Full Report
R J Hillhouse (who has a fascinating background) found that when she double-clicked a graph on a slide deck belonging to the Office of National Intelligence (available from the DIA website), the linked spreadsheet popped up. This effectively revealed "the dollar amounts in tens of millions spent by the US Intelligence Community on contractors". Ages ago lcamtuf highlighted info leakage through MS Office files, and it seems these days lots of folks are making lots of money selling black-box, "I will prevent data leakage in your organization" type kit. I haven't looked in depth at too many of them but have to wonder how many of them would have caught the embedded spreadsheet at all.
Analysis Summary
# Incident Report: Unintentional Disclosure via Linked MS Office Document
## Executive Summary
An unintentional information disclosure occurred when a spreadsheet embedded behind a chart in a publicly accessible PowerPoint presentation hosted on the DIA website was opened by simply double-clicking the chart. The spreadsheet contained financial data on US Intelligence Community contractor spending that the slide itself did not show. The incident illustrates that the visible content of a document and the data it actually carries are not the same thing: a chart pasted from Excel brings its source workbook along as an embedded object, and a slide deck that looks sanitized can still ship that workbook to anyone who downloads the file.
## Incident Details
- Discovery Date: June 10, 2007 (Date of publication of the finding)
- Incident Date: The incident relates to the initial public posting of the document, presumed prior to June 10, 2007.
- Affected Organization: Office of National Intelligence (as named in the source; presumably the Office of the Director of National Intelligence, ODNI), owner of the slide deck. Defense Intelligence Agency (DIA), whose website hosted the file.
- Sector: Government/Intelligence/Defense.
- Geography: United States (Organization origin).
## Timeline of Events
### Initial Access
- Date/Time: Undetermined; occurred when the document was publicly posted online.
- Vector: Inadvertent publication of a file carrying an embedded spreadsheet object behind a chart.
- Details: R J Hillhouse downloaded a PowerPoint file (Everett.ppt) from the DIA website. Double-clicking a graph in the presentation activated the embedded object and opened the underlying spreadsheet. This is standard Office behaviour, not an exploit: a chart pasted from Excel is stored as an embedded object that carries its source workbook, and double-click edits that object in place. The workbook held dollar figures that the rendered chart did not display.
### Lateral Movement
- Not applicable. This was a data leakage event via passive document structure, not an active network intrusion.
### Data Exfiltration/Impact
- The dollar amounts, in the tens of millions, spent by the US Intelligence Community on contractors were revealed.
### Detection & Response
- Discovery: Detected by R J Hillhouse through routine interaction (double-clicking a graph).
- Response actions taken: Not described in the source. The researcher published the finding on June 10, 2007; public disclosure of this kind normally leads the owning agency to remove or replace the file, but the source does not confirm what was done.
## Attack Methodology
This scenario describes information disclosure rather than a malicious attack:
- Initial Access: Passive access to a publicly available file (DIA website).
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: User action (double-click on the chart) activated the embedded spreadsheet object and opened it in the spreadsheet application. No hyperlink, network fetch or code execution was involved; the data was already inside the downloaded file.
- Exfiltration: Manual review and transcription of the opened spreadsheet by the discoverer.
- Impact: Unintended information leakage.
## Impact Assessment
- Financial: No direct financial loss is reported; the cost lies in the disclosure of budget figures (tens of millions of dollars per line item) that were not intended for public release.
- Data Breach: Sensitive financial data detailing contractor spending within the US Intelligence Community (tens of millions of dollars).
- Operational: Minimal direct operational disruption to the intelligence community's ongoing work, but significant procedural impact regarding data handling best practices.
- Reputational: Exposure of sensitive contracting details to the public domain, impacting public trust in data security controls.
## Indicators of Compromise
- Behavioral indicators: Double-clicking a chart in a publicly released presentation launches the spreadsheet application and opens a workbook, showing that the chart carries its source data rather than a static picture.
- File indicators: Embedded object containers inside publicly posted Office documents. In the binary .ppt/.doc/.xls formats these appear as OLE storages inside the compound file; in the OOXML formats (.pptx/.docx/.xlsx) they appear as parts under an `embeddings/` folder and as `oleObject` or `package` relationships, while charts fed from another file appear as relationships with `TargetMode="External"`.
## Response Actions
- Containment: Take the file offline, or replace it with a version in which the chart is a static image, so that further downloads do not carry the workbook.
- Eradication steps: Identify and fix the step in the release process that let a deck with an embedded workbook pass review as if its visible content were all it contained.
- Recovery actions: Not applicable in the traditional sense; the useful follow-up is a sweep of other publicly accessible documents for the same class of embedded or linked content.
## Lessons Learned
- **Data Handling in Documents:** A chart pasted from Excel into PowerPoint is typically embedded as an object that carries the whole source workbook (every sheet, not just the plotted series). Sanitizing what is visible on the slide does nothing to the payload behind it.
- **Public Release Vetting:** Documents intended for public release must be inspected at the container level, not just by reading the slides: enumerate every embedded object, linked data source and attached part, and either strip them or replace charts with static pictures (or publish a PDF export) before posting.
- **MS Office Information Leakage:** This is an old, well-documented class of problem (lcamtuf drew attention to hidden data in MS Office files years earlier), yet it is not a "vulnerability" in the software; the format is working as designed, which is why a scanner that only looks for visible text or for exploits would not flag it.
## Recommendations
- Implement mandatory pre-publication scanning that detects embedded objects and external data links in documents slated for public release, and blocks release until they are removed or the chart is flattened to a picture.
- Establish data loss prevention (DLP) controls that open container formats (compound files and OOXML zip packages) and inspect the embedded parts, not only the top-level text, so that sensitive figures hidden in an embedded workbook are caught.
- Train staff responsible for public document releases on how charts and objects carry their source data in Office files, and on the safe alternatives (paste as picture, export to PDF).
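The following is an added example, not code from the original post or from any product it mentions, of the pre-publication check recommended above for the OOXML formats (.pptx/.docx/.xlsx). It opens the package as a zip, reports parts stored under an `embeddings/` folder, relationships that wire a slide or chart to an embedded `oleObject` or `package`, and relationships with `TargetMode="External"` (a chart whose data is pulled from another file). The sample deck it scans is constructed in memory for the demonstration; the file names and the external path are invented. Everett.ppt was a binary .ppt, where the equivalent check is to enumerate the OLE storages of the compound file (for example with the `olefile` library), which this example does not cover.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# OPC relationship namespace used by every *.rels part inside an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types (by suffix) whose target is an embedded object that carries
# its own data: a raw OLE object, or a whole Office package such as an .xlsx.
EMBED_SUFFIXES = ("/oleObject", "/package")


def scan_ooxml(data: bytes) -> dict:
    """Inventory data hidden behind charts/objects in an OOXML package.

    embedded_parts  - parts under an embeddings/ folder (e.g. the full source workbook)
    embedded_rels   - relationships linking a slide/chart to an embedded object
    external_links  - relationships with TargetMode="External" (data pulled from another file)
    """
    findings = {"embedded_parts": [], "embedded_rels": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if "/embeddings/" in name:
                findings["embedded_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                short = rtype.rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel.get("TargetMode", "Internal") == "External":
                    findings["external_links"].append((name, short, target))
                elif rtype.endswith(EMBED_SUFFIXES):
                    findings["embedded_rels"].append((name, short, target))
    return findings


def is_safe_to_publish(data: bytes) -> bool:
    """Release gate: refuse anything carrying embedded objects or external data links."""
    f = scan_ooxml(data)
    return not (f["embedded_parts"] or f["embedded_rels"] or f["external_links"])


def build_sample_deck(leaky: bool) -> bytes:
    """Construct a minimal pptx-shaped zip in memory (constructed test data, not a real deck).

    leaky=True: the slide holds a chart backed by an embedded workbook and the chart also
    references an external workbook, mirroring the 2007 pattern.
    leaky=False: the slide holds only a static picture.
    """
    odr = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rel_head = f'<Relationships xmlns="{REL_NS}">'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("ppt/slides/slide1.xml",
                     '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        if leaky:
            pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rel_head
                         + f'<Relationship Id="rId1" Type="{odr}/chart" Target="../charts/chart1.xml"/>'
                         + f'<Relationship Id="rId2" Type="{odr}/package" '
                           'Target="../embeddings/Microsoft_Excel_Worksheet1.xlsx"/>'
                         + "</Relationships>")
            # Chart whose series are fed from a workbook outside the deck (hypothetical path).
            pkg.writestr("ppt/charts/_rels/chart1.xml.rels", rel_head
                         + f'<Relationship Id="rId1" Type="{odr}/oleObject" '
                           'Target="file:///C:/budget/contractor_spend.xlsx" TargetMode="External"/>'
                         + "</Relationships>")
            # Stand-in for the full source workbook Office embeds when a chart is pasted from Excel.
            pkg.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK\x03\x04 placeholder")
        else:
            pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rel_head
                         + f'<Relationship Id="rId1" Type="{odr}/image" Target="../media/image1.png"/>'
                         + "</Relationships>")
            pkg.writestr("ppt/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, deck in (("leaky", build_sample_deck(True)), ("clean", build_sample_deck(False))):
        print(label, "safe" if is_safe_to_publish(deck) else "BLOCK", scan_ooxml(deck))
```

The relationship view is what matters here: a chart that looks like a picture on the slide is, in the package, a `chart` part with its own `.rels` file, and that file is where the embedded workbook (`package`) or the external data source (`oleObject` with `TargetMode="External"`) is declared. A DLP product that extracts only the slide text never reads those files, which is the gap the original post is pointing at.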