As Brian W. Kernighan and Rob Pike wrote in “The Practice of Programming“

As personal choice, we tend not to use debuggers beyond getting a stack trace or the value of a variable or two. One reason is that it is easy to get lost in details of complicated data structures and control flow; we find stepping through a program less productive than thinking harder and adding output statements and self-checking code at critical places. Clicking over statements takes longer than scanning the output of judiciously-placed displays. It takes less time to decide where to put print statements than to single-step to the critical section of code, even assuming we know where that is. More important, debugging statements stay with the program; debugging sessions are transient.

In programming, it is faster to examine the contents of a couple of variables than to single-step through entire sections of code.

Collecting security logs is key to information security management not only for understanding what and why an event happened but also in order  to  prove regulatory compliance with regulations such as the HIPAA security rule. The business requirements are that   security logs  should be both relevant and effective.

1. Relevant content of audit controls:  For example, providing a  detailed trace of an application whenever it elevates privilege in order to execute a system level function.
2. Effective audit reduction and report generation:  Given the large amount of data that must be analyzed in security  logs, its crucial that critical events are separated from normal traffic and that concise reports can be produced in real-time to help understand  what happened, why it happened and how it was mediated and how to mitigate similar risks in the future.

In security log analysis, it is faster and definitely more effective for a security analyst to examine the contents of a few real time events than to process gigabytes or terabytes of security logs (the equivalent of stepping through or placing watch points in sections of of a sub-modules with  hundreds or thousands of lines of code.

When you have to analyze security logs, it is easy to get lost in details of complicated data and flows of events and find yourself drifting off into all kinds of directions even as the bells go on in the back of your mind that you are chasing ghosts in a futile and time-consuming exercise of investigation and security event debugging.

In order to understand this better, consider another analogy, this time from the world of search engines.

Precision and recall are key to effective security log analysis and effective software debugging.

In pattern recognition and information retrieval, precision is the fraction of retrieved instances that are relevant, while recall is the fraction of relevant instances that are retrieved. Both precision and recall are therefore based on an understanding and measure of relevance. When a program for recognizing the dogs in a scene correctly identifies four of the nine dogs but mistakes three cats for dogs, its precision is 4/7 while its recall is 4/9. When a search engine returns 30 pages only 20 of which were relevant while failing to return 40 additional relevant pages, its precision is 20/30 = 2/3 while its recall is 20/60 = 1/3. See Precision and recall in the Wikipedia.

In other words – it doesn’t really matter if you have to analyze a program with 100,000 lines of code or a log file with a terabyte of data – if you have good precision and good recall.

The problem is however, that the more data you have, the more difficult it is to achieve high precision and recall and that is why real-time events (or  debugging statements) are more effective in day-to-day security operations.

In order to determine how encryption fits into server data protection, consider 4 encryption components on the server side: passwords, tables, partitions and  inter-tier socket communications.

In these 4 components of a application / database server encryption policy, note that some countermeasures are required (for example one-way hashes of passwords, while other such as encrypting specify table columns may or may not be relevant to a particular application).

1. Encrypted password storage

You must encrypt passwords. It’s surprising to me how many Web sites don’t bother encrypting user passwords – See cases Universal Music Portugal where e-mail addresses and clear-text passwords are dumped on Internet.

What is more surprising is the confusion between encryption and hashing.

Don’t use AES for encrypting passwords in your MySQL or Oracle or MS SQL database.  You’ll end up storing the AES key somewhere in the code and an attacker or malicious insider can read the key by opening up one of your application DLLs in Notepad++ and read that key in a jiffy and breach your entire MySQL database with a single SELECT statement.

Database user passwords should be stored as MD5 hashes, so that a user  (such as a DBA) who has been granted SELECT access to the table (typically called ‘users’)  cannot determine the actual password. Make sure that different instances have different salts and include some additional information in the hash.

If you use MD5 encryption for client authentication, make sure that  the client hashes the password with MD5 before sending the data on the network.

2. Encrypt specific database table columns

The PostgreSQL 9.1 pgcrypto module allows certain fields to be stored encrypted. This is especially useful if some of the data is sensitive for example in the case of ePHI where the Web application needs to comply with the CFR 45 Appendix A Security rule. The client software provides the decryption key and the data is decrypted on the server and then sent to the client.  In most cases the client (a database driver in an MVC application such as Ruby on Rails or CakePHP or ASP.NET MVC is also a server side resource and often lives on the same physical server as the database server. This is not a bad thing.

3. Encrypt entire data partitions

Encrypting entire data partitions has its place.

On Linux, encryption can be layered on top of a file system using a ”loopback device”. This allows an entire file system partition to be encrypted on disk, and decrypted by the operating system. Many operating systems support this functionality, including Windows.

Encrypting entire partitions is a security countermeasure for physical attacks, where the entire computer is stolen. Research we did in 2007 indicated that almost 50% of large volume data breaches employed a physical attack vector (stealing a notebook at a hotel checkin desk, hijacking a truck transporting backup tapes to Iron Mountain and smash and grab jobs where thieves know the rent-a-cop walkaround schedule and break in and steal desktop computers.

On the other hand, once the volume is mounted,  the data is visible.

4. Encrypt socket communications between server tiers

SSL has it’s place, although SSL is not a silver bullet countermeasure for Microsoft Windows vulnerabilities and mobile medical devices vulnerabilities as I wrote here, here and here.

SSL connections encrypt all data sent across the network: the password, the queries, and the data returned. In database client-server connections,  relational database systems such as PostgreSQL allow administrators to specify which hosts can use non-encrypted connections (host) and which require SSL-encrypted connections (hostssl). Also, clients can specify that they connect to servers only via SSL. Stunnel or SSH can also be used to encrypt transmissions.

As a preface, begin with the understanding that you already have all the resources you need.

Discussions with colleagues in a large forensics accounting firm that specialize in anti-fraud investigations, money laundering and anti-terror funding (ATF), confirm what I’ve suspected for a long time. Armies of junior analysts working for the large accounting firms who have never seen or experienced a fraudulent event and are unfamiliar with the your business operation are not a reasonable replacement for careful risk analysis by the business done by people who are familiar with the business.

Step # 1- Do not do an expensive business process mapping project.

Many consultants tell organizations that they must perform a detailed business process analysis and build data flow diagrams of data and users who process data. This is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why they tell you to map data flows. The added value of knowing data flows inside your organization between people doing their job is arguable. There are much better ways to protect your data without writing out a 7 digit check. Here is the first one you should try out. Select the 10 most valuable data assets that your company owns. For example – proprietary mechanical designs of machines, detailed financials of a private company being acquired, and details of competitive contracts with large accounts. In a few interviews with finance, operations, IT, sales and engineering, you can nail down those key assets. After you’ve done that, schedule a 1 hour meeting with the CFO and ask her how much each asset is worth in dollars. In general, the value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO in dollar terms – in terms of replacement cost, impact on sales and operational costs.

Step #2 – Do not develop a regulatory compliance grid.

There is no point in taking a non-value-added process and spend money making it more effective.

My maternal grandmother, who spoke fluent Yiddish would yell at us – ” grosse augen” when we would pile too much food on our plates. ” Grosse augen” ( or as my folks put it); is having eyes that are bigger than your capacity. Yes, US publicly traded companies are subject to multiple regulations – if the company sells to customers and stores and processes PII (personally identifiable data) they will have to deal with PCI DSS 1.1, California State Privacy Law, Sarbanes-Oxley PCI DSS 1.1 protects one asset – payment card numer and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects – eliminating redundancy where possibility using commonality.
Looking at all the corporate governance and compliance violations; cases such as Hannaford supermarkets and AOL – it’s clear government regulation has not made America more competitive nor better managed.

Step #3 – Identify the top 5 data assets in your business and valuate them

I saw an article recently that linked regulatory compliance mandate and asset cost. Definitely not true – the value of an asset for a company is whatever operational management/CFO say it is. Asset value has nothing to do with compliance but it has everything to do with a cost effective risk control plan. For example – a company might think that whole disk encryption on all company notebook computers is a good idea – but if only 20 people have sensitive data – why spend 1 million dollars on mobile device data encryption when you can solve the problem for less than 5k?

Step #4 – Do not store PII

The absolutely worst thing you can do is a project to analyse data retention and protection regulations that govern each of the sensitive data elements that need protecting, and working with legal and compliance consultants who know the relevant regulations. VISA has it right. Don’t store credit cards and magnetic strip data. It will not help the marketing guys sell more anyway – and you can give the money you save on some fancy database encryption software to the earthquake victims in Myanmar and China.

Step #5 – Monitor your outsourcing vendors

Despite the hype on trusted insiders, most data loss is from business partners. You can write a non-disclosure agreement with an outsourcing vendor and trust them, but you must verify their compliance and prevent unauthorized data leaks.

The best story I had in years was in a meeting with the VP internal audit at a medium sized bank in Israel. He took a sales call with me and I pitched our extrusion prevention technology from Fidelis Security Systems as a way to protect their customer data. He said – look Danny, we don’t need technology – we’ve outsourced everything to a very large bank and their data center security is world-class. Two weeks later, the big bank had a serious data breach event (a high school student hacked into the internal network of the bank from a public Windows-based kiosk and helped himself to some customer lists. Two months later, the small bank was reported to be looking to get out of their outsourcing contract. Don’t rely on contracts alone – use people and DLP technology to detect data leakage.

Step #6 – Do annual security awareness training but keep it short and sweet

Awareness is great but like Andy Grove said – “A little fear in the workplace is not necassarily a bad thing”. Have everyone read, understand and sign a 1 page procedure for information security. Forget interview projects and expensive self-assessment systems – what salesman in his right mind will take time to fill out one of those forms – if he doesn’t update his accounts on salesforce.com? Install an extrusion detection system at the network perimeter. Prosecute violators in real time. Do random spot checks on the read-and-understand procedure. Give demerits to the supervisors and managers if their employees don’t pass the spot check.

Step #7 – Calculate valuate at risk of your top 5 data assets

ISO 27001 and PCI DSS 1.1 checklists are great starting points but they focus on whether a particular technology, policy or control has been implemented, and not whether these controls are cost-effective security countermeasures against internal and external attackers. Use Practical Threat Analysis with a PTA risk library for ISO 27001 or PCI DSS 1.1 and you will be able to build a cost-effective risk mitigation plan based on asset values, threat probabilities and estimated damage levels.

Step #8 – Ask your vendors and colleagues difficult questions

After you’ve done a practical threat analysis of your risk exposure to attacks on sensitive customer data and IP you will be in better position than ever to know what policies, procedures and technologies are the most effective security controlss. You’ll be in an excellent position to ask difficult questions and negotiate terms with your favorite vendor. While the attitude of many companies is to hold data protection protections close to their chests, it is valuable to talk to your colleagues at other companies in the same market and get a sense of what they have done and how well the controls perform.

Step #9 – Resist the temptation to do a customer data integration (CDI) project.

Customer data is often stored in many applications and locations in a large organization. The knee-jerk reaction of IT is to do a big data integration project and get all the digital assets under one roof. There are three reasons why this is a terrible idea. (a) Most of these projects fail, overrun and never deliver promised value (b) If you do suceed in getting all the data in one place, it’s like waving a huge red flag to attackers – heah , come over here – we have a lot of sensitive data that is nicely documented and easily accessible. Companies with enterprise software systems such as SAP and Oracle Applications are three times more likely to be attacked. (c) Ask yourself – would Google have succeeded if with global data integration strategy?

Step #10 – Prepare a business care for data loss prevention before evaluating products

Despite claims that protecting data assets is strategic to an enterprise, and IT governance talk about busines alignment and adding value – my experience is that most organizations will not do anything until they’ve had a fraud or data security event. The first step to protecting customer data and IP in any sized business from a individual proprietership to a 10,000 person global enterprise is laying the case at the door of the company’s management. This is where executives need to take a leadership position – starting with a clear position on which data assets are important and how much they’re worth to the company.

Practical threat analysis is a great way to identify and assess threats to your business and evaluate the potential business impact in dollars and cents to your operation using best-practice risk models provided by the PTA Professional threat modeling tool.

In summary

Software Associates specializes in helping medical device and healthcare software vendors achieve HIPAA compliance and protect customer assets and provides a full range of risk management services, from stopping fraud to ensuring regulatory compliance and enhancing your ability to serve your customers.

There are resources that help you turn information into insight such as   Risk Management from LexisNexis, Identity Fraud TrueID solutions from LexisNexis that help significantly reduce fraud losses and Background Checks from LexisNexis that deliver valuable insights that lead to smarter, more informed decisions and greater security for consumers, businesses and government agencies.For consumers, its an easy way to verify personal data, screen potential renters, nannies, doctors and other professionals, and discover any negative background information that could impact your employment eligibility. For businesses and government agencies, it is the foundation of due diligence. It provides the insight you need to reduce risk and improve profitability by helping you safeguard transactions, identify trustworthy customers and partners, hire qualified employees, or locate individuals for debt collections, law enforcement or other needs.

I’ve been talking to our medical device customers about mobile security of implanted devices for over a year now.

I  gave a talk about mobile medical device security at the Logtel Mobile security conference in Herzliya a year ago and discussed proof of concept attacks on implanted cardiac devices with mobile connectivity.

Mocana, is a company with a pretty impressive line of security products for embedded devices – working at the firmware layer it appears. Mocana secures the “Internet of Things” – the 20 billion non-PC devices that are increasingly connecting to networks across every sector of our economy including Smartphones, Datacom, Smartgrid, Federal, Consumer and Medical. These devices already outnumber workstations on the Internet by about five to one, representing a $900 billion market that’s growing twice as fast as the PC market.

The Mocana Deviceline blog reports that “Alarmed by new research showing the increasing vulnerability of wireless implanted medical devices, two members of Congress have asked for hearings on the security of these devices“

Mobile and medical and regulatory is a pretty sexy area and I’m not surprised that politicians are picking up on the issues. After all, there was an episode of CSI New York last year that used the concept of an EMP to kill a person with an ICD, although I imagine that a radio exploit of  an ICD or embedded insulin pump might be hard to identify unless the device itself was logging external commands.

Congress was more concerned about the regulatory issues than the patient safety and security issues:

Representatives Anna Eshoo (D-CA) and Ed Markey (D-MA), both members of the House Energy and Commerce Committee sent a letter last August asking the GAO to Study Safety, Reliability of Wireless Healthcare Tech and report on the extent to which FCC is:

• Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology.
• Taking steps to improve the efficiency of the regulatory processes applicable to broadband and wireless enabled medical devices.
• Ensuring wireless enabled medical devices will not cause harmful interference to other equipment.
• Overseeing such devices to ensure they are safe, reliable, and secure.Coordinating its activities with the Food and Drug Administration.

At  Black Hat August 2011, researcher Jay Radcliffe, who is also a diabetic, reported how he used his own equipment to show how attackers could compromise instructions to wireless insulin pumps.

Radcliffe found that his monitor had no verification of the remote signal. Worse, the pump broadcasts its unique ID so he was able to send the device a command that put it into SUSPEND mode (a DoS attack). That meant Radcliffe could overwrite the device configurations to inject more insulin. With insulin, you cannot remove it from the body (unless he drinks a sugary food).

The FDA position that it is sufficient for them to warn medical device makers that they are responsible for updating equipment after it’s sold and the downplaying of  the threat by industry groups like The Advanced Medical Technology Association is not constructive.

Following the proof of concept attack on ICDs by Daniel Halperin from the University of Washington, Kevin Fu from U. Mass Amherst et al “Pacemakers and Implantable Cardiac Defibrillators:Software Radio Attacks and Zero-Power Defenses”  this is a strident wakeup call to medical device vendors  to  implement more robust protocols  and tighten up software security of their devices.

The Little Engine That Could

Copyright 2004 Joel Isaacson. This work is licensed under the Creative Commons Attribution License.

I  try to explain what are the top 10 mistakes made by Linux developers as I see it. I’m aware that one person’s mistake is another person’s best practice. My comments are therefore subjective.

I will use an embedded Linux device, the WRT54GS, a wireless router as an illustration of an embedded Linux device.An interesting article about this device can be found in: http://www.pbs.org/cringely/pulpit/pulpit20040527.html.

“The Little Engine That Could” How Linux is Inadvertently Poised to Remake the Telephone and Internet Markets – By Robert X. Cringely

So what are the top 10 mistakes made by Linux developers?

10 – Pick a vendor.
9 – Then pick a platform.
8 – We are not in Kansas anymore.

Support Issues

10 – Pick a Vendor

• In my experience picking a large foreign company for support is not the best way to go for various reasons.
• More about this later.

Which Linux?

From: ” Snapshot of the Embedded Linux market March, 2004″
http://linuxdevices.com/articles/AT8693703925.html

Which Vendor?

From: ” Snapshot of the Embedded Linux market March, 2004″
Instead of rolling their own OS from scratch, embedded developers now roll their own OS from Linux source. The barchart shows that, collectively, embedded Linux vendors including MontaVista, Metrowerks, TimeSys, Denx, Sysgo, LynuxWorks, and FSMLabs have supplied Linux for only 22 percent of projects during the last two years, projected to reach 24.2 percent over the next two years.

http://linuxdevices.com/articles/AT8693703925.html

9 – Then Pick a Platform

• Most people immediately turn to Intel for a platform.
• If you are running high performance commodity systems this makes sense.
• For smaller embedded systems the Intel X86 architecture isn’t necessarily the best choice.

Which Processor?

ARM — including StrongARM and XScale architectures – are gaining on x86 as the most popular processor architecture for embedded development. This year’s results show that trend continuing. And, for the first time, embedded Linux developers are projecting that they’ll base more projects on ARM than x86 processors in their projects during the next two years.

http://linuxdevices.com/articles/AT8693703925.html

8 – We are not in Kansas anymore.

• Linux is a disruptive technology. A once in a generation paradigm change.
• If you don’t change your methods of dealing withsoftware support, you will not benefit.
• Let’s examine the issue of support in Open Source Systems.

Commercial vs. Open Source Knowledge Base – cost and access

Who Do You Turn To?

• There are three viable approaches in dealing with support issues in Linux.
  • Get support from a large foreign software company.
  • Get support from a smaller local software company
  • Support yourself.

Support:
Large Foreign Company

• There are a number of fairly large companies that support embedded Linux:
  • IBM
  • Montavista
  • RedHat
• You have to be careful of ” vendor lockin”
• Why go to Linux and then sell your soul to the devil?

Support: Small Local Company

• There are a number of local companies that can provide support for embedded Linux.
• The nice thing about this approach is that the local companies are not at a disadvantage since there is no proprietary or hidden software in the embedded Linux solution.
• Just look around you, there is plenty of talent in this country.

• No ” vendor lockin” .

Support Yourself:

• Since everything is open you can provide your own support.
• This is definitely the most effective, but it needs the largest investment of time and talent.
• There is a lot of help available on the Internet and recently published books.

7 – I want it to run real fast.

Well boy you need real time.

Real Time Systems

• A large amount of confusion exists about the uses of commercial RTOS’s
• This confusion is largely propagated by companies that sell RTOS’s.
• The use of RTOS’s in embedded systems is mostly a historical anomaly.

Real Time Systems

• Real time systems are optimized to minimize worse case latency (the response time).
• Interrupt latency is usually the criterion that defines how “Real Time” the operating system is.
• RTOS are usually needed to control hardware that has strict time constraints.

Embedded Systems

• Embedded systems are systems with limited human interaction.
• These systems are sometime very small but not necessarily.
• The embedded computer market is huge The shipment volume of embedded systems is much larger than the PC computer market.

Latency vs Throughput

RTOS
Linux
Real Time – Says Who?

• The majority of realtime systems aren’t.
• Embedded systems are often misclassified as realtime systems. However, most systems simply do not require realtime capabilities, in fact these capabilities are detrimental.

• Realtime requirements are often simply designed out through the use of a deeper hardware FIFO, scatter/gather DMA engines and custom hardware.

So You Still Want Real Time!

• There are a number of approaches that can be used to provide Real Time Response:
• Soft Real time: There are various low latency patches to the standard Linux kernel:
  • Montavista’s
  • Redhat’s
• Hard Real time: The are a number of hard real time kernel patches:
  • Rtai
  • RtLinux

6 – Posix RealTime Extensions

Posix.4 RealTime Extensions to Linux

• Posix.4 adds realtime facilities to Posix.
• This standard add the facilities typically used in RTOS’s.
• In my opinion using these facilities are a recipe for trouble.
• There are no standard Linux programs that use these facilities, just look at your favorite Linux distribution.

Use Linux’s Strong Simple Abstractions

• Linux supports some very powerful abstractions that should be preferred over many weaker techniques.
• The major strong abstractions of Linux are:
  • Files
  • Processes
  • Memory spaces
  • IPC

5 – Java

• While this is difficult to classify as a mistake, it is worth noting that virtually no standard Linux programs are written in Java.

• Sun itself uses GnomeGtk for its desktop, which is written in C. If Java is so good why doesn’t Sun use it.
• Sun releases a SUSE version of Linux, without any Java programs, and dubs it the ” Java Desktop System” .

4 – Scaling

• Embedded environments many times have restrictive resources and the software must be properly scaled to run on the platform.
• Things that are appropriate for a large enterprise server, such as Apache, PHP, graphical toolkits that are familiar to many Linux users are just too big for restricted embedded hardware.
• Trying to squeeze these large programs into small flash memory is just no fun.

3 – Threads

• The main problem with threads is that they are hard to use correctly. Even for experts,development is painful.

http://www.cc.gatech.edu/ccg/people/rob/software/threads/ousterhout_threads.html

Why Threads are Hard

• Synchronization:
  • Must coordinate access to shared data with locks.
  • Forget a lock. Corrupted data.
• Deadlock:
  • Circular dependencies among locks.
  • Each process waits for some other process.

Why Threads are Hard, cont’d

• Achieving good performance is hard:
  • Simple locking (e.g. monitors) yields low concurrency.
  • Finegrain locking increases complexity, reduces performance in normal case.
  • OSes limit performance (scheduling, context switches).
• Threads not well supported:
  • Hard to port threaded code (PCs? Macs?).
  • Standard libraries not threadsafe.
  • Kernel calls, window systems not multithreaded.
  • Few debugging tools (LockLint, debuggers?).

Debugging Threaded Programs

If Not Threads Then: EventDriven Programming

• One execution stream: no CPU concurrency.
• Register interest in events (callbacks).
• Event loop waits for events, invokes handlers.
• No preemption of event handlers.
• Handlers generally shortlived.

• Main loop architecture.

Process Based Concurrency

Process Based Concurrency Another Alternative

• Use processes for concurrency rather than threads.
• Synchronize processes with event based IPC.
• Advantages:
  Simpler and surprisingly more efficient synchronization than threads.
• send/rcv is self synchronizing and buffered.
  No race conditions. Much simpler to debug. Trivial to distribute.

Process Based Concurrency

P1 P2 P3 P4
Event Based Manager
Process Based Threading
Another Alternative

• Instead of sharing all memory, create processes with a shared memory region.
  • This allows you to minimize the interaction of the processes to a well defined subset of the total memory space of the application.
  • Thread safe libraries are not needed.
  • Use POSIX 1003.1b semaphores to synchronize shared data.
  • No performance hit.

2 – Use the Source Luke

• The source is your friend.
• The GPL creates a unique situation that makes many embedded devices transparent.
• The WRT54G wireless router is a case in point.
• Linksys (a Cisco company) shipped this box without any indication that the software was GPL’ed
• Someone noticed that this was a Linux box and sent an email:

The Letter

From Andrew Miklas <>
Subject Linksys WRT54G and the GPL
Date Sat, 7 Jun 2003 22:41:23 0400
Hi,
Awhile ago, I mentioned that the Linksys WRT54G wireless access point used
several GPL projects in its firmware, but did not seem to have any of the
source available, or acknowledge the use of the GPLed software. Four weeks
ago, I spoke with an employee at Linksys who confirmed that the system did
use Linux, and also mentioned that he would work with his management to
ensure that the source was released. Unfortunately, my emails
to this
individual over the past three weeks have gone unanswered. Of course, I also
tried contacting Linksys through their common public email
accounts
(
 pr@linksys.com,
 mailroom@linksys.com) to no avail.

Linksys Releases The Source

• Linksys eventually released the sources.
• You can just download it from their web site.
• This launched ” The Little Engine That Could” .
• They have done very well with this product.
• If you want to design an embedded Linux product just look at the completely transparent design of the WRT54G for a guide on how to design an embedded system.

1. GPL Violations

• Israeli companies tend to ignore the finer details of legalities.
• Violations of the GPL are a serious matter.
• Recently the GPL has been upheld in its first court test in Germany.
• The authors of netfilter, Linux’s firewall, has been granted an injunction against Sitecom Germany GmbH for GPL violations.

Typical to flawed security countermeasures, HDCP and AACS exacerbate and enlarge the threat surface rather than enhance revenues and reduce risk.

In this article we will show that Network PVR services may be an effective strategy for studios to mitigate the risk of content piracy.

Background

NetFlix, Vudu and Universal Studios Home Entertainment are skipping over HD-DVD/Blu-ray formats in favor of what some industry observers say is inevitable – download-only distribution.

Beginning November 23 2007, Vudu started giving new buyers “The Bourne Identity” and “The Bourne Supremacy” pre-loaded on their set-top boxes in HD. Buyers can purchase a downloaded copy of “The Bourne Ultimatum”, for $25 starting December 11, 2007.

The VUDU box and services sounded pretty cool to me when I first saw it – until I realized that the price of the “The Bourne Ultimatum HD” on Amazon is $27.99 with free Super Saver Shipping and the I don’t need to buy the Vudu and commit to their service. It’s two bucks less with Vudu but the VUDU STB sets you back $250 (reduced from $400). The Vudu business model does not seem extremely compelling. Although you have a hard disk – you cannot go back and view a movie if you ran out of time in a single sitting. The Netflix business model of having 3-5 movies for unlimited usage still seems a winner and in comparison, Vudu just doesn’t seem to have all the movies we’d want to see.

The price of SD (standard definition) DVDs is between USD2-5, depending on where you live and HD DVD seems to be going for about USD25-30, depending on the movie and season of the year. It’s cheaper and more convenient for a consumer to rent or buy a DVD from NetFlix or Blockbuster then to pay Vudu. if you want to see the latest episode ofDexter you can’t even get it on Vudu, and BitTorrent is more accessible not to mention, free.

While Vudu seem to have done some impressive engineering work on their STB, if they get any widespread traction, it may only be a matter of time until some irritated user cracks their box or bypassess the content protection.

What is HD (High Definition) video?

There is a good deal of confusion regarding exact definitions and consumer electronics product requirements for HD (high definition). HD refers to the quality of the picture (not to the means of digital content protection). Digital HDTV broadcast systems are defined by the number of lines in the vertical display resolution, the scanning system: (progressive (p) or interlaced (i) and the number of frames per second. The 720p60 format is 1280×720 pixels, with progressive encoding at 30 frames per second. The 1080i50 format is 1920×1080 pixels, with interlaced encoding at 25 frames per second. For commercial naming of the product, either the frame rate or the field rate is dropped, e.g. a “1080i television set” label indicates only the image resolution.

Is HD for digital TV only? (no)

If you have have an older TV set with an analog RCA interface, you’re in luck – the issues of digital HDTV are eliminated by connecting your TV set to a DVD player using the analog HD signal output with RCA connectors instead of HDMI. The analog outputs of most HD devices will replicate the resolutions of the digital outputs i.e. 720p and 1080i, so fidelity of the picture is maintained. Connectivity is via standard VGA HD15 connector or high-resolution component video output using 3 x RCA connectors. Analog HD signals can also be distributed over standard Cat5 cable up to a few hundred meters, which is pretty convenient if you have a large house or a small hotel.

What is HDCP?

High-bandwidth Digital Content Protection (HDCP) is a proprietary DRM scheme for protecting premium HD content. HDCP was developed by Intel Corporation to control digital audio and video content transmitted on DVI (digital video) and HDMI (high definition media) interfaces in consumer electronics devices such as DVD, STB, TV Sets. Compliance with HDCP requires a license from Digital Content Protection LLC, a subsidiary of Intel. In addition to paying fees, manufacturers agree to downgrade quality when interfacing to non-HDCP compliant devices. For example, HD video is downgraded to DVD quality on a non-HDCP compliant TV set. HDCP also incorporates a black-listing scheme of cracked devices using a key-revocation scheme where the black list is stored on the DVD media.

HD content protection – fundamentally flawed

The HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Timbuktu hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI / HDCP signal copies a movie enroute to your model TV Set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Blu-Ray copy protection was broken in the beginning of this year (January 2007) (Courtesy of muslix64, the same fellow who cracked HD-DVD). Both HD DVD and Blu-ray use HDCP (High-Bandwidth Digital Content Protection) for authentication and content playing, and both use the AACS (Advanced Access Content System) for content encryption. (AACS is the content protection for the video on DVDs and HDCP is the content protection on the HDMI link between the DVD player and the TV). It appears that muslix64 took a snapshot in memory of a running process, then used selective keying – serially trying bytes 1-4, then 2-5, 3-6 etc as the keys until the MPEG frame decrypted. (much faster than a pure brute force attack). If the video player process stores the key in clear text in memory, this type of attack will always work. Like most flawed encryption schemes, AACS is vulnerable to threats to due a poor software implementation.

” The AACS design prevents legitimate purchasers from playing legitimately purchased content on legitimately purchased machines, and fails to prevent people from ripping the content and sharing it through bittorrent. The DRM people wanted something that could not be done, so unsurprisingly they winded up buying something that does not do it”

James Donald.

Now you understand why BitTorrent is so popular.

A popular TV series like Heroes is available for download on BitTorrents worldwide in AVI format within a few hours after airing with the commercials edited out. OK – Heroes is SD, not premium content like ” The Bourne Ultimatum” but so far I reckon the quality of the AVI download is not deterring users from watching Heroes off BitTorrent.

In world of download-only distribution, studios have an opportunity for expanding business using the Internet and a huge digital asset protection challenge. From the perspective of piracy (protecting intellectual property of the studio) and revenue assurance; being able to download HD content to a PC or PVR disk is an ugly threat, especially considering how easy it has been to crack or bypass AACS content protection in Blu-Ray and HD DVD until now. Once the content is stored on a hard disk on a Windows PC, you’ve lost control for ever.

The software and algorithms for Premium HD content protection are fundamentally flawed as Peter Gutmann shows in his article: A Cost Analysis of Windows Vista Content Protection

Alternatives for a download world.

As the consumer Internet moves towards a download-only distribution model, the motion picture industry needs to find answers to their digital asset protection challenge without biting the hand that feeds them.Network PVR may conceivably be the most effective method for protecting digital movie content from the perspective of both the studios and the consumer.

There is no such thing as a single silver-bullet, optimally-effective countermeasure to the vulnerabilities of flawed content protection schemes, flawed software implementations and vulnerable PC operating systems. That is the mistake of an over-reaching scheme like HDCP.

Gutmann’s analysis is outstanding in its breadth and depth but he doesn’t propose a system of countermeasures which would help the studios protect their intellectual property. In order to identify the most cost-effective set of countermeasures to the threat of piracy, we start off by examining risk profiles of different digital content distribution implementations.

Digital content distribution vulnerabilities

Fortunately, a threat analysis of digital content distribution (VOD and live content) is simplified by having one asset (the digital content) and one major threat; piracy (people who want to make unauthorized copies of the content and give it away for free). This means that we can focus on the vulnerabilities.

The below heat diagram provides a qualitative threat analysis of digital content distribution. The Y-axis is the channel – broadcast or Unicast (for the sake of classification, we call distribution of physical DVDs – ” Unicast ” since sale of a DVD is performed between only two parties – the seller and buyer). The X-axis classifies whether or not the subscriber stores the content on a hard disk.

Red is high risk, Orange is medium risk and Yellow is low risk.

As seen in the bottom left quadrant of the above heat diagram, network PVR has less vulnerabilties and lower risk. Note that the video servers are stored in the operator premises in a controlled and secure operating environment and are much less vulnerable than subscriber set-top boxes.

An introduction to Network PVR

Cablevision, the New York suburban cable provider, took an aggressive approach to Network PVR (NPVR) services that ran into strong resistance from the content industry. Cablevision uses an NPVR service where they record broadcast TV channels at the head-end and the subscriber can replay specific programs at a later time on a disk-less set top box (the NPVR). If the area of personal video recording is not familiar to the reader – see the Wikipedia article on Digital video recorders

Cablevision felt that it had the right to do this, but the TV networks disagreed. They sued, Cablevision lost and is now appealing that decision.

FastWeb in Italy is a service based on Cisco technology that provides 100MB/s to the home. FastWeb launched their NPVR service with a nuanced approach – the subscriber requests that a TV program be recorded. FastWeb records that program and allows only that viewer and any other viewers who requested recording the program to view it later. This was no worse that if the viewer owned a Tivo, so the TV broadcasters in Italy accepted it.

The Cablevision case is particularly relevant for IP network providers. Their IPTV networks are better suited than cable networks to support NPVR and other on demand services. NPVR can give the telcos a significant advantage over the cable companies.In addition, it keeps all the traffic in the network provider cloud and significantly removes the load on WAN connectivity to the Internet from all those home users downloading pirated copies of the Lord of the Rings movie and the latest episode of Heroes

A threat analysis of a Network PVR service

There are three main security concerns for a TCP/IP Unicast Network PVR system:

1. Digital content protection at the subscriber premise.
2. Digital content protection for content in motion and content at rest in video servers.
3. Authentication (identifying a valid subscriber with a STB and protecting the VOD provider from fraudulent usage)

In light of the Cablevision case, we constructed a scenario based on a Unicast NPVR service that provides VOD, and live-content recording of shows at subscriber-requests, and performed a threat analysis using the PTA (Practical Threat Analysis) methodology, Assuming that the operator installs diskless set-top Boxes (STB) at the subscriber premise and video servers in the network operation,we identified the following threats, vulnerabilities and countermeasures.

Threats are labelled TX, exploited vulnerabilities are labelled VX and countermeasures that mitigate the vulnerabilities are labelled CX.

T1 – The subscriber may steal plain-text content by tapping the STB ethernet link.

V1- Transmission of clear-text content enables interception using off-the-shelf network tap devices that cost less than USD 500 The breakeven point on a network tap is about 20-25 movies which makes it worthwhile to buy a tap for a semi-serious hacker.
Call Netoptics Network Taps for a quote.

C1 – Encrypt content on video servers, decrypt content on STB
C2 – Encrypt keys on video servers or don’t store keys
C3 – Place physical safeguards on key access
 

T2 – The subscriber may capture an output signal from STB to home TV set and distribute by a Bit Torrent

V2 – The DVI/HDMI cable from STB to TV set can be tapped.

C4 – Let subscribers use an analog cable (so-called ” analog-hole “)
According to FCC fair-use rulings, free over-the-air broadcast signals may be copied freely, and may not be reduced in resolution (” down-res’d” ) when output from unprotected high-definition analog ports.
C5 – Protect content with an economic ” dis-incentives”
It’s easier and cheaper to buy the HD DVD movie for USD 25-30 at Amazon than to hack the technology. If the IPTV operator provides a rich collection of SD, HD and Television series content for an attractive price, without changing the way a subscriber runs her life, the economic incentive for piracy becomes minimal.

T3- A subscriber may redirect a video stream to other NPVR users who did not pay for the content

V4 – The STB vendor may sell boxes to competitors
V5 – STB Middleware commands can be manipulated
V6 – Unauthorized users may engineer STB clones to access the NPVR service

C7 – Restrict redirection of content in the STB middleware to the IP address of the STB that made the command request.
C8 – Require subscriber authentication by the video server for each NPVR content request.

T4 – Malicious attackers may mount a denial-of-service attack and overload video servers.

V7 – VOD servers may be accessible from the public Internet

C9 – Segregate the VOD network from the public Internet with firewall and VLAN.

T5 – A trusted insider in the IPTV operation may steal clear-text content.

V3 – Employee with who work for the network provider may have physical access to content before source-encryption

C10 – Vet employees, have them work in pairs; don’t employ students or temporary contractors.
C11 – Check bags leaving the building for removable media
C12 – Detect unauthorized network transfer of clear text content using extrusion detection techniques in network core.

Conclusions

• It’s a lot easier to protect content on IPTV video servers in a controlled environment of a Telecom service provider than on a Windows PC in someone’s home.
• An attack could be mounted on the STB/NPVR network in order to steal master keys and decrypt encrypted content. The cost of mounting such an attack is far greater than the economic alternative of buying HD DVD media on the open market and producing pirated copies or ripping the media and putting it on a Torrent.
• Since BitTorrent is both a strong competitor and sucks up a lot of ISP bandwidth (over 20 percent last time I looked), operators and studios have an opportunity to use an” if you can’t beat them join them”strategy. Considering FCC fair-usage rulings on free-to-air content, the studios and operators are better off using NPVR to serve up shows like Dexter and Heroes and tack a bit extra on the monthly charge. Unicast NPVR serves video on demand without loading the entire network with multicast traffic, subscribers get faster response times (by not having to go out to the public Internet) and the studios gain residual revenue on the shows.
• NPVR security countermeasures use open standards for encryption and network security and have no dependencies on what a third party vendor or subscriber may or may not do. There are no side effects on the entire system if an individual subscriber hacks her IPTV set-top box

It’s interesting to compare the TV / movies market with the PC / Internet market. The TV world is groping towards 1080p and the PC industry long since moved beyond it. The TV world is floundering in shallow waters with an ill-conceved, and poorly implemented scheme of HD content protection written by one of the major vendors (Intel) whereas the the PC / Internet market is overtaking all competition having adopted vendor-neutral standards such as HTTP over 20 years ago.

As seen from the above threat analysis, Unicast network PVR provides the smallest threat surface of current content distribution schemes lowest risk profile and some additional revenue opportunities. It uses standard security measures with no massive side effects like HDCP and plays well with the market economics of providers, studios and subscribers.

Unicast NPVR may just be the most effective way for both the studios and the network service providers to distribute and monetize content with the widest audience and at the lowest cost.

It is convenient for a customer to buy a product and feel “secure” but, as businesses become more and more interconnected, as cloud services percolate deeper and deeper into organizations, and as  government compliance regulation becomes more complex and pervasive; the security “problem” becomes more difficult to solve and even harder to sell.

I believe that there are 3 reasons why it’s hard to sell security:

The first is that it’s complex stuff, hard to explain and even harder to build a cost-justified security countermeasure plan and measure security ROI.  The nonsense propagated by security vendors like Symantec and Websense do little to improve the situation and only exacerbate the low level of credibility for security product effectiveness with  pseudo science and ROI calculations written by wet-behind-the-ears English majors marcom people who freelance for security vendors – as I’ve noted in previous posts here, here, here and here.

The second is related to prospect theory. A CEO is risk hungry for a high impact, low probability event (like an attack on his message queuing transaction processing systems) or theft of IP by a competitior and risk averse to low impact, high probability events like malware and garden variety dictionary attacks on every ssh service on the Net.

The third is related to psychology.   Why is it a good idea to cold call a CIO and tell him that the multi-million dollar application his business developed is highly vulnerable?    Admitting that his software is vulnerable and going to the board to ask for big bucks to fix the problem is tantamount to admitting that he didn’t do his job and that someone else should pay the price.  Very bad idea.

This is why cloud services are a hit.

Security is baked into the service. You pay for the computing/storage/messaging resource like you buy electricity. The security is “someone else’s problem”  and let’s face it, the security professionals at Rackspace or Amazon or Google App Engine are better at security than we are. It’s part of their core business.

The next step after cloud services is the security industry evolving into a B2B industry like the automotive or energy industry.  You don’t buy brakes from a McAfee and a car from Checkpoint – you buy a car from GM and brakes are part of the system.

That’s where we need to go – building the security into the product instead of bolting it on as an after-sale extra

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

• legal information gathering to identify attackers,
• direct blocking of network traffic from specific origins,
• use of transaction identifiers that label the traffic as suspicious,
• placement of honeypots,
• identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
• certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction – a) retaliation and using cyber security methods to attack the attackers.

The notion that there are two separate universes,  a physical universe and a cyber universe is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive.  That means use counter terror techniques to discover hacker cells, infiltrate and disrupt them in the physical world. The problem of course is the price tag. It’s cheap to mount a cyber attack but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too late, too little.  Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.

However – there is an important class of small business operations that is often overlooked when it comes to information security and is the technology startup.   A high tech startup is an SME by all definitions – usually less than 50 employees but it doesn’t buy and sell and neither does it provide professional services.   Unlike other small businesses, a high tech startup is almost purely focussed on product research and development. Almost all startups have a very high percentage of software development. Even if the startup develops hardware – there is still a strong software development focus.

Intuitively – one would say that a primary concern for a startup is IP (intellectual property) protection and that starts with protecting source code.

Counter-intuitively this is not true. There are two basic reasons why source code leakage is not necessarily a major threat to a startup:

1) If the startup uses FOSS (free open source software), there is nothing to hide.  This is not strictly speaking correct – since the actual application developed using FOSS has immense value to the startup and may often involve proprietary closed  source code as well.

2) A more significant reason that source code leakage is of secondary importance is that a startup IP is invariably based on a combination of three components:    Domain expertise, implementation know-how and the implementation itself (the software source code).   The first two factors – domain expertise and  implementation know-how are crucial to successful execution.

The question of how to protect IP still remains on the table but it now is reshaped into a more specific question of how best to prioritize security countermeasures to protect the startup’s domain expertise and  implementation know-how.  Prioritization is of crucial importance here, since startups by definition do not generate revenue and have little money to spend on luxuries like data loss prevention (DLP ) technologies.

Software Associates works exclusively with technology and medical device developers and I’d like to suggest a few simple guidelines for getting the most security for your money:

The startup management needs to know how much their information security measures will cost and how it helps them run the business. Business Threat Modeling (TM) is a practical way for a manager to assess the operational risk for the startup in dollars and cents. The advantages of the business threat modeling methodology are:

These are similar objectives to GRC (Governance, risk and compliance) systems.

The problem with most GRC (governance, risk and compliance) and ERM (enterprise risk management) systems is that they don’t calculate risk, they make you work hard and they’re not that easy to use.

Startup management needs a simple security management approach that they can deploy themselves, perhaps assisted with some professional consulting to help them get started and get a good feel for their exposure to security and compliance issues.

How does a practical security management methodology like this work? Well – it works by using common language of threat modeling.

You own assets – for example, expensive diamond jewelry stored at home. These assets have a dollar value.

Your asset has vulnerabilities – since you live on the ground floor and your friendly German Shepherd knows where the bedroom is and will happily show anyone around the house.

The key threat to the asset is that an attacker may break in through the ground floor windows.

The countermeasures are bars for the windows, an alarm system and training your dog to be a bit less friendly around strangers with ski-masks.

Using countermeasure costs, asset value, threat probability of occurrence and damage levels, we calculate Value at Risk in financial terms, and propose an prioritized, cost-effective risk mitigation plan.

That’s it – adopt a language with 4 words and you’re on a good start to practical security management for your high tech startup.

I assume that we are not the only business to suffer from Netvision (and Bezeq International and 012).

Perhaps there is a business opportunity for a “cloud concierge” service  that would provide a VIP front end to the best of the international cloud service providers but with a local presence.  The cloud concierge would help customers select and implement the right product,  application, security and provide a guaranteed SLA using unbunbled services from providers like dnsmadeeasy, rackspace and peer 1.

My wife doesn’t get it. She asks: “What is the concierge angle here?  I reply – “How do you get basketball tickets, a recommendation to a good restaurant and a local metro card in a foreign country without the hotel concierge?”

Hmm., she says. “OK, now I get it. but how are you gonna make money out of it when anyone can google for cloud services?”

Got me there babe. Right to the bottom line. Then again, she already has a celebrity stylist service to buy shoes online. Why on earth would she need a cloud concierge?