<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2895785611709323160</id><updated>2011-10-04T11:01:42.484-07:00</updated><category term='software security'/><category term='Arxan CTO'/><category term='application security'/><title type='text'>Arxan CTO Musings</title><subtitle type='html'>Discussion on the latest application security developments and issues, including piracy, code protection, application hardening and cybersecurity.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://arxancto.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>34</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-534969929432955541</id><published>2011-04-06T11:06:00.000-07:00</published><updated>2011-04-07T08:44:01.466-07:00</updated><title type='text'>Over The Top Media Distribution</title><content 
type='html'>A few weeks ago I gave a presentation at OTTCon (the Over The Top Conference) in San Jose, California.  What is "over the top"?  The purest definition is multimedia (HD video, "television", and other media) delivered to your home through the internet.  Over the top refers to working "around" the traditional "television" delivery channels to your home (broadband cable, over-the-air broadcast, and satellite).&lt;br /&gt;&lt;br /&gt;The conference was over-subscribed, indicative of the tremendous ferment in this technology, product and service area.  As with any market with such dynamics and growth, the business opportunities are tremendous.&lt;br /&gt;&lt;br /&gt;This market has large, well-established vendors operating "walled garden" solutions, with strong interest in expanding from their now traditional music or DVD-quality video distribution to high-definition content.  There are a large number of smaller niche players, and new entrants of varying types almost every day.  Of course all the major consumer electronics brands and consumer media sales brands are jockeying for position as well.&lt;br /&gt;&lt;br /&gt;The cable companies are highly involved, particularly as they strive for a larger business role than merely that of a bandwidth provider for "the last mile", which in turn has raised and will continue to raise net neutrality issues.&lt;br /&gt;&lt;br /&gt;There is tremendous product crossover, with gaming consoles serving as internet-connected media access devices, smartphones and tablets operating as media access devices, set-top box functionality being integrated into traditional TVs and monitors, not to mention the evolving role of the traditional PC as a multimedia hub.&lt;br /&gt;&lt;br /&gt;There are platform wars erupting.  
The most interesting is Google's promotion of Android and Chrome as ubiquitous platforms to be used by all media-oriented product vendors...which just happen to integrate very easily with Google's services and advertising.&lt;br /&gt;&lt;br /&gt;Standardization is a major market force.  Ultraviolet is an open standard in development, with huge industry participation, working to define and create a uniform and compatible system for purchasing, renting, accessing and viewing high-definition video content on all of a consumer's Ultraviolet-compatible devices.&lt;br /&gt;&lt;br /&gt;Behind all of this are the studios, with their content and in particular their high-definition content, which they are extremely careful about distributing and monetizing.&lt;br /&gt;&lt;br /&gt;Overall, this is an incredibly complicated business and technology ecosystem, with participation by telcos, cable companies, satellite companies, consumer electronics companies, cell phone companies, microprocessor companies, computer companies, bricks-and-mortar and web-only consumer sales companies, studios, and security companies.  The corporate membership list of Ultraviolet, for example, is stunning in its breadth.&lt;br /&gt;&lt;br /&gt;Michael Porter of the Harvard Business School is famous for (among other things) his "five forces" analysis of industries.  A comprehensive five-forces analysis of the "over the top" market would be fascinating, revealing, and extremely complex and rich.&lt;br /&gt;&lt;br /&gt;I can't use the term "force" without bringing to mind the meme introduced into our social consciousness by George Lucas, "the Force".  As we all know the Force has a light side and a dark side, and in this market area the dark side centers around (no surprise!) digital media piracy.&lt;br /&gt;&lt;br /&gt;Digital media piracy requires a legal basis for defining digital media as proprietary assets.  
This basis was all but non-existent only a few short years ago, as our large body of property law was primarily concerned with the physical plane.  The Digital Millennium Copyright Act (DMCA) is now the foundation on which digital media as proprietary property rests, in particular through its anti-circumvention provisions, which make defeating the technical protection measures on content an offense in its own right.&lt;br /&gt;&lt;br /&gt;Intellectually, most of us understand and agree that media in digitized form is still property.  However, sadly, our moral structure and cultural attitudes have not kept pace with the advancement of technology.  There are huge numbers of people who would not steal a pack of gum from a store, yet who can and do routinely access pirated digital content.&lt;br /&gt;&lt;br /&gt;Why is that?  I believe there are two fundamental reasons.  The first is the lack of any perception of "theft", because there is no overt loss of goods to the owner when the piracy occurs.  The second is what I call "second order access": if it's available for free or low-cost download, then "I am not stealing it".  This is analogous to buying a fancy new watch from the trunk of someone's car; we know they stole it, yet we are tempted to buy the stolen goods.&lt;br /&gt;&lt;br /&gt;Morality in a society is nurtured and supported by simple acts of peer pressure, and I urge readers to engage in this with respect to digital piracy: do not allow it to occur in your home, refuse to support it by saying "no" to offers from friends and neighbors to enjoy "free" movies, and in general stand up at the critical moments for the property rights of those who labored to create the content that has been stolen.  All the technology in the world will not make us a moral society and protect our interests from ourselves.  
Only we as a society can do that, and it truly starts with each of us taking simple daily stands on the issue.&lt;br /&gt;&lt;br /&gt;There is an incredible essay written in the early 1990s by John Perry Barlow (a co-founder of the Electronic Frontier Foundation) called "Selling Wine Without Bottles: The Economy of Mind on the Global Net".  In this essay Barlow poses the following riddle: "if our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it?", which in turn leads to a fascinating observation: "A lot of protection technologies will develop rapidly in the obsessive competition which has always existed between lock makers and lock breakers."&lt;br /&gt;&lt;br /&gt;Here at Arxan Technologies, we are deeply involved in this "obsessive competition" in the arena of proprietary digital content lock making and breaking.  Consistent with the vastness of the ecosystem involved in "over the top" media distribution is an alarmingly complex delivery value chain for the actual content.  This in turn presents a vast "attack surface" for those who wish to steal the digital assets in motion.  And the problem doesn't stop with merely the protection of the digital content: other elements of the environment are subject to tampering to effect different forms of piracy.  For example, tampering with a retail node to enable "purchases" without any actual financial transaction, or tampering with policy code to disable the time-period restrictions on content. 
&lt;br /&gt;&lt;br /&gt;We at Arxan are members of the Ultraviolet organization and are deeply involved in protecting digital assets in both Ultraviolet and many other "over the top" media distribution channels through Digital Rights Management software protections, key hiding technologies and node locking technologies.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/534969929432955541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/534969929432955541'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2011/04/over-top-media-distribution.html' title='Over The Top Media Distribution'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-8911511308474156940</id><published>2011-03-03T14:53:00.000-08:00</published><updated>2011-03-04T11:08:39.373-08:00</updated><title type='text'>Android Marketplace Apps Removed by Google</title><content type='html'>&lt;p 
class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;For quite some time now I and others have been speaking out regarding the risks of the Android application marketplace, as an un-vetted "wild west" for software.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;The essence of the problem is simple: any one can post software there, without any review of actual content and behavior.  The overarching security model is that applications on installation must request and the user must approve certain capabilities (for example the right to access address book information, or to send text messages), and this then gives the user security control.  The problem with this model is that broad capability requirements are very common on legitimate applications, and users become assumptive that the capabilities requested are both needed and will be used "appropriately" by the application.  Neither is necessarily true, particularly with applications that are intentionally malignant.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;Today we have the news of a significant number of applications with large #'s of download being, in fact, malware attempting to get device access at the root level, and stealing confidential information off the phone. &lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;&lt;a href="http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=T2"&gt;http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=T2&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;It's important to keep in mind that there are three types of parties involved in Android security issues.  
The first is of course the consumer and individual business user, and their concern is the ability to utilize applications that provide incremental value without concerns about malware.  The second is businesses themselves who must field these devices with their staff for productivity reasons, and have to balance between the need to enable them with productivity applications, while still ensuring device security.  This is particularly needful given the business data likely to reside on the device.  Lastly, there is the application developers (sometimes these same businesses fielding such devices), who have to be concerned about the risk of their software being compromised with malware, and potentially their brand compromised as a result of re-distribution with malware injected into their application.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;The heart of the problem leading to this action by Google is first, the lack of any review practices for the Android marketplace.  Some are suggesting a "vetted" Android marketplace as a solution; meanwhile, some larger enterprises are constructing their own "vetted and approved" download areas for Android applications for employee business devices.  It's not hard given this recent action to see why such a methodology is needed for large corporate deployments of Android devices into the work force. &lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;The second problem is the lack of any software protections in the application software itself.  We at Arxan have been ringing this bell for some time, and while those with obvious code security concerns do take active steps to secure their application code with intrinsic security (media players, payment system software, banking software, etc.), others do not.  
This enables exactly the above situation to occur: hackers can casually lift an application, reuse/modify the binary level code, and republish.  The result: rapid and effective malware distribution to a huge base of Android device users.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;The solution isn't overly difficult: protect your applications from reverse engineering and tampering!  Arxan and others provide powerful technologies to accomplish this.  While this won't secure the Android marketplace itself, it will help to assure that YOUR software isn't cloned and published under a similar function or brand name with malware inserted.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-8911511308474156940?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8911511308474156940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8911511308474156940'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2011/03/android-marketplace-apps-removed-by.html' title='Android Marketplace Apps Removed by Google'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-5384592369346212490</id><published>2011-01-06T10:54:00.001-08:00</published><updated>2011-01-06T10:55:31.321-08:00</updated><title type='text'>A New Decade of Computing!</title><content type='html'>2010 
is over, and a new decade is beginning to unfold.  We have a tidal wave of computing change occurring, indeed it is really just getting started.  &lt;br /&gt;&lt;br /&gt;"Smart phones", which I prefer to think of as hand held computers with cellular I/O support, are by far the fastest growing class of computer systems today.  I've suggested it before and I'll suggest it again: what we are witnessing is the rise of a "fourth wave" of computing. The first wave was the mainframe, the second was the minicomputer, the third wave was the PC.  Interestingly, the "personal" computer was personal only in the sense that you, as an individual, had your own.  The rise of the truly "handheld" computing device, which also adds cell phone I/O (for both data and voice transmission, thus making them "smart phones"), is more accurately a "personal" computer, in that the computer generally stays in contact with your body.  However, since "personal computer" isn't available as a moniker, I've suggested "intimate computer" as a more accurate and expansive name for this new computing class.  &lt;br /&gt;&lt;br /&gt;What can we learn from history, from the forces we see at work, from our own logical assessment, and even perhaps from our intuition, about how this new intimate computing wave will unfold?&lt;br /&gt;&lt;br /&gt;First, as to form factor: I do not think we are anywhere near "done" with evolution of form factor in these new intimate computing devices.  Just as the desk-side/desk-top PC fairly quickly evolved into a wildly popular "laptop" form, I predict that the current form factor of a rectangular hand held "bar" will evolve into yet more intimate forms.  Generally I'd call this "wearable computers" and all that that implies.  The specific forms that will be successful are hard to predict,  but it's sure to be a fascinating arena with multiple audio and visual possibilities! 
&lt;br /&gt;&lt;br /&gt;The challenge of new form factors will of course be I/O between us and the computer.  While voice is an obvious possibility for input, voice strikes me as being problematic for the innumerable times you want to "use the computer" but speaking extensively is inappropriate or just not comfortable.  Audio output is easily dealt with via the current forms of ear based speakers, but perhaps during the decade we will see something more subtle, a la bone induction or some other means of bypassing the need for external speaker based output.&lt;br /&gt;&lt;br /&gt;Visual output requirements would seem to take us back to some kind of "hand held screen" form factor, but I think this leads to a very likely "wearable" form factor that can address multiple needs in an integrated manner.  Glasses.  Yes, glasses, where visual output is projected onto the inside of the glass and is seen as an "overlay" on the outside visible world, similar to heads up displays in aircraft.  Such a form factor can easily include audio output via integrated ear buds. Voice input is obvious but as I said, not ideal, and the human input side is probably the area I am least able to see what innovations might develop.  Sensors on finger tips that allow some kind of finger movement based textual input?  Perhaps we'll get to internet access and general computing paradigms where textual input is generally obsolete!  Or perhaps some kind of "sub-vocal" input means will be created, allowing "voicing"  that is performed silently relative to the outside world!  &lt;br /&gt;&lt;br /&gt;If you think that I am alone or far fetched in my thinking, then perhaps you were not at the Open Mobile Summit late last year in San Francisco.   I heard a few companies talking about these trends and sharing thoughts on concept products that might one day appear.  
One company showed a "mirror mirror on the wall who is the fairest of them all" concept where as you brush your teeth in the morning,  you engage in I/O activities from getting the weather, news and sports, and sending them on to friends.  Another company decried the current "heads down" paradigm of smart phone usage, promising to lift up the heads of people everywhere with use of their future products.  I don't believe my ruminations are entirely speculative!&lt;br /&gt;&lt;br /&gt;Of course where innovation goes, crime is sure to follow.  It's an immutable law of nature.  What might be the evolution of "computer viruses", and more generally, the entire arena of "cybercrime"?  As noted in prior blogs, this area isn't just kid stuff or even just "malicious people" stuff anymore.  This is hard core major organized crime stuff!  Billions of dollars are being stolen, every year, both in outright cash and in more subtle economic forms (intellectual property in particular).&lt;br /&gt;&lt;br /&gt;Even today, we already have examples of viruses infecting intimate computing devices.  We have an example of malware hiding under a veneer of a legitimate application (watching a new movie trailer) directly monetizing its infection by making toll calls charged to the service plan of the owner of the smart phone.  It's a safe bet that ALL the forms of viruses, malware, bots and botnets, and the like will move through the intimate computing landscape.&lt;br /&gt;&lt;br /&gt;Do the specifics of intimate computers enable new and different forms of malware? Note: I'm not referring to the detailed level of "yes there will be differences because it's Linux or Symbian or XX underneath not Windows or OS/X".  Are there new and unique attributes of intimate computers that will enable whole new classes of malware?  
If so, what are those unique attributes?&lt;br /&gt;&lt;br /&gt;First, the "universal" connectivity  of intimate computing devices to the cellular infrastructure is a unique attribute.  Second, the popularity of mobile apps (downloaded to and run as independent programs) as the basis for functionality extension is rather unique.  Yes we all have loaded applications onto our PCs, but in general we are rather selective and judicious about that, loading those apps from large well established and recognized legitimate vendors, and we generally load relatively few in number.  The intimate computer world is shaping up very differently where loading many tens and even hundreds of little apps from all kinds of no-name vendors is business as usual!&lt;br /&gt;&lt;br /&gt;Do the apps represent a new means of malware infection?  Well, to a large extent the same issue was present in PCs.  However, what we have here is a huge difference in SCALE.  BILLIONS of apps are being downloaded; Gartner is projecting  approximately 30 BILLION app downloads into intimate computers by 2013. Is the opportunity for large scale infection substantially higher for these intimate computers?  Clearly, it is.&lt;br /&gt;&lt;br /&gt;What about the cellular I/O that is fundamental and pervasive on these devices?  What can malware do with that?  I truly don't know, but one thing I'm 100% certain of: there are some very smart minds out there, with advanced technology knowledge, getting paid by very evil minds with lots of money and no compunctions or morals, thinking about this as a tremendous (criminal) revenue generating opportunity.   And that puts intellectual property at risk, not to mention business models and privacy.&lt;br /&gt;&lt;br /&gt;So, how do we move forward in our mobile, connected, app-loaded world?  With excitement and innovation, but also with consideration for the defenses required to safeguard assets in this brave new world (apologies to Aldous Huxley).  
If this stirs your thinking a little as we march into the madness of a new decade, I've accomplished my goal for today.  Happy New Year, and here's to an exciting second decade of the millennium!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-5384592369346212490?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5384592369346212490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5384592369346212490'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2011/01/new-decade-of-computing.html' title='A New Decade of Computing!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-6962166671428040120</id><published>2010-11-15T10:55:00.000-08:00</published><updated>2010-11-18T15:12:05.748-08:00</updated><title type='text'>The Anti-Piracy Fiscal Maelstrom</title><content type='html'>&lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;There are recent reports of Microsoft spending upwards of $200M (yes, million!) a year on anti-piracy technology.  See the New York Times feature article:&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;  &lt;/span&gt;&lt;a href="http://www.nytimes.com/2010/11/07/technology/07piracy.html?scp=4&amp;amp;sq=microsoft&amp;amp;st=cse"&gt;http://www.nytimes.com/2010/11/07/technology/07piracy.html?scp=4&amp;amp;sq=microsoft&amp;amp;st=cse&lt;/a&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;This is an astounding figure, particularly given that in general, Microsoft software is available at vastly reduced costs from the pirates.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;While it may be tempting to conclude from this that software piracy is unstoppable, I thought I would share my perspective based on my company, Arxan’s, experience.  Frankly, we've seen time and again that our technology (for instance), properly applied on top of a thoughtful design from a security perspective, can and does stop piracy.  
We've had major successes in a wide variety of market segments, from low end extremely high volume gaming software, to very low volume but extremely high value geophysical software, and all kinds of interesting applications between those two extremes.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;We are also familiar with failure.  That's right, I'm not here to claim our solution is a panacea.  It doesn't work that way.  It's a continuous arms race in general, and on a software title by software title basis, it sometimes feels like hand to hand combat.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;What we have learned is that a solid design in the security dimension is critical.  A weak security design can't be easily "protected" later!  A design that seriously considers the threats to the software in general, how those threats are directly mitigated by the design, and then on top of that, how the design and implementation itself is protected from undermining through reverse engineering and code tampering, is required.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;Secondly, we've learned that you have to stay right on top of the latest techniques used by the cracking community.  As an example, we are now at "anti-anti-anti-debug" techniques.  
That's right, we deploy anti-debug techniques (checks inside the protected code that notice an attached debugger)...and the crackers have deployed anti-anti-debug techniques (tooling that hides the debugger or patches those checks out)...and we are deploying techniques to detect that hiding and patching, hence "anti-anti-anti-debug".&lt;/span&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;It's a brave new world indeed!&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;Microsoft's piracy problems are complicated by the fact that they have such a broad array of products, from multiple disparate design and development teams, with different licensing schemes, different distribution models and a wide diversity of distribution channels.  As anyone who attempts to run their business on Microsoft software knows, Microsoft does NOT look like "one company" when viewed through the lens of purchasing and licensing their software!&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;Few companies have the financial wherewithal for this level of security investment, both in absolute terms and even in "relative to revenues" terms.  For these companies, it's critical that application security be integrated into their product lifecycle as a "must" design attribute.  Letting a team rip on a major product development program, then starting to think about "how do we address this piracy problem?" after the product has been shipping for a few days, weeks or months, is to take a step in the direction of Microsoft levels of relative spend.  Don't do that!  Just as reliability, usability, and supportability are, these days, critical requirements that are considered throughout the software product lifecycle, so must software security be considered and addressed.&lt;/span&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;font-size:11pt;"  &gt;The end result can be a secure, un-pirated product.  
We know this for a fact: we've succeeded with many customers in achieving this result.  So don't end up staring down the tunnel of extravagant anti-piracy costs: think application security early, and often.&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-6962166671428040120?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/6962166671428040120'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/6962166671428040120'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/11/anti-piracy-fiscal-maelstrom.html' title='The Anti-Piracy Fiscal Maelstrom'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4735868625234759628</id><published>2010-09-28T09:35:00.000-07:00</published><updated>2010-09-29T08:25:42.408-07:00</updated><title type='text'>Digital Media Security</title><content type='html'>The HDCP copy protection technology has been broken: its master key has been computed and published:&lt;br /&gt;&lt;br /&gt;http://www.eweek.com/c/a/Security/Intel-Investigating-HDCP-Master-Key-Exposure-384053/&lt;br /&gt;&lt;br /&gt;What does this really mean?  It is in fact a bit complicated.  The content on Blu-ray discs is protected with something called AACS, and optionally with additional technology called BD+.  
The Blu-ray player itself decrypts the content, decompresses it, and rescales it as needed for the target display device.  Then this content is re-encrypted using HDCP and sent over HDMI to the target display.  The display device decrypts the HDCP-encrypted content for presentation on the monitor.&lt;br /&gt;&lt;br /&gt;With this master key, it is possible to build external devices that will appear as legitimate recipients of HDCP-encrypted content, with the ability to decrypt that content and then do whatever is desired with it (such as re-compress it and make it available through download sites).  Because revocation in HDCP works by listing the public key selection vectors (KSVs) of known-bad devices, and the master key lets anyone mint valid device keys for any KSV they choose, revocation does not help against such a device either.  Will someone do this?  It's a good bet; where there's money to be made via piracy, people will take advantage.&lt;br /&gt;&lt;br /&gt;How did this happen?  After all, isn't encryption-based security supposed to rest on the sheer size of the key space, on the question "can you figure out which of my astronomically many possible keys I'm using?"&lt;br /&gt;&lt;br /&gt;Yes, but...in this case the overall system had a design flaw, one that Crosby, Goldberg, Johnson, Song and Wagner had published back in 2001: HDCP's key agreement is linear.  Each device holds 40 secret 56-bit keys derived from a secret 40-by-40 master matrix and the device's public KSV, and the shared session key is just a sum of those keys modulo 2^56.  So with a sufficiently sized (but still small, roughly 40) set of device key sets whose KSVs are linearly independent, the master matrix can be "back computed" with ordinary linear algebra; no brute force of the key space is needed.&lt;br /&gt;&lt;br /&gt;Overall, what does this say about our digital media security systems?&lt;br /&gt;&lt;br /&gt;The answer is a hard pill to swallow: our digital media security systems can't really be trusted.  Note that no cipher was broken here; the key management around the cipher was.  Nothing about a basis in "hard cryptography" makes a system immune to a weak key design, and nothing about implementing it directly in custom hardware makes it immune either.&lt;br /&gt;&lt;br /&gt;So what's needed?  What is needed is multiple layers of defense, ideally implemented with both hardware and software mechanisms.  
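&lt;br /&gt;&lt;br /&gt;To make that flaw concrete, here is an added example of my own (it is not Intel's, the HDCP specification's or Arxan's code) that simulates the linear key scheme at toy size and shows why harvesting a few legitimate device key sets is enough.  It keeps the real arithmetic (sums modulo 2^56, a symmetric master matrix, key selection vectors with exactly half their bits set) but shrinks the matrix from 40 by 40 to 8 by 8 so that it runs in a moment, and the device key sets are generated in the script rather than extracted from hardware.  Two details matter for the solver: Z/2^56 is a ring rather than a field, and every KSV has even weight, so the harvested KSVs never form an invertible matrix.  The solver therefore pivots on the entry of least 2-adic valuation, and the attack derives the victim's private key vector directly as a combination of harvested key sets, never writing the master matrix down at all.

```python
import random

N = 8              # master matrix dimension; real HDCP uses 40 (shrunk here for speed)
WEIGHT = 4         # a key selection vector (KSV) has exactly half its bits set (20 of 40)
BITS = 56          # device keys are 56-bit and are added modulo 2^56
MOD = 2 ** BITS


def gen_master(rng):
    """Secret symmetric N x N matrix, known only to the licensing authority."""
    m = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(i, N):
            m[i][j] = m[j][i] = rng.randrange(MOD)
    return m


def gen_ksv(rng):
    """Public KSV: a 0/1 vector with exactly WEIGHT ones."""
    picks = set(rng.sample(range(N), WEIGHT))
    return [1 if i in picks else 0 for i in range(N)]


def derive_device_keys(master, ksv):
    """Private key vector = master * ksv (mod 2^BITS): key issuance is linear."""
    return [sum(master[i][j] for j in range(N) if ksv[j]) % MOD for i in range(N)]


def shared_key(my_keys, peer_ksv):
    """Km: add my private keys at the positions the peer's KSV selects."""
    return sum(my_keys[i] for i in range(N) if peer_ksv[i]) % MOD


def solve_mod_2k(A, b):
    """Solve A c = b over Z/2^BITS (A is n x m). Not a field, so pivot on the entry
    of least 2-adic valuation and check divisibility while back-substituting."""
    n, m = len(A), len(A[0])
    M = [[x % MOD for x in row] + [bi % MOD] for row, bi in zip(A, b)]
    pivots, used = [], set()
    for r in range(n):
        best = None
        for i in range(r, n):
            for j in range(m):
                if j in used or M[i][j] == 0:
                    continue
                v = (M[i][j] ^ (M[i][j] - 1)).bit_length() - 1   # 2-adic valuation
                if best is None or best[0] > v:
                    best = (v, i, j)
        if best is None:
            break                                # remaining rows are zero in the unknowns
        v, i, j = best
        M[r], M[i] = M[i], M[r]
        used.add(j)
        uinv = pow(M[r][j] >> v, -1, MOD)        # the odd part is a unit mod 2^BITS
        pivots.append((r, j, v, uinv))
        for i2 in range(r + 1, n):               # entries below have valuation >= v
            if M[i2][j]:
                f = ((M[i2][j] >> v) * uinv) % MOD
                M[i2] = [(x - f * y) % MOD for x, y in zip(M[i2], M[r])]
    c = [0] * m                                  # free unknowns stay 0
    for r, j, v, uinv in reversed(pivots):
        rhs = (M[r][m] - sum(M[r][jj] * c[jj] for jj in range(m) if jj != j)) % MOD
        if rhs % (2 ** v):
            return None                          # 2^v times a unit cannot reach rhs
        c[j] = ((rhs >> v) * uinv) % MOD
    for row, bi in zip(A, b):                    # pivot-free rows must hold too
        if sum(x * y for x, y in zip(row, c)) % MOD != bi % MOD:
            return None
    return c


def clone_device_key(harvest, target_ksv):
    """Attacker step: write the victim's public KSV as a combination of harvested
    KSVs, then combine the harvested private keys the same way. By linearity the
    result is the victim's private key vector; the master matrix is never needed."""
    A = [[ksv[j] for ksv, _ in harvest] for j in range(N)]   # one column per device
    c = solve_mod_2k(A, target_ksv)
    if c is None:
        return None
    return [sum(ck * keys[i] for ck, (_, keys) in zip(c, harvest)) % MOD
            for i in range(N)]


def run_attack(seed=2010, max_devices=64):
    """Harvest legitimate key sets one at a time until the victim can be cloned.
    Returns (devices needed, clone equals real keys, clone agrees with a transmitter on Km)."""
    rng = random.Random(seed)
    master = gen_master(rng)
    victim_ksv = gen_ksv(rng)                    # public; the attacker wants its keys
    victim_keys = derive_device_keys(master, victim_ksv)
    harvest, cloned = [], None
    while cloned is None and len(harvest) != max_devices:
        ksv = gen_ksv(rng)                       # one more device's extracted key set
        harvest.append((ksv, derive_device_keys(master, ksv)))
        cloned = clone_device_key(harvest, victim_ksv)
    if cloned is None:
        return len(harvest), False, False
    tx_ksv = gen_ksv(rng)
    tx_keys = derive_device_keys(master, tx_ksv)
    km_real = shared_key(tx_keys, victim_ksv)    # what the transmitter computes
    km_clone = shared_key(cloned, tx_ksv)        # what the cloned receiver computes
    return len(harvest), cloned == victim_keys, km_real == km_clone
```

Calling run_attack() returns a triple of the form (k, True, True): k is how many device key sets the attacker had to collect, the second value says the cloned private key vector is identical to the real one, and the third says a transmitter that has never seen the clone still agrees with it on Km.  Nothing in the attack touched a cipher; the break is entirely in the key management, which is the point of this post.&lt;br /&gt;&lt;br /&gt;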
Arxan Technologies is predicated on the exponentially increasing difficulty of fully cracking a protected system when that system is protected by multiple layers of relatively independent security mechanisms.  Additionally, the overall architecture should be designed not just with the concept of stopping cracking, but also of anticipating and detecting a cracked environment...and then compromising that environment in a new, subtle but pernicious way.&lt;br /&gt;&lt;br /&gt;Always seek to detect and create trouble for the cracker and/or for the user of the crack.  I recommend an approach of multiple layers of defense, with both crack-blocking strategies and crack-detection strategies, all coupled to overt and subtle response strategies.&lt;br /&gt;&lt;br /&gt;Intel, in response to this crack, has said they will sue anyone using the master key.  Legal solutions to piracy historically have had very limited success.  Our technology can and should do better in presenting very difficult barriers to those willing to act outside of the law.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4735868625234759628?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4735868625234759628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4735868625234759628'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/09/digital-media-security.html' title='Digital Media Security'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4558134497173438448</id><published>2010-09-10T10:05:00.000-07:00</published><updated>2010-09-10T10:11:50.046-07:00</updated><title type='text'>Apple vs. Open: Doomed to Repeat History?</title><content type='html'>Continuing this recent theme of Android-specific blog posts, I'd like to point out the remarkable repeat of history we have going on here.&lt;br /&gt;&lt;br /&gt;Consider Apple and the "market creation" and "market leader" position they've achieved with the iPhone.  Consider its key attributes: a closed system environment in every respect: closed operating system, a tightly controlled third-party application solution set, strict limitations on what software is allowed on the devices, and a supporting Apple proprietary media solution (iTunes).&lt;br /&gt;&lt;br /&gt;On the scene arrives Android, an open operating platform available to all.  And quickly a new business ecology is born, consisting of a myriad of companies building Android/ARM-based devices to rival Apple's, all similar but all unique as well.&lt;br /&gt;&lt;br /&gt;Does any of this sound familiar?  I hope at least a few readers are old enough to remember Apple's position in "personal computing" in the early 1980s with the Apple II (and later Macintosh) computer.  They were "dominant", with their closed proprietary technology.  Along came IBM with an open component approach, with all the critical components (DOS, Intel x86 microprocessors, and boot loaders, backplane and I/O specifications) generally available to all comers.  I remember the full-page "welcome" ad put out by Apple, welcoming IBM to the party, and of course the "once only" Super Bowl ad announcing the Mac a few years later.&lt;br /&gt;&lt;br /&gt;So what happened back then?  
We all know the story: the IBM PC "clone" business got rocking, and soon Apple's share in the market dropped to less than 20%.  Open, clone-able, with lots of choice and variety from a multitude of vendors won out handily over single-vendor, closed, more expensive and arguably "better".&lt;br /&gt;&lt;br /&gt;The story is repeating with the iPhone and Android, and in my opinion, the story will continue to repeat.  In three years, Apple smart phone share is likely to be down to a fraction of their current leadership share, and you will see massive innovation, variety and choice in the Android-based product field.  Apple's closed "complete ecosystem" solution will be better...and still won't win.&lt;br /&gt;&lt;br /&gt;A side note to all of this is the question of where is Microsoft?  Here we have what I believe is a fundamental shift in the computing paradigm for the masses, from personal computers to "intimate computers", computers that stay yet closer at all times to your body than those big and bulky "personal" computers.  Where is Microsoft in this transition?  Answer: nowhere in sight, at least thus far.  The Windows environment has failed to be successful in the multiple attempts to adapt it to the smart phone form factor.  The Kin product was a complete disaster and potentially reflective of a real inability to innovate successfully inside Microsoft.  Apparently they will be making a fresh try soon with "Windows Phone 7"; it will be fascinating to see if they can recover and establish a serious market position.&lt;br /&gt;&lt;br /&gt;In the meantime, the Apple vs. Android wars heat up.  Apple yesterday announced a loosening of restrictions on iPhone developers, and everyone thinks this change is a function of competitive pressure from Android, and I'd have to agree.  
Competition is fundamental to successful capitalism and to promoting market openness and freedom generally, and while I am a happy iPhone user, I like to see competition, choice and a lessening of market-controlling restrictions.&lt;br /&gt;&lt;br /&gt;To sum it up, if I were a betting man, I'd put my personal bet on Android to be the winner here.  History tells us it's the likely outcome, unless Apple challenges that outcome by significantly opening up their walled garden.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4558134497173438448?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4558134497173438448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4558134497173438448'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/09/apple-vs-open-doomed-to-repeat-history.html' title='Apple vs. Open: Doomed to Repeat History?'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-8815604526566424991</id><published>2010-09-07T13:46:00.000-07:00</published><updated>2010-09-13T09:54:56.355-07:00</updated><title type='text'>Android Application Security</title><content type='html'>Android-based devices are exploding onto our consumer products scene.  
By my recent count at the Wikipedia list of Android devices (http://en.wikipedia.org/wiki/List_of_Android_devices), there are 97 devices shipping today, and another 57 in the delivery pipeline.&lt;br /&gt;&lt;br /&gt;On the volume side, Android devices are also showing rampaging growth.  Gartner numbers show Android smart phones at 1.8% market share in Q2 2009, rising to an astounding 17.2% share in Q2 2010. While I don't have "smart devices (not phones)" figures, I'd expect even larger percentages for Android.  (Who are the big losers of smart phone share, you wonder?  No surprises there: Windows Mobile and Symbian.)&lt;br /&gt;&lt;br /&gt;Yet the Android model is fundamentally suspect at the level of third-party applications.  Why?  Simple: the bulk of these applications are from "boutique" developers or development shops, and there is absolutely no vetting of what exactly these applications do.  The potential for malware in these applications is enormous.&lt;br /&gt;&lt;br /&gt;Android does have a mechanism that requires applications to "request" capabilities at installation time.  However, it appears few pay much attention to that.  A few million downloads of wallpaper applications that requested sufficient capabilities to send phone-specific information (SIM ID, phone numbers, etc.) to a server in China certainly proved that point (why would you grant your wallpaper application internet access?  Because it asks for it and you want the wallpaper, so..."yes" you click!).  A security researcher, Jon Oberheide, demonstrated a proof-of-concept application, "RootStrap", that could bootstrap a rootkit onto an Android device.  The app (disguised as a preview of the popular movie Twilight Eclipse) routinely polled a server to see if new Android root exploit code was available, and if so would download it into the application and execute it.  
About 200 people installed this app, and while in this case the proof-of-concept didn't actually deliver any malware, it's a sobering reminder of how you really have no clue what you are getting when dealing with Android applications.&lt;br /&gt;&lt;br /&gt;Is the iPhone model better?  From a security perspective, absolutely.  Apple is doing something with apps to vet them.  What exactly they do in this vetting process they don't share (and I, like many others, would like them to be much more transparent about this), but personally I'm reasonably comfortable loading an iPhone app onto my phone, but would hesitate long and hard before loading any application written by any unknown publisher onto my Android device.&lt;br /&gt;&lt;br /&gt;Don't get me wrong, I do like the broader openness that Android devices offer.  After all, it's my device, is it not?  I should have the right to load any software I want, in my opinion.  At the same time, the marketplace needs to provide me with options for ensuring or identifying problems with the security of my choices.  Those options don't exist today.&lt;br /&gt;&lt;br /&gt;This leads different parties involved with the Android device phenomenon to different (sometimes overlapping) sets of requirements.&lt;br /&gt;&lt;br /&gt;First, for the consumer, there's an enormous need for Android application vetting, some high-quality "seal of goodness" that is arrived at through a reasonably thorough review of the actual code in the app and what it is doing.&lt;br /&gt;&lt;br /&gt;For the enterprise IT professional, there's a need for the same vetting service, and of course some device management services.  Corporate phones should not be allowed to be loaded with arbitrary applications; all apps should be required to come from a secure enterprise location that holds only vetted (and dare I say business appropriate?) 
applications, or alternatively, a vetting service can offer a means for particular enterprise phones to download only applications marked as appropriate by that same enterprise's IT organization.&lt;br /&gt;&lt;br /&gt;For the application developer, whether a small shop or an enterprise, there is another critical need.  While Android applications are signed, they are self-signed: the signature proves only that the package has not changed since whoever holds that key signed it, not who that is.  It is not difficult to take (as an example) a well-known bank's application, insert into it high-value malware, re-sign it with a new key, and publish it in a way that gives the illusion that it is still from or works with the original bank.  (The re-signed copy carries a different signer certificate, so it cannot install as an update over the genuine app, and an app that checks its own signing certificate at runtime can notice the swap; nothing, however, stops it being offered as a fresh download.)  Applications need protection from this kind of malware insertion.  Additionally there is the usual piracy problem.  Recently Google introduced a licensing service for Android Market as an attempted solution to this.  However, within weeks trivial cracks were demonstrated that patched the client-side license check out of the application, allowing it to run without a license.  In response, Google has said "oh, you need to obfuscate your application code".  Why, thank you Google!  What have I been prattling on about in this blog for the last year?  Guard your application software, folks, because if you don't, others will open it and have a field day stealing and modifying it to serve their own economic agendas.&lt;br /&gt;&lt;br /&gt;Did I mention that Arxan is announcing support for guarding of native code in Android applications yet?  
Yes indeed: watch for our announcement this week.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-8815604526566424991?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8815604526566424991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8815604526566424991'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/09/android-application-security.html' title='Android Application Security'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7924686627064955042</id><published>2010-08-27T12:00:00.000-07:00</published><updated>2010-08-27T12:01:47.379-07:00</updated><title type='text'>DLL Hijacking Redux</title><content type='html'>Someone once suggested there is nothing new under the sun, and that's certainly true with this week's spate of reports about DLL hijacking attacks in Windows.&lt;br /&gt;&lt;br /&gt;This is a well-known class of vulnerability dating back many years.  New reports that specific Microsoft applications fall prey to it are not at all surprising (http://tinyurl.com/33btjkh).&lt;br /&gt;&lt;br /&gt;Microsoft is quoted by Computerworld (http://tinyurl.com/23ag8kb), saying:&lt;br /&gt;&lt;br /&gt;"We're not talking about a vulnerability in a Microsoft product," said Christopher Budd, a senior communications manager with the company's MSRC, or Microsoft Security Response Center. 
"This is an attack vector that tricks an application into loading an untrusted library."&lt;br /&gt;&lt;br /&gt;Assessing this statement requires a brief review of the facts.  First, this is a vulnerability driven by the fact that Windows will search in all kinds of places to find a DLL that your application requests to be loaded, if your application is so "insecure" as to identify that DLL only by file name instead of a fully specified pathname.&lt;br /&gt;&lt;br /&gt;Why would applications fail to use a fully specified pathname?  One good reason is compatibility: Microsoft DLLs are not consistently in the same location across different versions of Windows!  Therefore software striving for compatibility needs to allow Windows to search for the DLL, or search itself.  A second reason is simply because Windows allows it and thereby "it's easier".&lt;br /&gt;&lt;br /&gt;With SafeDllSearchMode enabled (the default since Windows XP SP2), Windows looks for a DLL named without a path in the application's directory, then the system directories, then the Windows directory, then the current process's current ("working") directory, and finally the directories on PATH; with SafeDllSearchMode disabled, the current directory is searched second.  Either way the current directory is probed before PATH, and in this week's reports it is the decisive one: when an application opens a document from an attacker-controlled location such as a network share, the current directory becomes that location, so any DLL the application asks for by bare name that is not found earlier in the order (typically an optional or missing library, which is why the application directory and System32 do not save you) is taken from the attacker's directory.  That's where an attacker can easily plant their own replacement DLL under the same DLL name (through a wide variety of means, none legitimate but all relatively easy to perpetrate).  The next time the application runs, voilà, they have their own software now running on the computer.  What can it do?  Literally, just about anything, including quickly loading other more subtle and pernicious bot-ware, key loggers, system scanners, etcetera.&lt;br /&gt;&lt;br /&gt;Can applications operate in a manner that avoids the vulnerability?  Yes, they can, but doing so is more complicated for the application developer.  The key is to always load a specific DLL in a specific directory using a fully specified pathname, or at minimum to call SetDllDirectory with an empty string at startup, which removes the current directory from that process's search order (the mitigation Microsoft recommends in its advisory 2269637 on this issue).  The fully specified pathname in turn can create its own application compatibility issues, as any given path name to a system DLL is not guaranteed to be the same from Windows version to version!  
This is the true heart of the design issue, because any attempt to deal with this multiplicity of DLL locations across Windows versions in a single version of an application requires the application perform a "search" for the DLL across different directories...which is exactly what Windows does automatically for you and which opens up the application to a replacement DLL attack!&lt;br /&gt;&lt;br /&gt;We here at Arxan are looking at this problem in an orthogonal manner, by identifying opportunities to validate that the proper DLL was loaded, regardless of its originating location.  Those are the kinds of application internal security features we are quite good at.  Note the elegance of this kind of solution: it doesn't require any application source code changes (because our technology inserts such checks directly into the binary application code), it creates no new dependencies on Windows specifics such as specific DLL locations in this or that version of Windows, and it is a security solution that migrates with the application itself.&lt;br /&gt;&lt;br /&gt;To end with another ancient aphorism, if you want a job done, best to do it yourself.  
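&lt;br /&gt;&lt;br /&gt;Here is an added example of my own (it is a model, not Arxan's product code and not a call into the Windows loader) that reproduces both halves of the above: the directory order the loader probes, and a check at load time that validates what was actually resolved instead of trusting where it came from.  It is pure Python so it runs anywhere; the directory layout, the DLL names helper.dll and optional.dll and their contents are constructed for the demonstration, and the 16-bit System directory is approximated as a sibling of system32.  The instructive case is optional.dll, a library the application probes for but does not ship: even with SafeDllSearchMode on, nothing earlier in the order has it, so the document directory supplies it.

```python
import hashlib
import os
import shutil
import tempfile

# Model of the Windows DLL search order (constructed example, not a loader call).
# SafeDllSearchMode on (the default since XP SP2):
#   application dir, system dir, 16-bit System dir, Windows dir, current dir, PATH
# SafeDllSearchMode off: application dir, current dir, then the rest in order.
# Directories that do not exist are simply skipped, as the loader does.


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs,
                 safe_search=True, include_cwd=True):
    """Directories probed, in order. include_cwd=False models what
    SetDllDirectory("") does: the current directory is never probed."""
    tail = [system_dir, os.path.join(system_dir, "..", "System"), windows_dir]
    cwd_slot = [cwd] if include_cwd else []
    middle = tail + cwd_slot if safe_search else cwd_slot + tail
    return [app_dir] + middle + list(path_dirs)


def resolve_dll(name, dirs):
    """First directory holding a file of that name wins. That single rule is
    the whole vulnerability when name is not a fully qualified path."""
    if os.path.isabs(name):
        return name if os.path.isfile(name) else None
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return os.path.normpath(candidate)
    return None


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def load_verified(name, dirs, expected_sha256):
    """Resolve the DLL as the loader would, then refuse it unless its hash
    matches the known-good value: validate what was loaded, not where from."""
    path = resolve_dll(name, dirs)
    if path is None:
        return None, "not found"
    if sha256_of(path) != expected_sha256:
        return path, "rejected: hash mismatch"
    return path, "ok"


def demo():
    """Build an app dir, a fake system32, a fake Windows dir and a 'document'
    directory holding planted DLLs (all constructed), then run four cases."""
    root = tempfile.mkdtemp()
    app, system, windows, docs = (os.path.join(root, d)
                                  for d in ("app", "system32", "windows", "docs"))
    try:
        for d in (app, system, windows, docs):
            os.makedirs(d)
        genuine = os.path.join(system, "helper.dll")
        planted = os.path.join(docs, "helper.dll")
        with open(genuine, "wb") as f:
            f.write(b"genuine helper (constructed)")
        with open(planted, "wb") as f:
            f.write(b"attacker payload (constructed)")
        with open(os.path.join(docs, "optional.dll"), "wb") as f:
            f.write(b"payload for a DLL the app probes for but never ships")
        good_hash = sha256_of(genuine)   # in practice baked in at build time
        results = {}
        # 1. Legacy order: the document directory is probed right after the app dir.
        dirs = search_order(app, system, windows, docs, [], safe_search=False)
        results["legacy_helper_hijacked"] = resolve_dll("helper.dll", dirs) == planted
        # 2. Safe order: system32 wins for helper.dll, but the absent
        #    optional.dll still arrives from the current directory.
        dirs = search_order(app, system, windows, docs, [])
        results["safe_helper_genuine"] = resolve_dll("helper.dll", dirs) == genuine
        results["safe_optional_hijacked"] = resolve_dll("optional.dll", dirs) is not None
        # 3. Current directory removed from the search, as SetDllDirectory("") does.
        dirs = search_order(app, system, windows, docs, [], include_cwd=False)
        results["no_cwd_optional_found"] = resolve_dll("optional.dll", dirs) is not None
        # 4. Hash validation catches the planted file even under the legacy order.
        dirs = search_order(app, system, windows, docs, [], safe_search=False)
        results["legacy_helper_verified"] = load_verified("helper.dll", dirs, good_hash)[1]
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

The dictionary demo() returns records that the legacy order hands the planted helper.dll to the application, that the safe order protects helper.dll but still fetches the absent optional.dll from the current directory, that removing the current directory from the search (what SetDllDirectory with an empty string does) closes that hole, and that a hash check rejects the planted file even under the legacy order.  A real check would compare against a value fixed at build time, or verify an Authenticode signature, rather than a hash computed at run time as this demo does for convenience.&lt;br /&gt;&lt;br /&gt;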
If you want your applications secure, don’t trust in the operating system to provide that security: secure your applications yourself!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7924686627064955042?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7924686627064955042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7924686627064955042'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/08/dll-hijacking-redux.html' title='DLL Hijacking Redux'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7413022468083225694</id><published>2010-08-20T12:04:00.001-07:00</published><updated>2010-08-20T12:04:52.552-07:00</updated><title type='text'>Smart Phones: The Fifth Wave of Computing!</title><content type='html'>Two recent analyst reports detail the proliferation of smartphone apps. ABI Research predicts that mobile application downloads from iOS and Android will account for 78% of all application downloads in 2010, with iOS (the iPhone's operating system) taking the lion's share of 52% of all applications. Meanwhile iSuppli predicts Android will be used in 75 million smartphones by 2012, up from 5 million in 2009. Meanwhile, iOS usage will amount to 62 million in 2012, up from 25 million in 2009.  
Sales of these multi-function hand-held internet-connected computers are expected to surpass sales of traditional PCs and laptops well before the middle of this new decade.  &lt;br /&gt;&lt;br /&gt;Overall, I believe this represents a titanic shift in the computing industry.  If we step back far enough we can see perhaps four massive waves in the evolution of computing: first, the custom/boutique computing period of the 1940s and 1950s, then the mainframe period of the 1960s through 1970s, then the minicomputer period from the 1970s through the 1990s, and the PC period from the early 1980s to the 2010s.  The fifth wave is upon us, and it is the "smartphone" period.&lt;br /&gt;&lt;br /&gt;Note how with each wave, old winners faded away, and new winners emerged.  Nowhere is this more stark today than the fading glory of Microsoft, huge winner in the PC wave...with virtually no technology or product position in the heart of the smartphone wave.&lt;br /&gt;&lt;br /&gt;In this new wave, the iPhone is the front runner, and Android-based smartphones are gaining in what appears to be a two-horse race, as the overall smartphone market is poised for explosive growth.  This is great news for the smartphone ecosystem, while at the same time perhaps a "deer in the headlights" moment for enterprise security teams. &lt;br /&gt;&lt;br /&gt;Today's smartphones continue to expand in functionality, driven by huge numbers of innovative applications and generally better performance as a computing device.  iPhone and Android-based phones are rapidly becoming serious alternatives as general personal computing devices, offering unique value in terms of personal mobility.  &lt;br /&gt;&lt;br /&gt;This is leading to sticky issues for enterprise security teams. What applications are okay to download? Will any applications used for personal purposes create any security issues (e.g. malware) with applications to be used at work? Can third-party "business" applications be generally trusted?  
What are the additional costs to add smartphones to the already broad mix of enterprise IT managed devices?  Are the appropriate security policies and underlying practices, mechanisms and resources in place?&lt;br /&gt;&lt;br /&gt;While no doubt a daunting task for the enterprise security teams, this is yet another reason why widely used data protection methods aimed at "defending the perimeter" are not enough in today's distributed computing world. Today, companies need to adopt new strategies aimed at integrating security into the software and applications themselves. Given today's distributed enterprise computing model, a modern enterprise literally has no set network perimeter to defend.  This was true with the laptop and home PC being used routinely as corporate computing devices.  But now with the smart phone filling the same role, the distributed computing nature of the modern enterprise reaches its ultimate manifestation: corporate computing is happening everywhere there are employees, everywhere they go, all the time.&lt;br /&gt;&lt;br /&gt;Obviously the security industry must roll up its sleeves and expand the notion of enterprise security.  In this process, the old models of "centralized everything" probably won't work.  Individuals must broaden their awareness and their personal practices, because these are "personally managed" devices.  Application providers must consider the risks and take appropriate actions to protect their applications from cloning and trojan insertion.  Lastly, device and system software providers must continue to enhance and refine the security attributes, features and functions of the devices themselves.&lt;br /&gt;&lt;br /&gt;-------------------&lt;br /&gt;&lt;br /&gt;Late-breaking news: Intel, with a growing new focus on mobile computing, acquires McAfee, and the talk is all about...traditional PC anti-virus you say?  No!  Not a word!  
The talk is all about the need for Intel to get a position in mobile/wireless computing security.  Just another indication that the fifth wave of computing is upon us.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7413022468083225694?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7413022468083225694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7413022468083225694'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/08/smart-phones-fifth-wave-of-computing.html' title='Smart Phones: The Fifth Wave of Computing!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7794717860627347009</id><published>2010-08-03T12:02:00.000-07:00</published><updated>2010-08-03T12:12:50.004-07:00</updated><title type='text'>Smart Phone Privacy?</title><content type='html'>The media is in a minor uproar over (the lack of) phone privacy:&lt;br /&gt;&lt;br /&gt;http://www.zdnet.com/blog/google/apps-on-your-phone-putting-your-privacy-at-risk/2332?tag=nl.e550&lt;br /&gt;&lt;br /&gt;The essence of the story is that (1) you don't really know or control what all those applications you are loading onto your "smart" phone really do, and (2) they do far more spying on your phone data than you realize.&lt;br /&gt;&lt;br /&gt;If you think such hidden spyware in phone apps is uncommon, let me tell you about a presentation at last week's Black Hat 
conference in Las Vegas.  Kevin Mahaffey and John Hering reported in their session "Application Attack: Surviving Explosive Growth in Phone Applications" on an automated methodology called "Genome" in which they have downloaded and analyzed just about all the world's free applications for both the iPhone and Android phones.&lt;br /&gt;&lt;br /&gt;Among their many interesting results, they found an abundance of "wallpaper" applications, all from the same author, that sent back to a server in China your phone's SIM serial number, your subscriber ID, your phone number and your voicemail number.  Whoops, so much for phone privacy and application security. This news is now getting general media coverage:&lt;br /&gt;&lt;br /&gt;http://www.tgdaily.com/security-brief/50862-as-many-as-4-million-people-downloaded-data-stealing-android-app.&lt;br /&gt;&lt;br /&gt;These researchers also found that while it appeared that about 30% of smart phone applications "steal" your phone location information, in fact the bulk of that usage is by third-party adware libraries inside those applications, which want to serve you location-targeted ads.  So it's not necessarily as nefarious as it may seem, though just as with Gmail giving you targeted ads based on the content of your email, all kinds of interesting questions about the appropriate bounds of privacy arise.&lt;br /&gt;&lt;br /&gt;Before we run, scream and shout about the lack of smart phone privacy, let's acknowledge that there is nothing new here under the sun.  The exact same issue presents itself on our PCs.  We can and do download all kinds of apps, and they can (and do) gather and lift info.&lt;br /&gt;&lt;br /&gt;One critical difference is that on our PCs, we don't have the same privilege management systems that at least give us the chance to know of and approve the rights the app is requesting.  So one could argue Android is superior to PCs in this regard.  
And on the iPhone, there is at least a minimal amount of vetting, again, an improvement vs. the PC.&lt;br /&gt;&lt;br /&gt;A key difference here is that people have more sense of "privacy" related to a phone than to a PC.  We've been inured to PC virus issues so we just assume that nothing's really safe or personal on a PC.  Phone calls and phone specifics are viewed as private, so all the PC issues coming to roost on smart phones create a media uproar.&lt;br /&gt;&lt;br /&gt;What we need to understand and accept is that the "smart phone" device you have in your pocket (or are reading this blog post with) is not a phone!  It's an extraordinarily powerful internet connected computer, with all the security issues such computers come with.  All of them.&lt;br /&gt;&lt;br /&gt;Downloading an application to a computer is a fundamentally dangerous proposition, just as wheeling in a large wooden horse into their city was a bit risky for the Greeks.  The situation is worsened by the fact that the application arena for smart phones is a cottage industry.  We are comfortable and reasonably safe when we load a PC application from a known business entity; when we load a wallpaper application written by "jackeey wallpaper", do we have any idea what we are really getting?  Clearly not.&lt;br /&gt;&lt;br /&gt;There is a business opportunity here, and that is to provide a technology/service that vets phone applications through internal code analysis (just as the Greeks should have first taken a look inside that wooden horse!).  A "Good Housekeeping Seal of Approval", perhaps structured as a separate app store front or just as an informational service.&lt;br /&gt;&lt;br /&gt;There is a corollary problem of how do I, as a "good guy" or "good company" publishing application software, protect my application from being trojanized and republished?  
If you've read any of my earlier blog posts you'll find plenty of material on how to effectively deal with that.&lt;br /&gt;&lt;br /&gt;So the next time you are about to casually download that nifty new game or whizzy app that makes your phone sing and dance...think about how much you really know about the software you will be unleashing on your "private" handheld computer, and the range of possible objectives of the person who wrote and published that software.&lt;br /&gt;&lt;br /&gt;And beware Trojans bearing application gifts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7794717860627347009?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7794717860627347009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7794717860627347009'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/08/smart-phone-privacy.html' title='Smart Phone Privacy?'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-2080606809652341263</id><published>2010-08-03T09:25:00.000-07:00</published><updated>2010-08-03T09:28:59.631-07:00</updated><title type='text'>Electronic Espionage and Application Security</title><content type='html'>When it comes to cyber attacks, “the stakes are too high to ignore the problem,”  according to InfoWorld (http://tinyurl.com/2fk3vt6) in an in-depth report on electronic espionage.&lt;br /&gt;&lt;br /&gt;The attacks often 
bypass typical security tools that companies implement to protect their data assets. Once inside the system, the electronic spies quietly gather data over time without causing disruptions that could alert integrated security tools or draw suspicion from a company's IT security team.&lt;br /&gt;&lt;br /&gt;Neil MacDonald, vice president at research firm Gartner, says, "as many as 75 percent of enterprises have been or are being infected with undetected, financially motivated, targeted attacks that evaded their traditional perimeter and host defenses."&lt;br /&gt;&lt;br /&gt;The simple fact is that widely used data protection methods aimed at "defending the perimeter" are not enough to protect against more and more sophisticated threats such as electronic espionage. There are far too many methods by which the perimeter can be penetrated, both through direct and indirect attack. Applications in the enterprise, in the cloud, distributed applications and applications in end point devices are the new focused target of attack by organized crime.&lt;br /&gt;&lt;br /&gt;This is a good time to re-post what I call my "application commandments."&lt;br /&gt;&lt;br /&gt;1.) Applications can and should detect and notify of debugger attachments.&lt;br /&gt;2.) Applications can and should protect critically sensitive code through encryption and dynamic decrypt/execute/re-encrypt operations.&lt;br /&gt;3.) Applications should utilize multiple levels of networks of self-guarding techniques, with a variety of overt and subtle response actions, to ensure that persistent attacks are foiled at some level.&lt;br /&gt;4.) Enterprise applications should have these response actions wired into the security monitoring systems deployed by the enterprise.&lt;br /&gt;&lt;br /&gt;These practices need to become commonplace and part of our general software lifecycles. 
We need to keep up with the organized criminals, and right now our software is falling woefully behind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-2080606809652341263?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/2080606809652341263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/2080606809652341263'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/08/electronic-espionage-and-application.html' title='Electronic Espionage and Application Security'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-5873903624856712390</id><published>2010-07-14T16:03:00.000-07:00</published><updated>2010-07-14T16:12:29.110-07:00</updated><title type='text'>Happy Tenth Birthday, Microsoft .NET</title><content type='html'>The popular Microsoft framework celebrated an impressive milestone this past month - ten years ago, .NET arrived on the scene and with its debut, quickly became the development "framework of choice" for innovative software and a key framework enabling the evolution to Web 2.0 applications, including Silverlight. &lt;br /&gt;&lt;br /&gt;Given the popularity of .NET applications, the issue of how best to protect the framework is one of vital importance. Software piracy is rampant around the world and .NET applications have unfortunately been among those most heavily targeted by hackers for reverse engineering.  
This is due at least in part to the comprehensive metadata included with .NET applications, which (in a manner similar to Java), enables easy software analysis, including comprehensive de-compiling (meaning, generation of near original source code).&lt;br /&gt;&lt;br /&gt;As B2C client software with greater amounts of intelligence and interactivity with corporate back-end systems become more prevalent, we will see a higher volume of business client applications written in .NET and Silverlight.  This code is highly vulnerable and generally needs strong anti-reverse engineering and anti-tamper properties.  No one wants a trojan-ized version of your favorite banking client app available on the internet, indistinguishable (to the casual user) from the un-tampered version!&lt;br /&gt;&lt;br /&gt;To address this risk in .NET applications, meta-data must be stripped, character strings in the code must be encrypted, the code in the application must be obfuscated, and internal detectors of code modifications must be installed.  Without aggressive protections, client software produced by businesses for consumer usage is open to casual hacking for illicit and nefarious purposes.&lt;br /&gt;&lt;br /&gt;Windows .NET introduced a new way to build rich software applications for Web 2.0, and this model now applies to applications for emerging Cloud platforms as well.  
To continue to expand the .NET usage footprint, particularly for commercial business application client software, it's critical that development teams be aware of the security issues implicit in .NET code, and how to address them.&lt;br /&gt;&lt;br /&gt;Here's to a safe and secure next 10 years, .NET!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-5873903624856712390?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5873903624856712390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5873903624856712390'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/07/happy-tenth-birthday-microsoft-net.html' title='Happy Tenth Birthday, Microsoft .NET'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-1314791248759943126</id><published>2010-06-24T11:50:00.000-07:00</published><updated>2010-06-24T11:53:07.274-07:00</updated><title type='text'>Internet TV: The New Security Battlefield</title><content type='html'>The internet and the television are "converging".  It's an exciting, transformative time in media delivery, consumption and business models. &lt;br /&gt; &lt;br /&gt;The dark underside to this happy and expansive story are the security threats associated with these new and emerging business models.  
In order to be a winner in this space, not only does a company have to deliver new innovations or better performance, but it also has to be viable and sustainable from a content and application perspective.  Where are the potential content leaks in the system?  Can unscrupulous hackers compromise the integrity of the ecosystem such that content and IP are pirated, and the associated revenues jeopardized?  If companies don't model these risks and mitigate them proactively, and invest in properly validating the security strength of their solution through red teaming efforts, history will repeat itself, and serious losses will ensue. &lt;br /&gt; &lt;br /&gt;What is needed are content protection, conditional access and digital rights management systems that are hardened and validated to be very difficult to crack or circumvent.  Much of this innovation will come from applications enabling digital entertainment access through new devices with relatively new software platforms.  Android is the best current example, a popular emerging platform that is completely open.  Those developing applications and digital media infrastructure and solutions for Android have to plan for and validate the security of those applications.  
Anything less and the internet/TV convergence will be slowed down quickly by content owners unwilling to distribute their assets via this new channel.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-1314791248759943126?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/1314791248759943126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/1314791248759943126'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/06/internet-tv-new-security-battlefield.html' title='Internet TV: The New Security Battlefield'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4817807671375386095</id><published>2010-05-24T10:13:00.000-07:00</published><updated>2010-05-24T11:12:55.081-07:00</updated><title type='text'>Respecting Digital Property</title><content type='html'>In the landmark essay "Selling Wine Without Bottles, The Economy of Mind on the Global Net", written in 1992-1993 (http://www.virtualschool.edu/mon/ElectronicFrontier/WineWithoutBottles.html), John Barlow anticipates and lays out the fundamental intellectual property issues that plague our current digital world.  
Barlow eloquently and precisely frames the core questions:&lt;br /&gt;&lt;br /&gt;  "If our property can be infinitely reproduced and instantaneously distributed all over the planet without cost, without our knowledge, without its even leaving our possession, how can we protect it?  How are we going to get paid for the work we do with our minds? And, if we can't get paid, what will assure the continued creation and distribution of such work?"&lt;br /&gt;&lt;br /&gt;  Barlow concludes his insightful essay with an assertion that has clearly come to pass:&lt;br /&gt;&lt;br /&gt;  "Cryptography...is the "material" from which the walls, boundaries--and bottles--of Cyberspace will be fashioned."&lt;br /&gt;&lt;br /&gt;  Barlow also anticipated the rise of Arxan Technologies (and other similar companies) when he stated that:&lt;br /&gt;&lt;br /&gt;   "Cryptography will enable a lot of protection technologies which will develop rapidly in the obsessive competition which has always existed between lock-makers and lock-breakers."&lt;br /&gt;&lt;br /&gt;  We here at Arxan can certainly attest to the "obsessive competition" as we engage in virtual and digital hand to hand combat with the crackers striving to steal our customers' software and/or data.&lt;br /&gt;&lt;br /&gt;  The fascinating point Barlow made in 1993 that I'd like to explore today is the following:&lt;br /&gt;&lt;br /&gt;  "A social over-reliance on protection by barricades rather than conscience will eventually wither the latter by turning intrusion and theft into a sport, rather than a crime. This is already occurring in the digital domain as is evident in the activities of computer crackers."&lt;br /&gt;&lt;br /&gt;  Let's turn now to some recent news about the movie Avatar and its release on Blu Ray disc.  This release was protected using a technology called BD+.  
Unfortunately, the cracking community managed to procure (read "steal") an early copy, successfully cracked the protection, and published the movie through bit torrent sites.  Here's a fascinating "news" report on the availability of the movie "for free" as a torrent download (which occurred within a day or two of the public release of the blu ray disks for purchase):&lt;br /&gt;&lt;br /&gt;  http://torrentfreak.com/avatar-most-pirated-blu-ray-film-ever-100427/&lt;br /&gt;&lt;br /&gt;  So within a matter of just a few weeks, Avatar has become the most pirated movie ever.  &lt;br /&gt;&lt;br /&gt;  What does it require for this to occur?  It requires exactly what Barlow predicted: a withering of basic personal ethics of property ownership at the individual level.  We now have a culture where people view the casual theft of intellectual property as completely acceptable.  The heart of it seems to be a vast difference in perspective in people's minds and ethics between a physical object and a digital object.  &lt;br /&gt;&lt;br /&gt;  What drives this difference in perspective and behavior?  Is it the removal of risk of "getting caught stealing"?  I personally believe this is a significant enabling factor, yet not the fundamental driver of this widespread contagion of theft.  I believe it is subtle, and simple.  People fundamentally do not view creation of a (perfect) copy of something as theft.  Morals are still wrapped around the physical-ness of goods and physical-ness of possession.  Stealing means taking something so that I have it and you no longer have it.  This notion of physical theft being "wrong" is deeply rooted in most individuals' ethical systems.  Hence, most people (including those illegally downloading Avatar) would not steal the Avatar blu ray disk from a store, even if they knew they could do so without risk of being caught.  They would be taking a "real thing" that belongs to another (the store), and that violates their sense of morals and ethics. 
 But download the same movie for free?  Hey, no one has been ripped off!  No one has "lost" anything!  So "it isn't theft".  And besides, if it's wrong (illegal) to download it for free, it wouldn't be available on the network for free would it?  Once again, "it must not be theft".  Of course, this entire line of thinking is dead wrong.  Every aspect of its free availability is illegal, and access of this stolen property is itself theft.&lt;br /&gt;&lt;br /&gt;  So while I and my colleagues toil and sweat to provide the "digital locks" that will help prevent (or perhaps more realistically, defer for a longer period of time) the cracking of the high value digital content in our world, I think it's paramount that we as a society strive to re-tool our ethics and attitudes.  This battle must be fought on all fronts, not purely on a technology front.  How does this kind of change occur?  Simple: it changes when you and I put simple social pressure on our family and friends regarding this kind of theft.  "Come watch Avatar tonight at my place?"  "Hey yea; you got it on Blu Ray?"  "Yea, I downloaded it last night, it's awesome."  "Oh...well, hey, that's theft and it's wrong, I'm sorry, I can't watch that with you."  For me, it takes the form of remonstrating with my son when he tells me of a friend who is downloading this or that PC video game for free: "that's wrong son, it is theft, and you are not allowed to do the same nor are you allowed to play his stolen games".&lt;br /&gt;&lt;br /&gt;  Social pressure is that simple and I believe it can be very effective at evolving and shaping attitudes and behaviors.  It's really up to us to drive change in our culture to respect these new forms of property.  
Just because the wine is available for the sipping because it's outside the old bottles, doesn't mean it's right to open our mouth and gulp...without compensating those who made that wine.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4817807671375386095?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4817807671375386095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4817807671375386095'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/05/respecting-digital-property.html' title='Respecting Digital Property'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-3397924270948896797</id><published>2010-02-05T09:58:00.000-08:00</published><updated>2010-02-05T10:01:07.602-08:00</updated><title type='text'>The Game Within the On-Line Game</title><content type='html'>Online gaming is a relatively new industry, and one with phenomenal growth over the last 15 years. The release of Call of Duty: Modern Warfare 2 late last year generated a stunning $550M in sales revenue in the first week alone, and overall the series has generated over $3B in sales for Activision, the publisher:&lt;br /&gt;&lt;br /&gt;http://www.csmonitor.com/Innovation/Horizons/2009/1127/call-of-duty-series-sales-top-3-billion-activision-says&lt;br /&gt;&lt;br /&gt;There is a fly in the ointment, however. 
As has been true forever, the larger the business, the larger the attraction for the criminal element. What's unique here is the nature of the crime, given that the essential product is that most intangible of assets, software.&lt;br /&gt;&lt;br /&gt;There are two fundamental modes of online game play today: standalone mode, and multi-player mode. The latter can be more refined into two general categories, small group play and massively multi-player gaming.&lt;br /&gt;&lt;br /&gt;Standalone commercial gaming software has suffered since its inception from the problem of illicit copies in which the license protection has been "hacked". Simply put, someone has taken a version, analyzed the code internals, and modified the binary level code to disable or otherwise spoof the license checking code. The result: a "free" copy of the software, or at least a copy that won't generate any revenue for the publisher. And software being casually clone-able means this free copy can be and is distributable to as many people willing to pay for it (if required) and use it (illegally, of course).&lt;br /&gt;&lt;br /&gt;The result of this common crime is a general axiom in the gaming industry for standalone games, namely that all the sales of significance happen in the first two weeks after release. After that, "cracked" copies are available on the cheap, and the revenue stream ramps down far more rapidly than normal sales dynamics and economics would indicate.  As an example, a simple web search for "Call of Duty Modern Warfare 2 download" will quickly find cracked versions of this product available for little to no direct cost.&lt;br /&gt;&lt;br /&gt;Massively multi-player on-line role playing gaming (MMORPG) vendors had a solution to this problem...or so they thought. The very nature of MMORPG games required participation in a single unified "world" (virtual reality), implemented as a single world by a server (or server farm) operated by the game publisher. 
The client software operating on the gamer's computer communicates with the servers to participate in the single world with all the other gamers participating at the moment. The business model is based on ongoing subscription revenue for the privilege of continued participation in the virtual world enabled by the publisher's servers, rather than the licensed sale of a single copy of the game.&lt;br /&gt;&lt;br /&gt;Not to be stopped, the criminal element went to work on this model as well. Careful analysis of the code within and the networking traffic to and from the client software on the gamer's personal computer enables these server applications to be "reverse engineered", meaning new software is developed from scratch that performs the same functions as the original publisher's gaming server software. Obviously this isn't cheap nor simple, but given the literally millions of players involved in these types of games, and the ability to operate "parallel worlds" with lower subscription costs, the economic returns of the criminal effort become quite attractive.&lt;br /&gt;&lt;br /&gt;For those of us who believe that we have rights to our owned intellectual property and deserve to be compensated for its usage, there is hope. The technologies to fight back are available today. I'm not referring to simple copy protection schemes that are relatively trivial for competent code hackers to analyze and disable. I am referring to technologies that approach military grade anti-tamper facilities, used to protect US military software assets ("critical program information").&lt;br /&gt;&lt;br /&gt;Given the stakes in the gaming industry today, the industry would be remiss to not take advantage of such technologies. The days of accepting only two weeks of revenue for a game that takes years and many millions of dollars to develop, and the days of organized crime stealing massively from the game publishers, can and should be over. 
To not take advantage of these technologies would be a business management crime of a different sort.&lt;br /&gt;&lt;br /&gt;Needless to say, Arxan Technologies is here to help turn the tables on the criminals. We vend these technologies, with easy to use tools to define and insert such protection networks into executable software ("binary code"). Here at Arxan, nothing gives us more joy than a famous "cracker" getting flamed on the download bulletin boards for long delays in providing a functioning crack for a "new" release after three months...then six months...then twelve months. At which point, the war is won, because that version is now "old" and the process starts over with a new version from the publisher, with yet stronger, more robust and unique guard protections.&lt;br /&gt;&lt;br /&gt;It's time to stop intellectual property theft, it's time to stop software business operations theft, it's time to stop piracy of software in general. Call Arxan and let us show you how.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-3397924270948896797?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3397924270948896797'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3397924270948896797'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/02/game-within-on-line-game.html' title='The Game Within the On-Line Game'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-3194233584976651749</id><published>2010-01-21T09:49:00.000-08:00</published><updated>2010-01-21T22:24:31.807-08:00</updated><title type='text'>Commercial Cyber Warfare</title><content type='html'>Today Sec. of State Clinton went after China for their network censorship:&lt;br /&gt;&lt;br /&gt;http://www.cbsnews.com/stories/2010/01/21/ap/tech/main6123918.shtml&lt;br /&gt;&lt;br /&gt;However, as I see it, the issue of real significance here isn't China's censorship.  The news reports of "attacks" on Google and other "unnamed" companies are the action of real significance.  I'm not referring to illegal access to mail accounts.  I'm referring to the explicit theft of intellectual property in the form of source code:&lt;br /&gt;&lt;br /&gt;http://www.wired.com/threatlevel/2010/01/google-hack-attack/&lt;br /&gt;&lt;br /&gt;In China, the coupling between government and leading companies in different industries is extremely strong.  It can be hard to distinguish where a company stops and the government begins when it comes to such industry players as Baidu, HuaWei, and China Telecom.&lt;br /&gt;&lt;br /&gt;It is reasonable to suspect and to investigate the potential that aggressive theft of source code from US companies is an activity that is being actively supported, and potentially even led, by the Chinese government.   It appears that at the very least, the Chinese government tolerates such operations and private industry reuse of this stolen software.&lt;br /&gt;&lt;br /&gt;In an age when information and intellectual property is the coin of the realm, does government sanctioned intellectual property theft constitute not just a crime, but verge on an act of war?&lt;br /&gt;&lt;br /&gt;These kinds of acts should be investigated deeply by the government.  
Regardless of ultimate responsibility, we need a strong, overt response from the US government.  The message must be clear and backed by strong actions that this kind of attack will not be tolerated and will be prosecuted.&lt;br /&gt;&lt;br /&gt;A specific US response needs to include a product watch program to monitor for the use of stolen software, followed by vigorous prosecution of such illegal usage of stolen technology through available legal, diplomatic and trade channels.  Reused source code will have significant bodies of unique identifiable binary code in the products utilizing the technology.   This is an area where private industry has far too little power to fight back effectively, though it could play a key role in the monitoring program.&lt;br /&gt;&lt;br /&gt;I acknowledge the private industry accountability for failing to prevent such theft.  We in the software industry can and must make deeper investments in our security systems around our core property of value, our source code.  DLP technologies, encryption technologies, strong multi-factor authentication for source access, and other solutions are available.&lt;br /&gt;&lt;br /&gt;China's censorship is an important issue. That some group from China is actively stealing US company technology out from under our nose is an extremely important issue as well, and needs equal attention and even more governmental action.&lt;br /&gt;&lt;br /&gt;At Arxan, we provide technologies to help protect software intellectual property through protection of the binary code with what we call "guards".  We provide this technology in both military/classified forms to the DoD and DoD contractors, and in commercial form to commercial customers.  However, to protect the source code of software from theft through systemic security holes, different measures are needed.  Stronger source code security measures need to be deployed by private industry.   
The US government must speak out and lead in efforts to identify and prosecute those responsible and those who attempt to take advantage of such theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-3194233584976651749?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3194233584976651749'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3194233584976651749'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/01/commercial-cyber-warfare.html' title='Commercial Cyber Warfare'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-3194638421796525164</id><published>2010-01-11T13:23:00.000-08:00</published><updated>2010-01-11T13:34:08.186-08:00</updated><title type='text'>Secure Software Marketplaces</title><content type='html'>The news today of a trojan'd application for Android phones (&lt;a href="http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace/"&gt;http://www.sophos.com/blogs/gc/g/2010/01/11/banking-malware-android-marketplace&lt;/a&gt;) is a fascinating and potentially extremely significant, if not altogether expected development in the smart phone wars.&lt;br /&gt;&lt;br /&gt;Simply put,  if the consumer marketplace develops a ground fear of the software available for Android phones, the predictions about Android phone growth may be vastly inflated.&lt;br /&gt;&lt;br /&gt;Whether we like it or not (and some don't, preferring a phone browser centric world), ubiquitous phone apps are the "killer app" for smart phones, at least for the moment.  This single spot of bad news for Android can quickly become a huge differentiator for Apple with its controlled iTunes store for safe apps for the iPhone.  Similarly, it points to an interesting opportunity in the business ecology: who is going to offer a vetted app store for Android phones, with appropriate software security reviews on the in-bound side and guarantees on the outbound side?  Without such a market service, I'm suspicious that hackers will quickly ruin the unregulated marketplace for Android apps.&lt;br /&gt;&lt;br /&gt;Secure 'droid app store anyone?  
Anyone?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-3194638421796525164?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3194638421796525164'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3194638421796525164'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2010/01/secure-software-marketplaces.html' title='Secure Software Marketplaces'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-6301418883611594471</id><published>2009-11-09T12:25:00.000-08:00</published><updated>2009-11-09T12:32:46.898-08:00</updated><title type='text'>Security in the Cloud</title><content type='html'>Cloud computing is one of the "big new things" in commercial computing today.  The promises of cloud computing are broad and deep: lowered capital costs, lowered operational costs, ease of scale, broad accessibility, high availability, and more.&lt;br /&gt;&lt;br /&gt;And then there's security.  It's the usual follow-on question after hearing about all the benefits: "yes, great, and...what about security?"&lt;br /&gt;&lt;br /&gt;The simple truth is that cloud computing carries with it each and every security risk that already exists in your commercial computing environment, and unfortunately adds significantly increased risks on top.&lt;br /&gt;&lt;br /&gt;Why is this so?  
Simply because at the highest levels, there is little structural change in shifting elements of your computing infrastructure from "here" (inside your corporate data center) to "there" (inside an external vendor's corporate data center).  The same security controls you needed (and in many cases didn't have) are needed in your cloud provider's environment (and in many cases they don't have them either), and the same fundamental attack vectors and risks are present.&lt;br /&gt;&lt;br /&gt;As we drill down into the details, however, it becomes clear that the situation is worse than this, for two fundamental reasons: one is shared infrastructure, the second is a general loss of control.  Let's look at each of these.&lt;br /&gt;&lt;br /&gt;The foundation of the cost-benefit premise of cloud computing rests on the leverage achieved through a shared computing infrastructure, with the cost benefits of scale and higher average utilization.  But shared with whom?  That's risk #1; you don't know who, and you can't control who.  "Other companies, other users."  Shared at what level?  At all levels: shared storage, shared networking, shared routers, shared firewalls, right on down to operating your applications on the same physical hardware being used by other cloud clients (though always in a separate virtual machine instance).&lt;br /&gt;&lt;br /&gt;So what's the risk of that?  The risk is the ease of access to your data and application software. By definition, an environment where "others" are running their software and maintaining their data in the same physical environment where you are running your software and maintaining your data creates very substantial incremental security risk, because environmental access is the first step in any and every IP and data theft attack.  
If I'm "in" the general computing environment, and I can run arbitrary application software, I've got a launching pad for attacks on local data and applications.&lt;br /&gt;&lt;br /&gt;Another element of shared infrastructure in cloud computing is the extension of the insider risk.  Many of your own insiders will still have cloud environment access similar to the access they had when you were running inside your own data center.  However, you've now added a whole new class of insiders: the cloud provider's employees!  And unlike your own insider threats, where you can take active steps to reduce risk, with the cloud provider you have no controls and no influence.  Relative to these unknown people, your applications and data might as well be considered "fully available", with all that that implies.&lt;br /&gt;&lt;br /&gt;The second general area of risk is a loss of controls.  This loss of control is across the board, starting at the level of physical access: when you operated in your own data center, you controlled physical access, and with a cloud provider you don't.  Logical access is no different: which people (administrators or otherwise) can access your databases and your applications?  You have vague assurances from the cloud provider, but you have no direct control whatsoever.&lt;br /&gt;&lt;br /&gt;This control issue extends out to more subtle yet extremely significant areas.  Take the example of web application security risks.  These are the most pernicious security risks in computing today, with SQL injection attacks alone (just one of many types of web application security risk) resulting in the theft of millions of credit card numbers.  The most recent attempt to harden web applications is through the deployment of so-called web application firewalls.  These are networking appliances that monitor network traffic looking for evidence of a web application attack.  
These devices require a very high degree of customization in their specific monitoring practices, effectively to "tune" the firewall to the specifics of the applications and operations being protected.  Can such a solution be applied in your shift to a cloud computing environment?  Generally no, due to the difficulty of assuring that the application firewall is both "in the right place" relative to what is now managed as a highly mobile set of applications within the large cloud infrastructure environment, and that your application firewall rules apply to your application's data flow and your application's data flow only.&lt;br /&gt;&lt;br /&gt;Control issues cut right through all traditional required practices in commercial computing.  Backup?  Of course the cloud vendor provides backup!  Can you test that it's actually occurring and the data is recoverable?  There have already been major examples of commercial cloud providers losing customer data.  It's a risk, and it's driven by your loss of control when shifting your computing practices to an external provider, and those risks are exacerbated by the shared infrastructure nature of that environment.&lt;br /&gt;&lt;br /&gt;All of this said, cloud computing is here and it's expanding its footprint dramatically across the commercial computing landscape.  Cost savings attract commercial usage like light attracts moths.  The issues cited here are going to get incrementally addressed over time, as part of high value cloud solutions.&lt;br /&gt;&lt;br /&gt;The better news is that some fundamental solution technology exists today.  The essence of security protection in a cloud environment is to take advantage of what you do control to implement security mechanisms to the level required by your business.  
The two critical control points are, simply put, your applications and your data.&lt;br /&gt;&lt;br /&gt;Data security solutions have been increasingly developed and deployed over the last ten years, and these solutions generally can be deployed coupled directly into the cloud hosting environment.  Any computing solution migration to the cloud must seriously consider the addition of such security technologies.&lt;br /&gt;&lt;br /&gt;Application internal security solutions are a relatively new technology area.  This kind of technology derives from military grade technology utilized to protect critical military technology assets from reverse engineering and tampering.  This technology is now available for and being applied to commercial software.&lt;br /&gt;&lt;br /&gt;Application internal security technology puts security functions directly into the application software.  These security functions start with obscuring the code flow, the instruction sequencing, and even the unencrypted presence of critical blocks of code, to protect against reverse engineering and, through reversing, the identification of critical value components and/or critical points for effective tampering. They extend to dynamic monitoring of code correctness, both of the actual instructions and of dynamic code behaviors.  And such security units can, internally within the application, monitor data flows to detect and respond to evidence of web application security attacks.&lt;br /&gt;&lt;br /&gt;The tremendous benefit of application internal security technology is the complete independence such technology has from location considerations.  An internally secured application carries its security properties with it, wherever it goes: in your data center, on your employees' laptops and cellphones, or in an external provider's cloud computing environment.  
Such technology is immune to network topology changes, and protects the application in private and shared infrastructures.&lt;br /&gt;&lt;br /&gt;Cloud computing is still in its infancy, and it's reasonable to say that cloud computing is one of several fundamental change agents that are transforming our information world at a faster rate than ever before.  While cloud computing has dramatic benefits and is highly attractive as a computing environment solution, it must be approached extremely cautiously from a security perspective.  The shared nature of the cloud and the loss of controls that occurs when utilizing the cloud dramatically increase your security risk footprint.  The best and most immediately available technologies for dealing with these two factors are the deployment of application internal security technologies and data security technologies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-6301418883611594471?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/6301418883611594471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/6301418883611594471'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/11/cloud-computing-is-one-of-big-new.html' title='Security in the Cloud'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-2805182653185832296</id><published>2009-10-20T09:08:00.001-07:00</published><updated>2009-10-20T09:49:53.959-07:00</updated><title type='text'>The Democratization of Software</title><content type='html'>It's a strange new software world!&lt;br /&gt;&lt;br /&gt;For those of us old enough to remember things like mainframes (my first ever computer programs ran on an IBM 360 model E22 at a local community college!), minicomputers (DEC PDPs, HP1000s, Data General Novas, etc.), then the world-changing arrival of the "PC" in 1983, the world of software was generally a "dark art".  Very, very few people knew what software was, and the population of those who actually wrote software was even smaller.&lt;br /&gt;&lt;br /&gt;I personally learned my programming chops first in that same community college's computer center, writing COBOL code to schedule the lazy counselors to appointments with students (a brilliant idea of a new school VP administrator promoted out of the computer center, knowing that since the kid doing the programming was the son of a member of the board of trustees, they couldn't effectively fight it!).  Then it was on to writing assembly code for a PDP 11/35 running a customized version of RT-11, to drive and test a custom data acquisition board built by a small shop (Acroamatics) for the Navy.  Then on to kernel level operating system development at HP, working again in assembly language on kernel level code for the HP1000 and the RTE (IV, VI, and A) operating system.&lt;br /&gt;&lt;br /&gt;In those days, the late 70's and the 80's, software was generally incomprehensible to the masses.  Literally.  People just had no clue.  
By the early 90's that was changing pretty fast; people "knew about" software, but for the most part, in the same way they "knew about" automobile engines.  That is, they knew software was there, was important, and "made the computer go", but not much more.&lt;br /&gt;&lt;br /&gt;This started changing in a major way with the development of the web and web site programming, starting with HTML (arguably not a programming language, but let's not quibble).  Suddenly a lot of "non-technical" people (non-computer scientists) were "programming".  And as the ability to link actual run-time software into web pages (PHP, Perl, Javascript, etc.) has become prevalent, this same group advanced into what is definitely the world of writing procedural software.&lt;br /&gt;&lt;br /&gt;Now we have the iPhone and an open development environment for it.  We are witnessing another huge shift in the breadth of activity in the creation of software, driven by this new ubiquitous platform.  The opportunity to sell a few hundred thousand copies of a cool little application for a buck apiece suddenly brings the opportunity of "software for profit" right into the mainstream...and the mainstream is responding.  We are seeing an explosion of a new cottage industry right before our eyes.  I don't know the actual number of downloads of the Objective-C development environment for the iPhone, but I'm certain the numbers are staggering.  The volume of applications available for the iPhone from this cottage industry is certainly staggering, and considering what a small percentage of actual development activity out there that represents, we have to acknowledge that a seismic level expansion of software development is underway. 
&lt;br /&gt;&lt;br /&gt;Again, here's the point: for the FIRST time ever, we are experiencing a "grand conjunction" of a widely popular platform with broad computing and I/O capabilities, with a freely available development environment, with an effective channel with a strong demand pull, with a world wide population who through web programming already has some awareness, skill and inclination.   And voilà...instant massive cottage software industry.&lt;br /&gt;&lt;br /&gt;What are the longer term impacts of these "force vectors" going to be?  I have several projections. &lt;br /&gt;&lt;br /&gt;First, in the world of personal computing devices (which is how I think of the iPhone, by the way; the "phone" part of it I consider to be merely one of its many I/O features), a free and open development platform is going to be a must.  A single company can't compete against the forces of "solution" innovation and availability that Apple has shown can be unleashed.&lt;br /&gt;&lt;br /&gt;Second, this "democratization" of software development isn't going to stop.  SW skills are expanding across the population at an unprecedented rate, and that growth is going to continue and even accelerate.  What exactly the impact of that will be is hard to predict, but I do believe that as the world is increasingly driven by and supported by software, this is an enabler for the world's economy.&lt;br /&gt;&lt;br /&gt;Third, the world of software cracking (finding technological ways to run this commercial software for free or for a black market low price) is going to continue to be a huge technology area and force in the industry.  You can't discuss iPhone apps too long with friends and colleagues before hearing about the ability to "unlock" all the apps available "for free".  There is a dark side of this democratization, a black market side.  The technology race to fight those black market forces is just getting going in this particular market.  
Of course my company, Arxan Technologies, has been working for years with more serious users of such technologies, namely the US Department of Defense.  These technologies are becoming more prevalent in the mass market consumer software space, helping to protect the product software that your son, your sister, and maybe even YOU wrote and published yourself!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-2805182653185832296?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/2805182653185832296'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/2805182653185832296'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/10/democratization-of-software.html' title='The Democratization of Software'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-14270617271693856</id><published>2009-08-03T12:33:00.000-07:00</published><updated>2009-08-06T15:42:51.627-07:00</updated><title type='text'>Code protection is critical in a web 2.0 world!</title><content type='html'>Neil MacDonald of Gartner blogged on the differences between byte code and binary code analysis:&lt;br /&gt;&lt;br /&gt; http://blogs.gartner.com/neil_macdonald/2009/07/24/byte-code-analysis-is-not-the-same-as-binary-analysis/&lt;br /&gt;&lt;br /&gt;His points are important at a deeper level as they relate to the risk of reverse engineering and tampering.  
Specifically, byte code (.NET and Java) is almost trivially reverse engineered, and fairly easily tampered with using available tools...unless active steps are taken to address the risk.&lt;br /&gt;&lt;br /&gt;Byte code representations of programs contain sufficient information to allow a complete inverse compilation back to source code.  To address this problem, use of a .NET or Java obfuscator is necessary.  The best-in-class obfuscators can perform a host of transformations with minimal to no impact on performance that raise very large hurdles for the would-be thief.  The transformations include general code encryption, code restructuring to create complexity that is not understood by inverse compilers (and is difficult to understand by human analysis as well), string encryption so that variable and static data names become unintelligible, deletion of meta-data that describes program attributes, and even insertion of code for dynamic detection of evidence of tampering.&lt;br /&gt;&lt;br /&gt;This kind of code protection becomes paramount in a Web 2.0 world where significant application components are being deployed to and executed by customers.  
Additionally, this kind of code protection is critical in a highly mobile world where applications and data frequently are on the move with employees.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-14270617271693856?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/14270617271693856'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/14270617271693856'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/08/code-protection-is-critical-in-web-20.html' title='Code protection is critical in a web 2.0 world!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-1097720617042077530</id><published>2009-07-10T09:15:00.000-07:00</published><updated>2009-07-10T13:14:07.188-07:00</updated><title type='text'>Source Code Stolen by Insider at GS...Where Are Your Assets Tonight?</title><content type='html'>So the news is full of a source code theft by an insider (a "programmer") at Goldman Sachs, specifically some proprietary trading system code.  
Security industry analysts are talking about it (http://blogs.gartner.com/neil_macdonald/2009/07/07/security-no-brainer-7-if-you-have-intellectual-property-embedded-in-software-protect-it/) and it's a very current example of a couple of significant trends:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Enterprise security is now defending against organized crime, not merely casual hackers or disgruntled employees.&lt;/li&gt;&lt;li&gt;Insider threats are a tremendous problem.&lt;/li&gt;&lt;/ul&gt;A recent study executed by CERIAS at Purdue found average IP theft levels from enterprises operating globally to be $4M/year, across over 900 companies.  This is serious crime for serious money, and the opportunity for serious theft attracts the professionals.&lt;br /&gt;&lt;br /&gt;How best to execute such thievery?  Find new and innovative ways to penetrate network firewalls, avoid application firewalls, dodge data leak detection circuits, avoid application tamper detectors, and the like?  That's an approach, and it is actively used, and every enterprise must utilize all of these security methods (and more) to fight against such attacks.&lt;br /&gt;&lt;br /&gt;But there's an easier way, is there not?  A bag of cash up front, with a promise of another bag of cash on delivery, to the right employee with access.  Bingo bango bongo!  Got the goods, everyone is happy.  Well, except the company losing their assets.&lt;br /&gt;&lt;br /&gt;A fascinating aspect of the Goldman Sachs story is the fact that their data leak prevention software was just enough security to help them know they'd been robbed...but not enough to catch the thief in the act and stop the theft.  Why?  Because he copied the source code to another computer inside the company, then took that computer (or disk drive) out with him.  The DLP system noticed the unusual traffic of the source code, but since the code wasn't leaving the perimeter, didn't block its transfer.  In the past, such a theft was rarely noticed.  
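&lt;br /&gt;&lt;br /&gt;As an added example (not Goldman Sachs' configuration or any vendor's product), here is the difference between a perimeter-only DLP rule and a rule that scores bulk source-code movement to any destination, run over constructed transfer log lines; the log format, RFC 1918 ranges as "internal", and the 10 MiB threshold are assumptions.

```python
"""Detection logic for the failure mode in the post: a DLP rule that
only acts on traffic crossing the perimeter lets a bulk copy of source
to another internal host go by. This is an added, constructed example,
not Goldman Sachs' or any vendor's code; log format, internal ranges
and the threshold are assumptions."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 ranges stand in for "inside the corporate perimeter" (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines (not real telemetry): one transfer per line.
SAMPLE_LOG = """\
2009-07-01T09:12:03 user=jsmith src=10.1.4.22 dst=10.1.4.90 path=/repo/trading/strategy/ bytes=1200 class=source
2009-07-01T09:14:51 user=jsmith src=10.1.4.22 dst=10.1.4.90 path=/repo/trading/ bytes=31457280 class=source
2009-07-01T09:15:10 user=jsmith src=10.1.4.22 dst=10.1.4.90 path=/repo/trading/risk/ bytes=20971520 class=source
2009-07-01T10:02:00 user=akumar src=10.1.7.5 dst=203.0.113.8 path=/home/akumar/report.pdf bytes=4096000 class=document
2009-07-01T10:40:12 user=akumar src=10.1.7.5 dst=203.0.113.8 path=/repo/web/ bytes=15728640 class=source
2009-07-01T11:30:45 user=mlee src=10.1.2.9 dst=10.1.2.100 path=/repo/web/ bytes=512000 class=source
"""

THRESHOLD_BYTES = 10 * 1024 * 1024  # 10 MiB of source per user/destination (assumption)


@dataclass(frozen=True)
class Transfer:
    ts: str
    user: str
    src: str
    dst: str
    path: str
    nbytes: int
    cls: str


def parse_log(text: str) -> list[Transfer]:
    """Parse the constructed key=value log format into Transfer records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out.append(Transfer(ts, kv["user"], kv["src"], kv["dst"], kv["path"],
                            int(kv["bytes"]), kv["class"]))
    return out


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def totals_by_user_dst(events: list[Transfer]) -> dict:
    """Sum source-code bytes per (user, destination). The copy in the post
    was several pulls, so a per-event threshold alone would miss it."""
    totals = defaultdict(int)
    for e in events:
        if e.cls == "source":
            totals[(e.user, e.dst)] += e.nbytes
    return dict(totals)


def perimeter_only_alerts(events: list[Transfer]) -> list[tuple]:
    """The rule the post describes: only bulk source leaving the perimeter
    is acted on, so the internal staging copy never triggers anything."""
    return sorted(k for k, total in totals_by_user_dst(events).items()
                  if total > THRESHOLD_BYTES and not is_internal(k[1]))


def volume_alerts(events: list[Transfer]) -> list[dict]:
    """Hardened rule: bulk source movement is flagged wherever it goes, and
    labelled so responders can tell internal staging from exfiltration."""
    alerts = []
    for (user, dst), total in sorted(totals_by_user_dst(events).items()):
        if total > THRESHOLD_BYTES:
            kind = "internal staging" if is_internal(dst) else "external exfiltration"
            alerts.append({"user": user, "dst": dst, "bytes": total, "kind": kind})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("perimeter-only rule flags:", perimeter_only_alerts(evs))
    for a in volume_alerts(evs):
        print("volume rule flags:", a)
```
&lt;br /&gt;&lt;br /&gt;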
So I will acknowledge that what looks like a major trend might in fact be growing visibility of a long-standing problem.  I suspect both are the case.&lt;br /&gt;&lt;br /&gt;What can be done?  The only real answer is "more", in the way of security mechanisms.  The core assets must be encrypted and decrypted only under managed, legitimate usage situations.  The applications operating on internal systems must be self-protecting from tampering.  The application firewalling must be complete.  Data flows in general must be monitored to look for unusual activities.  Security practices must be rigorous in s/w development.&lt;br /&gt;&lt;br /&gt;On the human side, the most pragmatic solution is a combination of training and awareness of the risks.  Awareness takes two forms: awareness inside the company of the potential for insider-executed theft, and awareness across all employees of the stringent security practices and the severe cost of getting caught executing any such theft.  Faced with a high likelihood of detection and serious jail time, people are much less likely to have the discussion with the high tech mobster who just wants to chat.  
It's when they think it'll be easy and low risk that people start bowing to temptation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-1097720617042077530?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/1097720617042077530'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/1097720617042077530'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/07/source-code-stolen-by-insider-at.html' title='Source Code Stolen by Insider at GS...Where Are Your Assets Tonight?'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7716103670358785261</id><published>2009-05-29T16:13:00.000-07:00</published><updated>2009-06-01T11:32:42.334-07:00</updated><title type='text'>Yes a Cyber Czar IS Necessary!</title><content type='html'>So we've all watched and/or read or read about Obama's cyber security speech today, and his call for a new high level federal "coordinator" to lead the solutions charge.&lt;br /&gt;&lt;br /&gt;Some are saying "it's about time", and some are saying "is this really necessary?".&lt;br /&gt;&lt;br /&gt;I'm here to tell you YES, it is about time, and YES, it really is necessary.  And here's why.&lt;br /&gt;&lt;br /&gt;First, speaking at a broad philosophical level, systems tend to optimize locally, for and around local optima.  What does that mean you ask?  
It means for example that Microsoft at one level doesn't really care much about the security of their products...unless and until the lack of security in their products affects their bottom line.  Local optimization, for local profits.  If the whole country (and world) has insecure s/w as a result, but Microsoft has maximized revenue while minimizing costs (let's face it, it costs more to produce high quality secure software than it does to ship garbage), then it's a win for Microsoft!&lt;br /&gt;&lt;br /&gt;This applies across the spectrum of computer activities: s/w development, personal computer usage, enterprise systems, you name it.  Security is an "as and when needed" component, and the learning of as and when needed is usually driven by the sharp end of a sequence of costly or even crippling attacks.  Think about it: when did YOU finally start using firewalls and anti-virus software?  I'm guessing that it wasn't until you experienced the sharp end of the malware spear!&lt;br /&gt;&lt;br /&gt;Now the second point: government, among other things, must serve to guide social action (broadly speaking; I'm including business action here) for global optima, versus pure local optima.  Security comes through making security a high priority, across many fields of endeavor that result in computer based "solutions".  Government has a wide variety of tools at its disposal to guide social action and thereby drive priorities, including taxation practices, government led investment, and government procurement practices both in the civilian (federal and state government) and in the defense domains.  All these need to be utilized in a coordinated manner, to drive computer security in general as a priority, and to drive the specifics of that priority in a consistent manner.  That level of coordination is NOT going to happen through random, chaotic governmental processes.  
A high level federal "coordinator" is needed to lead, guide, and drive through multiple areas of government, in a consistent manner and in an aggressive manner.&lt;br /&gt;&lt;br /&gt;Of course there are an infinitude of risks here.  Largest perhaps are dictates of what "must" happen at inappropriate levels of specificity, which invite solutions that salute the requirement at a superficial level.  Result?  More cost for all, and no improvement.  Another is requirements that drive lots of bureaucracy, slowing down innovation and adoption and deployment of improved security solutions.&lt;br /&gt;&lt;br /&gt;These kinds of risks are why, in my opinion, the specific leader chosen is so enormously critical.  They must be a solid systems thinker, someone who understands how to enable and support virtuous cycles, rather than merely create more "requirements".  How do you enable, drive, encourage and support a security focus through the computer enabled and driven business world...without creating a crippling mess?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7716103670358785261?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7716103670358785261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7716103670358785261'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/05/yes-cyber-czar-is-necessary.html' title='Yes a Cyber Czar IS Necessary!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4848853993867006281</id><published>2009-05-05T08:17:00.000-07:00</published><updated>2009-05-05T08:33:01.705-07:00</updated><title type='text'>Devices All Around Us Are NOT SAFE!!</title><content type='html'>Conficker has now invaded medical devices: &lt;a href="http://tinyurl.com/ck3z3n"&gt;http://tinyurl.com/ck3z3n&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Why and how is pretty easy to understand:&lt;br /&gt;&lt;br /&gt;  - medical devices with "intelligence" embedded in them (microprocessors and a lot of software to control the device) are sometimes designed using Windows.  Yes, I think this is a horrible, horrible choice, but it is a choice that is often made.&lt;br /&gt;  - once developed and certified, these devices rarely get updated.  So "old" security flaws in Windows stay there, "forever".&lt;br /&gt;  - sometimes the devices are not supposed to get connected to the internet, but do anyway.&lt;br /&gt;  - voilà, detection and infection...&lt;br /&gt;&lt;br /&gt;So what are the device types in general we have to worry about potentially being targeted by viruses or other takeovers by "bad guys"?&lt;br /&gt;&lt;br /&gt;Well, let's see, not too many, it only includes:&lt;br /&gt;&lt;br /&gt;  - internal systems on automobiles&lt;br /&gt;  - internal systems on airplanes&lt;br /&gt;  - home networking equipment&lt;br /&gt;  - home TVs (my 42" high def LCD TV is running Windows inside, I'm almost certain!)&lt;br /&gt;  - digital video recorders&lt;br /&gt;  - DVD players, particularly Blu-Ray devices&lt;br /&gt;  - medical equipment, both hospital based and advanced home care devices&lt;br /&gt;  - automated tellers&lt;br /&gt;  - traffic control systems&lt;br /&gt;  - railway control systems&lt;br /&gt;  - power control systems&lt;br /&gt;&lt;br /&gt;Folks, I could go on.  
The point is, increasingly, the world around us is "controlled" by "intelligent" devices.  And these devices are hugely susceptible to being compromised in their operations, through software/network based attacks.&lt;br /&gt;&lt;br /&gt;I don't want the owners of conficker effectively "owning" my TV, much less the system that controls the local mass transit system, much less systems on the Boeing or Airbus plane I'll be on later today.&lt;br /&gt;&lt;br /&gt;The world needs secure software and systems, and we need it NOW.  Getting there includes:&lt;br /&gt;&lt;br /&gt;  - better security training for s/w development engineers&lt;br /&gt;  - better security requirements managed through the software lifecycle&lt;br /&gt;  - use of best of breed tools for security assessment of code, both through static and dynamic analysis&lt;br /&gt;  - use of defensive mechanisms in code to detect, defend and react to internal security breaches (yes this is where my company, Arxan Technologies, has solutions).&lt;br /&gt;  - use of updating capabilities and processes to ensure that security faults in ALL devices are addressed quickly and responsibly, rather than left to be taken advantage of in later months or years.&lt;br /&gt;  - choice of appropriate operating systems and other tools for the task, rather than use of known low security quality software such as Microsoft Windows&lt;br /&gt;&lt;br /&gt;So are the conficker owners going to issue an update that is specific to a medical device to cause it to misbehave?  Not likely...but they could.  It's really quite unbelievable.  We are giving control of the world around us away, to those whose only interest is leveraging their control for profit and/or mayhem.&lt;br /&gt;&lt;br /&gt;Funny, that hunting and gathering life is sounding more and more appealing.  
No, you may not take over my spear!!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4848853993867006281?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4848853993867006281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4848853993867006281'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/05/devices-all-around-us-are-not-safe.html' title='Devices All Around Us Are NOT SAFE!!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4229147526010569955</id><published>2009-05-01T14:24:00.000-07:00</published><updated>2009-05-01T14:38:39.402-07:00</updated><title type='text'>Cyber attack on an American City</title><content type='html'>Bruce Perens, a well known technologist and open source evangelist, wrote a fascinating review and analysis of the recent attack on the city of Morgan Hill in California, via the simple but highly effective means of merely popping manhole covers, entering and cutting fibre optic lines.  Read the story here: http://perens.com/works/articles/MorganHill/&lt;br /&gt;&lt;br /&gt;I believe this story points out what I've been suggesting in my recent blogs regarding conficker: we are a society highly dependent on a live, running internet.  Hugely dependent.  
This story is direct evidence.&lt;br /&gt;&lt;br /&gt;So I ask again, how effective could several million computers be, working in concert, at shutting down sections of the internet, or at keeping targeted commercial properties from operating on the internet?  Because that is the power the owners of conficker have.  The latest usage appears to be the more traditional usage of heisted computers: spambots and capturing keystrokes to capture credit card information or other high $ value information from the user.&lt;br /&gt;&lt;br /&gt;If that's all they can come up with, I have to say I'm unimpressed with the meta-level creativity of the owners of this worm.  Yes, they've shown some real technical creativity and implementation skills in what they've done, but to what effective end?  Sure, they should be able to make some $'s from stealing CC#'s and from selling spam services.  But that's pennies compared to leveraging what might be within their capability set at this point.&lt;br /&gt;&lt;br /&gt;Think about it: shut down Citibank for a day.  Wait a few days.  Then send a private message to their president saying they will be randomly shut down again, over and over...until they pay a $50M ransom into such and such bank account.  That's serious, serious criminality on a scale that's Bond film worthy, if you ask me.&lt;br /&gt;&lt;br /&gt;I just can't figure out why they aren't executing on it.  And I can't figure out why some serious brainpower isn't being applied to figure out how to stop them.&lt;br /&gt;&lt;br /&gt;Maybe it is and we just don't know it.  I can only hope so.  Because the nonsense about "check and make sure your computer isn't infected and you have the latest Windows patches applied" is both important...and completely irrelevant at this point.  The owners of conficker already have a fascinating and potentially extraordinarily potent weapon under their control.&lt;br /&gt;&lt;br /&gt;Does anyone really know how powerful?  I don't know!  
I guess it's good so far that we haven't found out.  But as the attack on Morgan Hill demonstrates, the western world at least is far, far more vulnerable to this weapon than we believe or understand.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4229147526010569955?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4229147526010569955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4229147526010569955'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/05/cyber-attack-on-american-city.html' title='Cyber attack on an American City'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-8935396731036998056</id><published>2009-04-15T09:36:00.000-07:00</published><updated>2009-04-15T09:55:10.363-07:00</updated><title type='text'>"Secure software" is enough anymore!</title><content type='html'>Lots of folks are talking about "securing software" in the rather traditional context of "writing secure software", and this is being broadened out to a complete security focus through the entire lifecycle.  
You can hear me discuss this on this recorded webinar:&lt;br /&gt;&lt;br /&gt; http://www.arxan.com/software-protection-resources/webinar-series/application-security-360-view-webinar.php&lt;br /&gt;&lt;br /&gt;and colleagues at Fortify and Cigital have developed a "Building Security In Maturity Model", which is here:&lt;br /&gt;&lt;br /&gt; http://www.bsi-mm.com/&lt;br /&gt;&lt;br /&gt;However, I'm here to tell you folks, IT ISN'T ENOUGH.&lt;br /&gt;&lt;br /&gt;What's that you say?  What more is there?  What more can we do than ensure our applications don't have security flaws?&lt;br /&gt;&lt;br /&gt;The answer is that applications have to go on the offensive.  Applications must not just be "defensively secure" by not having code vulnerabilities, they must take active measures to detect and respond to attacks directed against themselves.&lt;br /&gt;&lt;br /&gt;Of course my company is in this business and of course this is a blatant advertisement...but darn it folks, it is absolutely true and knowing what I know, I'd be saying this even if I worked as a used car salesman.  Applications in the enterprise, in the cloud, distributed applications (ISV s/w) and applications in end point devices (phones, set top boxes, automobiles, home gaming systems, the list is endless) are the new focused target of attack by organized crime.  And these applications CAN be engineered to have multiple layers of active defense ("offensive defense").&lt;br /&gt;&lt;br /&gt;Applications can and should check themselves for code integrity.  Applications can and should authenticate components that are dynamically attached (DLL's).  Applications can and should detect and notify of debugger attachments.  Applications can and should protect critically sensitive code through encryption and dynamic decrypt/execute/re-encrypt operations.  
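&lt;br /&gt;&lt;br /&gt;As an added illustration (written for this page; it is not code from the original post and not Arxan's product), here is a small Python model of the self-guarding techniques just listed: guards record reference digests of protected code, re-verify them at run time, an outer guard checks the inner guard so that patching the checker out is itself detected, and the response differs for tampering versus an attached debugger. The guarded "code region" is a Python function's bytecode, standing in for a native text segment; the `check_license` routine, `cracked_check_license` and `simulate_tamper` are constructed for the demonstration and are assumptions of this example.

```python
import hashlib
import sys

# Added example, not code from the original post or from Arxan.
# It models self-checking "guards" on Python bytecode; a native
# implementation would checksum machine code in the text segment instead.


def code_digest(func):
    """SHA-256 over a function's bytecode and constants: its guarded 'code region'."""
    h = hashlib.sha256()
    h.update(func.__code__.co_code)
    h.update(repr(func.__code__.co_consts).encode("utf-8"))
    return h.hexdigest()


def check_license(key):
    """Constructed sample of logic an attacker would want to patch:
    accept only 12-character keys ending in '-OK'."""
    return len(key) == 12 and key.endswith("-OK")


def debugger_attached():
    """The page's 'debugger attachment' check, in interpreter terms:
    a Python-level tracer (pdb, settrace hooks) is installed."""
    return sys.gettrace() is not None


class GuardNetwork:
    """Two-level guard network.

    Level 1: verify_regions() compares each protected function against the
             reference digest recorded when the network was built.
    Level 2: verify_all() first checks verify_regions() itself, so removing
             the inner guard is caught by the outer one.
    """

    def __init__(self, protected):
        self.protected = dict(protected)          # name to function
        self.reference = {}
        for name, func in self.protected.items():
            self.reference[name] = code_digest(func)
        # the outer guard remembers what the inner guard's code should look like
        self.reference["_inner_guard"] = code_digest(GuardNetwork.verify_regions)

    def verify_regions(self):
        """Inner guard: names of protected functions whose digest changed."""
        tampered = []
        for name, func in self.protected.items():
            if code_digest(func) != self.reference[name]:
                tampered.append(name)
        return tampered

    def verify_all(self):
        """Outer guard: check the inner guard first, then let it run."""
        tampered = []
        if code_digest(GuardNetwork.verify_regions) != self.reference["_inner_guard"]:
            tampered.append("_inner_guard")
        tampered.extend(self.verify_regions())
        return tampered

    def respond(self):
        """Layered responses: tampering is an overt refusal to run; a debugger
        is a subtle event meant for the enterprise's monitoring pipeline."""
        events = []
        tampered = self.verify_all()
        if tampered:
            events.append(("refuse", tuple(tampered)))
        if debugger_attached():
            events.append(("report", ("debugger",)))
        return events


def cracked_check_license(key):
    """Constructed 'patched' version of check_license that accepts anything."""
    return True


def simulate_tamper(func, replacement):
    """Constructed stand-in for a binary patch: swap func's bytecode for
    replacement's. Returns the original code object so it can be restored."""
    original = func.__code__
    func.__code__ = replacement.__code__
    return original


if __name__ == "__main__":
    net = GuardNetwork({"check_license": check_license})
    print("clean:", net.respond())
    saved = simulate_tamper(check_license, cracked_check_license)
    print("patched:", net.respond())
    check_license.__code__ = saved
```
&lt;br /&gt;&lt;br /&gt;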
Applications should utilize multiple levels of networks of these self-guarding techniques, with a variety of overt and subtle response actions, to ensure that persistent attacks are foiled at some level.  Enterprise applications should have these response actions wired into the security monitoring systems deployed by the enterprise.&lt;br /&gt;&lt;br /&gt;These practices need to become commonplace and part of our general software lifecycles.  The world is too dangerous a place for it not to happen.  We need to keep up with the organized criminals, and right now our software is falling woefully behind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-8935396731036998056?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8935396731036998056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/8935396731036998056'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/secure-software-is-enough-anymore.html' title='&quot;Secure software&quot; is enough anymore!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7518530177818946461</id><published>2009-04-08T11:52:00.000-07:00</published><updated>2009-04-08T13:17:32.960-07:00</updated><title type='text'>Cyberwar is Real: US Electrical Grid Attacked and Compromised</title><content type='html'>The Wall Street Journal has reported what many of those of us on the inside of the cyber 
security world already knew, namely that there is very serious warfare going on today between Russia and China, and the US.  Read the report here:&lt;br /&gt;&lt;br /&gt;http://online.wsj.com/article/SB123914805204099085.html?mod=googlenews_wsj&lt;br /&gt;&lt;br /&gt;We could call this a "cold war" on the network/computer ("cyber") battlefield in the sense that damaging actions are not yet being taken.  Instead, "footholds" are being created from which highly effective attacks can be mounted.  In this case, it's footholds in the heart of a critical area of infrastructure, our power systems.&lt;br /&gt;&lt;br /&gt;The report speaks to the North American Electrical Reliability Corp. being responsible for oversight of the security of our electrical systems, and setting standards for firewalls between administrative and actual control systems.&lt;br /&gt;&lt;br /&gt;Sorry to be overly colloquial but, "well duh!".&lt;br /&gt;&lt;br /&gt;In general, control systems shouldn't have any connections to the internet, period.  Interconnects between "administrative" systems that are internet connected and the control systems should not exist, or should utilize proprietary and highly secured lines and technologies.  Obviously this isn't the case.  It's a safe assumption that a casual attitude in the evolution of the internal systems in the power industry, combined with a real lack of understanding of the ability of hackers to thread malware through a wide variety of industry standard communications interfaces, has led to a high degree of interconnection and thereby to an easy to penetrate set of control systems.&lt;br /&gt;&lt;br /&gt;Unfortunately the problem certainly isn't limited to power systems.  Is the situation likely to be any different in our telecommunications infrastructure?  Our water management infrastructure?  Our police and civil defense infrastructure?  Our hospital and emergency response infrastructures?  
If our power control systems can be subverted, is there much of anything in the civil arena that isn't in all likelihood subject to successful intrusion and subversion?&lt;br /&gt;&lt;br /&gt;One area of real concern I have is the lack of computing security expertise that your typical power systems organization, and all other civil infrastructure computing systems, are going to have.  Simply put, they don't have the right soldiers in the field to fight the type of war being waged.&lt;br /&gt;&lt;br /&gt;It's no wonder that Obama's administration is issuing a call to action in the general area of "cyber security".  While we are busy designing and building jet fighters that can take out anything China might produce by the year 2100, China and Russia are thinking and operating strategically.&lt;br /&gt;&lt;br /&gt;We in the US (and other western nations) must think and act strategically too.  The plane of combat has expanded in new dimensions, with the network being the enabler, and the computer control system being the field of battle.  Of course we shouldn't forget that there may very well be offensive actions well under way by the US Department of Defense.  However, that doesn't address our own weaknesses.  If we were thinking and acting strategically and comprehensively, wouldn't there already be clear efforts underway to secure our infrastructure from cyber attack?  Unfortunately this line of thinking, combined with the evidence at hand, is not comforting.&lt;br /&gt;&lt;br /&gt;Let's go back to Conficker for a moment (see previous blogs); if I were the "owner" of that worm, my perspective would be that I have a pretty darn powerful "bomb" available, potentially an ability to bring down certain selected targets that operate on or via the internet, and potentially even wide swathes of internet-based economic activity, by leveraging the power of the +/- 5 million computers under my control.  
Personally, I know what I would do with this capability; I'd auction it off to the highest bidder, and I'd go to Russia and China first and foremost to start the bidding process.  (Then I'd go retire to a life of surfing, pool and internet poker in the Maldives.)&lt;br /&gt;&lt;br /&gt;It's a strange new world in all respects, and this strange new world includes a new Cyber Cold War.  We'll acronymize it and call it CCW (you heard it here first!).  It's real, it's serious, and it is a threat to our economy and even our daily creature comforts of power, phone and internet.  Obviously Arxan Technologies, Inc. is in the business of helping, both "confidentially" through our Defense Systems organization, and more openly and publicly on the commercial side through commercial products and technologies.  What's needed is an active and investing government, stepping up to the plate to enable the investments by our infrastructure organizations to devise and deploy the necessary re-architecting and defence of our infrastructure computing systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7518530177818946461?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7518530177818946461'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7518530177818946461'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/cyberwar-is-real-us-electrical-grid.html' title='Cyberwar is Real: US Electrical Grid Attacked and Compromised'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7601387814975005324</id><published>2009-04-07T10:03:00.001-07:00</published><updated>2009-04-07T10:30:39.500-07:00</updated><title type='text'>Digital Piracy and How to Slow It</title><content type='html'>New reports (&lt;b&gt;http://tinyurl.com/d2jfae&lt;/b&gt;) are putting digital piracy of media at $20B worth of content every year and rising.  Much of this content is from US media companies, and as you see from the article, these kinds of figures start generating a lot of political churn.&lt;br /&gt;&lt;br /&gt;However, realistically, can lawmakers make the slightest dent in this activity?  Simply put, I think the answer is no.  The methods and channels are just not subject to any serious action feasible from a legal perspective.&lt;br /&gt;&lt;br /&gt;Can technology à la DRM throughout the production and distribution channel solve this problem?  To some degree, yes.  However, as the recent theft of the new Wolverine movie demonstrates, the problem is not strictly one of technology, amenable to technology solutions; in this instance, it's virtually certain an "insider" in the studio lifted an early (unencrypted) "digital print" of the movie for illicit distribution.  More extreme internal controls on access may help here, but obviously are difficult given the breadth of people involved in film production in general, particularly ones with high special effects content.  There's also the simple low budget and low quality, but still effective, pirating approach of simply "filming" (videoing?  interesting how all our terms are out of date with current technology!) the film in the theatre, a pirating approach that is only amenable to full body searches at the doors of theatres.  
While posturing lawmakers might suggest it, it's obviously never going to happen.&lt;br /&gt;&lt;br /&gt;So where does that leave those companies that are getting robbed blind?&lt;br /&gt;&lt;br /&gt;I don't think it's beyond rationality to think that they might just take matters into their own hands.  After all, people and organizations that are losing serious money eventually will resort to "serious" actions to solve the problem.  What am I implying here?  I'm implying the use of questionable-at-best, if not outright illegal, actions to attempt to impede the business of the distribution organizations involved in the piracy, particularly those using the internet as a distribution channel.&lt;br /&gt;&lt;br /&gt;What kinds of actions?  Web site attacks, in general, via all the "usual" means that hackers use to access company intranets today for illicit ends: penetration attempts followed by operation of s/w that would compromise the piracy delivery operations, and denial of service attacks as a start.  A kind of "fight back with the tools available" approach...even if those tools are on the wrong side of the law.&lt;br /&gt;&lt;br /&gt;Let's be clear: I'm not promoting illegal activities by "the good guys", and taking this kind of action would move "the good guys" into a difficult moral area, at best (vigilante action is always questionable, but it is sometimes popular as a means of getting justice).  I'm merely raising the question: at what point does Big Money Lost move to Serious And Illegal Action in order to get on the offensive against the thieves robbing them blind?  Does it start to happen at $20B?  
I'm suspicious it just might...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-7601387814975005324?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7601387814975005324'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7601387814975005324'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/digital-piracy-and-how-to-slow-it.html' title='Digital Piracy and How to Slow It'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-3697126190155509546</id><published>2009-04-06T08:58:00.000-07:00</published><updated>2009-04-06T09:33:54.497-07:00</updated><title type='text'>Revolution in Smart Phone Design?</title><content type='html'>The new Motorola "Evoke" phone uses a single ARM processor, without a second processor (which is frequently a DSP, or digital signal processor).  Typical smart phone designs use a two processor configuration.  One processor (the ARM, frequently called the "application processor") runs a full-up operating system and general applications including the graphical user interface.  This OS is typically WinCE, Symbian, Linux, Apple's OS-X, PalmOS, etc.  The second processor runs s/w that is responsible for servicing the radio, including accepting/processing inbound calls, initiating outbound calls, etc.  This s/w is called the "modem stack".  
The modem stack requires real-time processing, meaning responses and transactions must occur within a deterministic period of time, frequently measured in the range of tens of micro-seconds.  Longer delays can cause phone operation glitches and call failures.&lt;br /&gt;&lt;br /&gt;By separating out the application OS and applications themselves from the modem s/w via separate processors, phone designs assure that the modem processing is not affected by the applications, and the phone (as a phone, vs. as a computer) operates correctly and reliably.&lt;br /&gt;&lt;br /&gt;The Evoke phone merges these separate functions onto a single processor.  It does this by utilizing a "micro-kernel".  A micro-kernel virtualizes the hardware, giving each higher level OS the perception that it is running directly on the hardware, controlling and manipulating hw resources, when in fact the micro-kernel is really doing that work.  The micro-kernel can make decisions about which OS environment gets priority.  By being extremely lightweight, the micro-kernel can add very little overhead to overall operations.&lt;br /&gt;&lt;br /&gt;The OKL4 microkernel is a design based on the L4 microkernel design that originates from physics researchers in Germany.  Researchers in Australia implemented their own version of the design, then created Open Kernel Labs to commercialize the technology, around 2002.  While at MontaVista Software (an embedded Linux company which is a leader in providing Linux for cell phone designs), I can't give specifics, but I'll say I was "aware of" OKL4 and its slowly growing traction in the phone industry.  The key word there is "slow".&lt;br /&gt;&lt;br /&gt;Well, this "Evoke" phone shifts the gears up from slow to fast, in my opinion.  The cost benefit of being able to use a much simpler, lower cost, and lower power core "system on a chip" is huge.  
Simply put, within 18 months, I would expect the majority of new smart phone product releases to have moved to this general architecture, using a variety of specific micro-kernels.&lt;br /&gt;&lt;br /&gt;Who are those micro-kernel players?  Open Kernel Labs, VMware (who purchased Trango Virtual Processors a while back to broaden their portfolio and enter this market), Chorus produced by Jaluna in France, RTLinux now owned by Wind River, and probably others.&lt;br /&gt;&lt;br /&gt;One interesting question to be answered is whether this integration of application and modem functions on a single processor overly compromises the user experience on the application side.  My guess is "no", for the simple reason that when being used as a phone, application execution is not important!&lt;br /&gt;&lt;br /&gt;The L4 design is considered to be extremely high performance relative to most micro-kernel designs, due to careful cache management to ensure high performance low level IPC (inter-process communications) operations.  Open Kernel Labs could end up being a big winner with this technology, and thereby a new significant player overall in the OS market.  Before you discount this as a niche, yes it's a niche, but consider the unit volumes, and remember that VMware started with very similar technology for a market area with far smaller unit volumes (though obviously far larger budgets spent on the equipment overall).&lt;br /&gt;&lt;br /&gt;VMware is sure to be a player in this new market as well, though its technology will tell, as marketing hype is not sufficient to win in this market! 
&lt;br /&gt;&lt;br /&gt;It will be interesting to watch how this all develops.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-3697126190155509546?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3697126190155509546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/3697126190155509546'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/revolution-in-smart-phone-design.html' title='Revolution in Smart Phone Design?'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4973705213719140446</id><published>2009-04-03T08:54:00.000-07:00</published><updated>2009-04-03T10:16:59.261-07:00</updated><title type='text'>Application Security 1A</title><content type='html'>There's a fascinating demo and supporting tool to be shown and released at the upcoming Blackhat in Amsterdam (&lt;b&gt;http://tinyurl.com/djad82&lt;/b&gt;).  The researcher is showing techniques to use SQL injection (typically used to get to inappropriate/inaccessible database contents) to "take over" the SQL server, and from there, to upload arbitrary privileged code onto the server, effectively allowing complete server takeover.&lt;br /&gt;&lt;br /&gt;Gadzooks.  The researcher says this is enabled by taking advantage of default settings in the SQL server, combined with SQL and OS code that have flaws enabling buffer overflow attacks (don't understand those yet?  
Try here: http://en.wikipedia.org/wiki/Buffer_overflow).&lt;br /&gt;&lt;br /&gt;A week ago I presented a webinar on "Application Security: A 360 Degree View" (which you should be able to find/watch here: http://www.arxan.com), and the focus was on the need for comprehensive security practices throughout the software development lifecycle.&lt;br /&gt;&lt;br /&gt;So what's the final word from Mr. BlackHat researcher (Bernardo Guimaraes)?  "I think that the attacks described are realistic threats when the Web application does not follow a proper security development life cycle and the database server is used with default configurations in place or is badly configured."&lt;br /&gt;&lt;br /&gt;Ding dong!  As Pogo said oh so long ago, "we have met the enemy, and they are us...".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2895785611709323160-4973705213719140446?l=arxancto.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4973705213719140446'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4973705213719140446'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/application-security-1a.html' title='Application Security 1A'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-544645271580628197</id><published>2009-04-02T14:54:00.000-07:00</published><updated>2009-04-02T15:28:03.378-07:00</updated><title type='text'>We Need a New OS!</title><content type='html'>It's time for a new operating system.&lt;br /&gt;&lt;br /&gt;Windows (and Linux and BSD) as the foundation operating systems for the Computer Economy Age just don't cut it, folks.&lt;br /&gt;&lt;br /&gt;BSD, with its security-minded focus, is best but still far from rigorous, Linux is worse and Windows is downright obscene when it comes to security.  And I'm not just talking about security flaws, like the defect that allowed a buffer overflow attack used by Conficker.  I'm talking about fundamental design.&lt;br /&gt;&lt;br /&gt;I "grew up" (professionally that is) in an industrial OS R&amp;amp;D lab, at Hewlett-Packard.  While we were dealing with OS kernel basics, the notions of security (and robustness: the idea of a system ever going down was absolutely unacceptable, and a system crash in the field was an all hands on deck, send out the best engineers on site exercise, and rarely happened) were deep and strong in our designs.  Windows, for example, casually allows external objects to create and launch a new thread in a running process...say what?  Hijack system entry points...hello??&lt;br /&gt;Memory access permissions are loose and can be over-ridden.  
From the perspective of an old-school guy, it's completely nuts what's allowed in a Windows environment.&lt;br /&gt;&lt;br /&gt;I suppose the thought process of the designers was "enable flexibility", but the result is an environment where anything goes, and unfortunately just about anything can and does, including all kinds of subversive activities by the criminal technologists.&lt;br /&gt;&lt;br /&gt;On top of this sinful licentiousness of the OS is the complexity, and when you add the two together, you enable the bad s/w to pull all kinds of shenanigans and hide itself extremely well in the process.  Conficker is a great example: it uses multiple techniques to make itself just not show up or otherwise hide itself in a sea of other crap in running process, DLL and/or registry scans.&lt;br /&gt;&lt;br /&gt;It's important to think about this pretty deeply because, let's face it, the world is already deeply dependent on the operation of our computers and their continuous communications on the internet.  I'm not talking about just the "convenience" of email and chat (though just shut down those and imagine the chaos to the economy!), I'm talking about the world of finance and general B2B transactions that are computer and internet based.&lt;br /&gt;&lt;br /&gt;Can we really afford to have the fundamental computing and communications infrastructure of our world economy dependent on crappy s/w designs?&lt;br /&gt;&lt;br /&gt;Unfortunately today we have no choice.  But it sure would be nice if we could have a new operating system, one that is well organized, properly modular, with appropriate levels of security and complexity.&lt;br /&gt;&lt;br /&gt;The problem of course is the extraordinary amount of s/w that already exists in the world that depends on a Windows or Linux environment.  
However, this shouldn't completely block the attempt, as reasonable emulation environments for applications can be crafted and run on top of a true modern OS, one of sufficient quality to actually base business operations on.&lt;br /&gt;&lt;br /&gt;Note that a "root of trust" design around which Windows could be wrapped doesn't really cut it, for the reason that you still have the Windows environment with all of its fundamental lack of secure processing models.  Root of trust designs can enable secure functions with secure access to particular hardware (a good model for a cell phone design where you want a secure core for some things but a broad application OS for "the general public"), but don't address the broader OS environment as a whole.&lt;br /&gt;&lt;br /&gt;I don't know how a new modern, secure and highly adopted OS is going to come about.  Linux and BSD are pretty amazing developments, and each took 10+ years to get to significant mainstream adoption.  But they DID happen, and it can happen again.  So I encourage all you smart and motivated s/w engineers out there, don't be shy, MAKE IT HAPPEN!  Not for me, but "for our children".  
Because running our businesses and increasingly our lives on fundamentally non-secure computing platforms is just a bit insane, if you ask me.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/544645271580628197'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/544645271580628197'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/04/we-need-new-os.html' title='We Need a New OS!'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-126026779617927117</id><published>2009-03-31T11:08:00.000-07:00</published><updated>2009-03-31T11:37:31.648-07:00</updated><title type='text'>More thoughts on Conficker worm</title><content type='html'>How much damage can someone with "remote control" of somewhere between 2 million and 15 million computers (the estimated number of Conficker-infected computers worldwide) actually do?&lt;br /&gt;&lt;br /&gt;Think about that.  Whoever is "running" this worm has the ability to update the worm, in general, within a few days' time, effectively issuing new operating instructions to this vast arsenal of internet connected systems.&lt;br /&gt;&lt;br /&gt;So what kind of attack can be launched?  
How much and/or what specific critical areas of the world economy or infrastructure can be attacked?&lt;br /&gt;&lt;br /&gt;Is it conceivable that a vast amount of the world economy can be brought to its knees?&lt;br /&gt;&lt;br /&gt;I honestly don't know.  And so far, I can't find anyone who's saying, aside from vague comments such as "in the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."&lt;br /&gt;&lt;br /&gt;What is not addressed in this kind of comment is the question of the degree of impact on the world economy if attacks could in fact "disrupt the internet itself".  To the degree such a general statement is true...I'd say the world economy could be pretty much brought to a standstill, don't you agree?  The world economy is extraordinarily dependent upon the internet, in a way that we haven't really grokked...but we need to, and quickly.&lt;br /&gt;&lt;br /&gt;Are we potentially facing one of those comic book moments where Dr. Doom truly causes mass disruption of the world economy, then announces to the world that he'll only re-enable operations if he's sent $100B?  Or named world dictator?  Or both.&lt;br /&gt;&lt;br /&gt;I know it's fantastical...but if there aren't people RIGHT NOW sitting in Pentagon think tanks analyzing the potential level of disruption, I'd be awfully shocked.  Unless of course the level of potential disruption is well understood already, in which case they are probably analyzing just what can be done about it.&lt;br /&gt;&lt;br /&gt;I've spent some time reading through the detailed descriptions of this nasty little worm, and it's a son of a gun.  
The problem is that unless people owning/managing the infected computers wipe it out themselves by retaking control of their own computers and running appropriate "disinfectant" software, there's just no darn way to recover control of these 2-15 million computer systems!  However, most such people have no clue their machine is infected.&lt;br /&gt;&lt;br /&gt;A few key notes if you aren't aware of them:&lt;br /&gt;&lt;br /&gt;  - this all only started in October of last year, and in that time, this worm has gone through three updates (A=&gt;B=&gt;B++=&gt;C).  Of course, not all older versions of the worm have successfully evolved to the new versions, so what's out there now is a range of types.  These updates have included active measures to counter the "counter-measures" that security researchers have been deploying to block or disable the worm.&lt;br /&gt;  - developers are using absolutely state-of-the-art technology, literally within days of development (such as MD6; they included first versions only a few weeks after initial development and release to the public, including defects, and then in an update early in '09 included the very new corrections to those defects).&lt;br /&gt;  - the worm uses a variety of methods to access updates to itself, the most powerful being a "find a domain on the internet where my master has new code for me to download".  A new method for doing this is what "turns on" on April 1, 2009.  Whether or not April 1 will be a date for a new version of the worm to be downloaded to all the infected machines is rather independent of this "mode switch" date.&lt;br /&gt;  - most perniciously, the worm performs sophisticated public/private-key-based validation of the veracity of the new worm version to be downloaded.  
The private key is only known by the creators of the worm, and at a key length of 4096 bytes, is quite immune to a brute-force attack to derive the private key from the worm code and the public key.&lt;br /&gt;&lt;br /&gt;The "easy" way to turn this thing off is to build a "good worm" if you will (some benign code that will terminate itself and stop operating once it has replaced the old version on an infected system), sign this "good worm" with the private key, and put it where all the infected systems will find it and download it.  Then all the "bad Conficker worms" replace themselves with a new benign version over time, and voilà, the threat is over.  (Remind you of Data sending the "go to sleep" command into the Borg collective in Star Trek TNG?  It should...)&lt;br /&gt;&lt;br /&gt;Easy, right?  The core issue is WHAT IS THE PRIVATE KEY?  How do we make sure the Borg accept the sleep message as a valid message?&lt;br /&gt;&lt;br /&gt;The way to get the private key is "easy", and it's called the rubber hose method.  You simply find the criminals responsible for Conficker, put them under the rubber hose (if you will), until they share the private key.  So the problem becomes one of tracking down the SOBs responsible, which is unfortunately not easy at all.  There are some indications that the criminal group of Baka Software (who distributed "anti-virus software for Windows" as a product that was itself a virus, sneaky crooks) MIGHT be responsible.   Baka is apparently in Kiev, Ukraine.  However, the vague signs pointing their way could also be intentional misdirection by the real developers.&lt;br /&gt;&lt;br /&gt;We can only hope to hear the news reports soon of the attack by a multi-national SWAT team that executes the rubber hose method of private key extraction.  I for one will be cheering on the sidelines.  I don't want to have to wake up every morning and recite a Pledge of Allegiance to Dr. 
Doom...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/126026779617927117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/126026779617927117'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/03/more-thoughts-on-conficker-worm.html' title='More thoughts on Conficker worm'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-4607857163978392515</id><published>2009-03-30T09:06:00.000-07:00</published><updated>2009-03-30T15:07:45.736-07:00</updated><title type='text'></title><content type='html'>Conficker (note: sometimes you'll find this on the web as "conflicker", but apparently the roots of the name are dirtier than that...) is "due" to update itself on April 1 (2009).  What's Conficker all about and what are the implications?&lt;br /&gt;&lt;br /&gt;First, it's on millions of PCs.  Second, to date, it hasn't explicitly done anything deeply "wrong", beyond propagating and protecting itself by doing things like blocking virus scans etc.&lt;br /&gt;&lt;br /&gt;The question is: what IS it going to do?  What's the purpose?  Well, it's a tool for the "owners"; they have access to millions of computers, for doing just about whatever they darn well please, when they please.  
If they wake up on the wrong side of the bed and decide to toast them via disk wipes, they can have the virus download new instructions to do just that.  However, that's not likely; to understand why, we have to understand the mindset of the creators.&lt;br /&gt;&lt;br /&gt;The creators are, in all likelihood, part of a crime syndicate.   Availability of millions of computers is a tool not to be wasted for non-monetary purposes.  How exactly they will be used over time will be revealed, one Conficker update cycle at a time, starting in two days.&lt;br /&gt;&lt;br /&gt;How does such extensive infestation happen in this day and age?  Unfortunately it happens because organizations and individuals don't keep their system software current, end of story.  Anyone at Windows XP SP2 or anything more recent than that has access to both patches that prevent Conficker, and to s/w that will find it and remove it.&lt;br /&gt;&lt;br /&gt;The problem is all the computers that run older s/w.  MS doesn't support XP SP1 anymore, for example, and has not and will not release a patch to correct the security flaw that enables infestation by Conficker.  While we can berate MS for this, I don't think that's appropriate, because if an organization (or individual) doesn't bother to upgrade to SP2...then are they really likely to bother with a security patch to the SP1 system?  I'd guess probably not.&lt;br /&gt;&lt;br /&gt;So while we can moan and groan about "insecure software", unfortunately this is as much or even more a human and organizational behavior (and economic) issue than it is a technology issue.  Or to put it a different way, folks, there's always going to be security issues in s/w.  (Well, maybe someday that won't be true but for the next good while it is and will be!)  
At the same time, there will always be ways to REACT to the security issues that come to light...which requires not just "dumb users" but involved users, caring users, thoughtful users, and perhaps most importantly...users that understand that keeping their computer systems secure through updates is a COST OF OWNERSHIP REQUIREMENT.&lt;br /&gt;&lt;br /&gt;Conficker is a fascinating testament to the problem: it's insidious, and it causes, to date, no overt and obvious (to the casual user) harm to the computer.  So "all is well", and infected machines work hard to infect other unprotected systems, and so it spreads.  It's taking great advantage of our "feel no evil, there is no evil" attitude toward technology.  I'd guess that 95% of the people sitting in front of computers infected with Conficker have never heard of the worm (it is a "worm", a self-replicating computer program which, unlike a virus, does not need to attach itself to an already existing computer program).  Kind of like getting a disease for which there are no clear symptoms for some time until...whoops, something bad happens.&lt;br /&gt;&lt;br /&gt;In the case of Conficker, the "something bad" may still not be anything overtly obvious on the infected systems.  For example, they could be harnessed to launch mass denial of service attacks at specific targets, or perform spam mailings, etc.  The impact on any particular infected system may be very minor.&lt;br /&gt;&lt;br /&gt;I still hear many of you reading this asking "but isn't there a technical solution?".  Sure there is!  Don't run older MS operating system software that is vulnerable to an RPC buffer overflow attack; keep your system software current and updated with all the latest security patches!  
Don't run your computer with an ADMIN$ share over NetBIOS that doesn't use strong passwords (this is probably the method through which large groups of commercial computers have been infected).&lt;br /&gt;&lt;br /&gt;Other steps: go here and download the latest/greatest copy of the Microsoft malware scanner, and then run it by navigating to c:\WINDOWS\system32 and running the program mrt.exe:&lt;br /&gt;&lt;br /&gt; &lt;a href="http://www.microsoft.com/downloads/thankyou.aspx?familyId=ad724ae0-e72d-4f54-9ab3-75b8eb148356&amp;amp;displayLang=en" target="_blank"&gt;http://www.microsoft.com/downloads/thankyou.aspx?familyId=ad724ae0-e72d-4f54-9ab3-75b8eb148356&amp;amp;displayLang=en&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;(Note: if you are unable to access this page with your browser...you are probably infected!  Conficker blocks access to most security/virus related sites...)&lt;br /&gt;&lt;br /&gt;Can system software or some kind of add-on security software be designed to "automatically detect" and report an infestation?  Well...yes.  And the newest versions of the anti-virus software do exactly this: they find and neutralize Conficker, which is why one of Conficker's actions is to disable the updating and execution of virus detection s/w!  Okay, you might ask, how about "built-in" safeguards, built-in sentries?  Well...yes.  And the anti-virus s/w on your computer (assuming you are current w/your updates and not infected) does this.  "How about something generic that is always there from the get-go that can find and notify or even destroy this and any and all new and different viruses and worms?".  Ah yes, the holy grail.&lt;br /&gt;&lt;br /&gt;No.&lt;br /&gt;&lt;br /&gt;Why not?  Because step 1b of every serious virus/worm designer is "counter all the existing defenses".  
So it becomes a game of "can we develop a non-counter-able defense, which can find and deal with any arbitrary infestation?".&lt;br /&gt;&lt;br /&gt;My friends, that is seriously difficult, perhaps bordering on impossible, and perhaps even formally "uncomputable" (for you computer scientist types).  Perhaps in an extremely well-structured operating system environment with extremely formal interfaces and controls...which of course Windows definitely is not.&lt;br /&gt;&lt;br /&gt;That said, you CAN enable programs to monitor themselves for changes, you CAN enable programs to validate the "correctness" and "appropriateness" of any attaching modules, and Arxan is in this business.  But it takes proactive effort by the owners of all those programs to take such actions.  Additionally, worms such as Conficker don't operate this way; they come in as a separate body of code, hiding themselves.   Can all such "inappropriate" s/w be seen/found and rooted out as it lands in a computing system?  That's tough, because again, a Windows (or Linux etc.) environment is one very complicated environment, with a wide range of dynamic content including many different programs being loaded and run.&lt;br /&gt;&lt;br /&gt;The analogies with biological viruses and human behaviors here are just too strong to ignore.  "Can we protect ourselves from viruses?".  Well, yes...to a degree.  Wash your hands often particularly after being in public places or having human interactions, take your vitamin C (500 mg 2x/day folks, it's working for me!), get regular aerobic exercise (20+ minutes 3-4x/week), practice safe sex, etc.   So...does everyone do this?  Hah, not even close.  So we are far far more sick than we need to be.&lt;br /&gt;&lt;br /&gt;Our computers are too.  Between 9 and 14 million of them by last estimate, to Conficker infection alone.&lt;br /&gt;&lt;br /&gt;That's sad.  
So check your computer and keep it current.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4607857163978392515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/4607857163978392515'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/03/conficker-note-sometimes-youll-find.html' title=''/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-5641954533771522148</id><published>2009-03-25T12:40:00.001-07:00</published><updated>2009-03-25T14:17:37.016-07:00</updated><title type='text'>Cerias Security Conference - Purdue</title><content type='html'>I attended sessions at the Cerias security conference at Purdue today, and participated as a panelist on a discussion around the recent report "Unsecured Economies", performed by Dr. Karthik Kannan, Dr. Jackie Rees and Dr. Eugene Spafford, and funded by McAfee.  (The report can be accessed through this request page: http://resources.mcafee.com/content/NAUnsecuredEconomiesReport).&lt;br /&gt;&lt;br /&gt;The report is based on a study of 1000 senior IT decision makers across 800 companies, the distribution of their IP and data assets around the world, and the IP and data theft they have experienced in the last year.  
The numbers are rather staggering: $4.6M in AVERAGE losses per company in a single recent year.&lt;br /&gt;&lt;br /&gt;Some interesting questions were asked during the panel, including "how were the values of the losses assessed?".  Indeed "how we count" here is a tricky question.  At Arxan, while we could look for example at the direct cost of any piracy of our software ("whoops, would/could have been a customer so that's a loss of $x of income/revenue"), the larger costs are in how such pirated s/w could be misused to compromise the value proposition of the company, and the resulting damage over the longer term to the company valuation.&lt;br /&gt;&lt;br /&gt;My opening statement, boiled down, amounted to the following: enterprises today utilize vastly distributed computing elements, with no well-defined perimeter, each of which maintains and/or processes company data and/or IP.  Perimeter defenses are ineffective, and even when in place around concentrations of computing elements, are too easily compromised through direct and indirect attack.  Therefore, our security model must directly address the security of the fundamental data, the enterprise applications that process that data, and the keys that enable the legitimate usage of the data and applications.&lt;br /&gt;&lt;br /&gt;This is where Arxan plays and represents Arxan's core vision.  And the reality is that it's a journey and quest, by both us and our customers, because it's an ongoing battle with the criminals who are always seeking to overcome our latest and greatest solutions and defenses.&lt;br /&gt;&lt;br /&gt;A few other notes on the conference.  Dr. Ron Ritchey of Booz Allen (and also an adjunct professor at George Mason teaching a course in secure software development) gave the keynote this morning, and focused on the questions of how security flaws do or do not scale with the size and/or complexity of the code base.  
He had some fascinating data from the operating system world showing the find rate of security issues in OSes, particularly various Microsoft OSes, over time.&lt;br /&gt;&lt;br /&gt;At one level (to me anyway) it's "obvious" that security issues scale with size and complexity.  The questions are a bit more subtle than that: can security issues be taken out of a given code base over time, and can complexity management be applied to the continued development of or addition to that code base to keep aggregate security issues "constant" (or even on a downward sloping trend line)?  The most obvious driver, it seems to me, is the s/w lifecycle practices utilized in the enhancement/maintenance process itself.  Additionally, usage levels are a critical factor re: the resulting metrics.  For example, Dr. Ritchey shared data showing nicely downtrending security find rates for NT starting around year 5 or 6 of deployment...but mightn't this be primarily a function of constantly decreasing usage vs. newer Windows versions vs. any indication that NT was better or is being maintained "better"?&lt;br /&gt;&lt;br /&gt;The other interesting data was on Vista as it compared with XP and other older MS OSes.  The find rate curve for Vista for the first two years is dramatically sharper than it was for XP (which in turn was higher than for the previous version); in fact, the increase in slope was to me rather alarming.  There were only two data points, but the trend is clearly in the wrong direction by a long shot, and this for an OS where increased security was a primary business objective (or so I understood).  Of course the code size and complexity level of Vista vs. 
XP is much larger/higher, so..."to be expected", but that's not a good answer for us, the users, nor for the software industry in general, is it?&lt;br /&gt;&lt;br /&gt;Ciao for now,&lt;br /&gt;&lt;br /&gt;-Kevin</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5641954533771522148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/5641954533771522148'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/03/cerias-security-conference-purdue.html' title='Cerias Security Conference - Purdue'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry><entry><id>tag:blogger.com,1999:blog-2895785611709323160.post-7338108093386422359</id><published>2009-03-19T09:42:00.000-07:00</published><updated>2009-03-19T09:49:43.588-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='application security'/><category scheme='http://www.blogger.com/atom/ns#' term='software security'/><category scheme='http://www.blogger.com/atom/ns#' term='Arxan CTO'/><title type='text'>Software Security from the Arxan CTO</title><content type='html'>Hello world!&lt;br /&gt;&lt;br /&gt;Yes, very puny for you computer scientists (for you others, a program that prints "Hello world!" 
is the first program in the original book by Kernighan and Ritchie on the C programming language...).&lt;br /&gt;&lt;br /&gt;I'm Kevin Morgan and for over two years I've been managing product R&amp;amp;D (and support and training development and now professional services) here at Arxan Technologies.  We specialize in application software protection; protection from what, you ask?  Protection from reverse engineering to steal your intellectual property; protection from tampering to unlock features that customers haven't paid for or are not allowed to access; protection from tampering to break license management or activation so they can run the software without paying for it; protection from tampering so they can steal unencrypted digital content.  Protection from tampering so they can access your company's internal business data or intellectual property, or worse yet, to perform illicit financial transactions.  The list is literally infinite.&lt;br /&gt;&lt;br /&gt;Now they pinned a CTO title on my chest, and among other things, asked me to blog about what's up in the world of software security in general.  So here's my first post just to get started, with I'm sure many more (with real content!) 
to come...&lt;br /&gt;&lt;br /&gt;Be blogging at you soon.&lt;br /&gt;&lt;br /&gt;-Kevin Morgan&lt;br /&gt;kmorgan@arxan.com&lt;br /&gt;VP of Engineering&lt;br /&gt;Chief Technology Officer (Commercial)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7338108093386422359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2895785611709323160/posts/default/7338108093386422359'/><link rel='alternate' type='text/html' href='http://arxancto.blogspot.com/2009/03/software-security-from-arxan-cto.html' title='Software Security from the Arxan CTO'/><author><name>Kevin Morgan</name><uri>http://www.blogger.com/profile/09282092599757619170</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_so_J0AEKwcU/ScJ4Ztv6hzI/AAAAAAAAAAM/Fc6_jkfjSjE/S220/professional+pic.jpg'/></author></entry></feed>
