Wibu-Systems Blog (https://www.wibu.com/kr/blog.html)

Beware the Software Supply Chain
By Daniela Previtali, 14 Aug 2018
https://www.wibu.com/kr/blog/article/beware-the-software-supply-chain.html

With modern software applications being a combination of public software libraries and custom code, software supply chain security risks are on the rise.

“Threat actors don’t have to defeat a company’s security measures, they only have to compromise a third-party supplier that it works with or relies on.” CSOonline

That seems to be the case with a new wave of software supply chain security breaches. For example, a destructive malware called “NotPetya” was deployed through a legitimate software package employed by organizations operating in Ukraine. The attack was perpetrated through the mechanism that vendor used to distribute updates to its customers. In another attack, hundreds of thousands of computers were infected by a deliberately corrupted version of a free security software utility, CCleaner. Similarly, another group of hackers uploaded deliberately corrupted Python libraries to Python’s public package repository, which were unknowingly incorporated into applications by thousands of Python programmers.

These types of attacks are not new, but the frequency with which they have been taking place is cause for renewed concern.

According to a technical note from The Software Engineering Institute, software supply chain security risk exists at any point where organizations have direct or indirect access to the final product or system through their contributions as a supplier. Security risks can be introduced into the supply chain in several ways:

  • coding and design defects incorporated during development that allow the introduction of code by unauthorized parties when the product or system is fielded. In addition, there are those defects that compromise security directly by allowing unauthorized access and execution of protected functionality.
  • improper control of access to a product or system when it is transferred between organizations (failures in logistics), allowing the introduction of code by unauthorized parties.
  • insecure deployed configuration (e.g., a deployed configuration that uses default passwords).
  • operational changes in the use of the fielded product or system that introduce security risks or configuration changes that allow security compromises (configuration control and patch management).
  • mishandling of information during product or system disposal that compromises the security of current operations and future products or systems.

Most developers build modern software applications with a combination of public software libraries and custom code. According to an article in Forbes magazine, the average web application has hundreds of these libraries, which are comprised of tens of millions of lines of code. The vast majority of these libraries come in the form of freely available software that can be downloaded from the internet.

The Software Engineering Institute points out that supply chain security risks will remain a growing concern as outsourcing and expanded use of commercial off-the-shelf (COTS) and open source software products increase and end users exploit opportunities to reconfigure or make limited additions to deployed products and systems. Common software defects can be readily exploited by unauthorized parties to alter the security properties and functionality of the software for malicious intent. Such defects can be accidentally or intentionally inserted into the software at any point in its development or use, and subsequent acquirers and users have limited ways of finding and correcting these defects to avoid exploitation.

Because it is so important for developers to fully understand all of the public libraries they may be using in conjunction with their own custom code, Wibu-Systems maintains complete transparency of the open source software components and versions that we integrate into our CodeMeter protection and licensing tools. That way, both ISVs and end users can monitor for any new issues that may arise with these components and address them quickly.

The Gravity of IIoT Endpoint Security
By Daniela Previtali, 30 Jul 2018
https://www.wibu.com/kr/blog/article/the-gravity-of-iiot-endpoint-security.html

Endpoints are ubiquitous across the IIoT landscape, and the 2018 SANS IIoT Survey reveals that IIoT endpoint security is the leading concern.

IIoT endpoint security was the leading concern of respondents to the 2018 SANS IIoT Survey: Shaping IIoT Security Concerns. The SANS Institute is a cooperative research and education organization and a leading source for information security training and security certification. More than 200 respondents participated in the survey, spanning various industries including energy/utilities, cyber security, government/public sector, technology and education/training.

There are many interesting insights in the survey report and if you are a stakeholder in the IIoT economy, I highly recommend that you read it. Among the many findings that have confirmed Wibu-Systems’ IIoT security recommendations in the past few years, several points stood out. The first is the fact that the definition of an IIoT endpoint and its relationship to an IIoT device is still being debated. The Industrial Internet Consortium (IIC) Vocabulary Report defines an endpoint as a “component that has computational capabilities and network connectivity.” The SANS report points out that a device manufacturer may consider the single, embedded sensor or actuator as the IIoT endpoint, while a system integrator may define that endpoint as a collection of such devices serving a particular function within a larger subsystem. The asset owner may consider an endpoint as a more complex system that is masked behind a gateway or edge device, such as a wind turbine or cooling tower.

Agreement by all industry participants on this definition is important because endpoints are ubiquitous across the entire IIoT landscape. The report also points out that an endpoint should be characterized specific to the IIoT system of which it is a part, especially if the endpoint requires configuration or programming based on its intended use in the system. This is essential for developing appropriate protective mechanisms against known and, in some cases, unknown attack vectors. The IIoT community is embracing the development of best practices around endpoint security, as described by the IIC white paper, “Endpoint Security Best Practices,” published March 12, 2018.

Another point in the report that stood out was the differing viewpoints around ownership of the development and enforcement of endpoint security mechanisms. Does it reside within the realm of IT or OT? IIoT has blurred traditional IT and OT infrastructure boundaries and added a level of confusion to the inevitable convergence of the two realms, particularly in regards to security.

The report notes that within each of the responsible segments, the perception of what part of the IIoT is most vulnerable and at risk depends on where the responsibility for managing IIoT risk lies:

  • The IT team, company leadership and management tend to emphasize data accessibility, reliability, availability and integrity.
  • Department managers emphasize networking and infrastructure appliances.
  • The OT team emphasizes the specific systems related to the IIoT endpoints and then the devices.

Where responsibilities for endpoint security lie is also confused by the fact that perceived and actual responsibilities differ within each group. The survey indicates that the IT team is most concerned with the protection of data, guarding against financial loss and compliance with industry regulations, while the OT team emphasizes increases in reliability, availability, efficiency and production, safety inside the organization, and protection of equipment and systems.

The report further points out that members of the OT department, the individuals who are likely the most knowledgeable about IIoT implementation, appear to be the least confident in their organization’s ability to secure these devices, while company leadership and management, including department managers, seem to be the most assured.

One of the conclusions in the report indicated the necessity to harmonize the viewpoints of IT and OT teams and any third-party product and service providers, especially as related to IIoT security requirements, threats and risks. Both IT and OT need to understand the risks imposed by new or existing IIoT devices connecting to the Internet and the corporate network. And, both need to know how to track and manage these risks as a team.

You can learn more from security experts and editors of IIC’s Industrial Internet Security Framework in an on-demand webinar, IIoT Endpoint Security – The Model in Practice. The presenters outline in detail the significance of data protection, physical security, root of trust, endpoint identity, access control, monitoring and analysis, secure configuration and management, and integrity protection of IIoT endpoints.

Just Another Brick in the Wall
By Daniela Previtali, 17 Jul 2018
https://www.wibu.com/kr/blog/article/just-another-brick-in-the-wall.html

"Bricking" in software license management translates into the ability to lock down a license if inappropriate or illegal use of the software is detected.

“Bricking” is a widely used term describing an electronic device, such as a smartphone, game console, router, or tablet computer, that has been rendered useless due to severe physical damage, a serious misconfiguration, corrupted firmware, or a hardware problem.

Techopedia explains that bricking can occur for a number of reasons. The most common occurrence is when an attempt to update the firmware of the device is interrupted by a power outage, user intervention or some other disruption that stops the update process, which inadvertently causes the existing firmware to be overwritten and rendered useless. Bricking can also be caused by the introduction of malicious or incompatible software, such as when firmware intended for a different hardware version of the device is installed.

In some cases, however, it has been speculated that electronics manufacturers may integrate software that intentionally bricks a device as a way of penalizing users who unlock their device for unauthorized use. For example, a recent report from Vice notes that Apple’s recent iOS 11.3 update appears to be bricking iPhone 8 units with screens provided by third party repair shops. It is assumed that the bricking is an attempt to discourage use of third-parties for repairs, which may be a more convenient or less expensive solution for a user than going through an Apple dealer.

More recently, software updates for the popular Nintendo Switch gaming console are said to have included code that appears to be bricking consoles that are illegally using third-party accessories. The speculation suggests that Nintendo is trying to stop users from exploiting the Switch with hacks to make it run software other than intended. Nintendo later issued a statement recommending that Switch owners only buy officially licensed Switch products, as others don’t undergo Nintendo’s rigorous testing and evaluation process.

From an end user standpoint, bricking is a tough lesson learned, whether the root cause be an inadvertent occurrence or an intentional act, and an approach not to be taken lightly should an ISV find an enterprise customer using their software illegally. There may be many reasons why an end user organization may be inadvertently using unlicensed copies of software – they may not have the internal resources to adequately monitor software downloaded on end user computers for licensing compliance; end users may bring their own devices with illegal software installed; or network managers simply don’t completely understand the licensing policies of the ISV. On the other hand, there are those who outright pirate software without regard for legal consequences or monetary damages to the ISV.

Either way, short of bricking, it behooves an ISV to have the ability to lock down a license if inappropriate or illegal use of the software is detected. Here are a few scenarios in which an ISV would want the capability to lock down its software:

  • A hacker is attacking the software in the background with plenty of time for reverse engineering. The ISV can integrate mechanisms to identify the attempted hack and put a limit on the number of recognizable attempts the hacker can try before locking down the software.
  • A dongle containing a valid license may be lost or stolen, or the customer is attempting to mislead the ISV to get a new license for free. In that case, the ISV can lock down the original license associated with the dongle before shipping a new one.
  • A software installed license is no longer accessible, whether the PC was undergoing maintenance and the user could not disable the license before the maintenance, or the customer is simply vying for a new license to install on another computer. The original license can be locked down before issuing a new license and rendering the original license invalid in case it gets “discovered” again.

There are many ways ISVs can manage license entitlements and take action when necessary, short of bricking the computer at any sign of irregularity. This one-hour on-demand webinar, Setting Licenses Free vs. Locking Them Down, will take you through the various scenarios and action steps that are available with the CodeMeter protection and licensing platform.

A Shift to the Left for Application Security
By Daniela Previtali, 10 Jul 2018
https://www.wibu.com/kr/blog/article/a-shift-to-the-left-for-application-security.html

The speed at which development teams are releasing new software is making it difficult for the security operations team to keep up.

A recent article in SD Times highlighted the trend of more and more aspects of software development being forced to “shift left” in the development lifecycle: the speed at which development teams release new software makes it difficult for the security ops team to keep up. As a result, the responsibility for creating and enforcing security policies is shifting back towards the DevOps teams.

Rani Osnat, VP of product marketing at Aqua Security, noted in the article that “because of the speed at which code is updated and delivered, security can no longer be thought of as an afterthought… Operations teams can no longer accept an application as is and plan on securing it once it is deployed in the runtime environment.”

Osnat went on to point out that what’s happening is that “developers are developing more applications faster and delivering code faster than security can catch up to. That’s something where really the only way to address it is not to just give more work to security, but to move some of the burden to the developers in using best practices to secure applications when they are developed.”

From the standpoint of Wibu-Systems, of course, we have devoted ourselves to communicating to ISVs the importance of implementing security by design strategies and providing mechanisms to protect software from even the most unscrupulous hackers.

One of the most secure software protection mechanisms that we recommend is a technique we call CodeMoving. In this case, the application code is moved into a dongle (CmDongle) and executed within that safe environment, making it impossible for a hacker to discern anything about the code and its function.

CodeMoving allows the developer to create as many code fragments as desired for execution in the CmDongle. To move the code, the application is encrypted with our AxProtector tool; all functions to be moved are compiled by AxProtector and encrypted within the application. During runtime, the block in question is moved into the CmDongle, decrypted, and executed with the right input parameters. The output parameters are then returned back to the application.

An internal CodeMoving-API, which provides AES and SHA cryptographic functions, can be used to increase the protection level. Data can be saved temporarily and used again when the next function is called up. Hidden data can also be accessed, although security dictates that this can only be done within the product item that the code fragment is decrypted with.

Given the expectations and demands for accelerated software development cycles it is unrealistic to expect ISVs to understand and keep up with state-of-the-art software security practices. That’s why so many developers are turning to security experts like Wibu-Systems to fill that gap. You can read more about the CodeMoving technique and other software licensing and protection mechanisms in our most recent KEYnote magazine.

The Future of Industrial System Monetization
By Daniela Previtali, 18 Jun 2018
https://www.wibu.com/kr/blog/article/the-future-of-industrial-system-monetization.html

The Dynamic Monetization model proposes to move the payment for industrial systems from upfront to the time of usage, with revolutionary consequences.

The software industry’s move towards pay-as-you-go and subscription licensing is fueled by the success of Microsoft, Adobe, Salesforce and others who have revamped their business models to take advantage of the flexibility of cloud-based services and give their customers usage-based options. That trend will no doubt continue as ISVs scramble to retool their packaging and delivery models to accommodate their customers’ preferences while keeping sight of the monetization of their software offerings.

But what about the software driving millions of devices in the IoT, or more specifically, the industrial IoT where connected machines, artificial intelligence, massive data exchange, machine learning and other Internet-driven technologies are shaping the smart factories envisioned in the next industrial revolution, now called Industry 4.0? Would a usage-based monetization scheme work in such a complex environment across the entire industrial supply chain? Quite possibly, but first let’s take a look at the conventional payment model and the challenges it presents.

Industrial systems are expensive to build. The operational user typically pays for the entire system upfront, before any revenue has been generated to offset the expense. It could take years for the operational user to realize a substantial ROI on the investment. At this point, all of the financial risks rest upon the operational user. If the operational user requires a loan to initially finance the capital equipment purchase, the risk is even higher. If the system fails or is not profitable, the operational user is at further risk of financial loss or even bankruptcy. This process can be a roadblock to innovation, as banks are more restrictive with loans for what might be considered a high-risk system with no successful track record behind it. This scenario becomes even more complex when the relationship between the machine builders and component suppliers comes into play, considering factors like system pricing and discounts and their impact on profits.

The aforementioned scenario is a simplistic example, yet it begs the question whether a usage-based monetization method could exist in a modern industrial environment. The potential benefits of usage-based monetization of industrial systems are readily identifiable: reduction of large upfront payments for expensive machinery by the operational users; shared risks and rewards between machine builders, component suppliers and operational users; and revenue generation based on operational usage, providing for a more equitable distribution of profit.

Among the many challenges to a usage-based model, two stand out:

  1. Industrial systems typically incorporate many thousands of components from hundreds to thousands of different suppliers. No efficient tracking method currently exists capable of delivering accurate usage payments to all these providers.
  2. Some components require payment upon delivery and it is simply not realistic to pay for such components as a result of usage.

To be successful, an efficient pay-per-use monetization model will require a standardized process for all components and the ability to function autonomously and automatically. The Industrial Internet Consortium (IIC) is currently looking into modern monetization methods for industrial systems that could, in fact, change the traditional payment paradigm to a universal dynamic usage-based model that takes advantage of the systems’ connectivity to the Internet.

As a starting point for discussion, the IIC has drafted the Industrial Internet Monetization Model (I2M2) which presents various monetization scenarios and how they might fit within a world of varying business models, components and systems and the relationships with different participants like Operational Users, Component and System Builders. One of the promising scenarios is the Dynamic Monetization method, which proposes to move the payment for industrial systems from upfront to the time of usage.

You can learn more about these newly proposed monetization methods in an article published in the IIC’s Journal of Innovation. The article, I2M2 – the Future of Industrial System Monetization, was written by Marcellus Buchheit, President and CEO of Wibu-Systems USA, co-chair of the IIC Trustworthiness Task Group, and contributor to the IIC’s Industrial Internet Security Framework.

Unlicensed Software and Malware are Related
By Daniela Previtali, 12 Jun 2018
https://www.wibu.com/kr/blog/article/unlicensed-software-and-malware-go-hand-in-hand.html

Alarming insights and compelling guidelines in the 2018 BSA global survey: Software Management: Security Imperative, Business Opportunity.

Software has become an essential tool for global businesses to perform their fundamental everyday tasks. Software adds value in the way organizations conduct business, improve profitability, reach new markets, and gain competitive advantages. Too often, however, the benefits of these efforts are marginalized by the widespread use of unlicensed software and the often-crippling security threats that accompany it.

That’s one of the main takeaways from the BSA | The Software Alliance’s 2018 Global Software Survey: Software Management: Security Imperative, Business Opportunity. The survey conducted by BSA, the leading advocate for the global software industry, quantifies the volume and value of unlicensed software installed on personal computers in more than 110 countries and regions, and includes nearly 23,000 responses from consumers, employees, and CIOs in those areas.

Despite a global two-point drop in unlicensed software installation rates during the last two years, the survey disclosed that unlicensed software is still being used around the globe at alarming rates, accounting for 37 percent of software installed on personal computers. Regionally, the unlicensed usage rates keep showing dire numbers: Asia Pacific, Central and Eastern Europe at 57%, Latin America at 52%, Middle East and Africa at 56%, North America at 16%, and Western Europe at 26%. The aggregation of all the individual license breaches translates into startling losses for software manufacturers in the trenches and consequently national economies that account for $16.4B in Asia-Pacific, $9.5B in Western Europe and North America, $5B in Latin America, $3.1B in Middle East and Africa, $2.9B in Central & Eastern Europe. That’s to say that the value of unlicensed software is estimated at $46 billion worldwide.

Although some of the abatement comes from fewer PC shipments, the BSA recommends that organizations embrace a three-step process consisting of assessing trustworthy data, improving management across the entire IT asset life cycle, and optimizing the analysis in key functional areas. Furthermore, governments, commonly the largest users of software in the world, can lead by example, increase public education and awareness, modernize laws to account for new innovations, and create a conducive environment for enforcement.

In addition, the survey found the link between increasing malware attacks and unlicensed software to be indisputable, as a higher rate of unlicensed software use correlates directly with the higher likelihood of a debilitating malware infection.

The report noted that organizations face a 33% chance of encountering malware when they obtain or install unlicensed software, and dealing with the malware associated with unlicensed software can cost more than $10,000 per infected computer. Sixty-eight percent of computer users and 48 percent of CIOs rated malware among the top three reasons not to use unlicensed software. As a result, many CIOs are realizing the true costs of unlicensed software, including the loss of corporate or personal data, system downtime, network outages, and the cost of disinfecting systems.

In China, for example, 66% of software is reportedly unlicensed and the country has incurred devastating malware attacks that crippled an estimated 40,000 Chinese institutions, halted the electronic payment systems throughout the country at PetroChina’s gas stations, shut down ATMs run by the Bank of China, and impacted the operations of major companies like China Telecom and Hainan Airlines.

While the overall findings indicate that unlicensed software usage is still widespread, several other key trends emerged that greatly impact the enterprise landscape:

  • CIOs are finding unlicensed software is increasingly risky and expensive
  • Improving software compliance is now an economic enabler and security imperative
  • Organizations can take meaningful steps today to improve software management and achieve important gains

What is the takeaway for ISVs? While the survey was focused on enterprise CIOs and end users, the data suggests that ISVs can help compliance efforts by offering licensing models that make enterprise licensing easier to implement and manage. Today’s software managers require flexibility in licensing, delivery, reporting, and management, which ultimately serves to cut costs as well. For example, the BSA report highlighted a 12,000 employee German company, OSI International Foods, that had reduced post-licensing costs by more than 30 percent by implementing a more effective software licensing model.

Furthermore, ISVs can help to reduce the risks of malware by integrating strong protection measures into their software to prevent illegal software copying and counterfeiting and enable secure licensing via hardware devices or machine bound licensing to make it more difficult to employ unlicensed copies. 

Every Vote Counts
By Daniela Previtali, 5 Jun 2018
https://www.wibu.com/kr/blog/article/every-vote-counts.html

With national elections soon coming up in the U.S., the mere thought of further interference with the democratic process is raising deep concerns.

The potential danger of cyberattacks is present in virtually every facet of our lives, whether it be tampering with medical devices, attacks on critical civil infrastructure, prying into our connected home devices, or theft of personal data. Even cyberthreats to our political processes are now a clear and present danger. The disruption of the U.S. 2016 presidential election by cyberattacks, where Russian hackers purportedly targeted election systems in 21 states, is a prime example. These attacks led to personal information being exposed and two voter registration systems being temporarily shut down. With national elections coming up in the U.S. in November, the mere thought of further interference with the democratic process is raising deep concerns. In a survey of 5,000 voters, published earlier this year, cybersecurity firm Carbon Black found that one in four U.S. voters was considering not voting in upcoming elections due to concerns such as theft of personal data from election databases.

The Washington Post recently convened a panel of more than 100 cybersecurity leaders from across government, the private sector, academia and the research community to discuss these issues. When surveyed, nearly all agreed that U.S. state election systems were not sufficiently protected against cyberthreats. One panelist described the election systems as “massive, distributed IT systems with thousands of endpoints and back-end systems that hold and process large volumes of highly sensitive data” and noted that protecting such systems “is no small feat”.

GenKey, a leading global provider of large-scale, biometric identity solutions for governments, public institutions and businesses, addressed the problem of potential election hacking by investing in Wibu-Systems CodeMeter software protection, licensing and security technology. With headquarters in the Netherlands, one of GenKey’s missions is to prevent identity fraud in emerging countries with solutions for voter management, medical ID handling/claim processing and large-scale identity management.

GenKey’s involvement with elections in the African nation of Ghana is documented in an interesting case study; it entailed countrywide deployment of up to 26 thousand voting machines to support more than fifteen million potential voters. At the scale of a national election’s distributed computing needs, it was critical that the integrity of the results was maintained and above any suspicion, and that the biometric data of each voter was protected.

GenKey integrated CodeMeter technology to secure the software in its voting machines. CodeMeter employs both symmetric and asymmetric encryption. The program code is encrypted using symmetric 128-bit AES encryption. Upon starting the application, asymmetric cryptography (ECC, 224 bit, or RSA, 2048 bit) is used to verify the digital signature. Before a GenKey system is shipped, it is loaded with software that is protected with CodeMeter. The encrypted code is bundled with a license file into a complete package. When each system boots up, the embedded software calls this file, using a digital signature to verify its authenticity. A list of conditions is then verified, such as the validity of the license or the matching of the hardware features that were bound to the license during the encryption process. This ensures a high level of security and integrity for the biometric data while protecting the software against potential counterfeiting and misuse during polls.
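The boot-time flow just described, as an added example that is not CodeMeter's code or GenKey's deployment: a vendor signs a license file (bound to a hardware fingerprint and a validity window) with an ECC P-224 key, the program image is encrypted with AES-128-GCM using the license bytes as associated data, and at start-up the device verifies the signature, checks the conditions, and only then decrypts. The license format, its field names, the fingerprint strings and the image contents are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the non-secret license file shipped next to the encrypted code (constructed format).
type License struct {
	HardwareID string `json:"hardware_id"` // fingerprint the license was bound to at encryption time
	NotAfter   int64  `json:"not_after"`   // unix time after which the license is invalid
}

// ProtectedPackage is what a system is loaded with before it ships.
type ProtectedPackage struct {
	LicenseJSON []byte // exact bytes the vendor signed
	Signature   []byte // ECDSA P-224 (ASN.1) over SHA-256(LicenseJSON)
	SealedCode  []byte // AES-128-GCM nonce || ciphertext, with LicenseJSON as associated data
}

// BuildPackage signs the license and encrypts the code. Using the license bytes as GCM associated
// data binds the ciphertext to this exact license, so a genuinely signed license from another unit
// cannot be paired with this code.
func BuildPackage(vendor *ecdsa.PrivateKey, codeKey []byte, lic License, code []byte) (ProtectedPackage, error) {
	licJSON, _ := json.Marshal(lic) // a string and an int64 always marshal
	digest := sha256.Sum256(licJSON)
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, digest[:])
	if err != nil {
		return ProtectedPackage{}, err
	}
	block, _ := aes.NewCipher(codeKey) // codeKey is always 16 bytes here, so neither call can fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ProtectedPackage{}, err
	}
	return ProtectedPackage{licJSON, sig, gcm.Seal(nonce, nonce, code, licJSON)}, nil
}

// Boot is the start-up check on the device: authenticate the license file, verify its conditions
// against this machine and clock, and only then decrypt the code. vendorPub and codeKey are what
// the dongle or secure store holds; the application itself never handles codeKey.
func Boot(vendorPub *ecdsa.PublicKey, codeKey []byte, pkg ProtectedPackage, hardwareID string, now time.Time) ([]byte, error) {
	digest := sha256.Sum256(pkg.LicenseJSON)
	if !ecdsa.VerifyASN1(vendorPub, digest[:], pkg.Signature) {
		return nil, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(pkg.LicenseJSON, &lic); err != nil {
		return nil, err
	}
	if now.Unix() > lic.NotAfter {
		return nil, errors.New("license expired")
	}
	if lic.HardwareID != hardwareID {
		return nil, errors.New("license bound to different hardware")
	}
	block, _ := aes.NewCipher(codeKey)
	gcm, _ := cipher.NewGCM(block)
	ns := gcm.NonceSize()
	if len(pkg.SealedCode) < ns {
		return nil, errors.New("sealed code truncated")
	}
	code, err := gcm.Open(nil, pkg.SealedCode[:ns], pkg.SealedCode[ns:], pkg.LicenseJSON)
	if err != nil {
		return nil, errors.New("code does not belong to this license")
	}
	return code, nil
}

func main() {
	vendor, _ := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) // vendor signing key, created off-device
	key := make([]byte, 16)                                        // AES-128 code key provisioned into the secure store
	rand.Read(key)
	lic := License{HardwareID: "hw-unit-0001", NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC).Unix()}
	pkg, err := BuildPackage(vendor, key, lic, []byte("voting-app image (constructed)"))
	if err != nil {
		panic(err)
	}
	now := time.Date(2018, 6, 5, 0, 0, 0, 0, time.UTC)
	code, err := Boot(&vendor.PublicKey, key, pkg, lic.HardwareID, now)
	fmt.Printf("genuine boot: %q (err=%v)\n", code, err)
	edited := pkg // attacker extends NotAfter in the license file; the vendor signature no longer matches
	lic.NotAfter += 365 * 86400
	edited.LicenseJSON, _ = json.Marshal(lic)
	_, err = Boot(&vendor.PublicKey, key, edited, lic.HardwareID, now)
	fmt.Println("edited license:", err)
	_, err = Boot(&vendor.PublicKey, key, pkg, "hw-unit-0002", now) // same package copied to another machine
	fmt.Println("other hardware:", err)
}
```

Because the license bytes are GCM associated data, even a license the vendor genuinely signed for a different unit fails at the decryption step when paired with this unit's sealed code.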

Beyond this example, the CodeMeter software protection, licensing and security platform is being deployed across a wide array of business sectors, including medical equipment and healthcare solutions, industrial equipment, factory automation, retail and banking and a host of others. 

New Breed of Embedded Software Engineers
by Daniela Previtali, Tue, 29 May 2018
https://www.wibu.com/kr/blog/article/transformation-of-the-embedded-software-engineer.html

Embedded software engineers of the future will have a very different skillset from their predecessors. Where does the software security skillset fit?

An article by Jacob Beningo that appeared recently in Design News caught my eye and raised an interesting question. The main premise of the article, “The Soon-to-Be-Extinct Embedded Software Engineer,” was that “embedded software engineers of the future will have a very different skillset from their traditional predecessors. They’ll know how to call an API to make the hardware do something, but they won’t know why or how it does it.”

One of the main drivers of this transformation is the IoT, where the push to connect every device to the Internet is creating an unprecedented demand for embedded software engineers. As a result of this demand, companies are finding themselves shorthanded when it comes to the availability of embedded software developers. For expediency, instead of training new engineers, companies are turning to application developers who have experience with Windows applications or mobile devices but have little understanding of low-level hardware.

Mr. Beningo goes on to say that “future embedded software engineers will not be masters of bits and bytes like their predecessors, but rather will have high-level application development skills. Hence, they will know how to call an API to make the hardware perform a function, but not necessarily why or how it does it.” He concludes that rapid innovation often allows teams that might otherwise have been lacking critical skills to still be successful. However, the need for knowledge offered by the traditional embedded software engineer is still required to bridge the gap between the hardware and the new embedded application developers.

As I alluded to earlier, the article raised an important question for me: where does the software security skillset fit in the transformation to the new breed of embedded application developers? As Mr. Beningo noted, the development of software-driven IoT devices is a main driver of this transformation and is putting companies under extreme pressure to commercialize connected devices rapidly. At the same time, the proliferation of cyberattacks and threats to IoT devices and data has emphasized the critical need to design in software protection mechanisms that thwart these attacks. Even more concerning is that many of these attacks go beyond merely causing inconveniences, performance snags, or confusion, and jeopardize human safety.

Under the increasing cloud of cyberthreats, the question is who owns the security-by-design approach required for intelligent device development – the traditional embedded software engineer or the new breed of application developer applying their skills to embedded systems? Who is best equipped to implement code encryption, integrity protection, secure boot and all of the other critical security mechanisms required to protect these devices?

Many companies are relieving their internal developers and software engineers of the mounting pressure of understanding all of the nuances of software security by turning to experts like Wibu-Systems to work with them to integrate established and tested protection mechanisms into their software. This approach allows their own software engineers to focus on what they know and do best. Many of the key concerns of IoT device security and proven approaches to address the issues are covered in this whitepaper, Licensing and Security for the IoT, which can be readily downloaded. Knowledge of these software protections and partnerships with those who understand how best to implement them will go a long way towards empowering the next generation embedded software engineer to develop safe and secure IoT devices.

New Product Piracy Report – Same Old Story
by Daniela Previtali, Wed, 09 May 2018
https://www.wibu.com/kr/blog/article/new-product-piracy-report-same-old-story.html

The VDMA Product Piracy Study 2018 indicates that, while the overall scale of damage remains unchanged, damages have worsened in the last two years.

The VDMA, the advocacy organization for Germany’s mechanical and systems engineering industry, has released data from its latest research on product piracy (Product Piracy 2018), and once again the results are alarming: 71% of the enterprises in Germany’s industrial engineering sector are directly affected by product or brand piracy, with damages estimated at €7.3 billion annually.

Conducted every 2 years, VDMA’s survey seeks to determine the current state of threats posed by counterfeiters, pirates and forgers. The study is mostly concerned with the illicit reproduction of products, or more specifically, the imitation of products in breach of special proprietary rights or imitation of products without any breach of proprietary rights, but against accepted competitive practice.

This year’s study, completed in March 2018, determined that the overall scale of damage from product piracy remains relatively unchanged from 2016, while, surprisingly, 39% indicated that damages had worsened in the last 2 years. The People’s Republic of China remains the grand champion of the countries named as the origin of piracy, with 82% of counterfeits made there and 44% sold there. By comparison, Germany was second, with 19% of respondents naming it as the country of origin.

Beyond the damages of IP theft, public safety is also a major casualty of counterfeits: 36% of companies reported counterfeits that endanger their operators, users, and the environment while 46% of the participants see the counterfeits they have identified as a danger to the effective operations of industrial facilities.

How are these companies protecting their IP and product innovations from piracy? Most (61%) of the participating companies consider piracy to be a legal management issue but are engaging other areas of their organization to join the fight. R&D functions (42% of cases), legal and patent affairs offices (34%) and even sales and marketing (29%) have become actively involved. However, before trying legal recourse, most companies will first attempt to settle such matters out of court. More than one third of the affected companies would not, however, take any action at all. This applies in particular to small and medium-sized enterprises.

Unfortunately, the data suggests that current legal efforts have not stemmed the tide of global product and/or brand piracy, which continues to pose a major danger to the industry. And, with the emergence of the IoT and Industrie 4.0, fueled by millions of connected devices and the communication of sensitive data over the Internet, the dangers to public safety loom even larger.

The VDMA is working closely with security experts like Wibu-Systems and other industry organizations to develop strong and preventive measures that make it more difficult to copy or reverse engineer product designs, secure data, and add a measure of safety to industrial processes. Some of those protection mechanisms are outlined in VDMA documents, Product and Know-how Protection, and, Industrie 4.0 in practice – solutions for industrial applications.

For our part, Wibu-Systems has dedicated itself to eradicating sabotage, espionage and cyber-attacks in smart factories. With our flagship CodeMeter® licensing and protection platform, developers can safeguard digital assets and product know-how that reside in machines as well as on personal computers, industrial PCs, embedded systems, mobile devices, tablets, programmable logic controllers and microcontrollers against software counterfeiting, product piracy, reverse engineering and machine code tampering.

Security Requirements for Medical Devices
by Daniela Previtali, Mon, 23 Apr 2018
https://www.wibu.com/kr/blog/article/security-requirements-for-medical-devices.html

When choosing the right system software for medical devices, secure communications, multi-CPU design, modularity and scalability are key.

Software has become ubiquitous in the healthcare industry given its widespread use for controlling medical devices and health information systems and for communicating and maintaining electronic patient data, all in an increasingly connected environment. For embedded system developers in particular, choosing the software best suited for the design of the medical device and its end use is critical. Options abound – use a commercial off-the-shelf product or create their own? Employ a real-time operating system or a general-purpose operating system such as Linux or Android? And what security mechanisms will be incorporated to protect software from malicious tampering and to ensure secure data transmission and storage?

Wind River recently published an interesting white paper, Choosing the Right System Software for Medical Devices, that explores many of the essential considerations that will help developers in making their choices. As Wind River points out in the paper, while the needs and requirements for each device will vary, as will the features, functions, and capabilities, it is critical to evaluate the full range of options before making the selection. Among the many key considerations are shelf life, an easy-to-understand user interface, secure and stable communications, multi-CPU system design, connectivity, modularity and scalability.

Additionally, the choice between commercial and open source development options requires careful consideration. While each has advantages and trade-offs, Wind River notes that the choice typically comes down to the completeness and sophistication of commercial offerings versus the low cost and ubiquity of open source software. From a safety standpoint, the medical device system software needs to support security features that protect against malware and also deliver secure data storage and transmission. The system software also needs to support the secure upgrade, download, and authentication of applications to help keep devices secure across an ever-changing threat landscape.

As open source software continues in popularity within the development community, commercial vendors too are focusing on software solutions that specifically address the unique challenges of medical devices. Companies like Wind River and Wibu-Systems, for example, offer integrated solutions that leverage each other’s technology expertise. With the integration of Wibu-Systems’ CodeMeter security platform with Wind River’s Security Profile for VxWorks®, the world’s most widely deployed commercial RTOS, developers of connected medical systems have access to a fully scalable solution that features best-of-breed security for device, data, and IP protection, and additional licensing management options to expand business opportunities for applications developed on the VxWorks platform. You can read a more detailed description of the joint technology in this solution brief.

Beyond functionality and security, however, medical device developers must also weigh additional economic and operational factors affecting the healthcare industry. For example, given the burgeoning costs of healthcare, developers must take into account a mandate to minimize cost per capita of each person’s healthcare while reducing the cost of the devices themselves. With expanded features and sophistication of the devices, they must be readily understandable and easy to operate by both the professional and non-professional care givers who will use them. And they must work every time.

Medical device software developers have much to consider, particularly when human lives are at stake.
