Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Are software cracks also a form of security vulnerabilities?
From: Travis Biehn <tbiehn () gmail com>
Date: Thu, 17 Jan 2013 08:42:14 -0500

Most licensing systems are toothless except for the ones that offload
critical functionality to external components.
A) A USB Stick that processes encrypted commands issued by the program.
These little things are pretty ingenious, they contain the decryption keys
in the USB stick and the program contains encrypted functions. High cost to
recover the decryption key and get the routines and they work in offline
mode.
B) Program logic is carried out server side. Cost to maintain servers,
program requires persistent internet connection.

Neither of them seem too feasible for a mobile environment, developers have
to assume and account for losses due to piracy just like in any other
medium.

That being said nobody is preventing you from responsibly disclosing
licensing issues to a vendor and recommending a more robust approach. One
such case is if a vendor was to use a license.dat file stored in open
storage, easily copied and shared. You might also warn a vendor with
un-obfuscated binaries which make it excessively easy to bypass validation
routines.

Of course the impetus is on the vendor, as usual, to make a correction. In
the context of licensing the damage is to the IP holder not the consumer.
Outside of the licensing there are a number of areas where an unobfuscated
binary or improper data handling could hurt end-users.

-Travis


On Thu, Jan 17, 2013 at 8:31 AM, COPiOUS <copious () hushmail com> wrote:

Yes, I know - lets say that someone who isn't me is an experienced
software and hardware
 reverse engineer.

But the cracking scene is often surrounded with a dirty smell of piracy,
leaving the real interest (research
 in software "vulnerabilities") often obfuscated.

Let's say that someone who isn't me has found obvious risks in licensing
systems of certain vendors,
 does this also account as vulnerabilities, since licensing issues mostly
don't really account customers
directly, but pose a risk for the software manufacturer.

COPiOUS

On 17-1-2013 at 2:11 PM, "Travis Biehn" <tbiehn () gmail com> wrote:

COPiOUS,
The best you can do is obfuscate your binaries to the point where
it keeps
out the least skilled attackers, beyond that it's unreasonable to
expect
your binaries will stay un-modifiable or resist examination at all.

The best I can recommend is that if you have logic that you don't
want compromised or if there's a pay-application to host most of
the logic
on your server; providing license verification there.

-Travis


On Thu, Jan 17, 2013 at 4:20 AM, COPiOUS <copious () hushmail com>
wrote:

Hello,

First of all, the question is in the subject. Should say enough.

In my opinion they are, since a software crack allows
unauthorized use of
software and the exposure of (possible) trade secrets, but I
want to know
how other people think about this. Also, by cracking software
packages,
other issues pop up quite often - quite a lot of applications
aren't
tamper-proof. But does "not tamper-proof" mean that the software
is flawed?

Since we're moving to a smartphone/app-centric world,
application security
(and especially mobile application security) is an important
topic, since
many developers think that a walled garden is safe. It's not
because you
can't get out, that others can't get in.

COPiOUS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Twitter <https://twitter.com/tbiehn> |
LinkedIn<http://www.linkedin.com/in/travisbiehn>|
GitHub <http://github.com/tbiehn> |
TravisBiehn.com<http://www.travisbiehn.com>




-- 
Twitter <https://twitter.com/tbiehn> |
LinkedIn<http://www.linkedin.com/in/travisbiehn>|
GitHub <http://github.com/tbiehn> | TravisBiehn.com<http://www.travisbiehn.com>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]