Digital/Information Rights (DRM/IRM) & Internal Threats Ramki Thurimella

Digital/Information Rights (DRM/IRM) & Internal Threatsweb.cs.du.edu/.../notes/prevPPTs/lecture6slides.pdfEnvironment conditions HIPPA firewalls that are certified with respect to


Complexity of DRM (Bellovin)

  • Complex systems are less secure
  • Complexity (hence potential incorrectness) increases more than linearly with the program’s size
  • Certain amount of extra code is necessary for security (e.g. bounds checking)
  • Real issue is with increased interaction among different pieces of code
  • Attackers can recover content at different points
  • Video card needs to know that it is displaying protected content and shut down outputs that talk to unprotected monitors


Complexity and DRM (cont.)

  • This check is not needed if no DRM
  • Can this extra communication channel introduce new insecurities?
  • DRM needs to assert to the system that it’s processing protected content, and should have the authority to request the system to turn off the display
  • How about DoS attack:
      • URL to silent song
      • Designate it as protected
      • If the user clicks, it disables video


Correctness

  • How do we know that the new measures do not create new problems?
  • Test it thoroughly
  • Testing is dicey

“Program testing can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence.”

-- Edsger Dijkstra


History of Rights Management

  • Publishers feared libraries and cameras
  • Music industry demanded compensation from the sales of blank tapes
  • Music industry demanded the computer industry to include DRM
  • Computer industry demanded the music industry to change their business model
  • Their justification—very hard to stop copying of bitstreams


Protecting bitstreams

  • If it is hard to protect bitstreams, how is the software industry guarding its own products?
  • Early days (60’s & 70’s): software was being given away
  • Minis—cost of software significant
  • Concern—Intellectual property protection (coders leaving the company with code)
  • Software birthmarks (which registers are pushed/popped)
      • Moss
  • Piracy became a bigger concern with micros


Some Defenses

  • Dongle—device attached to PC commonly executed a challenge-response protocol
  • Install software in a way that is resistant to copying
      • Mark a sector as bad (so that all OS copy utilities would leave that sector alone)
      • Write critical portion of the code there
  • Presence of a master diskette (formatted in a unique way). Allow copies to be made, but prevent copies of copies (generation control)
  • Store PC configuration—which cards are present, MAC ID and other unique identifiers. What if the user does hardware upgrade?
  • Generic Attack—go through the software with a debugger and remove all calls to RM routines


Psychological Defenses

  • Embed the registered user’s name and their organization on the toolbar
  • Don’t provide with security patches
  • Early MS software (Word etc.) would destroy itself if it detects that the code is being viewed through a debugger


Defenses in the 80’s

  • Games & software market split. Games market moved to closed architectures. Cheap hardware, expensive games (similar to printers)
  • Software vendors stopped protecting copying, predominantly for technical reasons
      • Could still use sophisticated tamper resistant dongle. (Creates a challenge for hacker to break it.)
      • OS software got more complex. Writing to bad sector does not work anymore.
      • Virtual machines make it difficult to capture unique features of host PCs.
      • Makes product less robust


No defense needed because…

  • Don’t provide Tech Support unless purchased legally
  • Arrival of computer viruses made corporations adhere to proper licensing procedures
  • Not much money to be made from individual users
  • Certain level of piracy was good for publicity
  • Need not worry whether the product was sold to a person or the machine the person owned
  • “Pile it high and sell it cheap” – not much incentive to pirate if the cost is low to start with
      • Current tax software


Legal Solutions

  • Software Publishers’ Association
  • High-profile prosecutions of large companies
  • Law protects users’ rights too—illegal to have a “time bomb” in software unless the user is adequately notified of its existence
  • Industry is swinging back to technical solutions with license servers—PCs on corporate network that limit the number of running instances

“3 million PCs sold every year in China, people don’t pay for the software. Someday they will. And as long as they are going to steal it, we want them to steal ours. They’ll get sort of addicted, and then we’ll somehow figure out how to collect…”

-- Bill Gates


User registration

  • Large-scale commercial counterfeiting can be detected (many users will have the same serial number)
  • MS discovered that a third of all Office sold in Germany was counterfeit. Traced it to a small business in Cambridge. Workers were unaware that their company was involved in illegal operations.
  • Above strategies are adequate for small/med corps
  • For large corporations, use legal methods combined with other techniques. Reward whistleblowers.
  • Weigh potential increase in revenue against public backlash of strict enforcement


Audio/Video/Pay-TV

  • Threat—digital duplication 100% fidelity
  • VCRs had technical measures to prevent copying, but it was up to VCR manufacturer to implement it
  • Typical Architecture
      • At the station: encode, and issue smartcards to subscribers
      • A set-top box decodes the signal
      • The smartcard personalizes—specifying what programs can be decoded to the box. It does this by providing keys to the descrambling circuit.
      • Smartcard could be controlled remotely to stop working


Attacks on Hybrid Scrambling

  • Replay attack
      • Copy the control words coming from the server and post them on the Internet
      • If your service is cut, record the scrambled signal and get the codes from the internet
      • Let the subscription expire, intercept and drop the message that says “don’t decode anymore”
  • Break the cipher
  • Commercial piracy—microprobe smartcards
  • Countermeasures and counter-countermeasures
  • Countermeasure: Understand the economics
      • Pirates are also under pressure from “time to market” from competition
      • This creates bugs
      • Pull the plug after one of them destroys others and establishes a base
      • Once there is a substantial base, switch off his cards


DVD

  • Region coding
      • 5 regions
      • First try in USA, if the movie fails, don’t bother making expensive film copies for Europe etc.
      • Region coding is now obsolete because of the way it was implemented in DVD players (users preferred those that paid no attention)
  • Content Scrambling System (CSS) was under pressure to come up with a different scheme
      • Key length limit 40 bits because of export regulations
      • DeCSS appeared everywhere
      • Courts ordered prohibition of links
      • This was seen as censorship


Peer-to-peer systems

  • Overlay networks
      • Napster (client-server)
      • Bittorrent
      • Gnutella
      • CAN (Content-addressable network)
      • GNUnet/Freenet (Censorship resistant)
  • Anonymity (remailer)
      • Shutdown because of a lawsuit brought by Scientologists
  • Countermeasures
      • Bring down the central server
      • Sue and put the company out of business
      • Introduce fake files


Usage Control

  • The fundamental problem of distributed usage control
      • data providers want to impose control on how data consumers’ processing devices or information systems handle data
      • however, these machines are usually outside their scope of control or even visibility
  • Dedicated mechanisms can give the data provider a limited amount of control
      • Media player might be configured in such a way that its access to a song is restricted
  • Companies, for example, are reluctant to let other parties control parts of their IT infrastructure
      • Instead they might be willing to provide evidence that their information processing indeed adheres to the stipulated policies
      • Deploying observation mechanisms is more appropriate in this case


Observation mechanism

  • Police cannot prevent jaywalking, but can fine if caught
  • Observation mechanism then consists of two parts:
      • A provider-side monitor that monitors the consumer’s behavior and triggers penalties if necessary
      • A consumer-side signaling mechanism that sends signals to the monitor


Usage Restrictions

  • Time
      • File F must be deleted within 20 days
      • Game G must not be played for more than a total of 10 hours.
  • Cardinality
      • movie M may be played only 2 times
  • Event-defined
      • If the data provider revokes document D, then D must not be used anymore
      • Document D must not be further distributed until the author officially releases D
  • Purpose conditions
      • for personal use only
      • Free for educational use
  • Environment conditions
      • HIPAA firewalls that are certified with respect to the Common Criteria
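
Added example, not part of the original slides: a provider-side monitor of the kind the "Observation mechanism" slide describes, checking the time, cardinality and event-defined restrictions listed above against signals sent by the consumer. The signal tuple format, event names and policy dictionary are assumptions made for this sketch; F, G, M and D are the slide's own item names.

```python
from datetime import datetime, timedelta

# Policies taken from the slide's examples; the dict layout is this sketch's assumption.
POLICIES = {
    "F": {"delete_within": timedelta(days=20)},
    "G": {"max_total_use": timedelta(hours=10)},
    "M": {"max_plays": 2},
    "D": {"no_use_after_revoke": True},
}

def monitor(signals, now):
    """Provider-side monitor: replay consumer signals, return (item, violation) pairs."""
    received, deleted, used, plays = {}, {}, {}, {}
    revoked, violations = set(), []
    for ts, item, event, minutes in sorted(signals, key=lambda s: s[0]):
        pol = POLICIES.get(item, {})
        if event == "received":
            received[item] = ts
        elif event == "deleted":
            deleted[item] = ts
        elif event == "revoked":          # raised by the provider, not the consumer
            revoked.add(item)
        elif event == "use":
            used[item] = used.get(item, timedelta()) + timedelta(minutes=minutes)
            plays[item] = plays.get(item, 0) + 1
            if pol.get("no_use_after_revoke") and item in revoked:
                violations.append((item, "used after revocation"))
            if used[item] > pol.get("max_total_use", timedelta.max):
                violations.append((item, "total usage time exceeded"))
            if plays[item] > pol.get("max_plays", float("inf")):
                violations.append((item, "play count exceeded"))
    # Deadlines are checked against the monitor's clock: a consumer that stays
    # silent (never signals "deleted") is still caught once the deadline passes.
    for item, pol in POLICIES.items():
        if "delete_within" in pol and item in received:
            if deleted.get(item, now) > received[item] + pol["delete_within"]:
                violations.append((item, "not deleted by deadline"))
    return violations

T0 = datetime(2024, 1, 1)                 # constructed sample signals
SIGNALS = [
    (T0, "F", "received", 0),
    (T0, "M", "use", 120), (T0 + timedelta(days=1), "M", "use", 120),
    (T0 + timedelta(days=2), "M", "use", 120),          # third play of M
    (T0 + timedelta(days=3), "G", "use", 400),
    (T0 + timedelta(days=4), "G", "use", 300),          # 700 min in total, over 10 h
    (T0 + timedelta(days=5), "D", "revoked", 0),
    (T0 + timedelta(days=6), "D", "use", 5),
]
```

The monitor can only judge what the consumer-side mechanism reports; of the four checks, only the deletion deadline fires without any cooperation from the consumer.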


Insider threats

  • Current protection strategies against insider adversaries are
      • Expensive
      • Intrusive
      • Not systematically implemented
      • Operated independently
  • Too often, such strategies are defeated
  • Threat ranges from petty theft and fraud to espionage and terrorism


Characteristics

  • Recent Insider Threat Study concluded
      • Fewer than half had authorized access at the time of the incident, though had full access when hired
      • Suffered a “negative work-related event”
      • wanted revenge
      • planned a possibly unsophisticated incident using remote access that exploited or compromised a backdoor or shared account
      • communicated negative sentiments and indicated that he or she had planned these activities in advance
      • Identified through remote access logs


Study Recommendations

  • Procedure to give the organization a way to report problematic behavior
  • Manage and disable accounts
  • Oversee system administrators
  • Enforce password policies
  • Monitor system integrity
  • Limit remote access
  • Protect system logs
  • Have a disaster recovery plan
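
Added example, not part of the original slides: a review of remote-access logs that ties the study's findings (incidents carried out over remote access, through shared or backdoor accounts, by people who no longer had authorized access) to the recommendations on disabling accounts and limiting remote access. The roster, account names, addresses and log line format are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed HR roster: account -> separation date (None = still employed).
ROSTER = {"alice": None, "bob": datetime(2024, 3, 1), "carol": None}
SHARED = {"dbadmin", "helpdesk"}          # constructed list of shared accounts

# Constructed remote-access log; the line format is an assumption of this example.
LOG = """\
2024-02-27T22:14:05 vpn login user=bob src=203.0.113.7
2024-03-04T02:31:40 vpn login user=bob src=203.0.113.7
2024-03-04T02:40:12 vpn login user=dbadmin src=203.0.113.7
2024-03-05T09:02:00 vpn login user=alice src=198.51.100.20
2024-03-06T01:15:33 vpn login user=svc_tmp src=203.0.113.7
truncated line without fields
"""

LINE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+)$")

def review(log_text):
    """Return (reason, user, src, timestamp) for each remote login worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:                          # keep unparsed lines visible, never drop them
            findings.append(("unparsed", None, None, line))
            continue
        stamp, user, src = m.groups()
        if user in SHARED:                 # no individual accountability
            findings.append(("shared-account", user, src, stamp))
        elif user not in ROSTER:           # account nobody owns: possible backdoor
            findings.append(("unknown-account", user, src, stamp))
        elif ROSTER[user] and datetime.fromisoformat(stamp) >= ROSTER[user]:
            findings.append(("login-after-separation", user, src, stamp))
    return findings

def shared_sources(findings):
    """Source addresses seen with more than one flagged account."""
    by_src = {}
    for reason, user, src, _ in findings:
        if src:
            by_src.setdefault(src, set()).add(user)
    return {s: sorted(u) for s, u in by_src.items() if len(u) > 1}
```

A login after separation means the account was never disabled, so each such finding is also a gap in account management, not only a suspicious event.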


Another study

  • Saboteurs and spies share personal predispositions (for example, a need for money or attention), and their acting out implies that they’re under stress
  • Their behavior changes prior to acting out (for instance, spies access data outside their need to know)
  • They commit rule violations before acting out
  • Organizations fail to see or ignore the warning signs. (Audits were poor or no one looked at logs.)
  • Poor access control enables acting out


Detection

  • To detect insider cyber threats as early as possible or to prevent them altogether, management, IT, human resources, security officers, and others in the organization must understand the psychological, organizational, and technical aspects of the problem as well as how they coordinate their actions over time
  • Limitations of a strictly technological approach


Motive, Opportunity, and Means

  • Insiders have means and opportunity
  • Motive:
      • Money, Divided loyalties, Disgruntlement (including revenge), Ingratiation, Coercion, Thrills, and Recognition.
      • Individuals often exhibited multiple motives


Character Traits

  • Self-centered—self important and resentful; constantly seeks recognition and admiration.
  • Arrogant—the “rules” don’t apply; indifferent to others’ rights.
  • Adventurous—seems attracted to risk, danger, and harm; dislikes boredom and inactivity; unconventional lifestyle.
  • Manipulative—takes others for granted and uses them; disregards obligations.
  • Cold—indifferent to others’ feelings; not empathetic.
  • Grandiose—exhibits a preoccupation with immature fantasies of success, beauty, or love; suffers from self-illusions; speech is characterized by exaggeration and hyperbole.
  • Self-deception—justifies self-centered and socially inconsiderate behaviors; fails to believe his or her behavior will be punished.
  • Defensive—reacts to criticism with anger/rage; overreacts to constructive criticism.


System Elements for Insider Security

  • Employee screening investigations (human resources and personnel security);
  • Activity auditing and monitoring (cybersecurity, access monitoring, self-reporting, and counterintelligence);
  • Security procedures and practices (physical security, cybersecurity, material control, and counterintelligence); and
  • Access controls (safes, guards, and fences).