More hidden information in posted Word docs

Office for Mere Mortals
Your beginners guide to the secrets of Microsoft Office
Invalid email address
Tips and help for Word, Excel, PowerPoint and Outlook from Microsoft Office experts.  Give it a try. You can unsubscribe at any time.  Office for Mere Mortals has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy

Microsoft isn’t the only group that’s waving its dirty laundry in the wind.

Last week I talked about the importance of stripping “hidden” information from Word documents before posting them on the Internet. I took you through a bunch of examples of docs on Microsoft’s own site that included detailed – in some cases potentially embarrassing – “metadata” that Microsoft itself has posted.

MS isn’t the only group that’s waving its dirty laundry in the wind. No sirreee.

That state Supreme Court I told you about last week still has documents on the Web that are filled with names and file locations and all sorts of detailed information about the Court’s data processing operations. (Those of you who wrote on behalf of other Supreme Courts – nope, you folks don’t work for the one I was talking about.)

This week, I was stunned to discover even more detailed information posted in docs related to the Department of Homeland Security. (The Dept of Homeland Security itself, dhs.gov, doesn’t appear to have any Word docs on its site. Bravo!) More about that in a moment.

The point of all of this: don’t post Word documents on the Web. Don’t do it. Even with the best intentions, using the latest tools, you or one of your co-workers will eventually slip up and stick something out there that you don’t want to be public knowledge. Any kid with a copy of Word can see an eyeful.

NEWT GINGRICH’S SPEECH

On September 9, 2003, Newt Gingrich gave a speech to the US House Committee on Homeland Security. If you download his speech from http://hsc.house.gov/files/Testimony%20Gingrich.doc , open it in Word, and click File | Properties | Custom, you’ll see that the file was last sent in an email message from Susan Sheybani with the Subject “for the website…thanks!”.

If you close the document, click File | Open, in the Files of Type box choose “Recover Text from Any File” and open the document again, you’ll see some of the people who edited the file:

Someone working with the i.d. AEI (American Enterprise Institute, which is credited as the author’s company) stored the file as C:Documents and SettingsmkesterMy DocumentsNewt researchNG 030904 MASTER.doc and there was a backup made at C:BackupAutoRecovery save of NG 030904 MASTER.asd

Rick Tyler edited it at C:Documents and SettingsrtylerApplication DataMicrosoftWordAutoRecovery save of NG 030909 MASTER DHS Testimony.asd and C:Documents and SettingsrtylerMy Documentsrtylergingrich communicationstestamoniesNG 030909 MASTER DHS Testimony.doc

Wm. D. Sanders (who’s credited as the document’s author) edited it at C:Documents and SettingsAdministratorLocal SettingsTempNG 030909 MASTER DHS Testimony.doc and C:Documents and SettingsAdministratorMy DocumentsHomeland SecurityNG 030909 Homeland Security Testimony.doc

Why are the file names and locations important? See the last section in this newsletter.

HOMELAND SECURITY ACT D WEB SITE

Download the file posted here. Open it normally, then click File | Properties | Custom. You’ll see that the file was last sent by email by Sharon Powell, [email protected], in an email message titled “Attachments for the Homeland Security ACTD Website”.

Close it, then open it with “Recover text from any file”: Adobe Photoshop was used to edit some of the pictures. (I sure hope ST Associates has an up-to-date license!) Lisa Dodaro (who apparently used a Mac) edited it a lot, storing the file at various times at:

D:Users:ldodaro:Documents:HLS:HLS C2 ACTDBROC 0#B2048-lad.doc

D:Users:ldodaro:Documents:Microsoft User Data:Word Work File A_22

D:Users:ldodaro:Documents:Microsoft User Data:Word Work File A_2998

Then it looks like her machine generated an AutoRecover file at

D:Users:ldodaro:Documents:Microsoft User Data:AutoRecovery save of HLS C2 ACT

Then she went back to:

D:Users:ldodaro:Documents:Microsoft User Data:Word Work File A_1318

D:Users:ldodaro:Documents:Microsoft User Data:Word Work File A_1974

Lisa wasn’t the only one who edited the doc. I also see:

[email protected]

Glenn Cooper

Cooper Consulting

JOINT FORCE HEADQUARTERS – HOMELAND SECURITY

JFHQ-HLS is “the Homeland Security component of US Northern Command coordinating the land and maritime defense of the continental United States, and military assistance to civil authorities. JFHQ-HLS is headquartered in Norfolk Va.”

If you download the (publicly available and widely advertised!) fact sheet posted here, you’ll find that it was edited by:

Whetston at C:DataWordJFHQ-HLS Fact Sheet_pino.doc

Parks at C:WINNTProfilesparksDesktopJFHQ-HLS Fact Sheet_final.doc and C:WINNTProfilesparksApplication DataMicrosoftWordAutoRecovery save of JFHQ-HLS Fact Sheet_final.asd and M:JFHQ HLSHLS CGPublic AffairsFact SheetsJFHQ-HLS Fact Sheet_final.doc

Falvo at M:JFHQ HLSHLS CGPublic AffairsFact SheetsJFHQ-HLS Fact Sheet_final.doc and H:Homeland SecurityMarketing MaterialsJFHQ-HLS Fact Sheet – Rev 12-02.doc

EllingtonA at S:public_sitedownloadsfact_sheetsdocjfhq-hls_word.doc

OTHER GAFFES

Lesseee… the most remarkable fact about the July, 2002, Report to the Speaker of the House regarding “Counterterrorism Intelligence Capabilities and Performance Prior to 9-11” (posted here) is that it appears the file was copied to diskette – twice – by someone working with the i.d. HPSCI. (Didn’t Mr. Casey have problems along those lines?)

Then there’s the “Testimony of J. Craig Lowery, Ph.D., Chief Security Architect, Software Product Group, Dell, Before the Subcommittee on Cybersecurity, Science, and Research & Development of the House Select Committee on Homeland Security Hearing on Cybersecurity: Industry’s Perspective July 15, 2003”. Man you’d think he would have security nailed, don’t you? Download the file here and see for yourself. Revision marks are still turned on. You can see every edit that was made.

The last person to email that file was Elizabeth Tobias, who (based on a quick Google) is/was an assistant to Dick Armey in the US House of Representatives. The file was edited, at various times, by people with the i.d.s:

Williams & Jensen

PAUL BROWNELL

KEVIN_REID

mtwinchek

Elizabeth Tobias

Craig_Lowery

MORE DETAILS FROM LAST WEEK

Last week I gave you a number of alternatives to posting raw Word docs on the Internet. You can buy a program that will strip all the data out of your docs. Or you can post in PDF format.

Many of you wrote to express your dislike of PDF. There are good reasons why PDF isn’t the ideal Web document format – and if you feel strongly enough about it, post in RTF! Just open the doc in Word, click File | Save As and in the Files of type box choose Rich Text Format. For that matter, most docs do just as well as plain ASCII text. Or you can take a clue from the Dept of Homeland Security’s (excellent!) Web site, and make everything available as a native Web page.

On the other hand, I wouldn’t save a document in the “Web page” format, or as XML. I haven’t dug through the code, but the round-tripping promises from Microsoft on both of those formats lead me to believe that all the hidden data gets buried in .XML and .HTM files, too.

Office Watch reader BM wrote to tell me that the presence of an ASD automatic recovery file in the internal list of files, inside a Word document, isn’t a sign that Word crashed and the person doing the editing picked up an autorecovered copy. It may only mean that Word saved an automatic recovery file. Fair nuff.

WHY FILE NAMES AND LOCATIONS MATTER

Finally, a personal note…

A little over a year ago, I ran a (long!) series of articles on Word’s “spy” fields – the gaping security hole Alex Gantman discovered, and Microsoft finally plugged with the security bulletin called MS02-059.

One of the key questions at the time: is it possible for a person outside an organization to know the precise name and folder location of a file inside an organization? If the answer is yes, it’s easy to construct a “spy field” that will silently grab the contents of the file and send it over the Internet to a specific Web site. If that answer is no, spy fields aren’t nearly as potent. (And if you’ve installed MS02-059, you shouldn’t be exposed at all.)

I contended, at the time, that it wasn’t all that difficult to find or guess at file names and locations. At least one major news organization tore me a new alimentary canal over that stance.

Now… Well, see for yourself. Looking at documents posted on the Web, by some people who should know a whole lot better, any schoolkid using Word can not only tell where files are located, and how servers and folders are hooked together, they can find the email addresses of the people who worked on the documents.

That news organization can kiss my re-routed patoutie.

I sure hope you have MS02-059 installed.

 

Latest news & secrets of Microsoft Office

Microsoft Office experts give you tips and help for Word, Excel, PowerPoint and Outlook.

Give it a try. You can unsubscribe at any time.  Office Watch has been running for over 20 years, we've never, ever revealed or sold subscriber details.  Privacy policy
Invalid email address