by Jerry Askew, Chief Technology Officer, Loeb & Loeb, LLP
Do you know where your documents have been today? What if you could? More importantly, what if someone else was able to find out where your documents have been? A new technology exploit can do just that - and it promises to make "metadata" look like child's play.
Imagine for a moment that you are working on a highly confidential securities deal. In preparation for closing the deal, you pull up several forms, make the necessary changes and then e-mail the documents to your client for review. You didn't really think about where your forms came from - you just pulled them in from a similar deal that one of your partners did last month. What you didn't realize is that, somewhere in the documents' past, someone planted a web-bug inside one or more of the documents. The web-bug's job is to report back to its owner whenever the document is opened. When your client opens the document, the owner of the bug will be notified within a few seconds. In the case of your securities deal, the bug's owner will soon be on the phone with their stockbroker.
It's important to know what a web-bug is, but it's more important to know what a web-bug is not. A web-bug is not a virus and will not be detected or removed by a virus scanner. A web-bug isn't metadata; nor is it a macro -- Microsoft Word will not warn you about it. A web-bug is not a computer bug and will not be fixed in the next security patch for Microsoft Office, Windows, or anything else. A web-bug is simply a novel use of the underlying technology that unifies the data on the Internet and is fundamental to all web-enabled applications.
Now that you know what a web-bug is not, you are probably wondering exactly what this eavesdropping technological deviant is. A short review is necessary. Modern applications place a great emphasis on being "web-enabled" -- a term that means many things to many people. One aspect of web-enabling is to allow the incorporation of web-based content (e.g., web pages, images, sound, etc.) into your document, spreadsheet or presentation. Whenever a document containing web-based content is opened, the application must retrieve that content from the Internet for display. This behavior is what allows a web-bug to exist.
Web-bugs can be almost anything, but they typically exist as an image -- an invisible image to be more precise. A web designer can create an image as small as a dust speck, and then make it transparent. The bug would be about as noticeable as a speck of chalk dust on a whiteboard. The image is then embedded in a document, and the document is sent off to travel the world. Whenever the document is opened, it automatically and invisibly accesses the Internet to retrieve the embedded image. The server that hosts the image will record information about the access and notify the owner of the bug.
Web-bugs do have their limitations. A web-bug will not work unless the target computer is connected to the Internet at the time the document is opened. This is not really a serious limitation in today's connected world. Even so, the information that a web-bug can communicate is limited. Aside from simply knowing that a given bug has been activated, the bug's owner will know the Internet address of the system that opened the document, the type of browser that the target machine is using, and a few more trivial tidbits of information. A firewall will prevent the target machine's Internet address from being sent, substituting its own instead. Nevertheless, the bug's owner can still associate the address with a given company. One frightening possibility is that Internet "cookies" could be used to further identify the target machine and the person behind the keyboard.
So, what can be done to protect oneself from the prying eyes of a web-bug? A two-pronged defense is necessary:
* First, you should scan any documents, both when they arrive and prior to sending them out, for both metadata and web-bugs. Many commercially available law firm macro packages will scan for and eliminate metadata. As of this writing, I am not aware of any commercially available products that will detect web-bugs, so this must be done manually (or have your favorite IT guru write a macro). The process for Microsoft Word is fairly straightforward. Turn on Field Codes by selecting Tools from the menu bar, then Options. Check the box labeled "Field Codes" and click "OK". Now select "Edit" from the menu bar, then "Replace". In the Replace dialog, place your cursor in the "Find What" field and type "^d INCLUDEPICTURE" (there is a space after ^d, and you should not include the quotes). Make sure that the "Replace With" field is empty and click "Replace All". Note that this will delete all graphics (including web-bugs) in your document. If you need to be more selective about this process, you can use "Find Next" and "Replace" to step through the document. Each time you click "Find Next", the search should proceed to the next picture in the document. If the search stops on something other than a picture that you recognize, you may have encountered a web-bug. The suspect image can be removed by clicking "Replace".
* Second, you can install a personal firewall such as ZoneAlarm (www.zonealarm.com) or, for more advanced users, Tiny Personal Firewall (www.tinysoftware.com). Upon opening a bugged document, the firewall will warn you that Microsoft Word (or Excel, PowerPoint, etc.) is attempting to access the Internet. These applications normally have no reason to access the Internet, so such activity is suspicious and should be blocked.
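The manual INCLUDEPICTURE search in the first step can be automated. The following is an added example, not part of the original article: it assumes the newer .docx (Office Open XML) container, which the article does not discuss, and goes one step further by also reporting linked images stored as external relationships. The names find_web_bugs and build_sample and the host tracker.example are hypothetical, and the sample document is constructed in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"
IMG = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
# The field code the article searches for, followed by a remote URL.
REMOTE_FIELD = re.compile(r'INCLUDEPICTURE\s+"?((?:https?|ftp)://[^"\s]+)', re.I)

def find_web_bugs(docx_bytes):
    """Return sorted (kind, part, url) tuples for pictures fetched from a remote server."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                # Linked (not embedded) images are recorded as external relationships.
                for rel in ET.fromstring(z.read(name)).iter(f"{{{REL}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type", "").endswith("/image"):
                        hits.add(("linked-image", name, rel.get("Target")))
            elif name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                # Word may split one field code across several runs, so join before matching.
                code = "".join(t.text or "" for t in root.iter(f"{{{W}}}instrText"))
                code += " " + " ".join(f.get(f"{{{W}}}instr", "") for f in root.iter(f"{{{W}}}fldSimple"))
                for m in REMOTE_FIELD.finditer(code):
                    hits.add(("field", name, m.group(1)))
    return sorted(hits)

def build_sample():
    """Constructed sample: a remote INCLUDEPICTURE field split across two runs,
    one linked remote image and one ordinary embedded image."""
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
           '<w:r><w:instrText> INCLUDEPIC</w:instrText></w:r>'
           '<w:r><w:instrText>TURE "http://tracker.example/1x1.gif" \\d </w:instrText></w:r>'
           '</w:p></w:body></w:document>')
    rels = (f'<Relationships xmlns="{REL}">'
            f'<Relationship Id="rId1" Type="{IMG}" Target="http://tracker.example/pixel.png" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{IMG}" Target="media/logo.png"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_web_bugs(build_sample()):
        print(*hit, sep="\t")
```

Pictures embedded in the file or referenced by a local path are not reported; only references that would cause a network fetch when the document is opened are.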
The very existence of the web-bug raises serious confidentiality concerns. Fortunately, the potential for damage can be significantly reduced by consistently cleaning documents both upon receipt and before sending them out.