Security Basics mailing list archives
Re: Information Rights Management
From: "steve" <securityfocus () delahunty com>
Date: Tue, 10 Aug 2004 07:55:57 -0400
A related article: http://www.businessweek.com/cgi-bin/register/archive.cgi?c=&y=04&w=16&h=b3879047.htm Don't Let Word Give Away Your Secrets April 19, 2004 | Technology & You -- Hidden data can reveal too much about a document's murky past Check out http://www.cutepdf.com/Products/CutePDF/writer.asp to be able to print to PDF. Take a look at http://www.rightsmarket.com for a product that does basically what you are asking about below. Here is the policy we drafted where I work: Document Development and Release Policy Background. Microsoft Office®/Microsoft Word® (.doc) is clearly the most productive <insert company name> application for developing, updating, editing, and otherwise manipulating <insert company name> documents. However, if those documents are released to non-<insert company name> personnel (e.g. vendor or public), some risks may arise. Those risks entail an audit trail from document creation to final product that potentially includes the personnel involved in the document development, dates of origination and change, and accepted/rejected edits. Certain version information and editor details are still retrievable even if all edits have been accepted in a document, so accepting all edits is not enough protection. While seemingly harmless, this does expose some risk on <insert company name>'s behalf. Examples. It is likely that <insert company name> would not want others to know that <insert company name> used a template from another organization, since it would appear as if the other organization authored the <insert company name> document. <insert company name> may not want others to know who was involved in editing a document, parties editing within <insert company name> and outside. A common mistake when accepting edits is to assume that the document is clean for distribution when in fact Comments that were inserted are not removed. Policy. Given this risk, all <insert company name> documents released to third parties should be converted into Adobe Acrobat® (.pdf) format. With a simple utility installed, <insert company name> staff can easily convert a Word® document into an Acrobat® file or vice versa for any necessary changes. <insert company name> staff can utilize the utility to convert anything that can be printed into a Acrobat® file. Receiving parties can download and use the Acrobat® Reader free of charge from the Adobe website. Exceptions. In certain cases <insert company name> may wish to collaborate on Microsoft Word® documents with outside parties. In extreme cases <insert company name> may wish to leave revision checking intact for certain reasons. In other cases where Microsoft Word® documents need to be sent to outside parties, the <insert company name> sender should remove the edits and hidden data fully by using the Remove Hidden Data add-in of Microsoft Office. Implementation. <insert company name> IT has provided both an Adobe Acrobat® writer utility and the Remove Hidden Data add-in of Microsoft Office. For information or assistance with using either of those applications please contact the <insert company name> helpdesk. ----- Original Message ----- From: "The Janitor" <thejanitor () fastmail fm> To: <security-basics () securityfocus com> Sent: Monday, August 09, 2004 1:18 PM Subject: Re: Information Rights Management Hi Why not send password-protected PDFs? They're smaller as well. -- Best regards William
------------Original Message------------ From: "Philip Wagenaar" <p.wagenaar () accon nl> To: security-basics () securityfocus com Date: Mon, Aug-9-2004 6:00 PM Subject: Information Rights Management Hi, Rrecently we (our company) asked ourselves the question what if clients modify a document we send them (in ie. Word format) and change figured and numbers (ie. made more profit) and resend that document to another part (ie. an investor)? First of all, most topis on this list are very technical, but what is the use of a highly secure network if these weaknesses still exist? Microsoft Office 2003 uses Information Rights Management to protect office files from being altered and as I understand can also sign them digitally. If a client doesn't have Office 2003 they can use a browser plug-in from Microsoft to still view the document. This is as far as I know the only product for office enviroments that has protection against altering. (By the way, IRM is much more secure then the standard-passwords protection for office files). I looked at other solutions, like Pretty Good Privacy, but they are a hassle to work with. Maybe not for us, but for home users it is. Does anyone have experience with making sure that information (ie. office files) that leave the corporate network from being abused? I also came along a tool from Microsoft that removes all the extra information from Office files (ie. author, who viewed it, who edited it, etc, etc). Does anyone also know of a product that does this automaticly and intergrated with E-Mail clients? Met vriendelijke groet, Philip Wagenaar Junior Projectleider ICT AccoN Accountants & Adviseurs ICT Project Bureau Postbus 5090 6802 EB Arnhem The Netherlands tel. +31 (0)26-3842384 fax. +31 (0)26-3630222 mobile: +31 (0)6-25388935 MSN/E-mail: p.wagenaar () accon nl Yahoo: philip_wagenaar http://www.accon.nl ################################################################## Dit e-mailbericht is uitsluitend bestemd voor de geadresseerde. De informatie hierin is vertrouwelijk, zodat het derden niet is toegestaan om daarvan kennis te nemen of dit te verstrekken aan andere derden. Indien u dit e-mail bericht ontvangt terwijl het niet voor u bestemd is, verzoeken wij u contact op te nemen met de afzender en de informatie te verwijderen van iedere computer. Bij voorbaat dank. ================================================================== The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and contains confidential information. Any review, retransmission or other use by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Thank you. ##################################################################
############################################################################ #########
This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal
############################################################################ #########
--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html --------------------------------------------------------------------------
--
. __________ NOD32 1.835 (20040806) Information __________ This message was checked by NOD32 antivirus system. part000.txt - is OK http://www.nod32.com
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Information Rights Management Philip Wagenaar (Aug 09)
- Re: Information Rights Management The Janitor (Aug 09)
- RE: Information Rights Management Wilfred Smith (Aug 10)
- Re: Information Rights Management steve (Aug 10)
- <Possible follow-ups>
- Re: Information Rights Management nee cee (Aug 10)
- Re: Information Rights Management The Janitor (Aug 09)