VB.net ..... Help please...

Kimbot

Folks,

I am not sure if this is possible but looking for some info.
I have an App and basically on the screen that is opened there is some personal details that I don't want people copying from. Currently you can right click and choose copy on the fields, also you can highlight it and Ctrl-C it.

Is there any way possible that I can copy protect the fields??

(I am running Visual Studio 2005)

Cheers,
Jonny.

Evil Phil

Is this winforms or asp.net?

BostonB

Even if you protected it they can just take a screen capture of it.

Kimbot

Winforms.

I know they can take a screen shot of it. We are bringing in a watermark feature that would be unique so if they take a screenshot the user can be identified from the watermark.
The only security issue is the fields can be copied and pasted out of the form into a word doc and if we can stop that then we are more than likely sorted from a security point of view.

Evil Phil

I suppose it depends on what controls you're displaying the data in but a quick and easy solution may be to change them to labels. I'm an Asp.Net man myself so there's probably more to it than I know.

But whats to stop them writing the details down on a scrap of paper? As long as they can read the screen they can copy the details.

Ginger

Set the enabled property to false.. it cant be selected then

http://msdn2.microsoft.com/en-us/library/system.windows.forms.control.enabled.aspx

Kimbot

All the data is taken from a DB in the following form.....

Name:
D.O.B:
Location:

etc etc.

Just as long as they can't copy and paste out of the program I will be okay.

amen

use enabled=false

are your retrieves from the database encrypted?
could the user grab the data from the retrieve
what about writing the data down?

I don't really understand why preventing them from cutting and pasting is considered good enough

plus there may be business reasons why thay might want to cut & paste

Cantab.

amen wrote: »

use enabled=false

are your retrieves from the database encrypted?
could the user grab the data from the retrieve
what about writing the data down?

I don't really understand why preventing them from cutting and pasting is considered good enough

plus there may be business reasons why thay might want to cut & paste

watermarking is not safe. Watermarking is good at things like identifying bootleg copies of adobe photoshop - not at protecting sensitive info. Although I guess some watermarking is slightly better than none.

Ginger

We has the same issue when we were developing a document management system. Where do you draw the line over functionality vs security.

If we allowed printing people could still print the document out and hand it around. If we allowed saving same issue, and emailing documents was the same.

Certain level of trust and professionalism has to be assumed when dealing with sensitive data. If they have the right to see the data, then possibly you should look at their rights in copying the data down if its for business reasons

stevenmu

It should be possible to do, don't have access to Visual Studio or .net at the moment so I'll try and check this later, but you should be able to trap the copy and cut events. I can't remember exactly how to do this, but google should be able to help. At this point you should then either be able to pevent the data reaching the clipboard, or if not replace the clipboard text with something of your own (possibly a message saying that copying from the application is forbidden).

Kimbot

We have the copy and paste problem sorted. We disabled it from the clipboard so it can't be copied and pasted anymore.
Only problem now is Print Screen but even at that if the information gets leaked then its not too bad because the login appears on the screen so we have a log of what user went into those details and when they did.

Working for the government is a pain in the rear, all the stories about people leaking data out has caused us to do all this to make sure out data isn't leaked as it was before. We can trace most stuff but all our business requirements are now focused on security of our data to make sure staff aren't abusing the "Official secrecy act".

amen

staff aren't abusing the "Official secrecy act

1: i think by mentioning the above act and the fact that you have staff covered under it you have actually broken it!
2: what about all you development/db staff ? Are they covered? Can they access the database in Live ( or even in test?)
3: Is the data anonomised for test?
4: Do you record every user who accesses data even if they are just searching for something?
5: Are all portable media banned?
6: Are user data request regulary audited to see if the data they are looking up is related to their work?

there is more to data protection then just stopping people from cutting/pasting and printing

Kimbot

amen wrote: »

1: i think by mentioning the above act and the fact that you have staff covered under it you have actually broken it!
2: what about all you development/db staff ? Are they covered? Can they access the database in Live ( or even in test?)
3: Is the data anonomised for test?
4: Do you record every user who accesses data even if they are just searching for something?
5: Are all portable media banned?
6: Are user data request regulary audited to see if the data they are looking up is related to their work?

there is more to data protection then just stopping people from cutting/pasting and printing

1: Every person that works for the government has to agree to the Official secrecy act and everyone knows that (was even higlighted in the papers a good few times) so I haven't broken a thing.
2: Yes the developers can access everything in live and test.
3: We have Dummy data for test if thats what you mean.
4: Yes a log is updated each time a user views a record through the App.
5: Only IT staff have access to Hard Drive, CD Drive, Floppy Drive and flash drives. They will not be using the system.
6: Each user will be setup through another App based on security clearance asto what role they have within the first App.

We have covered most aspects of it just a big case hit the media a while back over the print screen and copy and paste thing (Before I started working there) so I am trying to close as many of the loopholes as I can.

BostonB

I don't think this is a case of really protecting data. As if someone really wants to copy data they can. Its just to make it difficult so that the developers are covered in case some asks why didn't you make it difficult to copy. All you need is to take a photo of the screen and feed it into some batch OCR program and you'll have all 90% of the text editable. Probably more importantly its about having an audit trail, and user log so that some else (other then the developers) can be made responsible for data leaks if they happen.

Lots of places use biometric scanning as certain parts of a system are accessed or just randomly as the application is used.