CyberSecurity Institute

The password-protection feature in Microsoft Word – activated by clicking on Tools/Protect Document – can be bypassed, disabled or deleted at will, with the help of a simple programming tool called a hex editor.

Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. He explained that one of his company’s hardware suppliers is Dell, which emails its quotes on a form protected-Word document.

Following Delbrouck’s revelations, Microsoft updated its Knowledge Base article 822924, titled ‘Overview of Office features that are intended to enable collaboration and that are not intended to increase security’ to include the following warning to users: “When you are using the ‘Password to Modify’ feature, a malicious user may still be able to gain access to your password.”

Instead of using the protect feature, Thorsten Delbrouck advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe’s PDF, which he has recommended to Dell in Germany.

More info: [url=http://www.silicon.com/hardware/desktops/0,39024645,39117653,00.htm?foo=Word%20hole%20exposed%20with%20no%20fix%20on%20the%20way%2001-07-2004]http://www.silicon.com/hardware/desktops/0,39024645,39117653,00.htm?foo=Word%20hole%20exposed%20with%20no%20fix%20on%20the%20way%2001-07-2004[/url]

There are growing concerns that personal information being used by data processors such as offshore call centres may be abused once it is taken outside the reach of EU law enforcement bodies. And David Naylor, partner at law firm Morrison & Foerster, believes these fears are not without foundation, despite rules which make it illegal.

Naylor said there are laws in place which mean companies generally cannot enter into outsourcing agreements where personal data is transferred outside Europe unless it is to a country which shares the same rigorous levels of data protection or the individuals concerned have consented to the transfer of their data abroad. In addition, the company transferring the data must ensure that the outsourcing service provider meets other key criteria, such as guaranteeing levels of security and employee reliability. However, he warned “there is definitely a significant danger that data could be misused once it is taken outside the EU, even though any data controller thinking they can do so without breaking UK law would probably be entirely wrong”.

With so much data being transferred via so many transactions it is often difficult to spot the legitimate from the illegal. By moving operations offshore and adding a further level of complexity to this equation it is almost inevitable breaches, both deliberate and accidental, will occur. Naylor said: “Data is flowing from country to country at incredible speeds in ever greater volumes and the ability of regulators to control that and to ensure rules are observed and laws are obeyed is far from limitless.”

More info:[url=http://www.silicon.com/software/security/0,39024655,39117625,00.htm]http://www.silicon.com/software/security/0,39024655,39117625,00.htm[/url]