What if…

consider-the-following
Copyrigt FOX

What if Great Britain, Germany, Italy, Sweden,…  had WHS tamper-proofing technology?
Would the US be prevented from spying?  We are not in the business of getting our military technology by copy-cat and espionage of our allies, I hope. They need to prevent their secrets from leaking, both to their and to our enemies. However, any others who spy on the above countries would have less success if WHS technology would be in place.

What if China had our tamper-proofing technology?
Would we be prevented from spying?  Maybe.  I doubt that puts us back a lot, I think our technology is ahead.  It may put back some other countries. China may have slightly less motivation to speed up the arms race.  Good for the Chinese people, good for us.

What if Russia had our tamper-proofing technology?
Would we be prevented from spying?  Could be.  A small price to pay for other countries spying on Russia having a harder job. Russia may have slightly less motivation to speed up the arms race.  Good for the Russian people, good for us.

What if Iran, Iraq, ISIS…
I can’t see where that would cause real suffering for us, nor for anybody else, them included.

What if organized crime had our tamper-proofing technology?
We make code hard to reverse engineer, or to tamper with; we don’t make code easy to hide.  (The bad guys depend strongly on hiding their stuff.)

What if the US would use our tamper-proofing technology?
what-ifFewer secrets would be lost through reverse engineering. There would be less fear software sabotage.  Our defense technology wouldn’t really be more potent, but it would last longer until it is outdated.  Cyber-criminals would need to work harder on any software that has been protected with WHS technology.  Less profit for cyber-criminals will certainly not cause more crime.

What if software producers, movie producers had our technologies to protect their copyrights? There could be more revenue where it belongs, and less revenue for stolen copies.

Waging War on Hackers

For the 2015 State of the Union address, cyber security played an important role.  New laws go-to-jailwere proposed.  Such laws are not unproblematic however.  Rob Graham made some interesting comments in the “Wired Magazine” about what might happen with such laws.  That is how governments, ours included, seem to act.  I would never think the bad consequences were intentional.  I think this is nothing more than a simple over-reaction to a problem which seems to get out of hand.  Hacking is the new scare.  People are either totally unprepared, or deadly scared.  Neither is rational.  Enacting laws when scared is almost a guarantee for enacting bad laws.  I recommend punishing performing a crime, but don’t make the punishment depending on the technology and on how scared the victims are.

In our opinion, there are better solutions to cyber-space problems.  The essence of the best solutions lie probably both in the social and economical adjustments.  However, the part of the solution a startup company like ours can safely provide is on the technological site.  With some good technological solution there wouldn’t be a need for overreacting and society would by kinder and safer.
There rarely is a one technology which fixes all. However, there are several technologies which can make a difference.  Tamper proofing your software for example. It may still be overkill for simple problems like stealing from buggy websites.  But tamper proofing is ideal for critical software.  Maybe this method of protecwe_the_peopletion will become standard and thus can easily be affordable, so it can be implemented everywhere, but not yet.  Tamper proofing may not be the only solution, but it is a good one.

Compare your digital treasures to your nest egg of savings.  Do you pile your money on the front lawn, make tougher laws and blame the neighbors when the pile is gone in the morning?  No, you put your money in a safe box or into a bank.  Equally, commercial software users and producers just need to do their part of due diligence in protecting software.

North Korea says: No, We Didn’t Hack Sony.

Recently a new cyber crime story gets reported every week. This week’s news on cybercrime is about an attack at Sony Pictures Entertainment, among other problems making movies publicly available, and creating substantial damage.

Cute dog and girl, most likely from movie.
Picture from linked web page., most likely from movie

An important aspect of most cyber crime is the fact that hacks usually cannot be attributed to the real source. Just because a computer was attacked by another computer, maybe in North Korea or maybe somewhere else doesn’t confirm the real source. That computer may itself be an innocent victim and may have been used by another computer in some other part of the world. There can be a chain of tens and more computers. Even aunt Emma’s computer may be part of such a chain. Therefore it is a very bad idea for most people to start counterattacking cyber criminals by themselves.

This attack is different from old fashioned cyber-crime in what it tries to do. It is not simply stealing some money were the loss of the victim matches the gains of the criminal; it is not simply leaking credit card numbers. The loss to Sony is “strategic”: The loss for Sony isn’t what is gone and has been stolen. The loss in this case is directly hurting Sony in its ability to do further business. As of today, such crimes are common place in newspaper talk about state-actors, cyber-“terrorism” and in hype like cyber-“war”. What is new and unusual here is that such losses are inflicted on normal, commercial business enterprises.

Adding several layers of protection could significantly minimize the risk of such attacks. Obfuscation of your code as provided by White Hawk Software can be one of these protective layers.

For more about this incident see:

Cost of cyber-crime $400 billion

An interesting report has been released from the Center for Strategic and International Studies and McAffe.

Net Losses: Estimating the Global Cost of Cybercrime
Economic impact of cybercrime II

[http://csis.org/files/attachments/140609_rp_economic_impact_cybercrime_report.pdf]

“We estimate that the likely annual cost to the global economy from cybercrime is more than $400 billion.”

Do you have a clue how much notes2money that is?
According to the report:  more than the national income of most countries

Like most bloggers I cannot judge whether this number is too high or too low.  Lots of arguments for either side might be made.  Given the title, I assume that these numbers are the losses only and do not include the cyber security costs implied for preventing the losses from becoming larger.  The report also states that a large fraction of damages are not reported and that statistics in different countries are quite different.

I found the following table interesting, putting the costs into some perspective:

Activity               Cost As % of GDP
 Maritime Piracy        0.02% (global)
 Transnational Crime    1.2% (global)
 Counterfeiting/Piracy  0.89% (global)
 Pilferage              1.5% (US)
 Car Crashes            1.0% (US)
 Narcotics              0.9% (global)
 Cybercrime             0.8% (global)

It would be interesting for White Hawk to know what part of these losses are considered caused by insufficient tamper-proofing.

For several reasons we cannot answer that question:

  • The report is not detailed enough.
  • Certain (probably more correct: most) losses could have been prevented by multiple solutions.
  • As classical security companies don’t do tamper proofing, there is no appropriate category in the report.

And even if we could answer the question… who would believe us?

Lastly, in protecting critical infrastructure, knowing the possible damage can be more of a driving factor then the past damage specially when the really bad things didn’t happen.

Wanted by the FBI

Headline of the day

Chinese military unit charged with cyber-espionage…
(Guardian and 10000 other news sources)wanted

Will hacking indictment against Chinese stop theft of U.S. trade secrets?
(Business Journal)U.S. Charges Five Chinese Military Hackers with Cyber Espionage
(U.S. Department of Justice )

Another alternative could be…
3 guesses what other solutions White Hawk Software is thinking about?


new official reply

includes: An indictment is merely an accusation, and a defendant is presumed innocent unless proven guilty in a court of law.

 

 

 

Model, simulate, theorize – or just do it?

A recent article in Wired magazine explained how some very smart mathematicians had theorized for years that there was a way to use encryption techniques to protect executable code as well as data. As far as I can tell, most of them never got around to it as they thought the mathematical simulation and proof that this would work was estimated to be a 3 many year project. However, some new research and concept tools in this area are close to coming to fruition and hence the article.

Software code protection tools
Coopers Hawk in nest – thanks to Cornell Univ.

But what if someone with a lot of experience in obfuscation tools, and others, created a new complex tool set that used a variety of techniques simultaneously to properly protect sensitive parts (or the whole) of a software system? Tools that can balance speed, protection and size? Tools that can protect object code as well as work on source code?  That is what Dr. Jacobi has been doing for White Hawk for the past 3 years using intense applied science, starting from a clean slate. Plus he previously worked for a major vendor in this area where they applied completely different techniques.

He has developed a software protection technique based on random control of novel obfuscations, mutually checking protection aspects, and algorithmic combinations of diverse code primitives. We are busy packaging the X-86 version of this as NEST-X86 for demo and beta testing in late March 2014. Forget trying to model its strengths and weaknesses, as each company will implement their chosen protection plans in different ways with this tool set.

Do think about signing up to be a beta tester or even a beta breaker – if you can.

(C) Copyright 2014 White Hawk Software

Hacker-Proof vs Tamper-Proof Software

DarkHand300Recently some people have asked us why we don’t call our software “hacker-proof tools” rather than tamper-proofing software tools. Both terminologies are correct of course, but we think the word “hacker” often has a connotation of “amateur” or at least not full time professional.

 

Yes, we want to protect your software from hackers, but we also want to protect it from professional code-breakers, competitors and virus developers.  Hence the stronger term tamper-proof.

(C) Copyright 2013 White Hawk Software

Ensure Your Space Programs are Tamper-Proof too!

IntSpaceStation
Picture of International Space Station that itself was infected with a virus. Photo thanks to Wiki Commons

Renowned Russian virus and security expert Eugene Kaspersky revealed recently that a virus had even been discovered on board the  International Space Station – despite them being a million miles from the nearest internet node. Turns out some space astronaut accidentally took along the virus on a USB “thumb” drive for use on one of the many laptops deployed in the space station. See full story from the International Business Times.

The big motto of this story is that you don’t have to be attached to the internet to be infected. So don’t wait to run virus checkers and hope for the best. Mission critical software should all be tamper-proof so that no malware can hook in and cause any damage whatsoever.

(C) Copyright 2013 White Hawk Software

FBI Chief: Our New Enemies May Be Online

FBI_logo_SmallIn Washington on Thursday Nov 7th, FBI Director James Comey said that cyber attacks are increasingly representing the most serious threats to the homeland security and in the next decade will likely eclipse the risk posed by traditional terrorist threats.
He told a Senate committee that this cyber risk is a multi-layered threat posed by thieves, hackers and others who are able to travel the world via the internet at the “speed of light.’ His stern warning continued with “there are no safe neighborhoods.”

(C) Copyright 2013 White Hawk Software