Fortune 100 Files Expose User Names, Employee Email Addresses, Hidden Text, Track Changes and More, According to Bitform Technology Inc.

CHICAGO -- Study of publicly accessible files reveals the high percentage of Microsoft Office files that contain sensitive metadata and hidden information

A recent study conducted by Bitform Technology Inc., a software component developer of tools for content inspection and security, analyzed Microsoft(R) Word, PowerPoint and Excel files available on the Web sites of Fortune 100 companies, resulting in the identification of thousands of user IDs and email addresses, comments and track changes, hundreds of PowerPoint files containing obsolete text and speaker notes, and thousands of files that contain network paths.

For the study, Bitform analyzed 8,038 files for more than two dozen specific types of metadata and hidden information which have the potential to expose proprietary or confidential information, breach corporate policies and open security holes. The study was performed to increase awareness and quantify the magnitude of this threat.

There are thousands of instances of information exposure that was likely not intended to be made public. Some interesting, but common examples include:

--A white paper from a computer manufacturer contains comments intended for internal review, acknowledges scalability issues of a partner product and how this presents a competitive disadvantage.
--A press kit document from an auto maker announcing the arrival of a new model contains more than 500 user names identified as Contributors under Author Information.
--A contract from a telecommunications company contains dozens of track changes - both insertions and deletions - potentially exposing negotiable terms.
--A customer presentation from an equipment manufacturer contains a comment that questions whether the facts in a slide are accurate, and the name of a prior presenter deleted from the first slide but viewable as Fast Save data.
--An executive bio document from an aerospace company contains the executive's email display name and email address in the custom properties.

"As content-related security in general and the inside-out security threat in particular continue to gain focus, it's remarkable how much information is accidentally exposed through seemingly benign documents that organizations generate every day," says Joe Keslin, CEO and Co-founder of Bitform. "You don't have to expose your trade secrets to open your organization to potential harm. For instance, what we call Outlook Properties is a great example of information that you probably don't want to expose to the world. This includes a user's email display name, the subject line of the email that contained the file attachment, and the sender's email address. As an executive, I don't want my employees' display names and email addresses made available to competitors, recruiters, social engineers, hackers or anyone else that we don't explicitly want to share this information with."

Keslin points out the irony of companies spending significant dollars on solutions that protect against spam, phishing and intrusion, yet provide fodder for these very threats by sharing proprietary information represented by the metadata and hidden information identified in the study.

The type of information most commonly exposed, as a percentage of the total documents analyzed, ranks as follows:

--45.4% contain Author History - a list of user names of individuals who have opened and saved the document. These names are in addition to the Author Name found in the Properties Summary field, and cannot be seen through Word's interface.
--36.7% of the files included a path associated with the user name indicating where the file was stored on a user's system.
--30.9% contain printer information, which is the name of the default printer associated with the author's system.
--18% of the files include printer information that also exposes a network share name.
--14.4% of the documents include both an Author History and an associated network share name where the document was stored at some point in its lifecycle.
--17.1% expose "Outlook Properties," which are custom properties that include a user's email display name, email address and the subject line from the email that included the file as an attachment.
--13.6% of the files were PowerPoint presentations that included speaker notes.
--10.1% contained Fast Save data - text from Word files and PowerPoint presentations that have been deleted (no longer visible through the application interface), but which are still part of the electronic file.

"This study raises a number of questions. The most obvious being whether organizations and individual users really understand what information is being shared when they distribute, email or publish an Office file," states Keslin. "By performing analysis on a well-defined collection of files, we've been able to quantify this issue beyond the occasional incident that ends up in the press."

Keslin also points out that the high rate of sensitive information exposure among Fortune 100 companies is alarming considering the significant IT resources available to them. "I suspect this problem is more severe for smaller companies that don't have the resources or processes to review the information that is made available to the public. Further, we've only looked at files that were available to anyone who visits a Fortune 100 Web site.
I can only imagine what we'd find if we inspected files that are shared with third parties via email, posted to partner extranets or employee portals."

Detailed results of the study, including descriptions of the metadata and hidden information targets, and recommendations for minimizing these risks are available at www.bitform.net.

About Bitform

Bitform develops software components that leverage the company's expertise in unstructured data. The company focuses on the unique challenge of accessing, managing and securing information locked inside complex file types, and delivers enabling technologies that can be adopted for use across a broad spectrum of applications. Bitform offers these solutions via licensing agreements with enterprise and commercial software developers, appliance manufacturers and application service providers. For more information, visit Bitform at www.bitform.net.

Bitform is a trademark of Bitform Technology Inc. All other trade names are the property of their respective owner.