Wibu-Systems Blog
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A.html

The .NET Development Landscape
by Rüdiger Kügler, 11-03-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/the-net-development-landscape.html

One of the most frequent questions asked in developer communities is when to use .NET framework and when to use .NET Core.

One of the most frequent questions I see asked in developer communities, like Stack Overflow and GitHub, is when to use .NET Framework and when to use .NET Core, as there seems to be confusion with the name and different flavors available. It is not uncommon for developers to ask:

Should I develop .NET desktop applications using the entire .NET Framework?
Or should I use ASP.NET Core web apps or Universal Windows Platform (UWP) with .NET Core?
Or, perhaps I should embrace Mono, the cross-platform, open-source .NET framework alternative from Xamarin/Microsoft?

Knowledgeable .NET developers seem to be very helpful in providing advice to other developers based on their personal experience with the platforms. For the newbies, however, it would be helpful to research some very basic information about the platforms before weighing in with questions on the forums.

Microsoft provides straightforward definitions of the various .NET platforms with a multitude of technical support documents. For the basics, they say:

  • .NET Core is a cross-platform .NET implementation for websites, servers, and console apps on Windows, Linux, and macOS
  • .NET Framework supports websites, services, desktop apps, and more on Windows
  • Xamarin/Mono is a .NET implementation for running apps on all the major mobile operating systems.

There are also many other sources that can help sort it out, one being a recent explanation of the differences between .NET Framework and .NET Core on C-sharpcorner.

Confusion with the name and different flavors of .NET developer tools can also affect companies like Wibu-Systems, who provide software products and services to .NET developers. As the developer of the CodeMeter software protection, licensing and security solution, it is critical for our customers that we support all flavors and versions of the .NET programming platforms.

Perhaps unlike others in the .NET support community, we’ve adopted a unique approach to .NET compatibility by making our AxProtector encryption tool universally compatible with all variants of the .NET platforms. This approach eases the burden for our .NET customers (one less thing to worry about) and removes the potential for confusion for our own customer support team.

If you are curious as to how we make universal .NET support possible, watch our on-demand webinar recording, Protecting .NET Standard 2.0 Applications. Our security experts take a deep dive into our AxProtector encryption platform and demonstrate how it is configured to support applications developed on all .NET Framework and .NET Core versions.

Rüdiger Kügler

VP Sales | Security Expert

After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.

A Cybersecurity Roadmap for a Digitized Society
by Daniela Previtali, 26-02-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-cybersecurity-roadmap-for-a-digitized-society.html

The actors behind the SecUnity Cybersecurity Roadmap agree that effective security and privacy measures require a systematic and holistic approach.

Cybersecurity research is a “technological prerequisite” for addressing the numerous disruptive challenges brought on by the rapid progression of the digitalization of society. That sentiment is the basis for a comprehensive cybersecurity research project that has led to the development of the SecUnity-Roadmap, Cybersecurity Research: Challenges and Course of Action. SecUnity is a joint project organized by five institutions focused on IT security research. A total of six research institutes with seven groups participated in the SecUnity project.

The roadmap, which was officially released in Brussels on February 5th, was the creation of approximately 30 European researchers from academia and industry, who have collaborated on the project since early 2016. Over that period, the researchers exchanged their expert points of view on the pressing problems over the course of several workshops and integrated their consensus into the roadmap.

According to Joern Mueller-Quade, Spokesman of SecUnity and one of the co-authors of the roadmap, the researchers agreed “that effective security and privacy measures require a systematic and holistic approach which considers security and privacy from the ground up.” Professor Mueller-Quade, Director, FZI - Research Centre for Information Technology, & Professor, KIT Karlsruhe Institute for Theoretical Informatics (ITI), is also well known to Wibu-Systems as one of the collaborators on the Blurry Box cryptography project which produced the revolutionary encryption mechanism that has been incorporated into Wibu-Systems CodeMeter Protection Suite.

The traditional and new cybersecurity research fields and challenges examined by the group included securing cryptographic systems against emerging attacks, trustworthy platforms, secure lifecycle despite less trustworthy components, quantifying security, IT security and data protection for machine learning, and big data privacy. Each area underwent a thorough examination of potential and real-world scenarios. The roadmap also provides recommendations for courses of action to achieve short, mid-, and long-term goals in each area.

While Wibu-Systems is involved in many aspects of cybersecurity, one particular area of interest to us in the roadmap was the discussion around trustworthy platforms. The researchers noted that the long-standing concepts of perimeter-based security architectures with well-defined trust boundaries used in IT security up to now have been outgrown by the reality of today’s digital transformation. They pointed out that even on single devices, multiple (potentially untrusted) third-party applications are integrated and interact with each other. Such interactions occur inside smart phones as well as in virtualized cloud data centers and, in the future, will be found in smart factories and other critical infrastructures. They concluded that to address these rising challenges, it is necessary to reliably assess the identity and integrity of each involved entity and then to provide strong means for data secrecy and privacy using hardware-based trust anchors such as Trusted Platform Modules (TPMs) which would enable the design and integration of trustworthy applications and protocols.

To broaden our support for secure elements in connected devices, Wibu-Systems joined the Trusted Computing Group (TCG) in 2016, a not-for-profit organization, formed to develop, define, and promote open, vendor-neutral, global industry standards, supporting a hardware-based root of trust. In cooperation with the TCG and its member organizations, our CodeMeter hardware secure elements now support TCG specifications which will streamline software licensing to all TPM 2.0 users.

At Embedded World 2019 in Nuremberg, Feb. 26-27, we participated with two other TCG member companies, OnBoard Security and Wind River, and demonstrated solutions for IoT and embedded security based on TCG specifications and technologies with a root of trust. One part of the demonstration explained how to manage licenses with CodeMeter using TPMs as alternative safe repositories for encrypted code keys.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

A Glimpse Ahead to the Dark Ages
by Daniela Previtali, 19-02-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-glimpse-ahead-to-the-dark-ages.html

What are the collateral damages of a severe cyberattack for economy, healthcare system, water supply, electricity or transportation?

What if a computer virus was capable of completely destroying the data on every Internet-connected device in the U.S. in a matter of minutes? Can you fathom the chaos?

Basic services like electricity, water supply, transportation, and retail goods and services would be unavailable. Communications systems – phones, TVs, radios, Internet – would be rendered useless. The healthcare community would be in grave danger, with hospitals and medical equipment unavailable and care for patients inadequate. As a citizen, you could not access your own information or prove your identity or the ownership of the house you live in.

Now consider the collateral damage that could occur with a cyberattack on other critical infrastructure. Such an attack could destabilize the global financial services system – ATM networks could freeze, credit card and other payment systems could fail, and online banking could be inaccessible: no cash, no payments, no reliable information about bank accounts. Ultimately, the global economy would come to a screeching halt, resulting in widespread panic, massive unemployment, unfettered crime, disease outbreaks and a government and its nation vulnerable to attack.

Fortunately, this is a fictional doomsday scenario dreamed up by bestselling author James Patterson, with the help of former U.S. president Bill Clinton, in a novel they collaborated on in 2018. Titled The President is Missing, the book weaves a gut-wrenching tale of a planned cyberattack on the U.S. unleashed by a malicious computer “wiper virus” with the code name “Dark Ages.” The fictional virus is similar to a type of ransomware but different in that the objective of the terrorist attack is not monetary gain, but rather to inflict geo-political anarchy.

There are many twists and turns in the plot of the book, but what stood out was that the doomsday scenario created by the virus and the subsequent potential consequences were perhaps a bit too close to today’s reality. And, given the increase in the number of global cyberattacks in the past few years, perhaps it is easier to believe that it could possibly happen rather than not.

The heightened awareness of the dangers of cyberattacks has led to an intense resolve by governments, industry organizations, and security technology companies like Wibu-Systems to understand the nature of these threats and develop cooperative technology-driven solutions to protect against them.

At the upcoming Embedded World exhibition in Nuremberg, Germany, industrial and IoT cybersecurity will be an important topic on the agenda, and many of the latest security technologies will be on display. For our part, we will demonstrate advanced protection mechanisms for the software, connected devices and machinery that represent the building blocks of Industrie 4.0. We will also showcase novel security solutions in collaboration with a number of our partner companies, like Trusted Computing Group, SD Association, Intel, Wind River, and a host of others.

If you plan to attend the meeting, stop by our booth (Booth 360, Hall 4) and let’s start a discussion to see what security matters mean most to you. If not, you can still visit our Embedded World event page and learn more about these and other novel technology solutions geared toward protecting industry, government, and the public from the threat of cyberattacks.

Daniela Previtali

Global Marketing Director

A Holistic Approach to IoT Security
by Daniela Previtali, 05-02-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/a-holistic-approach-to-iot-security.html

The IoT Security Standards Gap Analysis from ENISA maps existing IoT standards against requirements on security and privacy.

Is it possible to introduce an IoT device that can authenticate its user, can encrypt and decrypt transmitted and received data, and deliver or verify the proof of integrity, yet still be considered an insecure device?

Yes, says the European Union Agency for Network and Information Security (ENISA) in their IoT Security Standards Gap Analysis: Mapping of existing standards against requirements on security and privacy in the area of IoT. The organization is focused on developing advice and recommendations on best practices in IoT information security.

In their study released in December 2018, the organization found that there are no significant standards gaps for IoT security protocols – every requirement can be met by an existing standard, and standards exist for the many different elements of making a device, service or system secure. However, IoT actually refers to a complete ecosystem of more than just devices and services, and one in which scalability and interoperability considerably complicate the environment. Therefore, if the security protocols inherent in the device or service are not considered holistically, it is possible to deliver an insecure device to the market, even if it meets all of the existing individual security standards.

As the analysis suggests, a gap in standards exists only insofar as it is unclear what combination of standards, when applied to a product, service or system, will result in a recognizably secure IoT. The challenge for regulators and suppliers, of course, is to bring only secure IoT devices to the market, and this requires a different approach, one flexible enough to accommodate the nature of the dynamic IoT ecosystem.

The primary conclusion of the study is that standards are essential but not sufficient to ensure open access to markets. In the particular case of security, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure.

Whereas a checklist of IoT security requirements and its mapping to specific standards can serve as a springboard towards holistic and effective IoT security, the report notes that the complexity of the IoT ecosystem calls for more flexible approaches. Not only are the underlying technological challenges calling for adaptive, context- and risk-based solutions, but also the IoT market constraints have to be taken into account, so as not to hamper competitiveness and innovation.

Ultimately, the processes recommended in the analysis are intended in part to engender a change in attitude towards device security by making secure IoT the only form of IoT that reaches the market and to give confidence to the market through a combination of certification, assurance testing & validation, and market surveillance.

If you are involved with implementing secure IoT devices, products and services, I think you will find this investigation to be interesting reading. The complete report is available for download from ENISA.

Daniela Previtali

Global Marketing Director

Are You Ready for the Subscription Economy?
by Daniela Previtali, 22-01-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/are-you-ready-for-the-subscription-economy.html

In this new era, subscription experiences are built around services that meet consumers’ needs better than static, out-of-the-box offerings.

Turn your customers into subscribers. That’s the mantra of Zuora Inc., a leading provider of a cloud-based subscription management platform. They have coined the term “Subscription Economy®”, which embodies the idea that customers are happier subscribing to the outcomes they want, when they want them, rather than purchasing a product with the long-term burden of ownership. They will tell you that consumer preferences have changed: consumers are looking for new ways to engage with businesses, and these come with a new set of expectations: outcomes vs. ownership, customization vs. generalization, and constant improvement vs. planned obsolescence.

To make their point, Zuora stresses the popularity of new usage-based models that keep customers consistently engaged in long-term relationships, like Netflix, Amazon Prime, Uber, Salesforce and countless others. Who can argue? In this new era, subscription experiences are built around services that meet consumers’ needs better than the static, out-of-the-box offering of a single product as perpetuated in the “old” days.

Subscription preferences apply to enterprise software licensing as well as consumer goods and services. Back in 2016, we posted a blog about Gartner’s prediction that “by 2020, more than 80 percent of software vendors will change their business model from traditional license and maintenance to subscription.” That prediction was certainly on target and perhaps going mainstream sooner than expected.

In 2017, Gartner interviewed ISVs who had already made the transition to subscription licensing and reported they experienced stronger customer relationships, reduced cycle time for customer-requested enhancements and modular products with add-on capabilities, along with the advantage of being part of a community and enabling ongoing customer engagement. Gartner further noted that the subscription model also created a direct relationship with every customer, while allowing partners to leverage their relationships for additional services during migration and after deployment. Over time, these progressive relationships resulted in the ability for vendors to sell more capabilities to more customers.

In the report, Gartner cited the 5 most valuable lessons learned by ISVs who successfully transitioned to subscription-based business models. Here are their recommendations:

  • Ease into a subscription model
  • Break down entry barriers with subscription
  • Improve value and create recurring revenue streams through subscription
  • Use value articulation and pricing as levers to influence transition speed
  • Ensure partner and reseller revenue streams remain intact

Wibu-Systems has helped many of our customers successfully transition to subscription-based licensing, and as a result, they are realizing better monitoring and tighter control over software usage, more predictable and recurring revenue, and a greater deterrent to software piracy. For their end users, subscription licensing offers a lower upfront cost, pay-for-use only pricing, and ongoing access to the latest and greatest features and functionality. During these transitions, we stress the importance of three factors for success:

  • Ease of use for the subscription workflow and the user’s interface
  • Ease of use for automatic renewal
  • A pricing point that is proportionate to the perpetual license, most important for those ISVs who create both license models

If you are considering a transition to a subscription software model, or perhaps providing it as an option to your conventional perpetual license, I invite you to view our webinar where we present the basic foundations of subscription models and demonstrate how to configure and implement your own subscription model using CodeMeter License Central, our ultra-flexible license creation, management and distribution system. You can access the on-demand replay for “A Cash Machine for Your Software” here.

* Subscription Economy is a registered trademark of Zuora Inc.

Daniela Previtali

Global Marketing Director

The New Breed of Engineers
by Daniela Previtali, 10-01-19
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/the-new-breed-of-engineer.html

It is time to create a separate engineering discipline designed to cover the specific CPS and IoT knowledge.

I read an interesting article recently, How Do You Create an Internet of Things Workforce?, that was published by the IEEE Computer Society. The gist of the article was that, given the significant increase in the development of IoT applications and analytics, it was time to create a separate engineering discipline designed to cover the specific knowledge necessary to build "reliable, efficient, and safe" cyber-physical (CPS) or IoT systems. Simply adding one or two IoT or CPS courses to an existing program, the authors argued, was not sufficient for students to thoroughly understand the reasons why IoT and CPS are different from existing engineering disciplines.

The authors cited a good example to make their case:

“There are also CPS/IoT applications for healthcare with the goal of improving a patient’s treatment regime. For example, the closed-loop insulin delivery system connecting a glucose monitor to an insulin pump can continuously alter the amount of insulin dosed to a patient to assist in managing the patient’s blood sugar. In fact, any product that continuously monitors patient activity to improve treatment would be an effective IoT application. Imagine how much more effective treatment could be for a Parkinson’s patient when a physician has more than a static snapshot from an office visit exam. With months of data and information, the physician could determine a more effective treatment plan.”

An important takeaway from their example is that an engineering or computer science curriculum developed and/or updated 10 or even 5 years ago would not adequately educate students on the recent and rapid developments in artificial intelligence, machine learning, sensors and the many other sophisticated technologies inherent in future IoT and CPS applications. Furthermore, standard engineering curricula most likely would not adequately address the safety and data security vulnerabilities that are being uncovered and compromised in the cyber-world on a daily basis.

Human safety and data security are key elements in the quest to build “reliable, efficient, and safe” CPS and IoT systems. While I fully agree with the authors’ premise, I would add that security would be a major component of any engineering curriculum designed to train the new breed of IoT and CPS engineers. And as the authors note, simply adding an IoT or CPS course to existing engineering degree programs is not adequate. Cyber-security is more than an add-on course or two; it is a core component of an entire program.

This is where the term “security-by-design” comes in. A security-by-design approach to software and hardware development places the emphasis on building security into the products from the start rather than treating it as an afterthought in development. One of the major challenges of IoT security is the fact that security has not typically been considered in product design for devices that have not traditionally been Internet enabled and accessible via a network. While retrofits in the brown field remain important in typical industrial environments characterized by long machine lifecycles, all green field applications require a plan of attack right from the start.

This is also true for the Industrial Internet of Things, where the emergence of smart electrical grids, connected healthcare devices and hospitals, intelligent transport, smart factories and other types of cyber-physical systems has created large-scale attack surfaces.

Hopefully, academia will keep up with the rapidly evolving environment where millions of connected devices are the norm and adequately train the next generation of safety-conscious IoT and CPS engineers. There is much to be learned on many fronts. One document I propose for any engineering curriculum is the Industrial Internet Security Framework published by the Industrial Internet Consortium (IIC). The document is a collaborative work containing the cybersecurity wisdom of IIC members from over 25 different organizations and provides guidance for improving organizational approaches, processes and the use of technologies for creating a trustworthy system. It is an important starting point for understanding the security challenges brought on by the IoT and CPS.

Daniela Previtali

Global Marketing Director

Is the Dongle Dead?
by Daniela Previtali, 05-12-18
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/is-the-dongle-dead.html

Secure hardware-based license dongles remain the platform of choice for the ultimate in software protection against unauthorized usage or illegal tampering.

In today’s ISV world, a flexible software licensing strategy is the key to successful monetization and profitability. In the past, secure hardware-based license dongles were the platform of choice for the ultimate in software protection against unauthorized usage or illegal tampering of high-end proprietary applications. Today, along with the trend towards subscription licensing and software-as-a-service in many business arenas, end users are becoming more comfortable with software-based license activations or with cloud licensing implementations. Still, dongles (aka hardware-based license containers) remain at the top of the curve in software protection both in terms of performance and sales volumes. Wherever the ISV finds himself in the global transformation, it is incumbent upon him to work with a licensing solution provider who is capable of offering license containers that easily interface with the same licensing platform and leave the final choice to the end user. So where does that leave the hardware-based license dongle?

Based on our past and most recent experiences, dongles are still prevalent in the licensing mix as many ISVs are reticent to give up on the strengths of hardware-based licensing and their customers still ask them for the associated benefits, like a portable license. Not all of our customers are interested in implementing cloud or flexible software-based activation solutions and, while they may be pursuing these licensing options in the long term, many ISVs still see the value of secure hardware dongles for the same reasons they started using dongles in the first place.

Several years ago, we surveyed our customers and found these main reasons why they preferred dongles as their security method and they still hold true today:

  • License Portability – The license is on the dongle and is easily moved from one system to another.
  • License Recovery – The end user can self-restore a license to an existing or replacement dongle.
  • License Borrowing – Licenses can be lent out (to travelling engineers and salespeople, for example).
  • License Redundancy – Important in “Mission Critical” applications (e.g., Hot and Cold Stand-by licenses).
  • License Security – Prevents employees or others from using software illegally, even if it is unintentional.

More recently, dongles have been made available with flash memory options and smart card chips that vastly increase the robust security functionality. The built-in flash memory can be accessed like any disk and includes data partitions in different sizes. Dongles are now also available in many different form factors to meet specific industry needs, such as microSD and Compact Flash cards designed for use in industrial equipment and controllers that can perform in harsh embedded environments. In our CodeMeter dongles, for example, we build in a full complement of security functionality, including symmetric and asymmetric encryption, encrypted signatures and the storage of X.509 certificates.

CodeMeter dongles also offer an interesting feature in that they are multivendor-capable. This means each dongle can store licenses from different vendors in separate areas. Thus, the user needs only a single dongle to manage multiple vendors’ licenses. This is particularly attractive to suppliers of plug-ins and extensions. Larger license storage volume, driverless installation, secure offline license transfer, firmware updates in the field, and additional mass storage via flash memory are other reasons why many ISVs are sticking with dongles.

If you are considering dongles as a licensing option for your applications, I invite you to view our pre-recorded Webinar, The Dongle is Dead – Long Live the Dongle, where we will take a deeper look into the inner workings of CmDongles as well as alternative licensing strategies. Even if you can’t make the live event, register anyway and we’ll send you access to the recorded version that you can watch on-demand at your convenience. Also, if you want to dig deeper into the advantages and specifications of secure license dongles, download our whitepaper, CmDongle with Flash Memory in Practice, and you will learn more about security functions and several specific use cases across a variety of industries.

Daniela Previtali

Global Marketing Director

Daniela is a marketing veteran who has dedicated more than twenty years of her career to the service of world-leading IT security vendors. Throughout her journey in this field, she has covered executive positions in international sales, product marketing, and product management and acquired comprehensive knowledge of both digital rights management solutions and authentication technologies. Working from the German headquarters of Wibu-Systems, she is currently leading both corporate and channel marketing activities, innovating penetration strategies, and infusing her multinational team with a holistic mindset.

Software Security on the Defensive by Rüdiger Kügler 06-11-18
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/software-security-on-the-defensive.html

In the past few years, high-profile cyberattacks on key infrastructure have raised serious security concerns around the globe. These are just a few of the more prominent attacks:

  • Massive power outages in Ukraine, resulting from a supervisory control and data acquisition (SCADA) cyberattack, left more than 200,000 people without power for several hours
  • Hackers (thought to be Iranian) took control of a dam in Rye Brook, New York when they succeeded in accessing the core command-and-control system, one of the first reported attacks on infrastructure by another nation
  • Hackers from North Korea attacked the SWIFT global messaging system, used by banks to move trillions of dollars each day, resulting in a cyberheist of millions of dollars
  • Cyberattacks on a number of nuclear power plants across the U.S. and Europe emphasized concerns that malicious actors could weaponize critical infrastructure against the host country

Now, recent reports in the U.S. indicate that military weapons and security systems offer the same attack surface and exhibit many of the same vulnerabilities found in key infrastructure.

The U.S. Pentagon reported in 2016 that a communications system designed to pass secure messages between the U.S. Army’s portable radios and cellular networks around the globe was found to have more than 1,000 cybervulnerabilities, half of which had “a high potential of giving system access to an intruder.”

Furthermore, a recently completed report from the U.S. Government Accountability Office (GAO) concluded that “nearly all” of the weapons systems in the Pentagon’s $1.7 trillion purchasing pipeline have glaring cybersecurity holes, and that doesn’t include the vulnerabilities that may exist in older weapons systems that are still in operation.

Today, defense companies are not only forced to prevent unfriendly governments from reverse engineering advanced technology and stealing intellectual property, but are also required to protect against threats from attacks that could take human lives. As is the case in most cyberattacks, weak password management and software vulnerabilities are the most frequent causes that enable malicious actors to gain access to the system or the network and execute exploits that were unimaginable just a few years ago, but are clearly a danger today.

Security-minded companies like Wibu-Systems continue to advance software protection technology to adapt and stay ahead of ever-emerging threats. For example, our CodeMeter technology enables users to replace weak password-enabled mechanisms with cryptographic login technology using private keys and certificates that are stored in an ultra-secure dongle. We also strongly encourage our developer customers to continuously check for software vulnerabilities using available tools just as we do with our CodeMeter solution to mitigate the risks of introducing potential vulnerabilities into the software during development.

Sophisticated encryption technology, anti-debugging and anti-reverse-engineering mechanisms, secure boot protections, authentication protocols and other advanced techniques can all be applied to deploy the necessary levels of software security for military and any other applications. These advanced protection and security technologies are proven and deployable today.

Rüdiger Kügler

VP Sales | Security Expert

After completing his physics degree course in 1995, he was head of project management for software protection, software distribution, internet banking, and multimedia projects. In 2003, he joined Wibu-Systems and, as part of his role, contributed substantially to the development of Blurry Box® technology.

Trustworthiness in Industrial System Design by Marcellus Buchheit 23-10-18
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/trustworthiness-in-industrial-system-design.html

Trustworthiness in the context of an industrial system is a relatively new term intended to provide a better understanding of the meaning of trust in such a system and how this trust can be approached by the operational user as well as the planner and designer of the system.

As defined by the IIC in its recently released Industrial Internet of Things Vocabulary v2.1 document: “Trustworthiness is the degree of confidence one has that the system performs as expected. Characteristics include safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.”

While industrial systems vary greatly in their purpose and scope, their stakeholders share an important common element, and that is a deep-rooted trust. For example:

  • The owners, investors and operational users trust that these systems work as specified, are profitable and flawless during their expected lifetime.
  • Neighbors, customers and employees trust that the systems are safe and do not threaten their health or create environmental hazards.
  • The government trusts that laws and regulations are fulfilled: e.g. patient privacy standards in a hospital, clean-air directives in a fossil power plant or public safety in an urban transportation system.

With expectations high, it is quite a challenge for system engineers to fulfill all of these principles of trustworthiness in the design and operation of industrial systems.

While most experts agree that the five trustworthiness characteristics and their interaction are an important goal for any industrial system design, there are ongoing discussions about whether a design which fulfills all requirements of trustworthiness can be automatically trusted by all parties.

Let’s take a brief look at why the notion of trustworthiness in industrial systems can be so complex in relation to the five trustworthiness characteristics, as shown in the Trustworthiness Target Model above:

Humans are protected by privacy and safety, while security, reliability and resilience have no direct relationship in this area.

The Environment is exclusively protected by safety without other considerations involved.

The System is protected by security and to some degree by reliability to protect the system against damage or loss of components.

Finally, the system in Operation is mainly shielded by security and reliability, while partially protected by resilience.

One of the key challenges to trustworthiness design is that none of the trustworthiness characteristics can be implemented as a separate technology, and that the trustworthiness of an industrial system cannot be implemented by simply combining such technologies, as the characteristics may support or interfere with each other.

One approach to addressing these challenges in industrial design is to employ a new classification of Trustworthiness Methods that are assigned to the system characteristics rather than the trustworthiness characteristics. In my article in the Fall issue of the IIC’s Journal of Innovation, I provide an in-depth look at these Trustworthiness Methods and introduce a new concept, the Trustworthy System Status Model (TSSM), to help designers plan a system that goes beyond the “normal” status and, by using specific Trustworthiness Methods, proactively prevents a system that has reached “disrupted” status from slipping into a “damaged or disastrous” status or even being permanently lost.

I would enjoy your feedback on the concept.

Marcellus Buchheit

Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA

Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.

The Security of DLTs by Andreas Schaad 09-10-18
https://www.wibu.com.cn/cn/%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A/article/blockchain-event.html

On the 20th and 21st of September, the new "Secure Distributed Ledger and Contracts" Research Center was inaugurated by Prof. Sadeghi at the University of Darmstadt, Germany.

In his role as external research advisor to WIBU-SYSTEMS AG, Prof. Dr. Andreas Schaad represented Wibu-Systems among the 190 participants at this invitation-only event.

With over 60% industry participation, this event targeted the core question about current business models using distributed ledger technologies (DLTs) as well as how to improve on the security of DLTs.

After the opening of the event by the Hessian state secretary Burghardt, talks were given by representatives from the German Federal Reserve Bank, the German BSI and Daimler Trucks on the current readiness level of DLTs. Overall, the perception was that there is still a long way to go. The German BSI pointed out that DLTs may violate current EU Data Regulation Policies by publicly storing data in an immutable fashion.

Prof. Asokan (Aalto University), Prof. Capkun (ETH Zurich) and Michael Steiner (Intel Labs) provided talks on hardware-assisted trust (Trusted Execution Environments - TEEs) to enhance DLTs. For example, SGX could be used to replace the current proof-of-work, which relies on solving hash puzzles, with a proof-of-elapsed-time. Another practical example would be to use a TEE to address the problem of compromised wallets.

Representatives from Commerzbank and Bosch provided examples of current proofs of concept. Not surprisingly, these are still dominated by scenarios from the banking domain (e.g. a real trading system based on the CORDA framework) as well as by how to share identity management data between participants (e.g. based on Sovrin Technology, Verimi or Hyperledger Indy). In particular, Bosch addressed the economy of things (initially coined by IBM) and how DLTs could address the problem of platform monopolies by means of competition. Presented projects included CERTIFICAR, which uses Blockchain technology to store mileage data, as well as other projects in the autonomous vehicle R&D space. However, overall there is a feeling that current DLTs are not yet ready to be used to build systems that have to remain stable for an extended period.

The European Space Agency investigates using DLTs for securing the procurement and supply chain process as well as document management. More importantly, the question addresses how science data gathered from spacecraft can be distributed in a controlled, transparent and ultimately public process. On a more futuristic scale, ESA is investigating with TU Darmstadt the use of DLTs for advanced satellite communication protocols (e.g. to verify identities) - still keeping in mind the current practical limitations (i.e. CPU and memory consumption).

Another highlight was the talk by Michele Mosca (University of Waterloo / evolutionQ Inc.) on quantum attacks on blockchains - essentially pointing out that we need a next generation of quantum-safe algorithms as soon as possible, as we may see the first real, practical quantum computers able to attack standard RSA in as soon as 10 years (with a 1 in 6 chance of this prediction).

Stefan Teis from Brainbot Technologies AG talked about how to practically implement Blockchain technology and integrate it with the physical world (e.g. by means of collateralized tokens). A specific focus was put on Hyperledger Fabric as a private / consortium Blockchain as well as comparison with other frameworks such as Ethereum.

Final talks were provided by speakers from the Stuttgart Stock exchange and European Central Bank, who, for example, pointed out that with DLTs a stock exchange could focus again on its core expertise: that of an exchange. Banks in the future could act as quality gates, but overall this implies that the current players change their business models.

What should these talks, opinions and observations imply for the adoption of DLTs at Wibu-Systems? Overall, with its proven and trusted CodeMeter technology, Wibu-Systems could provide the missing link in the interaction of DLTs with the physical world. This is a problem for which, so far, no adequate solution appears to be available:

 

  • How are events and data from a distributed ledger pushed to and reliably executed by a physical actor (machine)?
  • How is physically observed data pushed into a distributed ledger while maintaining its integrity?

These are some of the questions being addressed by Wibu-Systems and Prof. Schaad in a joint R&D engagement.

Andreas Schaad

Head of Corporate Technology

Andreas Schaad is a Professor of IT Security at the University of Applied Sciences Offenburg. Before that he worked at Wibu-Systems AG Corporate Technology, as well as in various technical and managerial IT Security roles for Ernst & Young, SAP Research Security & Trust and HUAWEI Security Research. He holds 13 international patents and authored over 50 publications in the domain of IT Security.
