Wibu-Systems Blog

Certificates for Authenticity, Authentication or both?

Posted by Terry Gaul on Apr 23, 2015 10:50:21 AM


Live Event:

Certificates for Authenticity, Authentication or Both?
April 28, 2015
9 - 10 am PST


Software developers have an affinity for encryption methods, but not all have quite mastered certificate management. Digital certificates are often seen in relation to authentication practices such as single sign-on, email signature, and file encryption, but they are also a key pillar in software protection.

This crash course will navigate you from theory to practice, illustrating basic principles and best application uses. Whether your goal is protecting a computer or embedded software, there are techniques that you can implement and requirements you should follow to achieve greater effectiveness in shielding your application from piracy and tampering.

Through the integrated use of certificates, CodeMeter serves a dual scope: authenticity and authentication. While mechanisms like Authenticode offer authenticity for the software user, CodeMeter offers authenticity for the software developer. If an application consists of more than one executable, small and easy to use proprietary certificates are used by CodeMeter to check the integrity of the whole application. In case of an embedded system such as VxWorks, the integrity of the entire embedded device can also be verified: the authenticity of each module from the bootloader and the operating system, up to each software running on this system is validated.

Additionally, with authentication, you can make sure only users with entitled credentials can use or maintain your software or can log in to cloud-based solutions.

Get familiar with the terminology and become a proficient user of certificates. Register Here

Topics: CodeMeter, software copy protection, Anti-piracy, Copy Protection

Addressing Secure, Flexible Software Licensing in a Complex Environment

Posted by Terry Gaul on Feb 17, 2015 11:05:48 AM


ISVs today must address many questions in your product development and delivery strategies as the software licensing landscape has become increasingly complex. Let’s take a look at some of these questions you face:

  • Should the product be sold as one unit or should several variants be created, each with different features?
  • Is the license perpetual or should it be sold in time-limited subscriptions or usage-based units?
  • Should limited trial licenses be made available?
  • Is the license bound to a specific PC or can it float in my customer’s LAN?
  • Which system platforms should be supported?
  • Is the license safe on virtual machines?
  • What about cloud or mobile apps in the future?

Because of these increasing complexities, many ISVs are turning to 3rd party licensing security experts for help in developing a secure licensing strategy that meets their needs not only for today but also provides the flexibility to enable them to adapt their product to meet new customer requirements as they evolve in the future.

For example, take a look at one of our customers, Faceware Technologies, Inc. Faceware is the pioneer in video-based facial animation. Their hardware and software represent complete solutions for the interactive entertainment, film, video game, television, and commercial markets. Their products were used to deliver exceptional facial recognition in Forbes list of top ten grossing games in 2014.

They turned to our CodeMeter secure licensing and protection platform for several reasons. First, they wanted to protect their revenues by eliminating counterfeit copies from hitting the market and protect their intellectual property from reverse engineering. They knew that CodeMeter protected software had never been compromised in global hacker’s contests.

They also were looking to introduce new business models that would enable trial licensing and pay for time and features. This licensing flexibility enabled them to introduce a “lite” version of their product which allowed them sell their software to independent filmmakers and smaller studios that typically couldn’t afford the high end, fully featured version. And with confidence in security, they were able to launch into new markets, including Russian and China, where they previously had concerns.

One of the key takeaways from their success story is that with a robust, flexible and secure licensing and protection platform like CodeMeter, they could focus on what they do best – create award winning products that could reach more markets.

If you would like to read the details about how CodeMeter helped Faceware to achieve their security and licensing goals, please download the case study. And, if you would like to try CodeMeter, just request a fully functional evaluation system.


Topics: License Management, CodeMeter, software copy protection, secure licensing, software licensing, Copy Protection, software monetization

Unlicensed Software Usage Poses Multi-Billion Dollar Industry Problem

Posted by Terry Gaul on Nov 10, 2014 9:46:01 AM


Source BSA 2013 Global Software Survey

Unlicensed software usage continues to pose a multi-billion dollar industry problem – did you know there is a solution?

The BSA 2013 Global Software Survey released earlier this year once again presented some alarming statistics on the financial and commercial impact of unlicensed software usage.

Conducted semi-annually by BSA | The Software Alliance (www.bsa.org), the survey found “that 43 percent of the software installed on personal computers around the world in 2013 was not properly licensed. That marked an uptick from 42 percent in BSA’s previous global study two years prior. The commercial value of this unlicensed software was estimated to be over $62 billion.

By geographic area, the unlicensed software usage rate cited some familiar statistics:

Area % Unlicencensed
Software Usage
Asia-Pacific 62%
Central and Eastern Europe 61%
Latin America 59%
Middle East and Africa 59%
Western Europe 29%
North America 19%
Source: BSA Global Software Survey

And, the magnitude of the problem is not simply a software monetization and piracy issue for ISVs, but a major security concern for enterprises as well.

Among the security risks associated with unlicensed software, the survey noted that 64 percent of users cited unauthorized access by hackers as a top concern and 59 percent cited loss of data. Topping the list of concerns for IT managers was the risk of losing data, followed by unauthorized access to company information, the time and costs involved in disinfecting, and loss of intellectual property or proprietary information.

The survey noted the importance of using genuine, properly licensed software remains critical — particularly as cyber security threats proliferate. Finally, the survey concluded that the global cyber security threat environment has in fact been worsening — and that trend has been exacerbated in part by vulnerabilities associated with illegitimate software.

So, what should software vendors make of this disheartening data?

Try this way of thinking: What if you could envision a solution where your software is protected by strong AES and ECC encryption and licenses were easily protected by the most secure hardware-based (dongles) or software-based measures? Only licensed, authenticated users could access your software. Then consider a licensing solution that is flexible enough to enable you to package your software to optimally meet the unique needs of each of your end-user market segments. Now, you have not only protected your software and secured its licensing, but also monetized your software business model to achieve greater revenues. And, you’ve also helped your customers to protect their data from cyber attacks.

The solution I am referring to, of course, is Wibu-Systems’ CodeMeter all-in-one licensing, security, and copy protection platform for desktop, SaaS, and cloud-based applications. CodeMeter employs proven  technologies and is designed to provide the ultimate in software protection and secure licensing while being very easy to use. Thousands of ISVs and industrial manufacturers around the world use CodeMeter to protect their software, digital assets and Intellectual property.

I invite you to learn more about CodeMeter, view our short video, or download our free Evaluation System and see for yourself how easy it is to license and protect your software. Together, perhaps we can change the next survey data for the better.

Topics: CodeMeter, software copy protection, Copy Protection

Repelling the BadUSB Exploit with Cryptography and Secure Boot

Posted by Terry Gaul on Aug 7, 2014 5:06:02 PM

By now, many of you have heard about the “BadUSB” exploit, where two security researchers at Security Research Labs demonstrated how they could perpetrate an attack on USB devices.  By reprogramming the USB’s firmware with malicious code, attackers could gain control of a PC or any other USB-driven peripheral, such as a mouse, keyboard or even a smartphone. Once the infected USB is connected to the device, the software can be programmed to perform any number of malicious acts, from corrupting data to impersonating a USB keyboard to type in its own commands. And, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted.

So what should we conclude about the vulnerabilities of USB sticks? Given the ubiquity of USB technology, consumers using USB memory sticks should be aware of the potential threat and be more cautious about the origin of the stick and who else may have used it, before it’s connected to a device.  But we should also be aware that not all USB sticks are alike and some, such as our WibuKeys and CodeMeter sticks (CmStick), incorporate advanced security technology that make attacks, such as BadUSB, impossible to perpetrate.

Let’s take a deeper look. Each USB stick consists of a controller chip and at least one memory module. The controller is responsible for the communication with the computer over the USB interface, and manages the memory. In principle, this can be equated to a microcomputer that, upon being plugged in, boots its operating system (firmware) from a non-visible part of the flash memory. Then it sets the flash memory of the computer as an available drive.

For economic reasons, the firmware on USB sticks is updateable, and therein lies the vulnerability. There are two ways to update the firmware: 1) a safe, secure boot process or 2) a simpler one with obfuscation of undocumented commands. The latter approach applies to all classic USB sticks and is the main vulnerability to the BadUSB threat.

The first step to a BadUSB attack is the manipulation of the firmware, which must be reversed engineered. New custom firmware is then developed and loaded onto the stick, in a manner that circumvents the obfuscation protection.

Secondly, the modified USB stick presents itself to the computer as an HID device. Once the USB stick is connected, the computer recognizes the HID device and initializes it automatically  -  a standard procedure that would not draw suspicion from the user. Once initialized, the modified firmware goes into action and the programmed malware is unleashed.

Although the explanation of the exploit seems simple enough, the demonstration by Security Research Labs is extremely difficult to achieve. Reverse-engineering controller firmware requires great technical skills and is extremely time consuming. Plus, the attack is controller specific, so it would require extensive knowledge of the specific chip and the reverse engineering effort would need to be repeated for each threat.

However, as we have grown to understand the hacking community, we don’t underestimate their persistence and leave nothing to chance in terms of the protection we build into our CmSticks.  At Wibu-Systems, our own security experts have been developing and refining technologies to make software safe from malicious tampering since 1989.

Our family of CodeMeter CmSticks comes in many form factors. All are implemented on a separate chip that has its own memory and cryptographically secure firmware. Only firmware signed by Wibu-Systems can be downloaded into the controller, making a BadUSB attack impossible. Our most modern CmStick offers further protection. The chip firmware is encrypted and signed and the root key is stored in non-alterable ROM. This key is written only once during manufacturing and cannot be subsequently updated in the field under any circumstances. This is our implementation of a secure boot process. The inter-chip communications is also encrypted, making the stick immune to hardware based attacks.

In conclusion, if you are using any of our USB powered devices, you can feel confident that you are protected from the BadUSB threat.

For a more detailed description of our cryptographic protection and secure boot process, please read our official statement "BadUSB Uncovered", or contact one of our security experts.






Topics: CodeMeter, software copy protection, CmSticks, cracking, WibuKey, embedded security

Integrity Protection for Embedded Systems

Posted by Terry Gaul on Oct 21, 2013 9:51:00 AM

In their book, Embedded Systems Security, David and Michael Kleidermacher point out some all-to-real scenarios about the consequences of malicious threats to embedded systems.

Consider that for every PC in the world, there are hundreds of embedded systems, interconnected over various communication channels, like WiFi, Bluetooth and RFID. And nothing has become more computerized faster than the modern automobile. Computers, in the form of self-contained embedded systems, have been integrated into virtually every aspect of a car's operation and diagnostics, including throttle control, transmission, brakes speedometer, climate and lighting controls, external lights and entertainment systems.

The authors gave one example of an industrial company that sells bearings that use a magnetic field to suspend a shaft. A Digital Signal Processor performs 15,000 calculations per second to keep operations running smoothly. The bearing controllers have Ethernet connections.  With a coordinated attack on the bearings, plant operations could be brought to a halt.

The authors also discuss the security issues brought on by non-malware bugs. As embedded systems become increasingly ingrained in our lives, any bug that compromises the reliability of a system can become a mission-critical security threat. For example, what would happen if automated jail control doors failed to close? A task that errantly consumes too many resources (like memory) or CPU cycles can prevent other activities from running: the traffic light fails to turn red, the railroad signal remains open, or the ATM’s bill counter fails to stop spewing money. 

The Department of Homeland security notes that our country’s reliance on cyber systems to run everything from power plants to pipelines and hospitals to highways has increased dramatically, and our infrastructure is more physically and digitally interconnected than ever. Yet for all the advantages interconnectivity offers, critical infrastructure is also increasingly vulnerable to attack from an array of cyber threats.

Most embedded systems developers have little training in security and are largely unaware of both the threats and the techniques and technologies needed to make their products secure. In order to develop effective methods aimed at preventing attacks, the potential threat scenarios need to be understood. Some of the possible attacks to embedded systems are listed here below:

  1. Attackers develop a "fake device," a device that looks just like the original, but whose functions have been altered for nefarious purposes, that could be installed, for example, as a replacement part during equipment service.
  2. Attackers develop their own software and run it by replacing the memory card in the embedded system.
  3. Attackers extract the memory card out of the embedded system, manipulate the software and plug the card back into the system.
  4. Attackers modify the software on the embedded system by controlling the communication interfaces from the outside.
  5. Attackers monitor an embedded system, while in use by the application, in order to analyze it and to develop avenues of attack.

Finally, the authors make one more important point. They say that one of the most important tenets of computer security is that it is difficult, unwise, and often financially and/or technically infeasible to retrofit security capability to a system that was not originally designed for it. Therefore, they conclude, the only hope for improving security across the world of embedded systems is to educate the developers, who must learn to think about security issues as much as they already think about functionality, memory footprint, and debugging.

And that's where Wibu-Systems comes in. For 25 years, we have delivered the tools needed by software developers to protect their software against piracy, IP theft, and manipulation.  We continue to incorporate state-of-the-art security technologies into our software protection tools for embedded systems and PC software as well as cloud services and mobile apps.

Protect Your Embedded Systems

The term "Integrity Protection" encompasses security measures, namely protection of system resources, programs and data against unauthorized manipulation, or at least identification and display of such modifications. The challenge consists in guaranteeing data integrity, and, if not possible, bringing the system to a safe mode and stopping the execution of any function. The best integrity protection solutions are based on cryptography and associated security mechanisms, such as digital signatures and message authentication. This 12-page white paper will describe these advanced encryption techniques.

Topics: CodeMeter, software copy protection, Copy Protection, Anti-piracy, embedded security, secure licensing

Wrapper or API to Improve Secure Licensing

Posted by John Poulson on May 7, 2013 12:57:00 PM

First a bit of history

Wibu-Systems’ API’s “secret sauce” will securely protect your softwareAs many of you reading this know, Wibu-Systems has been in business since 1989, developing secure license management tools that enable software monetization options for ISVs and embedded systems developers. From the early days we provided our customers with the option of implementing our technology through the use of our API or by using an automatic wrapper tool. We told our customers that the automatic wrapper option provided a “quick and dirty” way to get a protected program to market; but that the most secure way to deploy was through the clever use of our sophisticated functions and API calls. We spent considerable effort in improving those functions and creating new ones that improved the overall security of our licensing solution. For over a decade, our “best practices” advice was to use the API and not the wrapper.

After several years we began to notice that illegal copies of our customers’ “protected” programs were appearing on various hacker sites on the Internet. This was distressful to us as a company and we wanted to find out what we were doing wrong. Upon analysis, we discovered that the vast majority of our customers were using the API in a way that resulted in a simple challenge / response dialogue between the protected program and the hardware dongle. All of our sophisticated function calls and suggested implementation methodologies were not being used. The engineers at Wibu-Systems had spent several years creating API functions that were being left on the shelf.

Where to put our secret sauce

Once we realized our “secret sauce” was not being implemented we had to change direction with the advice we gave to our customers. And we had to improve the wrapper tools. For several years now, we have worked hard to enhance and improve the security and performance of our encryption utilities and now emphasize that customers who want a quick and secure implementation should utilize the wrapper. And for those who require the most security we suggest they implement both automatic encryption and API functions.

The result? The powerful tool many of you know today as AxProtector.

AxProtector — The right recipe

Wibu-Systems’s AxProtector is a smorgasbord of secure software protection for everyoneFrom debugger detection to sophisticated code encryption, AxProtector provides anti-tampering and reverse engineering protection. It is no longer a simple wrapper. Why? Because AxProtector encrypts and rearranges your executable, DLLs, data, media, or video files with minimal effort on your part. In most cases, you don't even have to change your source code. On program load, the program starts only if the required CodeMeter license is available.

And AxProtector is a smorgasbord to meet everyone’s requirements. Use it with software activation codes (CmAct) or hardware dongles (CmDongle).Use it with Windows, MacOS, Linux, .NET (also Mixed Mode), even VxWorks, and in the near future… Android.

The end result

As a result of our change in philosophy, we no longer put the bulk of our development effort into just creating API functions. We concentrate instead on improving AxProtector. And, it is true… part of that improvement process includes creating more sauces, improving existing sauces and changing the recipe. It is a constant process to stay one step ahead of the global hacking community. Now… Our “best practices” advice is to use the AxProtector wrapper along with the API.

Watch the 3 minute demo!

john poulsonJohn Poulson has worked in the software protection industry since 1988 and has been with Wibu-Systems since 2000. He is an expert in license authentication best practices and deep powder skiing.

Topics: CodeMeter, software copy protection, AxProtector, secure licensing

5 Reasons to Choose Software Copy Protection Dongles

Posted by John Poulson on Jan 29, 2013 9:55:00 AM

Dongles – The Historical “Bad Rap”

The WibuBox parallel port copy protection dongleWhen describing software protection dongles in a 2007 article appearing in PC Magazine, John C. Dvorak, a well-respected (but self-described curmudgeon) and award winning columnist said, “The dongle was a mostly failed copy-protection device that came into existence in the 1980s. It was also a point of controversy…”

The controversy mentioned by Mr. Dvorak boiled down to (1) The rights of software publishers to get paid for their efforts and (2) the rights of users to use the software they legally purchased without the inconvenience associated with plugging in a hardware dongle.

Activation Codes – The Compromise

In an effort to address the concerns of their users, software publishers rolled out a scheme of utilizing activation codes which bind a license to a PC. When companies like Microsoft and Adobe began requiring users to activate licenses, the practice became almost universal for software costing as little as $50.  In essence activation codes turn the whole PC into a “dongle”.

Dongles in the Twenty-first Century

It has been over five years since Mr. Dvorak’s comment. But more tellingly, it has been over twenty-five years since the first parallel port dongle appeared on a PC protecting the first CAD/CAM programs written for DOS.

Worldwide dongle sales have increased year over year since the late 1980s and any computer technology that has been around that long must have merit. And such software copy protection technology should be seriously investigated by any software publisher tasked with protecting Intellectual Property, controlling software usage via licensing, and preventing profit erosion due to wide-spread illegal use of software titles. If you are tired of seeing “free” versions of your products posted on bit-torrent sites; read on.

Why End-Users Prefer Dongles

The CodeMeter/C. All the benefits of CodeMeter and in a tiny package.Considering all the technologies that have come and gone in the last twenty-five years, it’s remarkable that dongles are not only still with us but are still undergoing improvement in both function and design. There are some things that an end user can do with a dongle that cannot be done with an activation code. In a recent survey of users who had software installed protected with a dongle, the following were the top five reasons they preferred this method of license enforcement over activation codes.

  • License Portability – The license is on the dongle and is easily moved from one system to another.
  • License Recovery – The end user can self-restore a license to an existing or replacement dongle.
  • License Borrowing – Licenses can be lent out (to travelling engineers and salespeople, for example)
  • License Redundancy – Important in “Mission Critical” applications (Ex:  Hot and Cold Stand-by licenses)
  • License Security – Conscientious companies do not want employees or others using software illegally.

Software Activation via activation codes can offer end-users the ability to recover licenses. This usually involves communicating with the software developer and convincing them that you need to move your legally purchased software to your new PC. This can be time consuming and problematic, especially if the activation code is protecting a 25 user license on a server where the hard drive just failed.

Dongles v Activations – Why not have both?

The CodeMeter License Platform from Wibu-Systems offers an ISV the option to seamlessly protect a product with a dongle and/or activation code. Either method has its pro and cons. We leave it up to you, your sales team and your customers to choose which method is best.

john poulsonJohn Poulson has worked in the software protection industry since 1988 and has been with Wibu-Systems since 2000. He is an expert in license authentication best practices and deep powder skiing.

Topics: CodeMeter, software copy protection, Copy Protection, dongles, software activation

Tariffs are not software protection

Posted by John Browne on Jun 19, 2012 11:57:00 AM

Kenya in a bold move has decided to eliminate duties on imported software as a means of combatting piracy. 

Apparently the piracy rate in Kenya is 83%, double the worldwide average, according to the BSA's 2011 global software piracy report

Of course, the total value of pirated software in eastern and southern Africa (excluding South Africa) is a relatively paltry $108M, chump change compared to the $9.7B in estimated value of pirated software in the US of A. (Note: I have no dog in this fight--the BSA has been criticized for the manner in which they calculate the "economic value" of pirated software; it's probably an inflated number because not everyone who steals something would buy it otherwise, but it's a consistent measurement so it has value to show trend lines.)

TThree cheetahs sitting in Kenya Africa acinonyx jubatus
These are not the cheatahs you are looking for. Three cheetahs sitting in Kenya Africa acinonyx jubatus by Stolz Gary M, U.S. Fish and Wildlife Service

Kenya's Finance Minister, Njeru Githae, is on the right track, but it won't solve the problem. In fact, I doubt it will make a dent in the problem. The reasoning seems to be that someone who is willing to steal something because it costs X will pony up instead if it costs less than X. 

Whether this will make ISVs rush to market products in Kenya or not I can't say. I can say unequivocally that the ISVs who aren't worried are the ones using robust software protection. When I park my car downtown, I don't first check to see what the current state of grand theft auto conviction rates are. I have a key, I lock the car, it's hard to steal. I want someone to rip it off, I can leave the key in it. It won't last long that way, unless it belongs to Jerry Seinfield.

Topics: software copy protection, Anti-piracy

The secret of software copy protection

Posted by John Browne on May 2, 2012 12:31:00 PM

Copyright infringement--which includes software piracy--is a big deal, even if the numbers are inflated. The federal government is all over this, but I wouldn't hold your breath waiting for them to make it all go away. For one thing, I believe most of this happens in countries where either we have no sway over their internal laws and enforcement policies (can you say former Soviet Union kiddies?) or where they are our banker. (Small aside: the federal government has been trying to eliminate illegal drug use in this country as well since Nixon and that's worked well, hasn't it?)

So the problem will be with us probably forever. So only prevention will work. If I have to park my car in a bad neighborhood, I'm going to make sure it has a serious anti-theft system on it. Maybe I can't stop them from stealing it, but I can make it more profitable to go steal someone else's car.

And that's the secret of software copy protection. You have to make it hard enough to steal your product that the perps will go steal something else. It's not like they're going to go work at Starbucks. They're criminals--they do criminal stuff. Maybe you'll get lucky and they'll rip off your competitor's product and all the real sales will fall in your pocket. Maybe they'll switch to Rolex watches and Gucci bags. 

Container freighter

Sounds easy, right? But how to accomplish it? The key is thoroughness. Let's switch to a different analogy--protecting your house. It doesn't make sense to have five locks on the front door if the back door is unlocked. Or if there's a storm cellar with a unlocked door into the basement. You have to think about all the places where bad guys could get in and secure all of them.

Software crackers won't spend their lives trying to break your AES encryption to get a key; they'll see the front door is heavily fortified and wander around looking for a window to break. This is where people who roll their own software copy protection go astray--they haven't learned to think like crackers, so they leave vulnerabilities they aren't even aware of.

Then they get cracked. 

 Man getting keys from a monitor.

Even if they don't roll their own solution, depending on a third-party vendor to provide a solution doesn't mean you can stop thinking about it. You need to make sure that your vendor has not left openings by focusing too much on the front door. A classic misstep is to believe in the server-side authentication of registered users. Setting aside the annoyance issue (what if there's no Internet connection? What if the server is down?) anytime you reduce the protection to a yes/no test it can be cracked by patching the code to always return the "correct" answer. This is a common ploy and in these cases the cracker isn't interested in how robust your encrypted server sessions are because he's go in the open window next to the front door.

Want to know more? More secrets of software copy protection.

Topics: software copy protection, Copy Protection, Anti-piracy

The world's worst software copy protection advice

Posted by John Browne on Apr 18, 2012 3:26:00 PM

So the VP of Sales was talking to the VP of Engineering and the VP of Sales was bemoaning how many copies were being ripped off through piracy. "What can we do?" she asked the VP of Engineering, who replied:

"We should write our own software copy protection system."

Halt. Full stop. Red alert. DEFCON 3! This is the worst advice possible.

call support small

Let's put it in perspective. Need a car? Build one. Going on vacation? Build an airplane first to fly there. Hungry? Start plowing...

Seriously, rolling your own solution for software copy protection is just asking for trouble. It's one of those things that, well like a lot of things, looks far easier than it is. We've been working on nothing else for over 20 years now and we still aren't finished. There ARE people out there who want to steal your software. Building your own copy protection system will almost certainly not slow down the pirates but will annoy your customers when it misbehaves. So save yourself some trouble. Pick up the phone and call us today

Topics: software copy protection, Copy Protection, Anti-piracy