The News

↑ Grab this Headline Animator

10 December 2009

How the TSA Could Have Easily Avoided Its Recent Security Problem

The recent controversy over the accidental release of extremely sensitive security information by the TSA has been a huge embarrassment to the agency, and very likely revealed details about the TSA security process that could make it easier for individuals or groups to bring prohibited items into the secure areas of airport terminal or onto aircraft. It would also make it easier for someone to take steps to avoid extra screening at the airport.

TSA Problem Was Completely Avoidable
One step that the TSA reportedly took, putting five employees and contractors involved in the document release on administrative leave, may have only involved those who were responsible for preparing and releasing the document. Perhaps a more important issue is whether this problem could have been avoided. It is very likely that the problem was not only avoidable, but specific step-by-step procedures to avoid this kind of problem have been widely available to the US government for several years.

According to an article in Federal Computer Week, over the last few years, the US military in Iraq, the White House, and the US Department of Justice have all had similar situations where a improperly redacted document was released to the public, and the sensitive information within those documents were later uncovered.

In wake of those events, the National Security Agency (NSA) issued guidance to US federal agencies that included detailed instructions on how to process a word processing document in such a way that any sensitive information would be eliminated from the final PDF document. The report, titled “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF,” has been freely available to the public for several years, and the instructions in that document could have been used by the TSA to avoid their recent embarrassing episode.

Highlights of the NSA Report
Word processing documents such as Microsoft Word contain many kinds of information such as text, graphics, tables, images, and metadata, and more. This complex combination of data makes it easy to accidentally expose information, especially when someone does not properly remove sensitive information before the document is released to the public.

Techniques that work with printed documents, such as blacking out an area of text or graphics, or reducing the size of a graphic, often do not work with electronic documents because the information is still contained within the document. Most word processing documents also contain hidden information such as comments or prior versions of the document, that may also be very sensitive.

The NSA's document had very clear instructions that anyone could use to take an MS Word file or just about any other kind of word processing file and systematically remove any sensitive content, including metadata, before creating a PDF file for public distribution. Let's hope that the TSA has the good sense to follow the NSA's procedures, or something like it, the next time they redact a document.

Related Articles
TSA Releases Extremely Sensitive Security Information Online
Continued Fallout from TSA Release of Sensitive Security Information

Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original article on this topic
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News

No comments:

Post a Comment