Connect with us


Certified PDFs can be secretly tampered with during the signing process, boffins find • The Register



A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.

The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract’s text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, the tampering of the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.

The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum’s Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.

Their discovery would be a boon to scammers, and while the developers of major PDF-generation applications, such as Adobe, Libreoffice, and Foxit, have now patched their code to thwart the techniques, the makers of minor PDF tools have been slower to respond.

Using certified PDFs is increasingly common in business. The creator of such a document can allow some content changes, such as adding a digital signature or side notes, without tripping any alarms. However, the team found that some of these annotation fields can be manipulated to introduce new material and change the meaning of the text.

With the Evil Annotation attack, the boffins found three annotations – FreeText, Redact, and Stamp – could be subverted to allow images or new text to be inserted into a document without the creator being aware. “All three can be used to stealthily modify a certified document and inject malicious content,” their paper explained. “In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document.”

For documents where the annotations that are allowed to be added are more limited, Sneaky Signature comes into play. The second person to sign the document can do so, and then use that process to add additional information. That is to say, rather than abuse annotations, the signing process is exploited.

“If a certified document is opened in a common PDF application, signatures can only be added to free signature fields provided by the certifier. Adding empty signature fields is normally no longer possible within the application,” the paper states.

“However, the specification does not prohibit adding empty signature fields to a certified document. By using frameworks like Apache PDFBox2, empty signature fields can be placed anywhere in the document and filled with arbitrary content.”

The researchers tested 26 popular PDF tools, and found 24 of them were vulnerable to either both of the flaws or just one. The only viewers to get a clean bill of health for this issue were PDF Editor 6 Pro and PDFelement Pro.

The techniques described aren’t perfect: the alterations can be later discovered when the PDF files are compared, though by that point, whatever fraud was planned may have been successfully pulled off. In the case of someone inserting new payment details into an invoice or contract to siphon off funds, the money may be long gone by that point.

As a dark bonus, the team also found a security weakness that specifically hit Adobe products. This could be exploited to embed malicious code in documents with no warning to the recipient, thanks to Adobe’s JavaScript policies.

“Only certified documents may execute high privileged JavaScript code in Adobe products,” they said. “The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDFdocument.”

Adobe fixed this issue in the start of November following responsible disclosure of the flaw. Many of the other tested applications have also been patched, although some vendors haven’t responded – you can see the full list here. Make sure you’re up to date with your applications, if you can. ®

Source link


Power Capital takes majority interest in Terra Solar’s portfolio



Terra Solar, a NovaUCD start-up founded in 2016, is giving up its sites in Wexford and Cork to Power Capital to develop solar farms.

Dublin-based company Power Capital Renewable Energy (PCRE) has announced plans to acquire majority interest in Terra Solar’s 400MW portfolio.

This will bring the company’s total solar assets to 840MW and boost its presence in the Irish solar power space.

A start-up that sprung out of NovaUCD, the University College Dublin accelerator, Terra Solar was founded by David Fewer and André Fernon in 2016. State-owned ESB was one of Terra Solar’s early investors, putting up €2.5m for a stake in the company.

Paris-based VC firm Omnes Capital will back the development of the solar sites over the next few years, which require around €200m to build out. Irish and international lenders will also back the development.

Power Capital director Peter Duff said that his company’s aim of becoming Ireland’s leading independent power producer has come a step closer with the deal.

Support Silicon Republic

“Both Terra Solar and PCRE share common values and ambitions to help Ireland meet its 2030 targets and we are excited that Terra Solar chose us as a partner to bring these sites through construction,” he said.

The solar farm sites, located in Wexford and Cork, are a culmination of more than four years of engagement with local landowners, communities and planners, said Fewer.

“We will be retaining an equity stake in the developments and will be working intensively with all stakeholders over the coming few years to ensure that these sites are successfully constructed while equally continuing to grow our remaining development pipeline of 600MW.”

Justin Brown, co-founder of Power Capital, said that the company is currently in talks with other industry bodies about “increasing our foothold in the sector and we expect to see renewable energy being the dominant generator of electricity across Ireland within the next decade”.

Construction on the solar farms is set to begin in 2022 and the project is expected to be completed in the next five years.

Source link

Continue Reading


2021 iPhone photography awards – in pictures | Technology



The 14th annual iPhone photography awards offer glimpses of beauty, hope and the endurance of the human spirit. Out of thousands of submissions, photojournalist Istvan Kerekes of Hungary was named the grand prize winner for his image Transylvanian Shepherds. In it, two rugged shepherds traverse an equally rugged industrial landscape, bearing a pair of lambs in their arms.

Source link

Continue Reading


With Alphabet’s legendary commitment to products, we can’t wait to see what its robotics biz Intrinsic achieves • The Register



Alphabet today launched its latest tech startup, Intrinsic, which aims to build commercial software that will power industrial robots.

Intrinsic will focus on developing software control tools for industrial robots used in manufacturing, we’re told. Its pitch is that the days of humans having to manually program and adjust a robot’s every move are over, and that mechanical bots should be more autonomous and smart, thanks to advances in artificial intelligence and leaps in training techniques.

This could make robots easier to direct – give them a task, and they’ll figure out the specifics – and more efficient – the AI can work out the best way to achieve its goal.

“Over the last few years, our team has been exploring how to give industrial robots the ability to sense, learn, and automatically make adjustments as they’re completing tasks, so they work in a wider range of settings and applications,” said CEO Wendy Tan White.

“Working in collaboration with teams across Alphabet, and with our partners in real-world manufacturing settings, we’ve been testing software that uses techniques like automated perception, deep learning, reinforcement learning, motion planning, simulation, and force control.”

Tan White – a British entrepreneur and investor who was made an MBE by the Queen in 2016 for her services to the tech industry – will leave her role as vice president of X, Alphabet’s moonshot R&D lab, to concentrate on Intrinsic.

She earlier co-founded and was CEO of website-building biz Moonfruit, and helped multiple early-stage companies get up and running as a general partner at Entrepreneur First, a tech accelerator. She is also a board trustee of the UK’s Alan Turing Institute, and member of Blighty’s Digital Economic Council.

“I loved the role I played in creating platforms that inspired the imagination and entrepreneurship of people all over the world, and I’ve recently stepped into a similar opportunity: I’m delighted to share that I’m now leading Intrinsic, a new Alphabet company,” she said.

The new outfit is another venture to emerge from Google-parent Alphabet’s X labs, along with Waymo, the self-driving car startup; and Verily, a biotech biz. ®

Source link

Continue Reading


Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates 
directly on your inbox.

You have Successfully Subscribed!