Wibu-Systems Blog

Stay secure

Posted by Terry Gaul on Dec 22, 2015 5:21:21 AM

The close of a year and the anticipation of what’s to come in the New Year always brings about some interesting reviews of the past 12 months and predictions for the future by industry analysts, company executives and the trade press. Two articles recently caught my attention.

The first was an article on healthcareanalytics.com that noted Healthcare IoT topics dominated their top 10 stories of 2015. In fact, three IoT related stories made their top ten, including the year’s most popular story, Why Healthcare Big Data Analytics Needs the Internet of Things.

I found this quote from writer Jennifer Bresnick in particular to be a very clear indicator of the power of the IoT for healthcare: “While some may view the IoT as the perfect set-up for a post-apocalyptic novel, it has real power for healthcare. Analytics systems that integrate medical devices like imaging machines and bedside monitors can reduce unnecessary spending, improve diagnostic accuracy, and slash repeated tests. Monitoring hand hygiene through internet-connected sanitizer stations can cut infection rates and save lives. Increasing patient engagement through smartphones and patient-generated health data doesn’t just improve satisfaction and overall health, but it also helps providers get paid.”

Secondly, Jahangir Mohammed, a member of the World Economic Forum, published his 5 Predictions for the Internet of Things in 2016. His first prediction caught my eye and I couldn’t agree more:

1. “The ‘security of things’ will take centre stage. In 2015, the market saw tremendous growth in the number of connected devices, and that proliferation gave rise to concerns about the security of IoT. Next year will be the one where IoT security takes centre stage – and the winners will be the solution providers who can help enterprises not only deliver connected services, but secure them, too.”

These two thoughts go hand in hand. There is great potential for the IoT to dramatically change the healthcare delivery landscape, from improving patient safety and outcomes to enhancing the way care is delivered. But, success will be predicated upon the ability to integrate these connected systems, devices and data in a secure manner while ensuring patient privacy and protecting against cyberattacks. And this applies to all industries where IoT solutions are being developed and deployed, and that’s just about everywhere.

Fortunately, technology exists today that enables device developers to incorporate security into their designs and provide that safety assurance. Wibu-Systems co-Founder and CEO Oliver Winzenried wrote an interesting article that appeared in Medical Device Developments magazine recently, entitled Stay Secure, where he addressed both the challenges and the security solutions for the medical device industry.

He wrote: “Manufacturers of IoT devices in the medical space must implement security mechanisms by design to safeguard patients’ safety and privacy, and device availability and robustness against cyberattacks and product piracy.”

The article goes into great depth about technologies that will help developers effectively meet these challenges.

Topics: embedded security, Internet of Things, cybersecurity

Software licensing: it's all about flexibility and security

Posted by Terry Gaul on Dec 14, 2015 11:23:11 AM

IDC recently released their annual top 10 software licensing and pricing predictions for 2016 and I think they are right on target based upon feedback from organizations who are using our CodeMeter secure licensing platform.  I believe a few of the predictions will have an immediate impact on software developers:

  • Software subscription revenues will continue their rapid growth trajectory
  • Software license complexity will indirectly cost organizations an average of 25% of their software license budgets in 2016
  • At least three software vendors will announce in 2016 the intent to end all perpetual licensing

There are many more details outlined in the report, but the bottom line for me was that the licensing environment is rapidly evolving and software publishers, now more than ever, need to have the flexibility to roll out new licensing models to meet their customers’ needs and achieve their own software monetization goals. Let’s take a brief look at some of the license models that are currently in play, ranging from single user/network licenses to modern consumption and user-based models:

  • Single user license: the license is stored on a local PC or dongle plugged into the local PC.
  • Single user license in a virtual machine: the license is bound to a virtual machine and when the virtual machine is copied, the license becomes invalid.
  • Network license: the license is stored on a license server in the network.
  • Feature-on-Demand license: individual licenses are used to activate specific product features and modules.
  • Perpetual license: the license never expires.
  • Demo/Trial license: the user can only access specified features for a limited time.
  • Rental, Leasing, Subscription License: the developer specifies how long the license is valid.
  • Pay-per-Use license: billing is based on the number of units used.
  • License with software assurance: a perpetual license with a maintenance agreement that includes automatic updates.
  • License with downgrade-right: the license provides the right to optionally use older versions of the program.
  • License with upgrade-right: the license covers the right to optionally use a newer version of a program.
  • Grace period license: software can be used for a limited time without activation.
  • Volume licensing: the customer is sent a large number of licenses to cover the required number of seats.

This is just a short list of licensing options (read an expanded list of licensing options here) which could possibly double in size by next year. Whether you are using your own homegrown licensing solution or you’ve outsourced to licensing professionals, it is imperative that you have the flexibility to adjust your model as the market dictates.

Finally, let’s go back to the IDC report. One surprising note was that there was no mention of license security. No doubt, secure software licensing is at the forefront of the discussion, particularly in the rapidly growing IoT sector. We’ve covered IoT security in this blog frequently and will continue to post more thoughts in the coming months as the market emerges.

Topics: License Management, CodeMeter, secure licensing, software licensing

Security by Design for connected devices

Posted by Terry Gaul on Dec 4, 2015 7:52:53 AM

There were some interesting findings released in a global study this past June conducted by Harbor Research (in conjunction with Progress Software) on the State of IoT: 2015 Global Developer Study. Not surprisingly, inexperience, interoperability and security were at the top of the list of challenges mentioned by 678 developers polled in the study. Here are a few of the key findings: 

  • Only 50% of developers say they have the skills, resources and technological tools to deliver on IoT expectations.
  • Interoperability, integration, security and privacy are among the top concerns of IoT developers
  • Low levels of monetization reflect business models that have not kept pace with technology advances
  • Current activity to address these issues is scattered among government organizations, various company alliances and other disparate groups
  • Security must be factored in from the beginning of development of any IoT product or application
  • Developers believe commercial vendors and the open source community have the greatest power to help them overcome these challenges

Certainly security and software monetization are on the top of our list and the main focus of our business. In our ongoing discussions with customers, we’re finding that more and more developers are looking to vendors like Wibu-Systems to help them address security from the start rather than later in the development process. And this is a growing sentiment with embedded system developers of connected IoT devices, in particular.

To put it all into perspective, I invite you to read our latest white paper, Licensing and Security for the Internet of Things. This document delves into the current trends in IoT device development, strategies for success, and standards for protection and licensing systems in the IoT. It also presents a detailed explanation of our extensive CodeMeter toolkit that provides protection that can be easily and securely integrated into the software. The technology protects against reverse engineering and software replication and provides integrity protection of the application, licensing options, and flexible management of access rights.

Download the white paper and learn about the benefits of security by design.

Topics: CodeMeter, embedded security, Internet of Things

Endpoint Security for a Rail System: Another Industrial Internet System Success Story

Posted by Terry Gaul on Nov 18, 2015 10:45:11 AM

When AT&T, Cisco, GE, IBM and Intel founded the Industrial Internet Consortium in March 2014, I wonder if they had envisioned how quickly the international technology community would embrace their mission to catalyze and coordinate the priorities and enabling technologies of the Industrial Internet. Many amazing collaborative solutions have already emerged – for example, RTI and Siemens teamed up on a solution to network and control hundreds of wind turbines for better control and optimization, and National Instruments and Airbus have developed tools for smarter factories. Just take a look at the many case studies published by IIC members in a variety of fields – communications, energy, healthcare, manufacturing, transportation and logistics, and security – and you will gain a sense of the enormous potential for the connected world.

Industry collaborations and technology partnerships are the foundation upon which these innovative Industrial Internet systems will be created. Wibu-Systems’ main focus is to provide the protection platform for our partners to secure these next generation systems. For example, as a member of the Infineon Security Partner Network (ISPN), we have worked closely with Infineon and other leading security vendors to secure devices and systems in various applications. In a recent collaboration, we employed Infineon’s SLE 97 security controller and our CodeMeter Embedded Protection to deliver an endpoint security solution to safeguard railway control systems.

In this use case, the safety of the application was paramount. Hardware components had to comply with an extended operating temperature range, moisture challenges, and vibrational conditions. The software security elements were tasked to guarantee the highest level of security against cyber threats while protecting IP against reverse engineering and piracy. And, the solution needed to be compatible with the real-time VxWorks operating system already in use. The multiplicity of potential attack vectors called for an endpoint security solution. The CodeMeter-based solution met all these criteria and was then integrated into the existing power-controlling infrastructure.

You can read more specific details about the cryptographic elements of the solution, secure boot mechanism and other innovative development and implementation details in this case study.

 

Topics: CodeMeter, Code Integrity, embedded security, Internet of Things, cybersecurity

Industrial Internet System Security: Several Good Questions and Many Good Answers

Posted by Terry Gaul on Nov 4, 2015 1:32:29 PM

The Industrial Internet Consortium held an interesting TweetChat last week in preparation for their Security event held on Tuesday, November 4 in NYC. The IIC-led chat posed 6 questions and received enthusiastic responses in a lively chat by the many security experts who participated. I’ll attempt to summarize answers to the questions in this post, but you can view the TweetChat in its entirety here.

Q1: What are some examples of solutions you have already seen securing Industrial Internet Systems?

This question solicited pointers to many current security solutions, from wastewater facility control networks to anomaly detection and machine-learning-based approaches to uncover malicious activities. Others mentioned security solutions for embedded devices for protecting product know-how and software IP from theft and piracy, and of course, Wibu-Systems mentioned our solutions for railway control systems, data validation and reconciliation systems, and manufacturing. Case studies of many of these solutions can be found on the IIC website.

Q2: Intentional vs unintentional threats: are there different approaches to protecting Industrial Internet systems?

There seemed to be general agreement that both types of threats will need to be addressed during the design phase, while intentional threats would require strong encryption measures and comprehensive security, and “unintentional threats require easy but strong user authentication”. The IIC unveiled an interesting security infographic of their own to add content to the conversation. 

Q3: Do the benefits of deploying Industrial Internet solutions outweigh the security risks?

This question was answered with a resounding "yes" by the group and several noted that “the greater the risk the greater the reward, and the IIoT is no exception.” Wibu-Systems cautioned that a single incident can disrupt production, compromise safety, and reveal confidential data with financial and legal consequences.

Q4: Open standards or proprietary solutions for IIoT security? Why?

Most participants agreed that Open International Standards would “allow for greater participation, ease of adoption and accessibility for security researchers.” Transparency, industry cooperation, and interoperability are key. However, a few thought that there was still room for proprietary solutions or a mixture of both. 

Q5: What new security functions will future industrial devices need to support?

User authentication, encryption, signing, access control, measures against tampering and reverse engineering, are all key security features for Industrial Internet systems. Being secure, vigilant and resilient in the connected age seemed to be the consensus for this question. 

Q6: What are some measures an organization can take to ensure their system is secure?

The common sentiments here seemed to be to adopt a security-by-design mentality, get management buy-in early, educate, take great care in the amount and manner in which data is collected, and hire experts as necessary to help design and check device security.

I’m sure this TweetChat was one of many more collaborative events focused on developing innovative solutions for securing Industrial Internet systems. Wibu-Systems is an active participant in the IIC Security Working Group and we will continue to report progress in the coming weeks.

Topics: Internet of Things, cybersecurity

How Much is Your IP Worth?

Posted by Terry Gaul on Oct 28, 2015 5:18:17 AM

The intellectual property gained during the development of an ISV’s flagship software product most likely represents an investment in hundreds and hundreds of man hours. 

The majority of that time is spent on developing features and functionality, refining, and testing to assure that the final product addresses the needs of the customers in the most effective way possible – that’s the core strength of the software engineers. The business end of the development process is in software monetization – implementing creative licensing strategies and protection against piracy to assure that the company achieves the maximum revenue it deserves. However, that capability may not be the core strength of the software engineer, which is why many ISVs are looking for help from licensing and security specialists to protect their IP investment and monetize their software.

For example, consider the case of Belsim, a spin-off company of University of Liège in Belgium. Belsim’s VALI-suite is the leading worldwide solution for Data Validation and Reconciliation (DVR) software. The VALI-suite is the result of many years of R&D and it represents the centerpiece of Belsim’s intellectual property.

According to Christophe Pirnay, Belsim’s Development Manager, "When we decided to develop VALI’s newest version in Microsoft .NET, it was clear that we also needed a partner to support the solution’s license management and to protect it against software piracy."

"We never really knew if our software was copied or used illegally", says Christophe. "We were a bit suspicious at times, but we never were sure if it was really happening. In those days, we were handling license management and software protection ourselves," he added.

Belsim recognized that license management and software protection were not part of their core business and they began to search for a security partner. Their search steered them toward Wibu-Systems’ CodeMeter software protection, licensing and security solution. CodeMeter protects VALI against unauthorized use, but also against anyone who tries to take a peek at the code. This way, CodeMeter also keeps Belsim’s competitors at a safe distance, as well as others who might try to build their own solution based on Belsim’s code.

In this case, with the help of CodeMeter, Belsim can fully concentrate on its core business – the development and implementation of software – while CodeMeter guarantees the protection that is needed at the heart of their solution.

Read the full case study and see how CodeMeter protects Belsim’s invaluable intellectual property.

Topics: CodeMeter, secure licensing, Anti-piracy, Copy Protection

Good Things Come in Small Packages

Posted by Terry Gaul on Oct 14, 2015 11:49:38 AM

The SD Association recently celebrated the 10th anniversary of the microSD™ Card.  Founded in 2000 by Panasonic, SanDisk and Toshiba, the SD Association is a group dedicated to establishing SD standards and facilitating their adoption and development. In their Thought Leadership article, the Association shares interesting facts, including that the memory capacity of the microSD card had increased 6,000 times during that 10 year period, with the latest version available to consumers today containing 200 gigabytes of storage. 

Due to their tiny form factor, microSD cards have found their way into a growing list of devices that require expanded memory, from smart phones to wearable devices and many more. For Wibu-Systems the microSD form factor is a perfect solution for protecting and licensing embedded systems and the next generation IoT devices. Our CmCard/microSD contains an integrated smart card chip with approximately 384 kbytes of secure memory available for storing more than 1,000 licenses and providing the full complement of CodeMeter security functions, including symmetric and asymmetric encryption, signatures, and the storage of X.509 certificates. At only 11 mm x 15 mm x 0.7 mm in size, the CmCard/microSD will fit in the tiniest of devices, providing both security and flexible licensing options in space limited embedded systems and Industry 4.0 sensors.

Integrated security functionality and built-in SLC flash memory are standard features in all of our CmCard form factors that include µSD, SD, Compact Flash, and CFast cards along with optional SLC or MLC flash memory for our USB Sticks. The combination offers our customers many benefits:

  • Lower costs by combining functions on a single device
  • Industrial grade design for long life
  • Field upgradeability without any changes to hardware
  • Dedicated data partitions offer application flexibility, such as storage of highly sensitive data on mobile devices
  • Prevention of software piracy
  • Protection against counterfeiting
  • Additional security for gambling machines, ATMs or other devices frequently targeted for tampering and attacks


You can learn more technical details about our flash-equipped CmDongles in our latest whitepaper, CmDongle with Flash Memory in Practice. The document illustrates the technological alternatives, the modalities of use, the possible applications, and the commercial reasons that provide the commercial advantages for Wibu-Systems’ protection, licensing, and security devices.

The white paper specifically addresses:

  • The types of memory best suited to commercial and industrial purposes
  • The available partitions (encrypted, read-only, CD-ROM, and public areas)
  • The complete calculation concerning the Total Cost of Ownership
  • The advantages of a combination product
  • The benefits in terms of increased security
  • The versatility of the many form factors
  • Real-world customer applications

Download the whitepaper

Topics: dongles, CodeMeter, CmSticks

From Stuxnet to iPhone: The evolution of modern computer viruses

Posted by Rüdiger Kügler on Sep 22, 2015 12:50:13 PM

Whether it be Stuxnet or an iPhone virus, it is people who are the cause for trouble. But let’s go back to how the story began: Just a few days ago, it was unthinkable for an iPhone to be infected with a virus. The concept of the App Store itself – which only allows the distribution of software authorized by Apple – seems to suggest that the spread of viruses through their apps would be impossible. It is the same belief we had for one of Siemens’ controllers years ago: "They can never be subject to viruses." It was just a matter of time before both assumptions were proven wrong.

What happened then? Any software running in a closed system, like an iPhone, must be signed by a software publisher. For this purpose, the developer uses a key pair consisting of a private and a public key. The private key is kept secret and used for the cryptographic signature. The public key is signed by the manufacturer of the closed system, in this case Apple, with its private key (root key). The resulting electronic document – which includes the developer’s public key and the signature from Apple – is called a certificate. For validation purposes, the closed system only requires the public key (public root key) that is already included in iOS by Apple: "Only developers that I know and trust are allowed to run software in my closed system."

In a jailbreak, this mechanism is undermined by the user of the device. A modified operating system skips this check. While any software can then run on the device, the user of a jailbroken phone inadvertently opens the door to virus threats as well. However, the issue now affects respectable users (those not using jailbreaks) too.

And why is the iPhone case so similar to Stuxnet? In both cases, the development environment of the software developer was attacked. This means that the virus had already taken hold of the software after compiling, but before signing the application. When the developer signed the software, he included the virus as well, which thus passed any verification controls unnoticed. Compared to this, the attack via Stuxnet occurred at an alarmingly lower level. The new incident exploited human vulnerability – convenience first and foremost – by offering a tampered pirated copy of Xcode for download. China was affected more significantly by it, as the use of pirated products is widespread and usually regarded as a minor offense.

What are the takeaways from this incident?

  • Even free software needs protection against piracy, protection against reverse engineering, and very robust integrity protection.
  • The signature of a software must be made in a trusted environment. For instance, the key should be safely stored in a secure hardware element.
  • Even in a closed system, we should not assume that all software will be reviewed in detail and take our security for granted. The review process is only one link in the protection chain.
  • A security solution is only as good as the weakest point in the chain. Even the best approach may be undermined, if it is not done holistically.
  • A protection solution must offer the same level of security across all platforms. This is where a professional solution like CodeMeter comes into play.
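
The signing chain and the pre-signing compromise described above, as an added example that is not part of the original post and is not Apple or CodeMeter code: toy textbook RSA over constructed Mersenne-prime keys stands in for real signatures, and every name (`device_accepts`, `sign_release`, the toolchain records) is hypothetical. It also shows one way to act on the "trusted environment" takeaway, assuming the toolchain vendor publishes a digest that the developer pins before building and signing.

```python
import hashlib
import hmac

E = 65537  # public exponent used by every toy key below

def make_key(p: int, q: int) -> dict:
    """Toy textbook-RSA key from two primes (constructed values, NOT secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: dict, data: bytes) -> int:
    return pow(_h(data), priv["d"], priv["n"])

def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == _h(data)

def _cert_body(subject: str, n: int) -> bytes:
    return f"{subject}|{n:x}".encode()

def issue_certificate(issuer_priv: dict, subject: str, subject_n: int) -> dict:
    """Certificate = developer's public key plus the issuer's signature over it."""
    return {"subject": subject, "n": subject_n,
            "sig": sign(issuer_priv, _cert_body(subject, subject_n))}

def device_accepts(root_n: int, cert: dict, app: bytes, app_sig: int) -> bool:
    """Closed-system check: only the public root key is needed on the device."""
    if not verify(root_n, _cert_body(cert["subject"], cert["n"]), cert["sig"]):
        return False  # certificate was not issued by the platform root
    return verify(cert["n"], app, app_sig)  # app was signed by that developer

def compile_app(source: bytes, toolchain: dict) -> bytes:
    """Stand-in for a compiler: the toolchain's runtime ends up in the output."""
    return b"BIN|" + source + b"|" + toolchain["runtime"]

def toolchain_digest(toolchain: dict) -> str:
    return hashlib.sha256(toolchain["image"]).hexdigest()

def sign_release(dev_priv: dict, source: bytes, toolchain: dict, pinned: str):
    """Build and sign only if the toolchain matches the pinned vendor digest."""
    if not hmac.compare_digest(toolchain_digest(toolchain), pinned):
        raise RuntimeError("toolchain digest mismatch: refusing to build and sign")
    app = compile_app(source, toolchain)
    return app, sign(dev_priv, app)

# Constructed sample data (keys built from Mersenne primes for brevity only).
ROOT = make_key(2**521 - 1, 2**1279 - 1)   # platform root key
DEV = make_key(2**127 - 1, 2**607 - 1)     # developer key
CERT = issue_certificate(ROOT, "Example Developer", DEV["n"])
GENUINE = {"image": b"vendor toolchain 1.0", "runtime": b"runtime"}
REPACKAGED = {"image": b"vendor toolchain 1.0 (repackaged)",
              "runtime": b"runtime+extra-code"}
PINNED = toolchain_digest(GENUINE)

def run_scenarios() -> dict:
    source = b"app-source"
    clean, clean_sig = sign_release(DEV, source, GENUINE, PINNED)

    # Unwanted code added by the toolchain BEFORE signing: the developer signs
    # it along with everything else, so the device's check still passes.
    infected = compile_app(source, REPACKAGED)
    infected_sig = sign(DEV, infected)

    # Modification AFTER signing: the signature no longer matches.
    patched = clean + b"+extra-code"

    # Certificate not issued by the root (self-signed by an unknown key).
    rogue = make_key(2**89 - 1, 2**521 - 1)
    rogue_cert = issue_certificate(rogue, "Unknown", rogue["n"])

    try:
        sign_release(DEV, source, REPACKAGED, PINNED)
        gate_blocked = False
    except RuntimeError:
        gate_blocked = True

    return {
        "clean_accepted": device_accepts(ROOT["n"], CERT, clean, clean_sig),
        "infected_before_signing_accepted":
            device_accepts(ROOT["n"], CERT, infected, infected_sig),
        "patched_after_signing_accepted":
            device_accepts(ROOT["n"], CERT, patched, clean_sig),
        "self_signed_cert_accepted":
            device_accepts(ROOT["n"], rogue_cert, clean, sign(rogue, clean)),
        "gate_blocked_repackaged_toolchain": gate_blocked,
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The device-side check cannot tell the clean build from the one altered before signing; only the build-side digest check does, which is why the signing environment itself has to be trusted.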

Siemens responded quickly and did a good job after all. Let's hope that Apple is equally responsive. If you are ready to implement the lessons learned from this episode, you can count on CodeMeter, our all-in-one protection suite, and on the professional expertise of our team.

Topics: software protection, CodeMeter, Code Integrity

Anti-Piracy, Flexible Licensing and software monetization

Posted by Terry Gaul on Sep 17, 2015 11:03:39 AM

We’ve all seen the disturbing software piracy statistics released by BSA | The Software Alliance in their Global Software Survey:

  • 43 percent of the software installed on personal computers globally in 2013 was not properly licensed
  • The global rate at which PC software was installed without proper licensing rose from 42 percent in 2011 to 43 percent in 2013 as emerging economies where unlicensed software use is most prevalent continued to account for a growing majority of all PCs in service.
  • The commercial value of unlicensed PC software installations totaled $62.7 billion globally in 2013.

These trends are sure to put a dent into any ISV’s bottom line. In their blueprint for reducing software piracy, the BSA points to increased public education and awareness, modernization of IP laws, and stepped-up enforcement with dedicated resources as important steps towards thwarting piracy.

Of course, a more immediate approach to preventing piracy is to integrate copy protection directly into the application with a robust software protection solution like Wibu-Systems’ CodeMeter. It takes just minutes to protect software from illegal copying, reverse engineering or tampering without having to change a single line of source code.

In addition to preventing software piracy and hacking, a sound monetization strategy will serve to maximize ISV revenues as well. With secure, flexible licensing capabilities, ISVs and device manufacturers can effectively implement creative licensing strategies to meet the dynamic market requirements of their end users. The days of the perpetual software license are long gone and ISVs need the ability to introduce various pricing schemes based on pay-per-function, pay-per-use, subscription, or other possible licensing options. A representative example of a flexible licensing system is CodeMeter License Central, which enables ISVs to create, manage and distribute all types of licenses in a secure, straightforward manner.

Industry analyst firm, Frost and Sullivan, concluded in a white paper that “customers experience best long-term value in terms of both top-line revenue realization bottom-line costs and efficiency when license management solutions inherently provide comprehensive functionality and robust security.”

I invite you to download the full whitepaper, entitled Best Practices in Software Monetization: A Customer-Centric View of Secure License Management. The White Paper sheds light on various aspects of successful software monetization strategies, ranging from business-enabling licensing architectures to resilience against hacking. The document demonstrates how changing times demand that ISVs implement customer-centric business models and customer-friendly enforcement in order to increase their top line software revenues while controlling bottom line costs.

   

Topics: License Management, software protection, CodeMeter, secure licensing, software piracy, CodeMeter License Central

Protecting the Healthcare Landscape of 2020

Posted by Terry Gaul on Sep 8, 2015 1:00:00 AM

The Deloitte Centre for Health Solutions paints an interesting picture of the healthcare and life science sectors in their report, Healthcare and Life Sciences Predictions 2020 – a bold future? The landscape they envision is being shaped by the many scientific and technology innovations emerging today.

By 2020, they foresee an era of digitized medicine where patients manage their own electronic health records and providers and patients share crowd-sourced data via social media and other electronic communities. Today, wearable technologies have been embraced mainly by fitness buffs. But by 2020, Deloitte points to the development of new biosensors that will enable broad adoption of wearables for remote monitoring, disease management and early detection. And in the age of fully digitized medicine, Big Data will have found a way to leverage the healthcare data exposition and deliver information to patients and providers to make better and more informed decisions.

Deloitte imagines that “the convergence of biomedicine, IT, health data, wireless, and mobile will have transformed medicine from an art to a data driven science providing the right care, in the right place, at the right time and at affordable cost.”

The report presents quite an optimistic outlook, but quite plausible from Deloitte’s standpoint, based on the evidence presented. However, Deloitte also points out the many hurdles that will have to be addressed along the way. The two most prominent issues involve patient privacy and safety. While an abundance of patient data will help develop better treatments and improve outcomes, the protection of patient privacy and confidentiality is still paramount. Much more progress needs to be made in cybersecurity to provide the assurances that patient information is protected.

One area that was not addressed in detail in this particular report is the importance of protecting not only patient data, but the connected devices and embedded software themselves from malicious tampering. I like to use the example of former U.S. Vice President Dick Cheney when he acknowledged that he once feared that terrorists could use the electrical device that had been implanted near his heart to kill him and had his doctor disable its wireless function. The device in question was a defibrillator that could detect irregular heartbeats and control them with electrical jolts. Cheney had his doctor turn off the device’s wireless function in case a terrorist tried to send his heart a fatal shock.

Deloitte delved further into these types of issues in a brief entitled, Networked medical device cybersecurity and patient safety: Perspectives of health care information cybersecurity executives. The brief notes that while connected medical devices have the potential to play a transformational role in healthcare, they also may be a vehicle that exposes patients and providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access.

With the rapid proliferation of electronic patient data, wearables and other connected medical devices in the healthcare landscape, cybersecurity will be more important than ever. Fortunately, proven technologies exist today for protecting embedded software and connected devices from tampering and execution of malicious code.

Read how custo med, a leading medical diagnostic company in Germany, employs Wibu-Systems’ technology to keep patient data private and protect their diagnostic cardio-respiratory acquisition and reporting system from tampering. Download the case study.

Topics: CodeMeter, embedded security, Internet of Things, cybersecurity
