Sign up for our weekly newsletter!
REGISTER NOW |
||
|
||
Digital Signatures Can Be Forged in PDF Docs![]() Larry Loeb, Author, 3/1/2019
Researchers at the Ruhr-University Bochum in Germany have figured out three different ways to forge digital signatures in PDF documents. The fakes will be treated as genuine on 21 of 22 desktop PDF viewer apps (running on Windows, MacOS and Linux) and five out of seven online PDF digital signing services. These include well-known apps, including Adobe Acrobat Reader, Foxit Reader and LibreOffice, as well as online services like DocuSign and Evotrust. Summarizing their six month-long research in a paper and a blog, the researchers note they have been working with Germany's Computer Emergency Response Team (BSI-CERT) to responsibly disclose the results to affected service providers. Signatures to PDF documents have come to be accepted in legally binding contracts since President Clinton signed the eSign Act. In 2014, the EU issued a regulation that gave such documents legal status in the EU as well. Adobe has said that it processed 8 billion such signatures in 2017. The researchers found three major attack methods. The first is Universal Signature Forgery (USF). This is a way for attackers to game the signature verification process so that it will display a fake panel/message that the signature is valid. The second is Incremental Saving Attack (ISA). Here, attackers will add content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking what has already been saved for the signature of that document. The last is Signature Wrapping (SWA). Similar to ISA, it will fool the signature validation process into "wrapping" around the attacker's additional content. This means the content added (the incremental update) has been digitally signed. The researchers found that there were two root causes why this sort of spoofing could be carried out. First, they said, "The specification does not provide any information with concrete procedure on how to validate signatures. There is no description of pitfalls and any security considerations. Thus, developers must implement the validation on their own without a best-common-practice information." Secondly, they found "The error tolerance of the PDF viewer is abused to create non-valid documents bypassing the validation, yet correctly displayed to the user." They came up with a verification algorithm. It's a concrete approach on how to compute the values necessary for the verification and how to detect manipulations after signing the PDF file. The specified algorithm must be applied for each signature within the PDF document. As an input, it requires the PDF file as a byte stream and the signature object. The approach will only work on the last revision that has been done to a PDF document, and does not verify any signatures that may have been done previously to that final revision. This problem can be serious, and enable some massive financial frauds. It is incumbent on the security team to verify that they have patched all applications affected, and that they are using services that have taken this problem seriously.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. |
Attackers have already begun to breach security at the BIOS level, according to a new report on BIOS security from Forrester Consulting.
The Sophos Managed Threat Response team found out that, where the Snatch ransomware is concerned, things just more ugly.
The Federal Bureau of Investigation's office in Portland, Ore., uses 'Tech Tuesday' to offer IoT security advice.
One of the most prevalent threats to the financial sector, the Dridex Trojan, was the subject of a recent alert.
Aviatrix, an enterprise VPN company with customers that include NASA, Shell and BT, has recently dealt with a vulnerability that was uncovered by Immersive Labs researcher and content engineer Alex Seymour.
Information Resources
upcoming Webinars
ARCHIVED
Top Tips for Blocking pwned [email protected]$$wOrds in Your Organization
Tuesday, October 29, 2019
12 p.m. New York/ 4:00 p.m. London Podcasts
Podcast: Infrastructure Hunting – Stopping Bad Actors in Their Tracks
Being able to effectively build a threat intelligence ecosystem or threat-hunting identification response requires both user and systems sophistication and capabilities. Security, orchestration, automation and response (SOAR) is a new technology designed to provide organizations a single comprehensive platform they can use to implement an intelligence driven security strategy.
Podcast: Digital Transformation, SD-WAN & Optimal Security
Dan Reis chats to Cybera's Josh Flynn about how to achieve digital transformation without sacrificing security. ![]() like us on facebook
|
|
![]() |
||
![]() |
Security Now
About Us
Contact Us
Help
Register
Events
Supporting Partners
Twitter
Facebook
RSS
Copyright © 2019 Light Reading, part of Informa Tech, a division of Informa PLC. All rights reserved. Privacy Policy | Cookie Policy | Terms of Use in partnership with
|