Rossander’s Security Reader

Shredding is the ultimate defense, right? Once it’s shredded, it’s gone!

No longer. It was always vulnerable if your attacker had the shredded chaff and plenty of free time. Think of the shredded embassy documents from the Iranian Hostage crisis of 1979. Those students reconstructed the pages with nothing more than scotch tape and patience. More recently, methamphetamine users have been hired by identity theft ringleaders to do the same thing.

Bill Wilson recently found a number of services which make the “unshredding” problem much more manageable. In the Enron case, the government hired ChurchStreet Technology to scan the chaff, then used computer algorithms to piece the documents together. They claim to take the recovery time from hundreds of hours down to mere minutes. It’s expensive but not terribly complicated.

So how do you fully protect your waste paper in this new environment?

1. If you’re still using a strip-cut shredder, get rid of it now. Upgrade to a cross-cut that chops the paper into very small bits of chaff.
2. Feed your pages into the shredder vertically, that is, with the words perpendicular to the shredder blades.
3. Don’t have unusual-colored paper. Or if you do, shred enough of it that it can’t be easily picked out. The rule in the army used to be no less than 20 sheets of any given paper type in each shred “lot”.
4. Stir the chaff before disposal. A careful opponent could exploit the fact that pieces from the same document tend to come out of the shredder close to each other and remain so in the waste bag. A few quick stirs can randomize the chaff and make reconstruction much harder.
5. Send the chaff to a paper recycler. Even the best reconstructors can’t bring a page back after it’s been turned into new paper pulp. Of course, you have to be sure that your waste isn’t intercepted before it hits the recycler but there are several bonded shredding companies that will do that for you.

How much is enough? It depends on who’s out to get you. For most home users and small businesses, step two is probably enough. If you really have something to hide, consider three and four and look into five when your shredding contract comes up for renewal. Find the right balance, remembering that identity theft is real but that most of us are not dealing with DoD nuclear secrets.

Bill Wilson writes a weekly newsletter for the Big I Virtual University, an arm of the Independent Agent’s Association. It’s filled with useful information and includes a technology column in almost every issue. If you have a small business, you should consider subscribing to his newsletter even if you’re not in insurance.

Google continues to roll out new applications to make sharing information easier. Kudos to them for some really creative programming. From a security point of view, though, you have to wonder what they are thinking.

Their Google Apps Team Edition allows employees to sign up for the Google Applications without any assistance or oversight from IT. Team Edition contains the core applications and collaboration services like the word processor, spreadsheet, Start page, Talk instant messaging and calendar, but does not include Gmail.

In any regulated or litigious industry, this is a recipe for disaster. You might save a few bucks on word processing and spreadsheet software but you’re going to pay far more the first time you have to comply with an electronic discovery request or get into a dispute based on the Terms & Conditions of the application. No only are you putting your confidential data in someone else’s hands and trusting to the security of their data center with little or no evidence of their worthiness of that trust, you’re also still exposing all your data to the Google search indexing algorithms. (For more, see the Tip from April 2007.)

Luckily, you can block the worst aspects of the application/data sharing without having to block off all of the google.com domain. If your internet filter has a category for filesharing or for “Network Storage and Backup”, make sure that category is blocked. You should also strongly consider blocking any category about “Web chat” so you don’t have to worry about electronic discovery requests for instant messages that you didn’t properly control.
Read more about Google Apps latest attempt to bypass the business at ComputerWorld.com.

Update to Suing the scareware vendors (27 Oct 2008)
The Federal Trade Commission has gotten a restraining order against two companies who were marketing scareware software. It’s very good to see law enforcement successfully prosecuting these scammers. Remember, however, that there are lots more out there. Always be suspicious of pop-up ‘alerts’ and ads warning you about “illegal porn content” or “compromised software” on your computer. Read more at the FTC’s consumer alert page.

We talked last week about the problems of holding onto old documents. Microsoft just made the problem even more complicated.

In the Service Pack 3 (SP3) update for Office 2003, Microsoft is blocking a number of older file formats so they can no longer be opened by MS products like Word, Excel or Powerpoint. Microsoft is walking away from it’s commitment to backwards-compatibility because many of the older file formats had weaknesses that could be exploited by hackers to insert viruses and other malicious code into your computer. By disabling the older formats, Microsoft reduces the vulnerability of the Office applications to some of those kinds of attacks.

The problem is that if you are keeping old files in their native format as part of your records retention plan, you may no longer be able to open them. (Worse, if you get sued and have to turn over those documents, the courts don’t care about format compatibilities. You still have the document – it’s your responsibility to make sure that they can be opened and evaluated.)

Microsoft has two workarounds for this problem – neither very good.

The first involves modifying your registry settings so your computer can still open the older formats. That is a high-risk action and I do not recommend it. Not only does it defeat the security advantage of the change, any mistake when editing the registry settings can corrupt your entire computer. Even Microsoft warns against it saying “Serious problems might occur if you modify the registry incorrectly.” and “Modify the registry at your own risk.”

The second is to convert all your historical documents to the newer format. Microsoft has some automated tools to help but the conversion process is much more labor-intensive and error-prone than I think Microsoft wants to admit. I would seriously question the business case for converting any but your most critical of official records.

There is a third option which I consider far better. Take this opportunity to check those old documents against your retention policy and clean out the ones that you should have gotten rid of long ago. For the few that you must retain, make sure that you are keeping your business records in a stable format. Don’t save files in their native MS Word document format – convert them to pdf or even tiff. Those formats are simpler and have far fewer holes that a hacker could exploit. They’re also designed to remain readable across many generations of software.

Call your IT team for instructions on how to convert an old file to an updated format.

Addendum:
Bill Wilson at IIABA’s Virtual University published the tip above in his newsletter and received the following question.
What are the file extensions that Microsoft has abandoned? I think it would be very helpful to know as we would then be able to do searches for those file types stored on our system. Thank you.

As Bill pointed out to the caller, the file extensions alone will not tell you which file formats have been disabled since Microsoft continues to use the same file extensions for the newer versions of it’s software. (A Word document carries the .doc extension whether it’s Word 1.2, Word 2003 or any version in between.) Microsoft has a little bit more information about the changes here but no new answers.

You can read another article about the problem at wired.com.
Thanks to Bill for finding those extra links.

Holding onto old documents is hard and far more expensive than most people realize.

In the paper world, the paper just keeps piling up. The paper must be protected from theft and damage (fire and water) and if it’s ever going to be useful again you need some sort of filing and record-keeping system. A proper records retention facility is expensive to run.

With electronic documents and cheap memory, many people started to think that we could now hold onto everything. A two-gigabyte thumbdrive can hold up to the equivalent of 400,000 pages of documents. That’s 80 boxes of copy paper. And, being electronic, I can type in a few keywords and let the computer find the document I want. No more filing! Right?

Not by a long shot. Memory may be cheap but usable storage isn’t.

Electronic storage costs explode as file formats change over time. For example, a first notice of a claim involving a minor child has to be kept for up to 24 years (the child’s age of majority plus four). What word processor were you using 24 years ago? What printer was the program compatible with? What operating system did it run on? What drivers did it need to operate? What hardware did it use? When was the last time you even saw a 5¼” floppy drive, much less an old 8″ floppy? How much can you afford to pay IT to keep a working version of every system and application in the company’s history?

And that’s assuming you can find the file in the first place. We are used to thinking of searching as being as easy as Google. In fact, searching for documents is very hard when documents are scattered across ad-hoc structures like personal hard-drives and departmental folders. Solutions that try to solve the ad-hoc storage (like Google Desktop) create new problems, especially around the security of the index.

Keeping old records also exposes you to legal costs down the road. Under the new electronic discovery rules, a company must search through all its old documents just to see if they hold anything that might possibly be relevant to the lawsuit. One class action lawsuit can run into millions of dollars just in search and review costs – and that’s even if you don’t find anything. If you do have a relevant document, now you have to convert it, produce it and defend it from anyone who tries to take your words out of context. That’s expensive.

• If your Records Retention Policy doesn’t explicitly require you to keep the record, don’t keep it. Throw it away and then you don’t have to worry about storage or formats. The cost of recreating those few useful things that we lose will be far less than the cost of hanging on to all the rest of the trash.
• If you do have to keep a document, think long and hard about what format to save it in. Convert the file to a more stable format such as pdf or even tiff. Those formats are designed to remain readable across many generations of software. Call your IT team for instructions on how to save a file to an alternate format.

Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?

Technically, metadata is data about other data. If the customer’s address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.

From a legal point of view, metadata is everything about the document that’s not immediately visible when the document is printed. It includes all the MS Office "properties" like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.

For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report’s author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.

When you get into a legal situation, metadata becomes even more important. Metadata is used to show “who knew it and when they knew it” – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.

And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don’t want public.