T 2.54 Loss of confidentiality through hidden pieces of data
When data is communicated electronically or data media are transferred, it is not unusual for information that should not be passed on to leave the organisation. The following are some examples of possible reasons why information might be disclosed unintentionally:
- A file contains text passages that are formatted to be "hidden" or "invisible". Such text passages can include comments not intended to be seen by a recipient.
- Files created with standard software such as word processors or spreadsheet programs can contain a lot of additional information such as directory structures, version numbers, authors, comments, editing times, last print dates, document names and document descriptions. In particular, functions that allow several persons to work on a document simultaneously must be emphasised in this context. Such functions do not really delete the text passages overwritten or deleted from a document, but merely flag them as deleted so that later on another editor can undo some or all of the changes. Virtually all office software (Microsoft Office and OpenOffice, for example) offers this option. If the data contained in these changes is not removed before the document is passed on, the recipient could receive not just the actual document but a wealth of additional information as well.
- Virtually all the office packages available today provide "fast save" options for documents in which only the changes made to a document are saved. This is quicker than a full save operation in which the office software saves the completely revised document. However, a full save requires less storage space on the hard disk than a fast save. The critical disadvantage, however, is the fact that a file saved using a fast save function can contain fragments of text that the author did not intend to pass on.
- Another way that information not intended for outsiders can be passed on is through functions which, for example, allow a table from a spreadsheet document to be embedded in a text document or presentation in such a way that the spreadsheet table can be edited directly in the text document. If such a text document is passed on, a lot more information from the spreadsheet document than is actually visible in the text document could also be passed on under certain circumstances.
- When a file is copied to a diskette, the physical memory area (block) needed is filled entirely. If the original file does not require an entire memory block, then the unused part of the block (after the end-of-file indicator) is filled up with any residual IT system data found.
- On z/OS systems, deleted members are not immediately overwritten in the library (PDS - Partitioned Dataset). Only the entry for the member in the PDS directory is deleted. The information relating to the old member is only overwritten once free space is required in the PDS. The data not yet overwritten can be read using a utility program.
- When files on a hard disk are deleted in a z/OS system, the files are flagged as deleted in the Volume Table of Content (VTOC), but the files themselves are not deleted from the hard disk. The files are not overwritten until new data needs to be saved on the hard disk and there is no more free space available. Someone who succeeds in reading the storage location of the file from the VTOC would be able to edit and restore the file using special programs. The same applies to tapes that are marked as empty tapes, but have not yet been overwritten.
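The office-document cases in the list above (hidden text, tracked changes, comments, author metadata, embedded spreadsheets) can be checked for before a file leaves the organisation. The following is an added example, not part of the original catalogue text; it assumes the Office Open XML `.docx` format, and the sample package and the names `audit_docx` and `build_sample` are constructed for illustration:

```python
import io
import re
import zipfile

# WordprocessingML markers for content a reader of the rendered page does not see.
CHECKS = {"tracked deletion": rb"<w:del\b", "tracked insertion": rb"<w:ins\b",
          "hidden text": rb"<w:vanish\b"}
CORE_TAGS = (b"dc:creator", b"cp:lastModifiedBy", b"cp:lastPrinted")

def audit_docx(data: bytes) -> dict:
    """Return findings for a .docx package given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        body = z.read("word/document.xml") if "word/document.xml" in names else b""
        for label, pattern in CHECKS.items():
            hits = len(re.findall(pattern, body))
            if hits:
                findings[label] = hits
        if "word/comments.xml" in names:
            comments = z.read("word/comments.xml")
            findings["comments"] = len(re.findall(rb"<w:comment\b", comments))
        if "docProps/core.xml" in names:
            core = z.read("docProps/core.xml")
            for tag in CORE_TAGS:
                m = re.search(b"<" + tag + b"[^>]*>([^<]+)</" + tag + b">", core)
                if m:
                    findings[tag.decode()] = m.group(1).decode("utf-8", "replace")
        embedded = sorted(n for n in names if n.startswith("word/embeddings/"))
        if embedded:
            findings["embedded objects"] = embedded
    return findings

def build_sample() -> bytes:
    """Constructed minimal package holding only the parts the audit reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
            '<w:p><w:r><w:t>Price list</w:t></w:r>'
            '<w:del w:id="1"><w:r><w:delText>old margin 40%</w:delText></w:r></w:del>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r></w:p>')
        z.writestr("word/comments.xml", '<w:comments><w:comment w:id="0"/></w:comments>')
        z.writestr("docProps/core.xml", "<dc:creator>jdoe</dc:creator>")
        z.writestr("word/embeddings/sheet1.xlsx", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

An empty result means none of these markers were found; it does not cover the older binary formats or fast-save fragments.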
Residual information on data media
On most file systems, files deleted by the user entering a delete command are not really deleted in the sense that the information no longer exists after the command has been executed. Normally, only the references to the file are deleted from the administration information of the file system (e.g. from the File Allocation Table in a FAT file system) and the blocks that belong to the file are marked as "free". The actual content of the blocks on the data medium is retained, however, and can be reconstructed with appropriate tools.
If data media are passed on to third parties, for example
- when a computer is taken out of service and sold,
- when a defective machine is sent in to be repaired or is replaced under the terms of the warranty, or
- when a data medium is handed over to a business partner when exchanging data media,
then sensitive information may be disclosed to the outside world.
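Because deletion only removes references and slack space keeps whatever was there before, a medium can be checked for leftover content before it is handed over. The following is an added example, not part of the original catalogue text; it assumes a raw image of the medium, a 512-byte sector size and an all-zero wipe pattern, and the image contents are constructed:

```python
import re

SECTOR = 512  # assumed sector size

def residual_report(image: bytes, wipe_byte: int = 0x00, min_len: int = 6) -> list:
    """List (sector index, printable fragments) for every sector that is
    not filled entirely with the wipe pattern."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    clean = bytes([wipe_byte]) * SECTOR
    report = []
    for offset in range(0, len(image), SECTOR):
        sector = image[offset:offset + SECTOR]
        if sector != clean[:len(sector)]:
            frags = [m.decode("ascii") for m in printable.findall(sector)]
            report.append((offset // SECTOR, frags))
    return report

def put(img: bytearray, offset: int, data: bytes) -> None:
    """Write data at offset without changing the image size."""
    img[offset:offset + len(data)] = data

def build_image() -> bytes:
    """Constructed 8-sector medium: one deleted file, one file with slack."""
    img = bytearray(SECTOR * 8)
    # Sector 2: content of a "deleted" file. Its directory entry is gone and
    # the block is marked free, but the bytes were never overwritten.
    put(img, 2 * SECTOR, b"Memo: salary review for J. Doe\n")
    # Sector 5: a short live file, followed by older data left in the slack
    # after the end of the file.
    put(img, 5 * SECTOR, b"public text\n")
    put(img, 5 * SECTOR + 100, b"customer 4711 credit limit")
    return bytes(img)

if __name__ == "__main__":
    for index, fragments in residual_report(build_image()):
        print(f"sector {index}: {fragments}")
```

Run against the unallocated area of a medium, any reported sector is content that a recipient with appropriate tools could reconstruct.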
Examples:
- Between 2000 and 2002, the researchers Simson Garfinkel and Abhi Shelat from MIT purchased a large number of second-hand hard disks from various dealers through the online auction house eBay and examined these to see what residual information they contained, if any. They found an alarming quantity of data, for example,
  - internal company memos relating to personnel
  - a large number of credit card numbers
  - medical information
  - e-mails
- While using a different editor, one user accidentally discovered several URLs, along with a user name and a password for a web server, in a file he was about to send. The address of a web document is called a URL (Uniform Resource Locator). Access to the web page can be password-protected.
- Presentation slides created with Microsoft PowerPoint were handed over as files to a third party by a government agency. It was discovered later that, in addition to the presentations, the files also contained information about the user's computer environment, such as the names of the newsgroups to which he was subscribed and which news items he had already read. Among other things, the PowerPoint file contained the following entries:
  de.alt.drogen! s21718 0
  de.alt.dummschwatz! s125 0
- Two sales representatives from competing companies exchanged presentations they held at a business event. One of the PowerPoint documents contained a small table with end customer prices for products from that company. When the recipient opened the presentations, he discovered that the small table was part of an extensive spreadsheet document embedded in the presentation containing all the price calculations of the competing company.