9

feature

through recognizable attack signatures.None of which will necessarily assist indeterring as yet unknown and new attacks.

Attackers must gain entry to a systemfirst, in order to exploit it, vandalize it, orotherwise cause damage. The methods ofgaining entry, all tend to start in the sameway. Closing the doors used by attackers,and bolting them shut can make a systemsubstantially more secure.

While the adoption of MVA solutions isstill in its very early stages, they are expect-ed as a complimentary layer to existing ITsecurity precautions. Gartner recentlyreported that the US Government’s Officeof Management and Budget included‘detection and reporting of vulnerabilities’as one of six identified weaknesses in feder-al information security and, with this levelof priority, MVA is set to rapidly expandover the next few years.

MVA is often described as havingevolved through two phases to reach thelevel of performance it offers today. Earlierphases involved the use of port scanningtools and other script based code operatedfrom a single location and generating copi-ous volumes of hard to interpret data.Today’s most advanced systems offer100% originated and independent thirdgeneration distributed scanning service.

In operation, the security scanning ser-vice must instigate thousands of testsagainst thousands of IP addresses, each ofwhich could potentially be located any-where in the world. In order to achieve,and remain efficient and manageable, the

service must be designed to be highlyscalable, resilient, robust and stable.

In Pan Security International’s case thishas been achieved largely through propri-etary technologies in the form of ‘TaskDirectors’ and ‘Test Servers’ throughoutthe world in ‘Secure Operations Centres’.Task directors control and manage thetesting of many physical addresses, andallocate the actual tasks of issuing thetests, and gathering the results, to one ormore appropriately situated test servers.

The task director will intelligentlyselect the most appropriate test server torun a test, according to the proximity ofthe test server to the target IP addressunder test, and the present workload ofthe test servers within the vicinity.

In the event that a test server becomesunavailable, the task directors will recog-nize this, and reschedule the tests, whichthe now absent test server had been con-ducting to one or more available testservers. This ensures that the testingregime is never broken.

The testing takes the form of interroga-tory packet transmissions directed at aspecific IP address, commencing with acomprehensive port scan. It is not possi-ble to predict precisely how testing willproceed in any given situation, as it willdepend very much upon what each testdiscovers. Because the testing process isintelligent and can react to results as theyare received back, intelligent decisionscan be made as to which tests should berun.

This intelligent, reactive testing meansthat tests that do not apply to a particularplatform, for example, will not rununnecessarily, saving on expensive band-width and processor time.

MVA offers the assurance of risk mea-surement and management before ahack is even attempted. By identifyingthe approaches, methods and tactics thata potential attacker would use to enter asystem, and reproducing these regularly,usually daily, any ‘cracks’ in system secu-rity can be found and remedied by theIT and business managers before thehackers find them.

MVA gives organizations the ability toestablish security ‘norms’ or ‘baselines’ atthe network perimeter against whichunusual or unexpected changes in thenetwork set-up can be alerted — it iden-tifies where ‘doors’ and ‘windows’ mayhave been left open or ajar, when at firstglance it may appear they are closed tightshut, giving an organization enough timeto act and secure the network before abreach is even attempted.

In today’s environment hacking andregular network attacks are a certaintyand their occurrence is found at thehighest levels in the financial servicessector. The cost of inadequate protectionis too much for any organisation toignore and this is why MVA representsan important step forward. MVA assistsbusinesses at the most important time— before the hackers find a way in totheir network.

The case hit the headlines early inMarch with the revelation that CanalPlus, the digital TV technology arm of

the giant multinational Vivendi mediagroup, was suing Murdoch-owned NDSfor alleged cracking of the former’s

smartcard technology used for control-ling access to digital TV networks.NDS, which is a subsidiary of NewsCorporation and numbers RupertMurdoch’s son James among its direc-tors, has launched a countersuit con-tending that the Canal Plus action is asmokescreen to disguise the inadequa-cies of its smartcard technology.

The case involves a tangle of businessand personal relationships that are rele-vant here only in emphasizing thehuman dimension to any major securitybreach, given that if the allegations aretrue a large amount of collusion musthave taken place. Also of interest is the

Canal Plus Versus NDSCasePhilip Hunter

The unprecedented $1 billion lawsuit between two of the world’s largest digitalTV companies looks like one of the most intriguing industrial espionage storiesof all time. It also happens to be highly relevant for IT security, highlighting theneed for a flexible approach that can be modified in the light of changing tech-nology and business conditions.

nese april.qxd 4/24/02 3:01 PM Page 9

role of the hacking website, The Houseof Ill Compute (THOIC), which clearlydistributed the codes of the Canal Plussmartcards used by, among others, ITVDigital in the UK.

NDS admits having had a relationshipwith, and funded, the THOIC site,which has now been closed down, thestated motive being to gain informationabout the hacking culture by so doing.This is not an uncommon practiceamong companies involved in ordepending heavily on IT security, butthe first lesson to be drawn from thiscase is that such liaisons can be danger-ous and costly. In this case the existenceof this relationship could well have abearing on the outcome of this veryexpensive lawsuit.

The case also demonstrates, as if fur-ther evidence were needed, how greatthe commercial implications of a majorsecurity breach can be. Shares in NDSplunged 26% on the day the suit wasannounced. More significantly, ITVDigital has been brought to its knees bythe proliferation of counterfeit smart-cards that can be used to access itschannels. It is estimated that at least100 000 and perhaps as many as 500000 such smartcards are in circulation,depriving the company of a huge sliceof revenue at a time when it is strug-gling to amass a commercially viablerump of digital TV customers in theUK. ITV Digital estimates these lossesat £100 million.

Among the wider implications for ITsecurity, there is a possible impact on roll-out of broadband Internet services, ascontent providers may become morereluctant, at least for a while, to trust amedium that also relies on encryptiontechnology. But according to Ian Walker,EMEA technology director of EntrustInc, one of the world’s leading IT securityinfrastructure companies, the biggestdanger is a loss of confidence among bothconsumers and merchants in smartcards.“This would be unfair, and it would bedangerous to say that smartcards areunsafe full stop,” said Walker.

The danger is that the world maymove away from what ultimately

promises to be the best way of control-ling access to information and services,whether via digital TV or the fixed wireInternet. The same applies to mobilephones, given that their access is con-trolled via internal smartcards, i.e.SIMs.

The reason Walker considers it unfairfor smartcards as a whole to be taintedby this case involving NDS and CanalPlus is that the technology concerned isno longer representative of the state ofthe art. The Canal Plus technologyused by ITV Digital is essentially a pri-vate key system where each subscriber’ssmartcard embodies a key, which isused to unscramble the digital bitstreams. The system provides strongprotection with long key lengths, but ifyou crack just one smartcard, you crackthe lot, and the whole network is wideopen. Any counterfeit smartcard basedon the compromised codes can then beused to access the network, as has hap-pened in the UK — the dispute is notover whether the hacking took placebut whether NDS was involved.

When your whole security, and rev-enue running into potentially hundredsof millions of pounds, depends not juston a single private key system, but effec-tively just on one key, then you are ask-ing for trouble. Whether or not NDSwas involved, the temptations for eithera rival, an organized group of hackersintent on causing mischief, or a criminalgroup seeking revenue from counterfeitsmartcards, becomes enormous. In secu-rity, when the stakes are this high, thereare two recourses. You make the securitywatertight, which is well nearly impossi-ble, or you design it in such a way thatwhenever successful attacks are made,damage is limited.

Canal Plus has attempted to do the lat-ter belatedly by upgrading the smartcardtechnology, but this is a flawed approachbecause the rate at which millions of sub-scribers can be given a replacement isunlikely to be more often than a year atmost. This gives plenty of time forattacks to be made and counterfeits to bedistributed. With a private key system,the alternative is to distribute new keys,

but this too is a big logistical challengewith a wide base of subscribers — it isnot just a simple matter of sending outnew numbers, as the cards need to beupdated.

The alternative, advocated by Walker,is to adopt a public key system. Thisavoids the exposure to attacks on indi-vidual smartcards, because now everysubscriber has a separate set of two keys,and these can be readily stopped in theevent of a theft. But there is still a prob-lem with satellite and terrestrial distrib-ution, except where the subscriber hasan uplink with the service via a tele-phone connection. This is because witha public key system, the two ends of alink normally need two way communi-cation to establish a temporary privatesession key for use over a limited timeinterval. In the case of a digital TV ser-vice, this key could be re-negotiatedperiodically to minimize exposure. It istrue that in this case, because at any onetime all subscribers would use the samesession key, it could be possible todownload that key to all authorized sub-scribers, without requiring acknowl-edgement. But this itself weakenssecurity because there is no dialogue thatcan be used to strengthen the authenti-cation process.

In this sense the Internet could actu-ally be a more secure medium for dis-tributing digital TV, because it is thenmore practical to authenticate the useras well. Against that there is the greaterrisk of piracy over the Internet, giventhe potential for copying downloadedcontent.

But back on this case, one feature ofinterest is that the issue hinges partlyon the degree of difficulty involved inthe hacking of Canal Plus smartcards.The two companies naturally givesharply different versions of events.Canal Plus argues that its technologywas so secure that, apart from academicinstitutions, only a major company inthe field such as NDS would have theresources to perform the necessaryextraction of code. This, according toNDS, involved “electrical and opticalexamination of the protected internal

feature

10

nese april.qxd 4/24/02 3:01 PM Page 10

Unfortunately, the European Union hasrecently taken a strong stance on dataprotection legislation as can be seenfrom the Directive on the Protection ofIndividuals with Regard to theProcessing of Personal Data and on theFree Movement of such Data. In reality,that stance is not matched by theinhabitants of Europe who, in practice,seem to be far more relaxed about theuse of their personal data. People willmost certainly want this technology andtherefore it is highly likely that the legaltechnicalities in particular, infringe-ment of data protection, will be ignored— both by the users and by theproviders of the technology. This wouldcertainly be the best course to adoptsince the dangers of being left behind inthe next technological revolution aregreat.

Bluetooth in GeneralBluetooth was introduced in 1998 andalthough its growth did not acceleraterapidly, products are now starting toemerge. Microsoft has included nativesupport for Bluetooth in Windows XP.Bluetooth will feature in a number ofsystems this year including laptops,PDA, printers etc. In March, theInstitute of Electrical Engineers (IEEE)announced that it would integrate sec-tions of Bluetooth MAC and PHY layersunder its 802.15 standard. This has beenconsidered as a step forward forBluetooth because the IEEE has a repu-tation for developing reputable stan-dards such as the 802.11 WLANstandard. According to Frost andSullivan, a market research company,Bluetooth is now a rival to wireless LANtechnology, such as 802.11. Michael

Wall, an analyst from Frost and Sullivancommented that Bluetooth has superiorsecurity over 802.11.

Bluetooth and cryptographyTelecommunication transmissions are sus-ceptible to being overheard. Accordingly,there will be a need for some encryption tobe built into Bluetooth devices – particular-ly those designed to be part of privateintranets in the office or home. Helpfully,the United States has given a blanketexemption to all types of encryption tech-nology designed for Bluetooth.

Under the new United States regula-tions, the Export AdministrationRegulations of the United States (15 CFRParts 730-774), administered by the USBureau of Export Administration, someitems are exempt from a technical reviewprior to export. Section 740.17(b)(3)(vi)of these US regulations states:

“Items which would be controlled onlybecause they incorporate components orsoftware which provide short-range wire-less encryption functions may be export-ed without review and classification by[the US Commerce Department’s Bureauof Export Administration] and withoutreporting under the retail provisions ofthis section.”

The preamble to the new US regula-tions provides the following additionalguidance:

feature

11

BluetoothDai Davis

Many of the applications of Bluetooth will have important legal ramifications.Most importantly, the use of Bluetooth is an anathema to the UK and Europeandata protection laws. When a visitor enters an office building, does he consent tohis personal information (in particular his whereabouts) being transmittedthroughout the building to all the companies that have offices there? Bluetoothenables this to be easily done.

software code using expensive machin-ery designed and operated to defeatCanal Plus Technologies’ protectivemeasures.”

NDS on the other hand describesCanal Plus’ smartcards as being based on“inadequate technology” and of being rel-atively easy to hack.

The view from the pirating communitytends if anything towards the NDS posi-tion, irrespective of the actual quality ofthe technology involved. The view is thatany code-carrying device is currentlycapable of being hacked with skill andpatience, without requiring expensivecomputing or scientific equipment. This

view cannot be totally correct, for it isalways possible to improve the tamper-resistance of a device to the point atwhich it does require great resources tocrack. The question though is at whatcost. With security being a compromisebetween protection, cost and conve-nience, there will always be occasionalmajor breaches. What is certainly true inthis case though is that the money beingspent by NDS and Canal Plus slogging itout in the legal arena could have made asubstantial impact on online piracy hadthe two companies decided instead topool their resources for the collectivegood of the industry.

One final point of interest is thatCanal Plus has invoked the USRacketeer Influenced and CorruptOrganizations Act (RICO), rather thanthe more widely used DigitalMillennium Copyright Act, in the suit.One reason for this could be that RICOallows courts to award damages threetimes the value of the intellectual prop-erty judged to have been stolen or lost asa result of the action of a convictedparty, plus legal costs. So in this case, thepotential liability is increased from $1billion to $3 billion. Nice work forlawyers on this case, whatever the out-come.

nese april.qxd 4/24/02 3:01 PM Page 11