Ride the Lightning
Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.
ATTENTION LAWYERS: HOW TO PROPERLY SECURE A PDF DOCUMENT
June 10, 2009
The following guest post was authored by colleage and friend Dave Bilinsky and first published by the Law Society of British Columbia.
Since we see this issue a lot in cases where electronic evidence is altered, it seemed worthy of a post:
The writer learned of a situation recently when a client took a Word document that was sent from a lawyer, modified the contents and then attempted to claim that the law firm had given them erroneous advice, based on the (modified) letter. Fortunately, the law firm was able to produce a copy of the original letter which documented their (correct) advice.
According to John Simek, the Vice President of Sensei Enterprises Inc. (www.senseient.com) and a computer forensics/Legal Technology expert and frequent speaker at The Pacific Legal Technology Conference and other Legal IT conferences, this entire situation would have been avoided if the law firm had sent out a secure PDF document rather than a Word document. How does one secure a PDF document? According to John, securing a PDF document is not complicated but it does have to be done correctly.
Many people believe that applying a “password” to the PDF document in Adobe Acrobat will secure the document. However, John says try searching: “Adobe Password Cracker” in a Google Search and see the number of hits that turn up, such as this one:
“[name of product] can be used to decrypt protected Adobe Acrobat PDF files, which have "owner" password set, preventing the file from editing (changing), printing, selecting text and graphics (and copying them into the Clipboard), or adding/changing annotations and form fields. Decryption is being done instantly. Decrypted file can be opened in any PDF viewer (e.g. Adobe Acrobat Reader) without any restrictions — i.e. with edit/copy/print functions enabled. All versions of Adobe Acrobat (including 5.x, which features 128-bit encryption) are supported.”
John states that Adobe owner passwords can be cracked “very” quickly, since these password hacking products simply remove the ‘flag’ that Adobe applies to the document, which does not depend on the ‘strength’ of the password. Once the ‘flag’ is gone, the document is completely open to be edited, printed etc.
In order to properly secure an Adobe document, John advises a ‘two-step’ test.
The first step is to apply a password to the Adobe document that restricts any changes to the document (a “Change Permissions Password”). The second step is to apply an “Open Document” password. When both of these are applied, the PDF password cracker programs cannot get ‘at’ the flag that controls the editing of the document.
You provide your client with the “Open Document” password but not the “Change Permissions Password”. This way they can view the contents of the document, but they have no ability to edit the document.
Using this dual password method, the software that is used to ‘crack’ the Adobe document password cannot get at the ‘flag’ and therefore cannot be used to break the security of the document (at least at this time).
John advises making both passwords robust – ie not vulnerable to a dictionary attack for example, in order to prevent someone trying to guess the passwords in order to defeat the security of the document.
Thanks Dave! You can find Dave's excellent law practice management blog at www.thoughtfullaw.com.
Listen to the Podcast
