SoylentNews is people

posted by martyb on Wednesday February 27 2019, @01:15AM
from the jest-sine-hear dept.

Researchers break digital signatures for most desktop PDF viewers | ZDNet

A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.

[...] The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.

The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products.

The reason why researchers were willing to wait months so all products would receive fixes is because of the importance of PDF digital signatures.

Digitally signed PDF documents are admissible in court, can be used as legally-binding contracts, can be used to approve financial transactions, can be used for tax filing purposes, and can be used to relay government-approved press releases and announcements.

Having the ability to fake a digital signature on an official PDF document can help threat actors steal large amounts of money or cause chaos inside private companies and public institutions.



 
  • (Score: 2) by bob_super on Wednesday February 27 2019, @01:38AM (3 children)

    by bob_super (1357) on Wednesday February 27 2019, @01:38AM (#807411)

    I think I had to sign a few documents on a company PC ... which was taken away a few months later because IT policy said it was time.
    I didn't save any key or anything, and I can't remember even entering my email (and definitely not my password) in the tool.
    What gives the signature any legitimacy?

  • (Score: 2) by MostCynical on Wednesday February 27 2019, @01:47AM

    by MostCynical (2589) on Wednesday February 27 2019, @01:47AM (#807416) Journal

    What gives the signature any legitimacy?

    Corporate stupidity, and corporate IT incompetence.
    "Adobe" "IBM" "Microsoft".. trust is inherited, rather than earned.

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 0) by Anonymous Coward on Wednesday February 27 2019, @02:33AM

    by Anonymous Coward on Wednesday February 27 2019, @02:33AM (#807431)

    What gives the signature any legitimacy?

    I could never figure that out either.

  • (Score: 3, Insightful) by JoeMerchant on Wednesday February 27 2019, @01:14PM

    by JoeMerchant (3937) on Wednesday February 27 2019, @01:14PM (#807577)

    Our document control systems use username/password signatures to indicate approval or whatever.

    Those passwords are forced to be changed every 6 weeks, which, at least in my case, is encouraging them to be as trivial as possible within the at least 8 character + at least 3 of: (1 digit 1 upper case letter 1 lower case letter 1 special character) rules.

    I suppose they think it is damage control - one hacked password shouldn't run rampant for too long. I don't write mine down, but many people do...

    --
    🌻🌻 [google.com]