2018 TAG Cyber Security Annual – Volume 1: Outlook for Fifty Cyber Security Controls

Design – TAG Cyber LLC
Finance – M&T Bank
Administration – navitend
Research – TAG Cyber LLC
Lead Author – Dr. Edward G. Amoroso
Researchers – Liam Baglivo, Matt Amoroso, Miles McDonald
Facilities – WeWork, NYC

TAG Cyber LLC
P.O. Box 260, Sparta, New Jersey 07871

Copyright © 2018 TAG Cyber LLC. All rights reserved. This publication may be freely reproduced, freely quoted, freely distributed, or freely transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system without need to request permission from the publisher, so long as the content is neither changed nor attributed to a different source.

Security experts and practitioners must recognize that best practices, technologies, and information about the cyber security industry and its participants will always be changing. Such experts and practitioners must therefore rely on their experience, expertise, and knowledge with respect to interpretation and application of the opinions, information, advice, and recommendations contained and described herein. Neither the author of this document nor TAG Cyber LLC assume any liability for any injury and/or damage to persons or organizations as a matter of products liability, negligence or otherwise, or from any use or operation of any products, vendors, methods, instructions, recommendations, or ideas contained in any aspect of the 2018 TAG Cyber Security Annual volumes. The opinions, information, advice, and recommendations expressed in this publication are not representations of fact, and are subject to change without notice. TAG Cyber LLC reserves the right to change its policies or explanations of its policies at any time without notice.
September 7, 2017

To the Reader:

This 2018 TAG Cyber Security Annual – Volume 1: Outlook for Fifty Cyber Security Controls is a companion guide to the report of similar name issued last year. I will admit that it was tempting to take last year’s report and tweak a few words, add some new descriptions, and maybe draw a couple of fresh diagrams – and call the result a new report. Luckily, that lazy option passed, and instead, I spent an hour of each day for the past six months writing a new book. So, if you thought you’d get off easy, then forget it: You have some reading to do.

This new volume complements two other new volumes issued as part of the TAG Cyber Security Annual series and available to you as free PDF downloads at https://www.tag-cyber.com/. I suppose one could debate whether our TAG Cyber material is useful, but there is full consensus that our material is voluminous. As always, we offer our reports at a whopping price of free, but I suspect that if we ever decide to sell these massive volumes, we will set pricing based on dollars-per-pound.

The process used to create this volume had much in common with last year’s approach. The most obvious similarity is that I once again received a lot of help. Like last year, I carefully selected and reached out to a select group of cyber security technology vendors – most of them new this year – and asked that they invest the time, energy, and resources to help me learn their specialty. These wonderful Distinguished Vendors are listed on the next page – and I hope you’ll reach out and learn from them as well. Your time will be well spent.

Also, like last year, I spent hours and hours and hours (and more hours) with enterprise security professionals and Chief Information Security Officers (CISOs) from every sector in business and government. I invited them to dinners, I cajoled them into weekly discussion sessions, and I cornered them at every conference. I think some now head the other way when they see me approaching. But this is necessary, because cyber security only comes into focus with many different perspectives. Even within the same company, I often hear different answers to the same question. So, there are no shortcuts.

An awesome new input this year was the group of paying customers (yes, that’s right) for which my growing TAG Cyber team – Liam Baglivo, Matt Amoroso, and Miles McDonald – provided cyber security consulting. To respect their privacy, I won’t name the companies here, but they provided amazing insights into current views on best practices in cyber defense. These clients included two banks, a software company, a government support team, a tech company, a non-profit, and a medical device company. Assisting on their projects was enormously helpful in the creation of this volume.

My annual caveat on bias must start with AT&T, where I served for thirty-one incredible years. I continue to believe that the expert team there is doing groundbreaking work in software defined networking under John Donovan, and it is ridiculous for me to try to appear unbiased. My comments on managed security services offer a glowing vision of self-provisioned, virtualized security via cloud and SDN, and if that appears to align with AT&T’s approach – well, then I admit the alignment. I spent years helping to design that work, so I cannot untangle myself.

I have, however, carefully removed myself this year from all major boards. I loved my year with M&T Bank as an Independent Director on their Corporate Board, but the relationship has been redesigned as senior consultative. That is one fine group of people up in Buffalo, and I hope you use their banking services. I also stepped down from the NSA Advisory Board so that I could write openly, publish more freely, and devote the proper amount of time required for this research. That government board included an awesome group of amazing volunteers and civil servants – and I wish each of them well.

My academic affiliations remain intact, albeit perhaps more intense. I continue to teach two courses per year in a massive lecture hall to about two-hundred graduate students at the Stevens Institute of Technology annually. I’ve also accepted a position as a Research Professor at NYU, where I focus on cooperative learning, government-funded research, and cyber awareness events for executives. Finally, I continue to serve as a Senior Advisor to the Applied Physics Lab at Johns Hopkins University, where I support a group of ridiculously smart technologists.

Anyway, enough about me: It’s time that you dive into this 2018 TAG Cyber Security Annual: Volume 1 – Outlook for Fifty Cyber Security Controls. As you read the book, my advice is to use the Feynman self-summarization technique to absorb the material using a sharpened Ticonderoga, a fresh lined pad, and an open mind. I hope this book is useful to you.

Dr. Edward G. Amoroso
Chief Executive Officer, TAG Cyber LLC
Fulton Street Station on Broadway

2018 TAG Cyber Distinguished Vendors

Each of the vendors listed below invested their valuable time, resources, and money in the development of the volume you have in your hands. They were carefully hand-selected based on the uniqueness, importance, and relevance of their offering to Chief Information Security Officer (CISO) teams from the nearly 1500 vendors we cover each year. I would list them all as co-authors if that was feasible – but of course, it is not. Instead, they are listed below alphabetically, with a brief note of thanks for their unique insight, friendship, and support of the global cyber security industry. It goes without saying that any unexpected errors in this volume, or recommendations that might ultimately prove incorrect, are entirely my fault – not theirs.

Here is the list, with a word or two about their fine leaders:

4iQ – I loved working with the 4iQ team this year, including Monica Pal and Julio Casal. The digital risk monitoring and identity threat intelligence services they provide represent one of the most important contributions in our cyber security industry.

Agari – It was a delight working again with Pat Peterson and the new Agari CEO Ravi Khatod. The Agari team helped me understand email security perhaps better than any other group – and I am so appreciative of their assistance.

AlienVault – Roger Thornton is such a wonderful technologist, always available to expertly help explain some aspect of advanced cyber security. My thanks go to Roger and the entire AlienVault team for their partnership with TAG Cyber.

Appthority – Domingo Guerra was generous with his time helping to explain how app risk can be extended to holistic mobility management. Paul Stich, as always, continues to be such a wonderful contributor to our cyber security industry.

Arbor Networks – Brian McCann and his team continue to do such a great job reducing DDOS risk and helping to assure business communications. The Arbor team is first class and always great hosts for visits to Boston.

Ataata – It was a delight getting to know Michael Madon, CEO of Ataata, and to immerse in his original and amazing content. His fine subscription-based content offering provides an accurate glimpse into the future of security awareness.

AT&T – The security community at my former employer has been so incredibly helpful to the TAG Cyber team in areas such as MSS, SDN, NFV, and evolving threat. The Government Solutions team has also been a delight to work with this year!

Attivo Networks – Tushar Kothari and his capable team continue to improve and advance the state of the art in modern cyber deception for the enterprise. His support and friendship are so appreciated by the TAG Cyber team.

Bayshore Networks – Francis Cianfrocca is one of my favorite industry partners. His enthusiasm, knowledge, and good humor are such wonderful assets to the IoT/OT/ICS industry. Thank you – Francis, for our many detailed discussions!

Blackridge – When John Hayes and Mike Miracle explained first packet authentication to me, I was totally blown away by the concept.