Information that we have stored on our computers can be of a very sensitive nature: things we want to keep private for business or personal reasons. There can also be files that need to be stored in a certain way due to government legislation, e.g. medical and financial records. Either way, when you create something with the intention of keeping it secure, the storage and security of documents become fundamentally important. It means that format, software and system vulnerabilities are taken very seriously and proactive steps are taken to mitigate the risks associated with storage.
The thing that prompted this article was a recent press release about a new product that boasts about its ability to strip the security from PDF documents. The two main features are accessing passwords that are ‘forgotten or lost’ and editing documents that have restrictions placed on them. Character filter options include digits, caps latin, space, small latin, and special symbols. The product can support 40-bit/128-bit RC4 encryption as well as 128-bit/256-bit AES encryption. This concerned me to a degree, so I started doing some reading about security threats, encryption, compatibility, and the levels of security that can be built at the document and company level.
In my search for software to bypass encryption I found that there isn’t one program that claims to do it all, but a slew of them, all guaranteed to get into documents that have restrictions in a variety of ways. There are going to be updates for all things (both to secure and to bypass security). The new products that emerge into the market will make it faster and easier to get past a restriction until the next fix is made.
There are also a number of ways that programs, formats and systems can be hacked. Flaws can be exploited and work-arounds can be made. New security breaches can be found each week within the security blogs of software companies. That’s probably why Adobe has taken the step of appointing a Chief Security Officer.
Adobe Acrobat XI has a range of security measures built into the application that allows security at a government level, but even that doesn’t mean total security for a government (e.g. Wikileaks via internal hacking and Anonymous via external hacking). So what are some of these security measures? Obviously there are passwords but there are also things that go a step further.
- FIPS 140-certified cryptography – This is a type of file encryption that provides a level of defence.
- Permissions – These apply copy and edit restrictions to PDF files. Fine-tune file permissions to control or limit other activities such as commenting, form filling, or adding pages.
- Actions – These define sets of steps that users can easily apply consistently to create PDF files that comply with an organization’s security policies.
- Author signatures – Protect the authenticity and integrity of documents with author signatures that comply with PAdES standards.
- Redaction and sanitization tools – Permanently delete sensitive text and images, and remove hidden information such as metadata, layers, and text. It is important this is done properly otherwise it can be a simple matter of removing a layer or removing a background colour from text to reveal information.
- Integration with Adobe LiveCycle Rights Management ES3 – This applies dynamic, server-based security policies to documents to control, track, and audit access and use.
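The encryption strength and permission settings described above are recorded in a PDF's encryption dictionary, so they can be audited before a file is distributed. The Python below is an added example, not code from the article or from Adobe; it scans uncompressed PDF bytes for the standard security handler, decodes the `/V`, `/Length` and `/P` entries, and flags RC4 or keys under 128 bits as weak, which is this example's own policy. The sample dictionaries are constructed.

```python
import re

# /P permission bits of the standard security handler (1-indexed, ISO 32000-1).
PERMISSION_BITS = {
    3: "print", 4: "modify", 5: "copy/extract", 6: "comment",
    9: "fill forms", 10: "accessibility extract", 11: "assemble pages",
    12: "high-quality print",
}

# Constructed sample fragments (the /O and /U password entries are omitted).
SAMPLE_AES = b"""%PDF-1.7
5 0 obj
<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1852
   /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
   /StmF /StdCF /StrF /StdCF >>
endobj
trailer << /Encrypt 5 0 R >>
"""
SAMPLE_RC4 = b"4 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\n"

def _int_entry(d, key):
    """Integer value of a dictionary key such as /V or /P, or None."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else None

def audit_encryption(pdf_bytes):
    """Return cipher, key length and permission flags, or None if unencrypted."""
    hit = re.search(rb"/Filter\s*/Standard", pdf_bytes)
    if hit is None:
        return None
    # Slice out the indirect object that holds the encryption dictionary.
    start = max(pdf_bytes.rfind(b"obj", 0, hit.start()), 0)
    end = pdf_bytes.find(b"endobj", hit.end())
    d = pdf_bytes[start:end if end != -1 else len(pdf_bytes)]
    v = _int_entry(d, b"V") or 0
    if v == 5:                      # AESV3 crypt filter
        cipher, bits = "AES", 256
    elif v == 4:                    # crypt filters; 128-bit key assumed
        cipher, bits = ("AES" if b"/AESV2" in d else "RC4"), 128
    elif v == 2:                    # RC4 with /Length bits (default 40)
        cipher, bits = "RC4", _int_entry(d, b"Length") or 40
    else:                           # V 1 (or absent): 40-bit RC4
        cipher, bits = "RC4", 40
    p = (_int_entry(d, b"P") or 0) & 0xFFFFFFFF   # /P is a signed 32-bit value
    allowed = [n for b, n in PERMISSION_BITS.items() if (p >> (b - 1)) & 1]
    denied = [n for n in PERMISSION_BITS.values() if n not in allowed]
    return {"cipher": cipher, "key_bits": bits,
            "weak": cipher == "RC4" or bits < 128,   # this example's policy
            "allowed": allowed, "denied": denied}
```

Calling `audit_encryption(SAMPLE_RC4)` reports a 40-bit RC4 document as weak, while `audit_encryption(SAMPLE_AES)` reports 128-bit AES with only printing allowed.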
There is other software that will aid in the protection of your PDF documents (or any document for that matter). These products focus on a range of weaknesses within current systems, making them more robust. Lock Lizard (a past sponsor of Planet PDF) offers software that does just this. It secures PDF documents more thoroughly than can currently be done otherwise.
There is a sure-fire way to keep documents safe if you are overly concerned about your PDF documents, or any electronic document for that matter, being accessed. This might sound silly, but unfortunately it’s the best way to protect your electronic documents. Simply do not have the computer plugged into a phone line/internet connection, do not send the document out, and do not even keep it on a system that other people can access. That would be in addition to having all of the information encrypted and restricted with passwords. But that might be taking it too far, unless you have some world-changing sensitive information to safeguard from elite hackers. Armies and governments seem to think this is a pretty good way to keep information secure though.
Files are more often than not stored and sent as PDF files because of their ease of use. There are a number of reasons for this, but this is not the article that will go into why using PDF is a preferred document method. There are also a number of past articles that detail various aspects of PDF security, both in regards to the documents themselves and the software that interacts with them. A small list has been included at the conclusion of this article. The subject of document security and even file security can be delved into on such a level that books are written and forums dedicated to the topic. Some more articles about PDF security follow:
- Adobe Reader and PDF Security Threats
- An introduction to PDF security
- How Encryption Works
- How To Use PDF Files More Safely