidentiality? Wht is integrity of information?, What is information security?, What is information assurance?, What is legal compliance? Why is additive redacting more secure?
Del.icio.us		Was this tip helpful to you? If yes, why not bookmark it at Del.icio.us

Technorati tags		AntiVirus, CASEScontact.org, computers and Internet, CyTRAP Labs, Datenschutz,Deutsch, hacking, information-security, Internet, Internetrecht, intrusion detection, law, legal, Linux, malware, Microsoft, privacy, rootkit, Sicherheit, redact, security, security advisory, security alert, software, spyware, tech, Windows, worm, compliance, legal compliance, text schwaerzer

Administrative

Author		Urs E. Gattiker - CyTRAP Labs

Revisions		1.0 - 2007-01-07 - First Version
Contact details		Web: http://CASEScontact.org E-mail: support01@CASEScontact.org Tel: +41(0)76-200-7778 or + 44(0)70-9237-6036 Fax: +44(0)70-9237-6036, dial 3 send fax

--END of ADVISORY - Important Info Below--

We recommend that you VERIFY ALL ADVISORIES you receive IMMEDIATELY, by clicking on the link provided at the top of this alert.

NO WARRANTY Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.

Ride the rollercoaster successfully by subscribing to our alerts, tips, tools and skills training receiving them either via: 1) e-mail 2) RSS feeds, or else, just get a 3) free skills tune-up

NO WARRANTY Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.

CASES writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. Full DISCLAIMER notice at: http://www.casescontact.org/terms.php

UNSUBSCRIBE If you no longer wish to receive this TIP ADVISORY, please Unsubscribe at: http://www.casescontact.org/unsubscribe.php QUESTIONS, comments, ideas? Cheer us up at:Tips-Comments at CASEScontact.org CASEScontact.org -- Threat Alerts and Security Notices --clear and precise, no compromise - --currently hosted by Flashcable

-- END of TIP & Tricks ADVISORY-- Copyright (c) 2007 by CyTRAP labs - Urs E. Gattiker. All rights reserved.

Just the facts

Title		CASEScontact.org guide: Going on a long trip - making your laptop road worthy
Description		Prevent unintended disclosure of metadata, resulting in high-profile leaks of secrets with CASEScontact.org's effective remove hidden data guide that tells you how to: set-up Word templates to minimize the risk, and using various free tools to scrub confidential information from Word files It takes 15 minutes of your valuable time to go through this guide and implement the smart suggestions. And yes, the suggestions and tools we provide to protect your information works for your PC at home and at work. So read on and avoid possibly embarrassing leaks of your secrets.
CyTRAP LABs ID		CT210026
Date		2007-01-04
Systems affected		Windows 98/ME/2000/NT/XP/Vista and any user of Microsoft Word should care about this issue.
Version number		1.0
ISSN		1603-9866
Verify tip		http://casescontact.org/tips/210026
Risk assessment		High
Impact/Severity		High
Audio/Podcast files		CyTRAP radio show - Protecting your digital assets - Thursday, January 7, 2007

Why not get new tips and alerts by e-mail directly to your in-box? It's much more convenient: Your email: or press here.