Technology

Certified PDFs can be secretly tampered with during the signing process, boffins find • The Register

Voice Of EU

A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.

The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract’s text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, the tampering of the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.

The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum’s Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.

Their discovery would be a boon to scammers, and while the developers of major PDF-generation applications, such as Adobe, LibreOffice, and Foxit, have now patched their code to thwart the techniques, the makers of minor PDF tools have been slower to respond.

Using certified PDFs is increasingly common in business. The creator of such a document can allow some content changes, such as adding a digital signature or side notes, without tripping any alarms. However, the team found that some of these annotation fields can be manipulated to introduce new material and change the meaning of the text.

With the Evil Annotation attack, the boffins found three annotations – FreeText, Redact, and Stamp – could be subverted to allow images or new text to be inserted into a document without the creator being aware. “All three can be used to stealthily modify a certified document and inject malicious content,” their paper explained. “In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document.”

For documents where the annotations that are allowed to be added are more limited, Sneaky Signature comes into play. The second person to sign the document can do so, and then use that process to add additional information. That is to say, rather than abuse annotations, the signing process is exploited.

“If a certified document is opened in a common PDF application, signatures can only be added to free signature fields provided by the certifier. Adding empty signature fields is normally no longer possible within the application,” the paper states.

“However, the specification does not prohibit adding empty signature fields to a certified document. By using frameworks like Apache PDFBox, empty signature fields can be placed anywhere in the document and filled with arbitrary content.”

The researchers tested 26 popular PDF tools and found that 24 of them were vulnerable to one or both of the flaws. The only viewers to get a clean bill of health for this issue were PDF Editor 6 Pro and PDFelement Pro.

The techniques described aren’t perfect: the alterations can be later discovered when the PDF files are compared, though by that point, whatever fraud was planned may have been successfully pulled off. In the case of someone inserting new payment details into an invoice or contract to siphon off funds, the money may be long gone by that point.
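Both techniques leave their changes in data appended after the certified revision, which is why comparing revisions exposes them. The sketch below is an added example, not code from the paper or from any PDF vendor: it flags the three annotation types named above, and signature fields that did not exist at certification time, in everything appended after the first signature. It assumes the first `/ByteRange` in the file belongs to the certification signature and that objects are stored uncompressed; the function names and the sample bytes are constructed for illustration, and the regex scan is a heuristic, not a full PDF parser.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*\d+\s+\d+\s+(\d+)\s+(\d+)\s*\]")
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)  # heuristic, uncompressed objects only
RISKY = re.compile(rb"/Subtype\s*/(FreeText|Redact|Stamp)\b")  # the three types the article names
SIG_FIELD = re.compile(rb"/FT\s*/Sig\b")

def certified_end(pdf: bytes) -> int:
    """Offset where the revision covered by the first signature ends (assumed certification)."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange: document is not signed")
    return int(m.group(1)) + int(m.group(2))

def audit_appended(pdf: bytes) -> list:
    """List (object number, reason) for objects added after certification that need review."""
    end = certified_end(pdf)
    known = {int(num) for num, _ in OBJ.findall(pdf[:end])}
    findings = []
    for num, body in OBJ.findall(pdf[end:]):
        hit = RISKY.search(body)
        if hit:
            findings.append((int(num), hit.group(1).decode() + " annotation"))
        elif SIG_FIELD.search(body) and int(num) not in known:
            findings.append((int(num), "signature field not present at certification"))
    return findings

def build_sample(appended: bytes) -> bytes:
    """Constructed test input: a minimal certified revision plus an appended update."""
    head = (b"%PDF-1.7\n4 0 obj\n<< /FT /Sig /T (Partner) >>\nendobj\n"
            b"5 0 obj\n<< /Type /Sig /Contents ")
    gap = b"<" + b"00" * 16 + b">"  # placeholder signature value, excluded from ByteRange
    rest = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n"
    rest_len = len(rest % (0, 0, 0))  # fixed-width numbers keep the length stable
    start2 = len(head) + len(gap)
    return head + gap + rest % (len(head), start2, rest_len) + appended

# Constructed update: fills the provided field (object 4), adds a stamp and a new field.
UPDATE = (b"4 0 obj\n<< /FT /Sig /T (Partner) /V 9 0 R >>\nendobj\n"
          b"7 0 obj\n<< /Type /Annot /Subtype /Stamp /Rect [0 0 200 50] >>\nendobj\n"
          b"8 0 obj\n<< /FT /Sig /T (Extra) /Rect [0 0 500 700] >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for num, reason in audit_appended(build_sample(UPDATE)):
        print(f"object {num}: {reason}")
```

A hit means the object needs review rather than proving tampering, since a certifier may have permitted annotations; a clean result does not clear a file whose updates use compressed object streams.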

As a dark bonus, the team also found a security weakness that specifically hit Adobe products. This could be exploited to embed malicious code in documents with no warning to the recipient, thanks to Adobe’s JavaScript policies.

“Only certified documents may execute high privileged JavaScript code in Adobe products,” they said. “The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document.”

Adobe fixed this issue at the start of November following responsible disclosure of the flaw. Many of the other tested applications have also been patched, although some vendors haven’t responded – you can see the full list here. Make sure you’re up to date with your applications, if you can. ®

France hails victory as Facebook agrees to pay newspapers for content | France

France has hailed a victory in its long-running quest for fairer action from tech companies after Facebook reached an agreement with a group of national and regional newspapers to pay for content shared by its users.

Facebook on Thursday announced a licensing agreement with the APIG alliance of French national and regional newspapers, which includes Le Parisien and Ouest-France as well as smaller titles. It said this meant “people on Facebook will be able to continue uploading and sharing news stories freely amongst their communities, whilst also ensuring that the copyright of our publishing partners is protected”.

France had been battling for two years to protect the publishing rights and revenue of its press and news agencies against what it termed the domination of powerful tech companies that share news content or show news stories in web searches.

In 2019 France became the first EU country to enact a directive on the publishing rights of media companies and news agencies, called “neighbouring rights”, which required large tech platforms to open talks with publishers seeking remuneration for use of news content. But it has taken long negotiations to reach agreements on paying publishers for content.

No detail was given of the exact amount agreed by Facebook and the APIG.

Pierre Louette, the head of the media group Les Echos-Le Parisien, led the alliance of newspapers who negotiated as a group with Facebook. He said the agreement was “the result of an outspoken and fruitful dialogue between publishers and a leading digital platform”. He said the terms agreed would allow Facebook to implement French law “while generating significant funding” for news publishers, notably the smallest ones.

Other newspapers, such as the national daily Le Monde, have negotiated their own deals in recent months. News agencies have also negotiated separately.

After the 2019 French directive to protect publishers’ rights, a copyright spat raged for more than a year in which French media groups sought to find common ground with international tech firms. Google initially refused to comply, saying media groups already benefited by receiving millions of visits to their websites. News outlets struggling with dwindling print subscriptions complained about not receiving a cut of the millions made from ads displayed alongside news stories, particularly on Google.

But this year Google announced it had reached a draft agreement with the APIG to pay publishers for a selection of content shown in its searches.

Facebook said that besides paying for French content, it would also launch a French news service, Facebook News, in January – a follow-up to similar services in the US and UK – to “give people a dedicated space to access content from trusted and reputable news sources”.

Facebook reached deals with most of Australia’s largest media companies earlier this year. Nine Entertainment, which includes the Sydney Morning Herald and the Age, said in its annual report that it was expecting “strong growth in the short-term” from its deals with Facebook and Google.

British newspapers including the Guardian signed up last year to a programme in which Facebook pays to license articles that appear on a dedicated news section on the social media site. Separately, in July Guardian Australia struck a deal with Facebook to license news content.

Flight Simulator says Windows 11 has been downloaded on Xbox • The Register

Boeing’s CST-100 Starliner capsule, designed to carry astronauts to and from the International Space Station, will not fly until the first half of next year at the earliest, as the manufacturing giant continues to tackle an issue with the spacecraft’s valves.

Things have not gone smoothly for Boeing. Its Starliner program has suffered numerous setbacks and delays. Just in August, a second unmanned test flight was scrapped after 13 of 24 valves in the spacecraft’s propulsion system jammed. In a briefing this week, Michelle Parker, chief engineer of space and launch at Boeing, shed more light on the errant components.

Boeing believes the valves malfunctioned due to weather issues, we were told. Florida, home to NASA’s Kennedy Space Center where the Starliner is being assembled and tested, is known for hot, humid summers. Parker explained that the chemicals from the spacecraft’s oxidizer reacted with water condensation inside the valves to form nitric acid. The acidity corroded the valves, causing them to stick.

NUI Galway part of global team that detected giant collision in space

The joint study between NUI Galway, MIT and Cambridge used the ALMA telescope to provide a ‘window to the composition of young planets’.

An astronomer from NUI Galway is part of an international team that for the first time found evidence of a planet’s atmosphere being stripped away by a giant collision in a nearby star system.

At just 95 light years from Earth, the young star named HD172555 was witness to a massive collision between two newly-formed planets in its planetary system which are estimated to be about the size of Earth.

Using the Atacama Large Millimeter/submillimeter Array (ALMA) radio telescope in Chile, the joint study between NUI Galway, Massachusetts Institute of Technology (MIT), and Cambridge University, studied the collision and unexpectedly detected a ring of carbon monoxide gas in the dust produced.

“This, for the first time, indicates that impacts can release large amounts of gas as well as dust, and that this gas can survive long enough to be detected,” said Dr Luca Matrà, an advisor for the study and lecturer at NUI Galway’s Centre for Astronomy.

Based on the amount of gas detected, the team was able to estimate that the size of the impact was likely massive and dated it to around 200,000 years ago. “This has the potential to revolutionise our understanding and observability of giant impacts,” Matrà added.

‘Window to composition of planets’

Findings of the study were published yesterday (20 October) in the journal Nature. It solves years of mystery around the unusual composition of dust observed by scientists in the region – indicating the aftermath of a planetary impact like the one that led to the formation of the moon.

The ALMA observatory used for the study consists of 66 radio telescopes working in unison. Ireland gained access to it after joining the European Southern Observatory (ESO) in 2018. In July, it was used in a study to understand how moons are formed.

Carbon monoxide gas was found orbiting in large amounts in the outer terrestrial planet region of the solar system. Matrà said that the amount of gas discovered is 10 to 20pc of the mass of Venus’ atmosphere, which “goes on to show the incredible sensitivity of the observations”.

“This puts forward gas observations as a viable detection method of terrestrial planet-forming collisions, and as a window to the composition of young planets,” she said.

Lead author Tajana Schneiderman of MIT said that this is the first time scientists have detected the phenomenon of protoplanetary atmosphere being stripped away in a giant impact.

“Everyone is interested in observing a giant impact because we expect them to be common, but we don’t have evidence in a lot of systems for it. Now we have additional insight into these dynamics.”
