
May 20, 2008

Is Encryption the Answer for POS Systems?

A recent Computer World article discussed a new encryption approach announced by Verifone to protect customer data transmitted from Point of Sale (POS) terminals. Of course encryption is useful, but the attack vector used in the Dave & Buster's restaurant chain breach involved two hackers who gained remote access to the POS servers and installed packet sniffing software.

Although encryption will close an easy access point, if it's implemented in software without additional code protection, then the hackers can hook or subvert the application prior to encryption or reverse engineer the keys themselves. Verifone may have considered this given that their announcement mentions "tamper resistant modules."

-Vic

May 19, 2008

Making Sense of the Recent BSA/IDC 2007 Global Piracy Study

The BSA and IDC get a lot of heat on the methodology used to arrive at global piracy trends, but I thought I’d comment on some of the results with respect to our own experience and other external references. In particular, two points within the report are worth expanding: piracy rates in emerging markets and the use of technology to slow piracy.

Impact of emerging markets:

First, emerging economies represent a significant piracy threat to certain software sectors.  According to the report, China alone had a piracy rate of 82% -- this is close to the estimated 90% piracy rate cited in a more complete analysis of China and Piracy (see UBS Investment Research Q-Series A Billion Dollar Opportunity?). In addition, piracy increases are proportional to internet user growth (e.g., more PCs, easier software availability, and better bandwidth make it easier to gain access to pirated software). Again, looking at China alone, it had the fastest growing internet user population (210 million according to the China Internet Network Information Center), so this finding makes sense.

Piracy of consumer products (Adobe, anti-virus, etc.) has always been an issue, but what is more noteworthy is the use of high value EDA, CAD, and other software to actually design and build products in these emerging markets. From experience, the EDA community is aware that its pirated software is used to build Printed Circuit Boards (PCB) and chips within emerging markets. The issue here is not just the loss of license revenue, but the advantages these countries have in winning manufacturing business since their software costs are virtually non-existent.

Use of technology:

The report included a minor reference to “software vendors building technical protections like digital rights management directly into their products to prevent illegal use.” Being in the software protection business, this statement is interesting given that we believe that larger software vendors are only starting to deploy or think about adding anti-reverse engineering technology into their software releases.

So where did this reference come from? I believe it’s related to Microsoft’s anti-piracy measures in its Vista release and its relationship with BSA. Microsoft said it recovered $164M in just one quarter late last year (see my previous blog post, "It Takes Microsoft Clout to See Anti-piracy progress in China"). Microsoft has seen significant revenue gains by using anti-piracy technology including phone home, activation, CD authentication, and anti-reverse engineering techniques.

We are also seeing other ISVs adopting these technology approaches, but implementing technology was not included in the BSA’s “5 steps to reduce piracy” section.  I imagine that this omission is most likely due to technology solutions not being aligned with the services that BSA offers.

I also believe the Digital Rights Management (DRM) label is incorrect in this context. DRM and licensing approaches have failed to reduce piracy for years. And for good reason, too: the focus of these technologies is on controlling the purchaser’s use or rights to the software and not on preventing reverse engineering. Software protection, on the other hand, is meant to fortify the DRM or licensing system and to prevent it from being easily circumvented to enable piracy.

Although the methodology used by BSA/IDC to measure the trends for software piracy may have holes, we know the problem exists. The report is useful for highlighting the countries with the highest piracy rates and providing a benchmark or global average for comparison. Technology, legal, and policy-based anti-piracy strategies should all be used in these geographies not just to recover lost license revenue, but to ensure that businesses in these countries do not have an unfair advantage from a software cost perspective when competing globally for services and manufacturing work.

May 09, 2008

Infected Firefox Add-in Demonstrates Need for Internal Code Protection

We've seen this threat before in the software piracy world, where illegal versions of antivirus products have been distributed via P2P networks with embedded malware. This latest story demonstrates the ease with which malware can cloak itself and be distributed within a legitimate application.

Mozilla unwittingly shipped the "W32/Xorer.A" worm embedded in a Firefox language pack. Although the story discusses the need for frequent virus scanning, malware writers could ensure that each time the file embeds itself, its signature is jittered to avoid detection. Imagine a scarier scenario where an enterprise or financial application becomes infected (by a compromised machine, insider threat, or offshore development) and the malware buried within the application is then distributed across thousands of desktops. Programming techniques exist that obscure the malware within application binaries and prevent it from being detected by virus scanners.

One option is to use software protection technology. By embedding runtime monitoring capabilities within an application file, the application can ensure its own integrity and prevent it from running in a tampered state no matter where it is distributed.
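The self-integrity check described above, as an added example that is not code from the original post or from any vendor's product. It models a shipped application image as a few named regions (standing in for a binary's code and data sections), attaches a release record of SHA-256 digests to it, and refuses to "run" if any region was altered, added or removed. All image bytes, region names and the simulated infection are constructed for this example; a real anti-tamper layer would embed the expected digests in the binary itself and shield the checking routine from being patched out, which is the "code protection" the post refers to.

```python
"""Runtime integrity self-check for a distributed application image.

Added example, not from the original post. Region names and bytes below
are constructed stand-ins for the sections of a real binary.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample image: three named regions, as a shipped binary would
# have code (.text), read-only strings (.rdata) and initialised data (.data).
RELEASE_IMAGE: Dict[str, bytes] = {
    ".text": b"\x55\x48\x89\xe5" + b"\x90" * 28,      # fake prologue + NOP sled
    ".rdata": b"language pack strings\x00",
    ".data": bytes(range(32)),
}


def digest_regions(image: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every region, keyed by region name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in image.items()}


def make_integrity_record(image: Dict[str, bytes]) -> dict:
    """The record a build system would attach to (or embed in) the release."""
    return {"algo": "sha256", "regions": digest_regions(image)}


def check_integrity(image: Dict[str, bytes], record: dict) -> List[str]:
    """Return the names of regions that differ from the release record.

    An empty list means the image is intact. Regions that were added or
    dropped count as tampered too, so an infector cannot hide by appending
    a new section instead of modifying an existing one.
    """
    expected = record["regions"]
    actual = digest_regions(image)
    bad = sorted(set(expected) ^ set(actual))          # added or removed regions
    bad += sorted(
        name for name in expected
        if name in actual and not hmac.compare_digest(expected[name], actual[name])
    )
    return bad


def infect(image: Dict[str, bytes], region: str, payload: bytes) -> Dict[str, bytes]:
    """Simulate a file infector appending a payload to one region (constructed)."""
    out = dict(image)
    out[region] = out[region] + payload
    return out


def launch(image: Dict[str, bytes], record: dict) -> str:
    """Gate execution on the integrity check, wherever the image was copied to."""
    bad = check_integrity(image, record)
    if bad:
        return "refused: tampered regions " + ", ".join(bad)
    return "running"


if __name__ == "__main__":
    record = make_integrity_record(RELEASE_IMAGE)
    print(launch(RELEASE_IMAGE, record))
    print(launch(infect(RELEASE_IMAGE, ".text", b"\xcc" * 4), record))
```

The check reports which region changed rather than a bare pass/fail, which is what an operator investigating a "refused to run" report on thousands of desktops would want. The unkeyed digest is the stdlib-only choice; a build-time signature over the same record, verified with a public key in the binary, is the stronger form, but either way the comparison code itself is the piece that needs protecting from a patch that simply makes it return "running".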

May 08, 2008

Crackers – A Lesson in Channel Marketing?

The Department of Justice announced the sentencing of a cracker to 30 months in prison – read the full press release here. This case was part of "Operation Copycat" which has resulted in over 40 convictions. It appears that in this case Mr. Fish was caught circumventing the licensing and encryption technology being used to protect software and DVDs and was quite busy within the groups, with over 13,000 software and other assets being pirated.

As many of you know, warez groups are made up of individuals that fulfill specific roles, and this announcement did a good job of describing some of the roles, which I’ve expanded on below.

  • Cracker/encoder - reverse engineers and circumvents copy protection, code protection, and licensing schemes
  • Packager - builds and tests cracked software for release
  • Equipment supplier - provides hardware and computers for the group
  • Supplier - acquires software from within the vendor or its supply chain to be provided to the group for cracking and distribution
  • Broker - finds groups to participate and recruits crackers
  • Courier - distributes cracked releases

It doesn’t take a lot of imagination to see how this model mirrors how many software vendors market and sell their software. As I’ve said before, piracy groups have become their own ISVs - they've got developers, testers and distribution.

This raises a couple of interesting questions: how can software vendors minimize the impact of piracy and is there anything they can learn from the pirates’ “business model?”