How to Protect PDF Today Blog

As we enter 2010, PDF publishers must be more careful than ever to protect their PDFs with PDF security.

The number of security threats hackers, or employees intent on harming your business, can insert into PDF documents with your name on them are becoming more numerous every day. For example;

Security Holes in PDF files Exploited by Hackers

The latest Sophos Security Threat report tells us; “Instead of simply looking for operating system and browser vulnerabilities to exploit, hackers are also exploring security holes in other widely used programs and tools such as Adobe Flash and PDFs.

The rise in malicious Flash and PDF files can be partly explained by the use of malware construction kits that build web attack pages incorporating booby-trapped code. The inclusion of the Flash and PDF content targets vulnerabilities that have been found in the widely used Adobe browser plug-ins, underlining the importance of keeping these up to date.”

Mobile Devices Targeted by PDF Security Threats

Blackberry manufacturer Research in Motion recently reports; “ Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service.”

Resolution

“Research In Motion (RIM) has issued an interim security software update that resolves this vulnerability in affected versions of the BlackBerry Enterprise Server and BlackBerry Professional Software. Download and install Interim Security Update 2 for the software version that you are running.”

Hackers are finding increasingly inventive ways of exploiting holes in Acrobat

ITExpertMag reports; “The same rich content that makes PDF so useful to businesses can also make it a security risk. Embedding links, images, tables and media uses JavaScript and that allows PDF files to be exploited as an attack vector for hackers.

Although security software can scan for malicious code placed directly in the document, there are increasingly complex ways of obfuscating the code to hide the payload from scanners.

The usual defences of keeping browsers, security software and the Adobe Reader software itself up to date offer some protection. Adobe has released an update to address the specific vulnerability that was discovered and you should make sure all users have this.

You could disable the Adobe Reader browser plug-in but this will be so inconvenient for users that it’s not worth doing unless another vulnerability is discovered and you’re waiting for a security update. In Internet Explorer this can be done through the Tools > Manage Add-ons option and in Firefox this can be found under the Applications tab accessed via Tools > Options.

A better solution is JavaScript filtering in the firewall or on a security appliance, although you’ll need to set this up carefully to avoid problems on JavaScript-heavy Web sites, and you may need a procedure for unblocking PDFs with embedded content that users need to work with.

In the end, common sense and education are the best weapons. PDFs have to be specially created to exploit this vulnerability. Make users aware that there is a slight risk with PDF files and that they should treat emailed PDF documents they didn’t request with the same caution they use for other potential threats in email and attachments.”

Solutions

Whenever you produce a PDF, add security to it, and not just a password (which can be easily broken). Adding a protective shell and user access control will be even more essential in 2010 than previous years.

Here at the Protect my PDF blog, we are often asked how to secure a PDF file. Our first response is always to ask the person if they have released their PDF yet.

If the answer is, “no, the PDF has not yet been released” that’s good. If the answer is, “yes, we already have copies out there” then that’s a problem. Why?

Because, like locking the stable door after the horse has bolted, it’s too late. Even one copy of your PDF ebook or other PDF file, in the wrong hands is one too many and there are likely already scores of unauthorized PDF copies floating around.

The only time to secure a PDF is before it has been released. And these are the steps that should be taken.

1. Use a PDF protection system that contains live monitoring of who is accessing your PDF file. Monitor their name and IP address.

2. Use a secure PDF system that places a shell around your PDF that prevents unauthorized viewing.

3. Secure your PDF with a protection system that enables you to remove access to your PDF, whenever you choose. This is critical.

4. Do not allow printing of your PDF. Even in protection systems that claim to stop copying via the print process (printing to Adobe Acrobat and making a 100% unprotected copy, for example) the results of these systems is less than perfect. Instead, offer a printed, hard copy of your document as a stand-alone item (for additional profit if you desire)

5. Make sure you can evaluate your prospective PDF protection system for low cost, before rolling it out on a larger scale

6. Make sure your PDF protection system has versions that work with both PC for PDF protection and Mac PDF protection. Many protect PDF methods only work with one or the other operating system.

7. For our recommended solution that has all of the above features, with a demo video of how it works, please visit here

Need to protect PDF files, without using a password. And do it quickly? One easy way to prevent unauthorized circulation of your PDF documents, is to imprint the name of the authorized person or company directly into the PDF, so it cannot be removed.

That way, you should know where the unauthorized release of information originated. At the very least, it makes people a little less willing to distribute PDF files, if they know their name will be all over the PDF document.

Here is a free way to do this;

1. Go to http://Stamp.la

2. Select the PDF file you wish to stamp the name of the company or person on

3. Click UPLOAD FILE to bring the file into the system for processing;

4. Enter the name and email of the person whom you wish to imprint into the PDF document

5. The Stamp.la system will then give you a link for download of the imprinted PDF file

6. Download the PDF

7. When you open the protected PDF file, you can see that the person’s name and email is imprinted on every page, in the lower-left hand corner;

This method of protecting your PDF files is effective to a small degree, we recommend additional PDF methods, such as license code entry and live PDF access monitoring, for more effective PDF security.

If you are dealing with standard password PDF security (which we do not recommend) Advanced PDF Password Recovery enables you to recover PDF passwords and instantly remove PDF restrictions, according to specialist software research outfits. They claim you get access to password-protected PDF files quickly and efficiently. Also allows you to instantly unlock restricted PDF documents, by removing printing, editing and copying restrictions.

Advanced PDF Password Recovery recovers (or instantly removes) passwords protecting or locking PDF documents which have been created with all versions of Adobe Acrobat or many other PDF applications.

Book Guard Pro does not recommend the use of password security for a variety of reasons. Let’s take a look at the  features and benefits of PDF password recovery software, as stated by the manufacturers, to see the dangers PDF publishers are exposing their PDF ebooks and other PDF documents to, by using passwords alone;

* Supports all versions of Adobe Acrobat, including Acrobat 9
* Supports GPU acceleration
* Supports all third-party products producing PDF files
* Instantly unlocks PDF documents with printing, copying and editing restrictions
* Removes “owner” and “user” passwords
* Recovers passwords to open
* Supports 40-bit and 128-bit RC4 encryption as well as 128-bit and 256-bit AES encryption
* Patent-pending Thunder Tables technology recovers 40-bit passwords in a matter of minutes
* Dictionary and brute-force attacks with user-defined masks and advanced templates
* Three editions to satisfy the most demanding and savvy customers
* Optionally removes JScript code, form fields and digital signatures
* Batch mode allows automatic processing of multiple files
* Highly optimized low-level code optimized for modern multi-core CPUs

Adobe has said it expects updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, to be available.

If you’ve chosen to read PDF documents using the popular alternative to Adobe — Foxit Reader — you also need to update. Foxit has released an update that fixes at least three serious vulnerabilities in its Reader products. That update, which brings Foxit Reader to version 3.0, is available from here.

Foxit Reader is a free PDF document viewer, with very small size, breezing-fast launch speed and rich feature set. Its core function is compatible with PDF Standard 1.7. Previously, you’ve had to download a huge PDF reader from another software company, such as Adobe, go through a lengthy installation process and wait for an annoying splash window to disappear just to open a PDF document.

Many people find Adobe Reader is a real pain to use. It’s monstrously large. Very slow to load. And includes many features most users will hardly ever need. On the other hand, Foxit PDF Reader 3.0 kills the additional, often unneeded features and throws in some useful additions, such as multimedia support plus content-sharing options. Yet still allowing you to quickly access your PDFs.

The interface is similar to Adobe’s, so you won’t have to change your PDF reading habits.

In a recent test, the text readability was similar. The small program starts surprisingly fast compared with Adobe Reader. You might need to make a few adjustments to get it to work with your Internet browser. But you can find help on Foxit’s support forums.

It’s a good feature that it opens PDFs from the Internet in their own Foxit window – instead of taking resources from within the open browser you are using.

Foxit’s biggest flaw used to be hogging memory. However this has now been corrected. Recent updates include fixing the hyperlink problems, multimedia support, printing highlighted-only sections, and tabbed PDF browsing.

Now, you can read multiple PDFs simultaneously and with ease. Overall, unless you’re tied to Adobe we strongly recommend Foxit, this freeware PDF competitor to Adobe’s older and more bloated PDF reader.