Upload
dothu
View
219
Download
5
Embed Size (px)
Citation preview
Digital/Information Rights (DRM/IRM) & Internal Threats
Ramki Thurimella
Complexity of DRM (Bellovin)
Complex systems are less secure Complexity (hence potential incorrectness)
increases more than linearly with the program’s size
Certain amount of extra code is necessary for security (e.g. bounds checking
Real issue is with increased interaction among different pieces of code Attackers can recover content at different points Video card needs to know that it is displaying
protected content and shut down outputs that talk to unprotected monitors
Complexity and DRM (cont.)
This check is not needed if no DRM Can this extra communication channel
introduce new insecurities? DRM needs to assert to the system that it’s
processing protected content, and should have the authority to request the system to turn off the display
How about DoS attack: URL to silent song Designate it as protected If the user clicks, it disables video
Correctness
How do we know that the new measures do not create new problems?
Test it thoroughly Testing is dicey
“Program testing can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence.”
-- Edsger Dijkstra
History of Rights Management
Publishers feared libraries and cameras Music industry demanded compensation
from the sales of blank tapes Music industry demanded the computer
industry to include DRM Computer industry demanded the music
industry to change their business model Their justification—very hard to stop
copying of bitstreams
Protecting bitstreams
If it is hard to protect bitstreams, how is the software industry guarding its own products?
Early days (60’s&70’s) was being given away Minis—cost of software significant Concern—Intellectual property protection
(codes leaving the company with code). Software birthmarks (which registers are pushed/popped)
Moss Piracy became a bigger concern with micros
Some Defenses Dongle—device attached to PC commonly executed a
challenge-response protocol Install software in a way that is resistant to copying
Mark a sector as bad (so that all OS copy utilities would leave that sector alone)
Write critical portion of the code there Presence of a master diskette (formatted in a unique
way). Allow copies to be made, but prevent copies of copies (generation control)
Store PC configuration—which cards are present, mac ID and other unique identifiers. What if the user does hardware upgrade?
Generic Attack—go through the software with a debugger and remove all calls to RM routines
Psychological Defenses
Embed the registered user’s name and their organization on the toolbar
Don’t provide with security patches Early MS software (Word etc.) would
destroy itself if it detects that the code is being viewed through a debugger
Defenses in the 80’s
Games & software market split. Games market moved to closed architectures. Cheap hardware, expensive games (similar to printers)
Software vendors stopped protecting copying, predominantly for technical reasons Could still use sophisticated tamper resistant dongle.
(Creates a challenge for hacker to break it.) OS software got more complex. Writing to bad sector
does not work anymore. Virtual machines make it difficult to capture unique features of host PCs.
Makes product less robust
No defense needed because…
Don’t provide Tech Support unless purchased legally
Arrival computer viruses made corporations adhere to proper licensing procedures
Not much money to be made from individual users
Certain level of piracy was good for publicity Need not worry whether the product was sold
to a person or the machine the person owned “Pile it high and sell it cheap” – not much
incentive to pirate if the cost is low to start with
Current tax software
Legal Solutions
Software Publishers’ Association High-profile prosecutions of large companies Law protects users’ rights too—illegal to have
a “time bomb” in software unless the user is adequately notified of their existence
Industry is swinging back to technical solutions with license servers—PCs on corporate network that limit the number running instances
“3 million PCs sold every year in China, people don’t pay for the software. Someday they will. And as long as they are going to steal it, we want them to steal ours. They’ll get sort of addicted, and then we’ll somehow figure out how to collect…”
-- Bill Gates
User registration
Large-scale commercial counterfeiting can be detected (many users will have the same serial number)
MS discovered that a third of all Office sold in Germany was counterfeit. Traced it to a small business in Cambridge. Workers were unaware that their company was involved in illegal operations.
Above strategies are adequate for small/med corps
For large corporations, use legal methods combined with other techniques. Reward whistleblowers.
Weigh potential increase in revenue against public backlash of strict enforcement
Audio/Video/Pay-TV
Threat—digital duplication 100% fidelity VCRs had technical measures to prevent
copying, but it was up to VCR manufacturer to implement it
Typical Architecture At the station encode, and issues smartcards to
subscribers A set-top box decodes the signal The smartcard personalizes—specifying what
programs can be decoded to the box. It does this by providing keys to the descrambling circuit.
Smartcard could be controlled remotely to stop working
Attacks on Hybrid Scrambling Replay attack
Copy the control words coming from the server and post them on the Internet
If your service is cut, record the scrambled signal and get the codes from the internet
Let the subscription expire, intercept and drop the message that says “don’t decode anymore”
Break the cipher Commercial piracy—microprobe smartcards Countermeasures and counter-countermeasures Countermeasure: Understand the economics
Pirates are also under pressure from “time to market” from competition
This creates bugs Pull the plug after one of them destroys others and establishes a
base Once there is a substantial base, switch off his cards
DVD
Region coding 5 regions First try in USA, if the movie fails, don’t bother making
expensive film copies for Europe etc. Region coding is now obsolete because of the way it
was implemented in DVD players (users preferred those that paid no attention)
Content Scrambling System (CSS) was under pressure to come up with a different scheme
Key length limit 40 bits because of export regulations DeCSS appeared everywhere Courts ordered prohibition of links This was seen as censorship
Peer-to-peer systems
Overlay networks Napster (client-server) Bittorrent Gnutella CAN (Content-addressable network) GNUnet/Freenet (Censorship resistant)
Anonymity (remailer) Shutdown because of a lawsuit brought of
Scientologists Countermeasures
Bring down the central server Sue and put the company out of business Introduce fake files
Usage Control
The fundamental problem of distributed usage control data providers want to impose control on how data
consumers’ processing devices or information systems handle data
however, these machines are usually outside their scope of control or even visibility
Dedicated mechanisms can give the data provider a limited amount of control Media player might be configured in such a way that its
access to a song is restricted Companies, for example, are reluctant to let other parties
control parts of their IT infrastructure Instead they might be willing to provide evidence that their
information processing indeed adheres to the stipulated policies
Deploying observation mechanisms is more appropriate in this case
Observation mechanism
Police cannot prevent jaywalking, but can fine if caught
Observation mechanism then consists of two parts: A provider-side monitor that monitors the
consumer’s behavior and triggers penalties if necessary
A consumer-side signaling mechanism that sends signals to the monitor
Usage Restrictions Time
File F must be deleted within 20 days Game G must not be played for more than a total of 10 hours.
Cardinality movie M may be played only 2 times
Event-defined If the data provider revokes document D, then D must not be used
anymore Document D must not be further distributed until the author
officially releases D Purpose conditions
for personal use only Free for educational use
Environment conditions HIPPA firewalls that are certified with respect to the Common Criteria
Insider threats
Current protection strategies against insider adversaries are Expensive Intrusive Not systematically implemented Operated independently too often, such strategies are defeated
Threat ranges from petty theft and fraud to espionage and terrorism
Characteristics Recent Insider Threat Study concluded
Fewer than half had authorized access at the time of the incident, though had full access when hired
Suffered a “negative work-related event” wanted revenge planned a possibly unsophisticated incident using
remote access that exploited or compromised a backdoor or shared account
communicated negative sentiments and indicated that he or she had planned these activities in advance
Identified through remote access logs
Study Recommendations
Procedure to give the organization a way to report problematic behavior
Manage and disable accounts Oversee system administrators Enforce password policies Monitor system integrity Limit remote access Protect system logs Have a disaster recovery plan
Another study
Saboteurs and spies share personal predispositions (for example, a need for money or attention), and their acting out implies that they’re under stress
Their behavior changes prior to acting out (for instance, spies access data outside their need to know)
They commit rule violations before acting out Organizations fail to see or ignore the warning
signs. (Audits were poor or no one looked at logs.)
Poor access control enables acting out
Detection
To detect insider cyber threats as early as possible or to prevent them altogether, management, IT, human resources, security officers, and others in the organization must understand the Psychological Organizational technical aspects of the problem as well as
how they coordinate their actions over time limitations of a strictly technological
approach
Motive, Opportunity, and Means
Insiders have means and opportunity Motive:
Money, Divided loyalties, Disgruntlement (including revenge), Ingratiation, Coercion, Thrills, and Recognition.
Individuals often exhibited multiple motives
Character Traits Self-centered—self important and resentful; constantly seeks
recognition and admiration. Arrogant—the “rules” don’t apply; indifferent to others’ rights. Adventurous—seems attracted to risk, danger, and harm;
dislikes boredom and inactivity; unconventional lifestyle. Manipulative—takes others for granted and uses them;
disregards obligations. Cold—indifferent to others’ feelings; not empathetic. Grandiose—exhibits a preoccupation with immature fantasies
of success, beauty, or love; suffers from self-illusions; speech is characterized by exaggeration and hyperbole.
Self-deception—justifies self-centered and socially inconsiderate behaviors; fails to believe his or her behavior will be punished.
Defensive—reacts to criticism with anger/rage; overreacts to constructive criticism.
System Elements for Insider Security
Employee screening investigations (human resources and personnel security);
Activity auditing and monitoring (cybersecurity, access monitoring, self-reporting, and counterintelligence);
Security procedures and practices (physical security, cybersecurity, material control, and counterintelligence); and
Access controls (safes, guards, and fences).