Wibu-Systems Blog

Certificates for Authenticity, Authentication or both?

Posted by Terry Gaul on Apr 23, 2015 10:50:21 AM


Live Event:

Certificates for Authenticity, Authentication or Both?
April 28, 2015
9 - 10 am PST


Software developers have an affinity for encryption methods, but not all have quite mastered certificate management. Digital certificates are often seen in relation to authentication practices such as single sign-on, email signature, and file encryption, but they are also a key pillar in software protection.

This crash course will navigate you from theory to practice, illustrating basic principles and best application uses. Whether your goal is protecting a computer or embedded software, there are techniques that you can implement and requirements you should follow to achieve greater effectiveness in shielding your application from piracy and tampering.

Through the integrated use of certificates, CodeMeter serves a dual purpose: authenticity and authentication. While mechanisms like Authenticode offer authenticity for the software user, CodeMeter offers authenticity for the software developer. If an application consists of more than one executable, CodeMeter uses small, easy-to-use proprietary certificates to check the integrity of the whole application. In the case of an embedded system such as VxWorks, the integrity of the entire embedded device can also be verified: the authenticity of each module, from the bootloader and the operating system up to each piece of software running on the system, is validated.

Additionally, with authentication, you can make sure only users with entitled credentials can use or maintain your software or can log in to cloud-based solutions.

Get familiar with the terminology and become a proficient user of certificates. Register Here

Topics: CodeMeter, software copy protection, Anti-piracy, Copy Protection

Considering an Automated License Management System Hosted in the Cloud?

Posted by Terry Gaul on Mar 23, 2015 4:00:00 AM

With today’s cloud or virtual solutions, there are many available license management options to evaluate and even more questions to consider – what about security? Service levels? Architecture? Server location? Support? Cost and fees?

If you are considering an automated license management system hosted in the cloud, you won't want to miss this upcoming Webinar:

High Availability for License Creation - Technical and Human Factors
March 31, 2015
12:00 pm - 1 pm EDT

Wibu-Systems Support and Cloud Consulting Experts will review the key factors involved in selecting a reliable hosted license management platform and present several options available for hosting CodeMeter License Central with our Wibu Operating Services (WOPS), from the cost-effective Datacenter Edition to high performance and high availability services.

During this one-hour event we will present:

  • Overview of available license management packages
    • Datacenter Edition
    • Dedicated Server
    • High Performance Edition
    • High Availability Package
  • Security requirements:
    • DMZ and security area in the Wibu-Systems datacenter
    • Security monitoring
    • Available access options and access protection measures
  • Hosting or operation, what is the difference?
    • Hardware components and overall infrastructure
    • System updates
    • Application updates
    • Application maintenance
    • Availability monitoring
  • Service Levels
    • Basic availability

Let us help you pick the optimum solution and protect your business profitability.


Topics: License Management, CodeMeter, secure licensing, Virtualization, Cloud License Management

Is security an afterthought in the cyber world?

Posted by Terry Gaul on Mar 16, 2015 5:09:19 AM


I recently read an interesting article in Engineering and Technology Magazine, entitled ‘Immature’ Internet of Things Hackable with Primitive Methods. What caught my eye was the opening paragraph that stated: “The emerging Internet of Things lags massively behind conventional computers in terms of cyber security with manufacturers failing to implement basic security practices, one researcher has demonstrated.”

That researcher was James Lyne, Global Head of Security at Sophos, who spoke at the Mobile World Congress in Barcelona. During his talk, he demonstrated how to gain access to Internet-connected CCTV cameras using a simple brute force attack. The article went on to summarize many additional examples about the unsecure nature of IoT devices.

Part of the problem, Lyne said, “is the fact the market is driven by innovation and focused on marketable features instead of security and privacy concerns.” And this point, I believe, hits the nail right on the head. Our customers are very bright software engineers who are focused on developing innovative desktop applications, mobile apps, or the embedded systems that are at the core of IoT devices. While they understand the need to protect their software and IP against piracy and reverse engineering, implement a secure licensing strategy, and protect embedded systems against malicious tampering, they also recognize that they are not experienced in these areas. This is why they turn to security experts like Wibu-Systems for help. Jay Grenier of Faceware Technologies, one of our customers using our CodeMeter software protection and secure licensing platform, put it this way:

“With CodeMeter, I rest easy knowing that our technology is completely secure from hackers and reverse-engineering. With this weight lifted off my team, it allows us to focus on what’s most important in software development: creating great products.” (read the case study)

With all of the highly publicized security breaches occurring in the past few years as well as the rapid evolution of the IoT, it’s time to elevate the importance of software security. A sound security strategy should be designed into the product from the start, not as an afterthought.

View our customer case studies and see how easy it is to protect software and IP, secure embedded systems and connected devices, and securely manage licensing.

Topics: CodeMeter, embedded security, Internet of Things

Addressing Secure, Flexible Software Licensing in a Complex Environment

Posted by Terry Gaul on Feb 17, 2015 11:05:48 AM

As an ISV today, you must address many questions in your product development and delivery strategies as the software licensing landscape has become increasingly complex. Let’s take a look at some of the questions you face:

  • Should the product be sold as one unit or should several variants be created, each with different features?
  • Is the license perpetual or should it be sold in time-limited subscriptions or usage-based units?
  • Should limited trial licenses be made available?
  • Is the license bound to a specific PC or can it float in my customer’s LAN?
  • Which system platforms should be supported?
  • Is the license safe on virtual machines?
  • What about cloud or mobile apps in the future?

Because of these increasing complexities, many ISVs are turning to 3rd party licensing security experts for help in developing a secure licensing strategy that meets their needs not only for today but also provides the flexibility to enable them to adapt their product to meet new customer requirements as they evolve in the future.

For example, take a look at one of our customers, Faceware Technologies, Inc. Faceware is the pioneer in video-based facial animation. Their hardware and software represent complete solutions for the interactive entertainment, film, video game, television, and commercial markets. Their products were used to deliver exceptional facial recognition in Forbes’ list of top ten grossing games in 2014.

They turned to our CodeMeter secure licensing and protection platform for several reasons. First, they wanted to protect their revenues by eliminating counterfeit copies from hitting the market and protect their intellectual property from reverse engineering. They knew that CodeMeter-protected software had never been compromised in global hackers’ contests.

They also were looking to introduce new business models that would enable trial licensing and pay for time and features. This licensing flexibility enabled them to introduce a “lite” version of their product which allowed them to sell their software to independent filmmakers and smaller studios that typically couldn’t afford the high-end, fully featured version. And with confidence in security, they were able to launch into new markets, including Russia and China, where they previously had concerns.

One of the key takeaways from their success story is that with a robust, flexible and secure licensing and protection platform like CodeMeter, they could focus on what they do best – create award winning products that could reach more markets.

If you would like to read the details about how CodeMeter helped Faceware to achieve their security and licensing goals, please download the case study. And, if you would like to try CodeMeter, just request a fully functional evaluation system.


Topics: License Management, CodeMeter, software copy protection, secure licensing, software licensing, Copy Protection, software monetization

Building Security Into IoT Devices

Posted by Terry Gaul on Jan 29, 2015 12:37:43 PM


The U.S. Federal Trade Commission recently released an in-depth report entitled, The Internet of Things: Privacy & Security in a Connected World, which included a long list of considerations and recommendations on how manufacturers should secure IoT devices.

To emphasize the magnitude of the IoT, the FTC noted that six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people. And experts estimate that, as of this year, there will be 25 billion connected devices and by 2020, 50 billion. And, this is not taking into consideration devices sold in a business-to-business context, nor does it address broader machine-to-machine communications.

The report recognized the numerous benefits the IoT presents to consumers and the potential to change the ways that consumers fundamentally interact with technology. In the future, they said, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend. From a security and privacy perspective, the predicted pervasive introduction of sensors and devices into currently intimate spaces – such as the home, the car, and with wearables and ingestibles, even the body – poses particular challenges.

The FTC outlined a variety of potential security risks that could be exploited in the IoT to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. The security risks associated with IoT devices are not limited to the compromise of personal information, but can involve broader health and safety concerns. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed. Similarly, a criminal who hacks into a car’s network could cause an accident.

Among the many best practices for IoT device manufacturers recommended by the FTC staff, this one stands out the most – “companies should build security into their devices at the outset, rather than as an afterthought.”

Of course, none of this is startling news to us here at Wibu-Systems. We have been protecting software for more than 25 years and are experienced in securing the embedded systems found at the core of IoT devices. With our CodeMeter protection platform, IoT device manufacturers can ensure the integrity of embedded systems through the use of cryptographic methods. CodeMeter offers different secure storage options for keys and state information: smartcard chip, TPM and software container. CodeMeter supports common operating systems like Windows, OSX, and Linux as well as Windows Embedded, Real Time Linux, VxWorks, Android, QNX and PLCs like CODESYS, B&R and others. It contains a fast and reliable implementation of symmetric and asymmetric encryption methods (AES, RSA, ECC) as well as hash functions (SHA-256), functions for signature validation (ECDSA) and a random number generator.

CodeMeter includes all the available tools needed to implement integrity protection, software protection and the prevention of code tampering. CodeMeter also includes tools for creation, management and delivery of keys and digital rights.

To see how easy it is to build security into your software and embedded systems, request a fully functional CodeMeter Evaluation System and try it out.

 Request a CodeMeter Evaluation System

Topics: CodeMeter, embedded security, Internet of Things

Secure Your Licensing in Virtual Environments

Posted by Terry Gaul on Jan 23, 2015 4:00:00 AM

During the early 2000's, there was much skepticism about the value and viability of virtualization. Today, however, there is no doubt that companies have embraced the efficiencies and expansion capabilities afforded by multiplying resources of a single machine across several different virtual machines. The cost effectiveness and increase in availability, performance and utilization of IT resources are all contributing factors to the success of virtualization, whether applied to desktops, data centers or applications.

While end users are reaping the economic benefits of virtualization, it has been challenging for ISVs to create flexible licensing schemes that are better suited for the virtual environment, are easy to manage on the end user side, and are protected against misuse of the license. Just think about the many ways software licenses can be misused when operating simultaneously on virtual machines and terminal servers. Take for example licensing threats within a virtual machine environment:

For dongle users:

  • Illicit use of a single license by using one dongle for several guest systems.

For software-based licenses:

  • Resetting time-limited or pay-per-use licenses by using a copy or snapshot.
  • Duplicating machine-bound licenses by cloning the allocated machine in its entirety.

And, consider these potential licensing threats on terminal servers:

  • Illicit use of a single license in multiple simultaneous sessions on the terminal server.
  • Use of a single-user license as a floating network license.

To help you identify and address these licensing complexities and security threats, we’ve developed a new white paper entitled CodeMeter in Virtual Environments: Make Your Software License Management More Agile.

This white paper illustrates the potential threats in various licensing scenarios and reviews how the CodeMeter secure licensing platform protects against each one of them. With CodeMeter, you can protect your software against any license abuse. No matter if your customers are using real or virtual systems, or a combination of both, you will have an accurate count of your licenses, and execution of the software is interrupted if an attack is detected. CodeMeter provides a versatile licensing platform and mitigates the evolving security threats in a straightforward fashion.

Download the whitepaper.


Topics: License Management, CodeMeter, secure licensing, software licensing, Virtualization

Secure Software Updates via Embedded Integrity Protection

Posted by Marcellus Buchheit on Dec 17, 2014 7:00:00 AM

Software for embedded systems is based more and more on open system platforms, such as Linux Embedded, VxWorks, Windows Embedded, QNX and many others. In addition to powerful core functionality, one of the main reasons to use open platforms is their implementation of standardized interfaces for loading code or calling system functions (API). Such standards simplify software development between several teams within a large enterprise or even in different software companies. And similar to the success of software for traditional desktop systems or smart phones, you can find more solutions that can be purchased from third parties instead of developed in-house.

However, this new open world also makes embedded systems vulnerable to attacks from hackers who also know the system platforms very well. Current examples of such threats include successful attacks on POS systems to steal credit card numbers or on ATM machines to steal cash. The IoT now brings embedded systems with such open platforms into a globally connected environment that is highly vulnerable to all types of attacks from hard-to-identify hackers located around the world.

One solution to prevent such attacks is the installation of security barriers between the code and the open Internet, such as firewalls or strict access control to the critical code. But the structure of such barriers in larger installations of embedded systems – an automobile assembly plant for example – is quickly becoming very complex with a high risk of security leaks. And if a hacker can find one such leak, he or she is now “inside”, and knows the details of the platform in use, and can modify the existing code or even upload and start new code to perform malicious attacks beyond simply analyzing, copying or deleting data.

A more effective solution is to protect the running program code itself against any modifications and also prevent the loader of the operating system from starting any unauthorized code. This also includes protecting the open system platform itself to prevent a hacker from installing his own loader. And finally the BIOS of the embedded system should prevent any loading of an unauthorized platform.

Wibu-Systems CodeMeter technology provides consistent code protection at all levels of an embedded system where software components are running. Protection begins in the BIOS, which will only start an authorized operating system, continues through the loader in this operating system, which only accepts executable files of authorized programs, and extends to the programs themselves, which can load only applets or dynamic libraries that are authorized. This code integrity protection is based on sealed code, which cannot be modified at the file level, and which is verified by a private/public key scheme. All components (BIOS, operating system, optional loader, application and applets) can come from different sources. Dynamic updates of any component are possible as long as the updated code is authorized as well. It is also possible to remotely update, extend or remove the required keys in a secure manner.

This technology enables the flexibility of secure code upgrades, which will be required in the ever evolving IoT world, with the security of the closed, non-changeable, unconnected systems of today. It is currently available in the latest version of VxWorks Real Time Operating System and will also be available for other platforms in the coming months. The technology is based on secure keys which are stored in a security device and which can be integrated as a chip directly into the system hardware or attached as a USB Stick, SD, microSD or CF Card.


If you are interested in learning more about Integrity Protection for embedded systems, download our whitepaper.

Topics: CodeMeter, Code Integrity, embedded security

Webinar: Enhancing License Management with CodeMeter and Salesforce

Posted by Terry Gaul on Nov 20, 2014 1:48:28 PM


Webinar December 4 - see full agenda and presentation times here

Over the last 15 years, Salesforce has grown exponentially to become the world-leading CRM platform. In addition to migrating sales, service, marketing and community-related databases to the cloud, many ISVs are now using Salesforce to create and distribute software licenses. For those ISVs, we’ve made the licensing process easier and more efficient by enabling the integration of Salesforce with CodeMeter. CodeMeter License Central automates the process of creating, delivering and managing licenses for software and digital content and can be easily integrated with Salesforce in just a few easy steps.

On December 4, we will host a seminar and demonstrate how to integrate CodeMeter with Salesforce and how to create and manage the license process with your end users.

Visit our registration page to see the full agenda of this one hour Webinar and the presentation times.

Topics: License Management, CodeMeter, CodeMeter License Central

Unlicensed Software Usage Poses Multi-Billion Dollar Industry Problem

Posted by Terry Gaul on Nov 10, 2014 9:46:01 AM


Source BSA 2013 Global Software Survey

Unlicensed software usage continues to pose a multi-billion dollar industry problem – did you know there is a solution?

The BSA 2013 Global Software Survey released earlier this year once again presented some alarming statistics on the financial and commercial impact of unlicensed software usage.

Conducted semi-annually by BSA | The Software Alliance (www.bsa.org), the survey found “that 43 percent of the software installed on personal computers around the world in 2013 was not properly licensed. That marked an uptick from 42 percent in BSA’s previous global study two years prior. The commercial value of this unlicensed software was estimated to be over $62 billion.”

By geographic area, the unlicensed software usage rate cited some familiar statistics:

Area                          % Unlicensed Software Usage
Asia-Pacific                  62%
Central and Eastern Europe    61%
Latin America                 59%
Middle East and Africa        59%
Western Europe                29%
North America                 19%
Source: BSA Global Software Survey

And, the magnitude of the problem is not simply a software monetization and piracy issue for ISVs, but a major security concern for enterprises as well.

Among the security risks associated with unlicensed software, the survey noted that 64 percent of users cited unauthorized access by hackers as a top concern and 59 percent cited loss of data. Topping the list of concerns for IT managers was the risk of losing data, followed by unauthorized access to company information, the time and costs involved in disinfecting, and loss of intellectual property or proprietary information.

The survey noted that the importance of using genuine, properly licensed software remains critical, particularly as cyber security threats proliferate. Finally, the survey concluded that the global cyber security threat environment has in fact been worsening, and that this trend has been exacerbated in part by vulnerabilities associated with illegitimate software.

So, what should software vendors make of this disheartening data?

Try this way of thinking: What if you could envision a solution where your software is protected by strong AES and ECC encryption and licenses were easily protected by the most secure hardware-based (dongles) or software-based measures? Only licensed, authenticated users could access your software. Then consider a licensing solution that is flexible enough to enable you to package your software to optimally meet the unique needs of each of your end-user market segments. Now, you have not only protected your software and secured its licensing, but also monetized your software business model to achieve greater revenues. And, you’ve also helped your customers to protect their data from cyber attacks.

The solution I am referring to, of course, is Wibu-Systems’ CodeMeter all-in-one licensing, security, and copy protection platform for desktop, SaaS, and cloud-based applications. CodeMeter employs proven technologies and is designed to provide the ultimate in software protection and secure licensing while being very easy to use. Thousands of ISVs and industrial manufacturers around the world use CodeMeter to protect their software, digital assets and intellectual property.

I invite you to learn more about CodeMeter, view our short video, or download our free Evaluation System and see for yourself how easy it is to license and protect your software. Together, perhaps we can change the next survey data for the better.

Topics: CodeMeter, software copy protection, Copy Protection

Repelling the BadUSB Exploit with Cryptography and Secure Boot

Posted by Terry Gaul on Aug 7, 2014 5:06:02 PM

By now, many of you have heard about the “BadUSB” exploit, where two security researchers at Security Research Labs demonstrated how they could perpetrate an attack on USB devices.  By reprogramming the USB’s firmware with malicious code, attackers could gain control of a PC or any other USB-driven peripheral, such as a mouse, keyboard or even a smartphone. Once the infected USB is connected to the device, the software can be programmed to perform any number of malicious acts, from corrupting data to impersonating a USB keyboard to type in its own commands. And, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.

So what should we conclude about the vulnerabilities of USB sticks? Given the ubiquity of USB technology, consumers using USB memory sticks should be aware of the potential threat and be more cautious about the origin of the stick and who else may have used it, before it’s connected to a device. But we should also be aware that not all USB sticks are alike and some, such as our WibuKeys and CodeMeter sticks (CmStick), incorporate advanced security technology that makes attacks, such as BadUSB, impossible to perpetrate.

Let’s take a deeper look. Each USB stick consists of a controller chip and at least one memory module. The controller is responsible for the communication with the computer over the USB interface, and manages the memory. In principle, this can be equated to a microcomputer that, upon being plugged in, boots its operating system (firmware) from a non-visible part of the flash memory. Then it presents the flash memory to the computer as an available drive.

For economic reasons, the firmware on USB sticks is updateable, and therein lies the vulnerability. There are two ways to update the firmware: 1) a safe, secure boot process or 2) a simpler one with obfuscation of undocumented commands. The latter approach applies to all classic USB sticks and is the main vulnerability to the BadUSB threat.

The first step to a BadUSB attack is the manipulation of the firmware, which must be reverse engineered. New custom firmware is then developed and loaded onto the stick, in a manner that circumvents the obfuscation protection.

Secondly, the modified USB stick presents itself to the computer as an HID device. Once the USB stick is connected, the computer recognizes the HID device and initializes it automatically – a standard procedure that would not draw suspicion from the user. Once initialized, the modified firmware goes into action and the programmed malware is unleashed.

Although the explanation of the exploit seems simple enough, the demonstration by Security Research Labs is extremely difficult to achieve. Reverse-engineering controller firmware requires great technical skills and is extremely time consuming. Plus, the attack is controller specific, so it would require extensive knowledge of the specific chip and the reverse engineering effort would need to be repeated for each threat.

However, as we have grown to understand the hacking community, we don’t underestimate their persistence and leave nothing to chance in terms of the protection we build into our CmSticks.  At Wibu-Systems, our own security experts have been developing and refining technologies to make software safe from malicious tampering since 1989.

Our family of CodeMeter CmSticks comes in many form factors. All are implemented on a separate chip that has its own memory and cryptographically secure firmware. Only firmware signed by Wibu-Systems can be downloaded into the controller, making a BadUSB attack impossible. Our most modern CmStick offers further protection. The chip firmware is encrypted and signed and the root key is stored in non-alterable ROM. This key is written only once during manufacturing and cannot be subsequently updated in the field under any circumstances. This is our implementation of a secure boot process. The inter-chip communication is also encrypted, making the stick immune to hardware-based attacks.

In conclusion, if you are using any of our USB powered devices, you can feel confident that you are protected from the BadUSB threat.

For a more detailed description of our cryptographic protection and secure boot process, please read our official statement "BadUSB Uncovered", or contact one of our security experts.
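The checks described in this post (only signed firmware is accepted, anchored in a root key that can never be changed) and in the "Secure Software Updates via Embedded Integrity Protection" post above (each stage loads only authorized code, and keys can be added or removed securely) follow one pattern, shown here in Go. This is an added example, not Wibu-Systems code: the use of Ed25519, the sequence-number replay check and every name in it (Device, Image, SealImage, SealUpdate, Apply, Boot) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Added example: names and Ed25519 are assumptions; root stands in for the ROM key.
type Device struct {
	root    ed25519.PublicKey
	trusted map[string]ed25519.PublicKey // vendor keys authorized by root
	lastSeq uint64                       // highest key update applied so far
}

// Image is one sealed component: firmware, OS, loader, application or applet.
type Image struct {
	Name, KeyID string // KeyID names the authorized key that signed it
	Code, Sig   []byte // Sig covers Name and Code
}

func NewDevice(root ed25519.PublicKey) *Device {
	return &Device{root: root, trusted: map[string]ed25519.PublicKey{}}
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// msg length-prefixes every field so that field boundaries are unambiguous.
func msg(fields ...[]byte) (out []byte) {
	for _, f := range fields {
		out = append(append(out, fmt.Sprintf("%d:", len(f))...), f...)
	}
	return out
}

// SealImage is a vendor's signing step for one component.
func SealImage(priv ed25519.PrivateKey, keyID, name string, code []byte) Image {
	return Image{name, keyID, code, ed25519.Sign(priv, msg([]byte("image"), []byte(name), code))}
}

// SealUpdate is the root-key holder's signing step; an empty pub removes keyID.
func SealUpdate(root ed25519.PrivateKey, seq uint64, keyID string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(root, msg([]byte("keys"), []byte(fmt.Sprint(seq)), []byte(keyID), pub))
}

// Apply changes the trust store only for a fresh, root-signed key update.
func (d *Device) Apply(seq uint64, keyID string, pub ed25519.PublicKey, sig []byte) error {
	m := msg([]byte("keys"), []byte(fmt.Sprint(seq)), []byte(keyID), pub)
	if seq <= d.lastSeq || !ed25519.Verify(d.root, m, sig) {
		return fmt.Errorf("key update %d rejected: replayed or not signed by root", seq)
	}
	d.lastSeq = seq
	delete(d.trusted, keyID) // a removal, or the old key before a replacement
	if len(pub) > 0 {
		d.trusted[keyID] = pub
	}
	return nil
}

// Boot verifies stages in load order; the int is how many were allowed to start.
func (d *Device) Boot(chain []Image) (int, error) {
	for i, img := range chain {
		pub, ok := d.trusted[img.KeyID]
		if !ok {
			return i, fmt.Errorf("%s: signer %q not authorized", img.Name, img.KeyID)
		}
		if !ed25519.Verify(pub, msg([]byte("image"), []byte(img.Name), img.Code), img.Sig) {
			return i, fmt.Errorf("%s: code does not match its signature", img.Name)
		}
	}
	return len(chain), nil
}

func main() {
	rootPub, rootPriv := NewKey()
	osPub, osPriv := NewKey()
	dev := NewDevice(rootPub)
	dev.Apply(1, "os-vendor", osPub, SealUpdate(rootPriv, 1, "os-vendor", osPub))
	chain := []Image{SealImage(osPriv, "os-vendor", "os", []byte("constructed kernel image"))}
	fmt.Println(dev.Boot(chain)) // pristine chain
	chain[0].Code[0] ^= 1        // constructed tamper: flip one bit
	fmt.Println(dev.Boot(chain)) // halts at stage 0
}
```

Because every stage names its signer and the trust store changes only through root-signed, strictly ordered updates, a replaced component loads only if its vendor key is still authorized, and a removed key cannot be restored by replaying an old update.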


Topics: CodeMeter, software copy protection, CmSticks, cracking, WibuKey, embedded security