Certified PDFs can be secretly tampered with during the signing process, boffins find • The Register

Voice Of EU


A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.

The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract’s text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, the tampering of the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.

The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum’s Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.

Their discovery would be a boon to scammers, and while the developers of major PDF-generation applications, such as Adobe, LibreOffice, and Foxit, have now patched their code to thwart the techniques, the makers of minor PDF tools have been slower to respond.

Using certified PDFs is increasingly common in business. The creator of such a document can allow some content changes, such as adding a digital signature or side notes, without tripping any alarms. However, the team found that some of these annotation fields can be manipulated to introduce new material and change the meaning of the text.

With the Evil Annotation attack, the boffins found three annotations – FreeText, Redact, and Stamp – could be subverted to allow images or new text to be inserted into a document without the creator being aware. “All three can be used to stealthily modify a certified document and inject malicious content,” their paper explained. “In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document.”

For documents where the annotations that are allowed to be added are more limited, Sneaky Signature comes into play. The second person to sign the document can do so, and then use that process to add additional information. That is to say, rather than abuse annotations, the signing process is exploited.

“If a certified document is opened in a common PDF application, signatures can only be added to free signature fields provided by the certifier. Adding empty signature fields is normally no longer possible within the application,” the paper states.

“However, the specification does not prohibit adding empty signature fields to a certified document. By using frameworks like Apache PDFBox, empty signature fields can be placed anywhere in the document and filled with arbitrary content.”

The researchers tested 26 popular PDF tools, and found 24 of them were vulnerable to one or both of the flaws. The only viewers to get a clean bill of health for this issue were PDF Editor 6 Pro and PDFelement Pro.

The techniques described aren’t perfect: the alterations can be later discovered when the PDF files are compared, though by that point, whatever fraud was planned may have been successfully pulled off. In the case of someone inserting new payment details into an invoice or contract to siphon off funds, the money may be long gone by that point.
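One way to triage a certified PDF for the post-certification changes described above, as an added example that is not code from the researchers' paper or from the article: it scans the bytes appended after the earliest signed ByteRange for FreeText, Redact or Stamp annotations and for signature fields whose object number did not exist at certification. It assumes uncompressed objects and that the earliest-ending ByteRange belongs to the certifying signature; the function names and the sample input are constructed for illustration.

```python
import re

# Annotation subtypes the article names as able to inject visible content.
HIGH_RISK = (b"FreeText", b"Redact", b"Stamp")
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJECT = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)


def post_certification_findings(pdf: bytes) -> list[str]:
    """Heuristic triage of what was appended after the earliest signed revision."""
    ends = [int(m[3]) + int(m[4]) for m in BYTE_RANGE.finditer(pdf)]
    if not ends:
        return ["no signature ByteRange found"]
    cut = min(ends)  # assumption: earliest-ending range is the certification
    known = {int(m[1]) for m in OBJECT.finditer(pdf[:cut])}
    findings = []
    for m in OBJECT.finditer(pdf[cut:]):
        num, body = int(m[1]), m[2]
        for name in HIGH_RISK:
            if re.search(rb"/Subtype\s*/" + name + rb"\b", body):
                findings.append(f"obj {num}: {name.decode()} annotation appended")
        # Filling a field the certifier provided reuses a known object number;
        # a field with a brand-new number was added after certification.
        if re.search(rb"/FT\s*/Sig\b", body) and num not in known:
            findings.append(f"obj {num}: new signature field appended")
    return findings


def constructed_sample(update: bytes) -> bytes:
    """Constructed, simplified PDF-like bytes: certified revision plus update."""
    tmpl = (b"%%PDF-1.7\n1 0 obj\n<< /FT /Sig /T (Cert) /V 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Sig /ByteRange [0 10 20 %010d] >>\nendobj\n"
            b"3 0 obj\n<< /FT /Sig /T (Partner) >>\nendobj\n%%%%EOF\n")
    head = tmpl % (len(tmpl % 0) - 20)  # make the range end at the revision's end
    return head + update


if __name__ == "__main__":
    evil = b"9 0 obj\n<< /Type /Annot /Subtype /FreeText >>\nendobj\n"
    print(post_certification_findings(constructed_sample(evil)))
```

Objects packed into compressed object streams are invisible to this byte scan, so an empty result is not proof that nothing was appended.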

As a dark bonus, the team also found a security weakness that specifically hit Adobe products. This could be exploited to embed malicious code in documents with no warning to the recipient, thanks to Adobe’s JavaScript policies.

“Only certified documents may execute high privileged JavaScript code in Adobe products,” they said. “The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document.”

Adobe fixed this issue at the start of November following responsible disclosure of the flaw. Many of the other tested applications have also been patched, although some vendors haven’t responded – you can see the full list here. Make sure you’re up to date with your applications, if you can. ®


Elon Musk sells Tesla shares worth $6.9bn as Twitter trial looms | Elon Musk


Elon Musk has sold $6.9bn (£5.7bn) worth of shares in Tesla after admitting that he could need the funds if he loses a legal battle with Twitter and is forced to buy the social media platform.

The Tesla CEO walked away from a $44bn deal to buy Twitter in July but the company has launched a lawsuit demanding that he complete the deal. A trial will take place in Delaware in October.

“In the (hopefully unlikely) event that Twitter forces this deal to close *and* some equity partners don’t come through, it is important to avoid an emergency sale of Tesla stock,” Musk said in a tweet late on Tuesday.

In other comments on Twitter on Tuesday, Musk said “yes” when asked if he was finished selling Tesla stock. He also said he would buy Tesla stock again if the Twitter deal does not close.

Musk has committed more than $30bn of his own money to the financing of the deal, with more than $7bn of that total provided by a coterie of associates including tech tycoon Larry Ellison, the Qatar state investment fund and the world’s biggest cryptocurrency exchange, Binance.

Musk, the world’s richest person, sold $8.5bn worth of Tesla shares in April and had said at the time there were no further sales planned. But since then, legal experts had suggested that if Musk is forced to complete the acquisition or settle the dispute with a stiff penalty, he was likely to sell more Tesla shares.

Last week Musk launched a countersuit against Twitter, accusing the platform of deliberately miscounting the number of spam accounts on the platform. Twitter has consistently stated that the number of spam accounts on its service is less than 5% of its user base, which currently stands at just under 238 million. Legal experts have said that Musk will find it hard to convince a judge that Twitter’s spam issue represents a “company material adverse effect” that substantially alters the company’s value – and therefore voids the deal.

Musk sold about 7.92m Tesla shares between 5 August and 9 August, according to multiple filings. He now owns 155m Tesla shares or just under 15% of the electric carmaker.

The latest sales bring total Tesla stock sales by Musk to about $32bn in less than one year. However, Musk remains comfortably ahead of Jeff Bezos as the world’s richest man with an estimated $250bn fortune, according to the Bloomberg billionaires index.

Tesla shares have risen nearly 15% since the automaker reported better-than-expected earnings on 20 July, also helped by the Biden administration’s climate bill that, if passed, would lift the cap on tax credits for electric vehicles.

Musk also teased on Tuesday that he could start his own social media platform. When asked by a Twitter user if he had thought about creating his own platform if the deal didn’t close, he replied: “X.com”.

With Reuters




Iran reveals use of cryptocurrency to pay for imports • The Register


Iran has announced it used cryptocurrency to pay for imports, raising the prospect that the nation is using digital assets to evade sanctions.

Trade minister Alireza Peyman Pak revealed the transaction with the tweet below, which translates as “This week, the first official import order was successfully placed with cryptocurrency worth ten million dollars. By the end of September, the use of cryptocurrencies and smart contracts will be widespread in foreign trade with target countries.”

It is unclear what Peyman Pak referred to with his mention of widespread use of crypto for foreign trade, and the identity of the foreign countries he mentioned is also obscure.

But the intent of the announcement appears clear: Iran will use cryptocurrency to settle cross-border trades.

That’s very significant because Iran is subject to extensive sanctions aimed at preventing it from acquiring nuclear weapons and reducing its ability to sponsor terrorism. Sanctions prevent the sale of many commodities and technologies to Iran, and financial institutions aren’t allowed to deal with their Iranian counterparts, who are mostly shunned around the world.

As explained in this advisory [PDF] issued by the US Treasury, Iran has developed numerous practices to evade sanctions, including payment offsetting schemes that let it sell oil in contravention of sanctions. Proceeds of such sales are alleged to have been funnelled to terrorist groups.

While cryptocurrency’s anonymity has been largely disproved, trades in digital assets aren’t regulated so sanctions enforcement will be more complex if Iran and its trading partners use crypto instead of fiat currencies.

Which perhaps adds more weight to the argument that cryptocurrency has few proven uses beyond speculative trading, making the ransomware industry possible, and helping authoritarian states like Iran and North Korea to acquire materiel for weapons.

Peyman Pak’s mention of “widespread” cross-border crypto deals, facilitated by automated smart contracts, therefore represents a challenge to those who monitor and enforce sanctions – and something new to worry about for the rest of us. ®




Edwards Lifesciences is hiring at its ‘key’ Shannon and Limerick facilities


The medtech company is hiring for a variety of roles at both its Limerick and Shannon sites, the latter of which is being transformed into a specialised manufacturing facility.

Medical devices giant Edwards Lifesciences began renovations to convert its existing Shannon facility into a specialised manufacturing centre at the end of July.

The expansion will allow the company to produce components that are an integral part of its transcatheter heart valves. The conversion is part of Edwards Lifesciences’ expansion plan that will see it hire for hundreds of new roles in the coming years.

“The expanded capability at our Shannon facility demonstrates that our operations in Ireland are a key enabler for Edwards to continue helping patients across the globe,” said Andrew Walls, general manager for the company’s manufacturing facilities in Ireland.

According to Walls, hiring is currently underway at the company’s Shannon and Limerick facilities for a variety of functions such as assembly and inspection roles, manufacturing and quality engineering, supply chain, warehouse operations and project management.

Why Ireland?

Headquartered in Irvine, California, Edwards Lifesciences established its operations in Shannon in 2018 and announced 600 new jobs for the mid-west region. This number was then doubled a year later when it revealed increased investment in Limerick.

When the Limerick plant was officially opened in October 2021, the medtech company added another 250 roles onto the previously announced 600, promising 850 new jobs by 2025.

“As the company grows and serves even more patients around the world, Edwards conducted a thorough review of its global valve manufacturing network to ensure we have the right facilities and talent to address our future needs,” Walls told SiliconRepublic.com.

“We consider multiple factors when determining where we decide to manufacture – for example, a location that will allow us to produce close to where products are utilised, a location that offers advantages for our supply chain, excellent local talent pool for an engaged workforce, an interest in education and good academic infrastructure, and other characteristics that will be good for business and, ultimately, good for patients.

“Both our Shannon and Limerick sites are key enablers for Edwards Lifesciences to continue helping patients across the globe.”
