PDF user slip-up gives DOD lesson in protecting classified information
- By Dawn S. Onley
- May 13, 2005
The mishandling of an Adobe Portable Document Format memo exposed not only classified information on the Web, but the risks involved when users fail to use software tools correctly.
Multi-National Force-Iraq is investigating how blocks of redacted classified information regarding the shooting, posted recently on its Web site, could be revealed by copying and pasting text into another file format.
Second failure
That classified information revealed the second IT failure: Communication problems with voice over IP prevented an Army captain from passing along critical information to troops stationed at a checkpoint along a dangerous stretch of road in Baghdad.
Had the VOIP technology worked, it might have relaxed forces that were set up in battle positions on Route Irish, the road linking downtown Baghdad with Baghdad International Airport. U.S. troops fired on a car carrying Giuliana Sgrena, an Italian journalist who had just been released after being held hostage, and Nicola Calipari, an Italian special agent. Calipari died in the incident, while Sgrena and the car's driver suffered injuries.
Multi-National Force-Iraq issued a report April 30 in PDF, outlining its investigation of the shooting. That report was posted as an unclassified document, with blocks of classified redacted data obscured from public view. But an Italian blogger discovered that copying and pasting the classified sections into Microsoft Notepad revealed the blocked text.
MNF-I now is getting a primer on the proper ways to redact information.
'The procedures that we used [to safeguard the classified information] were inadequate,' Air Force Col. C. Donald Alston, MNF-I's chief of strategic communications, told the European and Pacific Stars and Stripes newspaper. 'We consider this a very serious matter.'
Army Lt. Col. Steven A. Boylan, who works in Multi-National Force-Iraq public affairs, said MNF-I is conducting an internal review to 'determine and to help ensure our processes are solid [and] appropriate for our operations.'
Unused tool
The breach arose from not using a redaction tool with Adobe Acrobat, which MNF-I workers used to prepare the PDF, according to John Landwehr, the group manager for security solutions and strategy at Adobe Systems Inc. of San Jose, Calif. Acrobat doesn't include a redaction tool, but there are applications that work with it.
It appears the document's author 'simply changed the background color of the text to match the font,' Landwehr said. 'The underlying ASCII text is still there. Had they used an actual redaction tool in the PDF, the text would have been completely removed.'
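The failure Landwehr describes can be checked for before a document is released. The following added example (not from the article, MNF-I or Adobe) parses a constructed, uncompressed PDF content stream and reports text that is still present but drawn in the colour of the box around it; it goes beyond the article's case by also flagging text painted over by a later rectangle. The function name and sample stream are assumptions for illustration, and real PDFs usually need their streams decompressed first.

```python
import re
# Constructed sample (not from the report): an uncompressed PDF content stream.
SAMPLE_STREAM = b"""
0 g
BT /F1 12 Tf 72 700 Td (The convoy left at) Tj ET
72 676 300 16 re f
BT /F1 12 Tf 74 680 Td (CONSTRUCTED-SAME-COLOUR) Tj ET
1 g 72 650 300 16 re f
0 g BT /F1 12 Tf 74 654 Td (Visible caption) Tj ET
BT /F1 12 Tf 74 630 Td (CONSTRUCTED-COVERED) Tj ET
0.5 g 72 626 300 16 re f
"""

# Literal strings (simple escapes only, no nested parentheses) or bare tokens.
TOKEN = re.compile(rb"\((?:\\.|[^\\)])*\)|[^\s()]+")

def hidden_text_runs(stream):
    """Return text still present in the stream but not visible: drawn in the fill
    colour of a rectangle around it, or painted over by a later rectangle."""
    fill = (0.0, 0.0, 0.0)            # PDF default fill colour is black
    pos, args, path, boxes, texts = (0.0, 0.0), [], [], [], []
    for seq, m in enumerate(TOKEN.finditer(stream)):
        tok = m.group()
        if tok[:1] in b"(/":          # string or name operand
            args.append(tok[1:-1].decode("latin-1") if tok[:1] == b"(" else tok)
            continue
        try:
            args.append(float(tok))   # numeric operand
            continue
        except ValueError:
            pass                      # anything else is an operator
        if tok in (b"g", b"rg"):      # set fill colour (gray or RGB)
            fill = tuple(args[-3:]) if tok == b"rg" else (args[-1],) * 3
        elif tok == b"re":            # rectangle added to the current path
            path.append(tuple(args[-4:]))
        elif tok in (b"f", b"f*", b"B", b"n", b"S"):   # path painted or dropped
            boxes += [(seq, fill, r) for r in path if tok not in (b"n", b"S")]
            path = []
        elif tok == b"BT":            # text object starts at the origin
            pos = (0.0, 0.0)
        elif tok == b"Td":            # move text position
            pos = (pos[0] + args[-2], pos[1] + args[-1])
        elif tok == b"Tj":            # show text
            texts.append((seq, fill, pos, args[-1]))
        args = []
    return [s for t_seq, t_fill, (px, py), s in texts
            if any(x <= px <= x + w and y <= py <= y + h
                   and (b_fill == t_fill or b_seq > t_seq)
                   for b_seq, b_fill, (x, y, w, h) in boxes)]
```

An empty result for every page is the release condition: a box with no text behind it passes, while any returned string means the content was hidden rather than removed.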
Alan Paller, director of research for the SANS Institute of Bethesda, Md., said this type of user error is one that most people don't realize they are making.
'Any software package that allows the user to make substantial security errors should be changed,' Paller said. 'It would be very easy. When a document is made, the program, whether it is Adobe or Microsoft or whatever, should bring up a window to ask whether the user would like the history erased. But trying to teach people what to do and how to do it is unrealistic.'
'People are lulled into false safety with PDFs,' said Joe Fantuzzi, CEO and president of Workshare, a London-based document security company whose customers include the Army, Air Force and Defense Department.
Fantuzzi's company developed Workshare Professional software, which can add security to PDF and Microsoft documents.
Permanent removal
A similar software package, Redax from Appligent of Lansdowne, Pa., also permanently deletes unwanted or protected information from a file, according to company president Virginia Gavin.
'Redax would also have removed XML metadata and custom information fields,' Gavin said. 'As it was, the military document was released with a tremendous amount of metadata regarding where the document originated.'
The classified information unintentionally released in the report showed a breakdown in communications with voice over IP between members of the command chain.
According to the redacted information, a checkpoint was set up on March 4 for a U.S. ambassador traveling to Camp Victory outside Baghdad. The convoy transporting the ambassador had initially decided to drive to the airport, due to harsh weather conditions, via Route Irish.
But the VIP decided to return to Baghdad by helicopter, rather than car, and problems with VOIP prevented troops from communicating a change in plans with each other.
FM radio was another means of communication available, the report said, but the captain did not attempt to use it.