When plotting their biggest security priorities for 2018, smart companies are looking to protect the code in their mobile payment apps, Intertrust VP and GM Bill Horne said.
Intertrust provides security and policy management solutions for companies building IoT data marketplaces. Mr. Horne is charged with the strategy, day-to-day operations, and P&L of Intertrust Secure Systems, which consists of Seacert, a managed PKI and key provisioning service provider, and whiteCryption, an application shielding solution provider. He has written and published more than 50 papers on machine learning and computer security and holds 36 patents with another 50 pending.
To understand how to best protect mobile banking apps, begin by considering a hacker’s goal for penetrating a system, Mr. Horne suggested. They want to get at the money, of course, but they also are interested in the user’s credentials and their behaviour patterns.
The hack usually begins by reverse engineering the application and looking for a weakness to exploit that allows the hackers to find the secrets used by the codes. Once they get them they can pretend they are the real user and unlock content, Mr. Horne said.
The first line of defence is to make it harder to reverse engineer the code, Mr. Horne said. Next up is making code tamper resistant.
whiteCryption is one of Intertrust’s solutions, Mr. Horne said. It delivers obfuscation, self-defence, and key protection techniques to protect applications from a static and dynamic analysis, hacking and piracy. Software applications are hardened at the source code level, preventing cybercriminals from using reverse engineering to access information and resources within applications. The whiteCryption Secure Key Box is a white-box cryptographic library protecting cryptographic keys in sensitive applications. Standard cryptographic algorithms hide secret keys both at rest and at runtime.
Companies are having to quickly adapt to trends reshaping every aspect of the business, Mr. Horne explained. Computing is now highly mobile and connected to the cloud. Contrast that to decades ago when important systems were contained in on-site data centres.
While the technology has changed many times some corporate security measures struggle to keep pace, Mr. Horne said. Employees can now check email on their Apple watches or company devices over which head office has little control. Employees also bring their personal devices into work.
Just wait, as the Internet of Things (IoT) explodes, billions more devices are added to the mix, Mr. Horne said.
“It accelerates the notion of computing in hostile environments where hackers have easy access. From a security perspective, we have to consider the threat environment around the device.”
A common refrain is device data encryption but what some don’t understand is while encryption protects data, it shifts the responsibility to the keys, Mr. Horne said. If you’re not protecting the keys, you’re not protecting the data. Some hardware security features such as Android TrustZone are not always directly available unless they are deeply embedded in an operating system.
Many IoT devices do not have hardware security features installed, Mr. Horne said, and you consider the extent to which technology has entered popular devices there is cause for concern. A car may have 100 different CPUs and five different networks communicating on miles of cable, so much electronic material that it now makes up one-third of the cost of many vehicles. Hundreds of millions of lines of code are inside their operating systems.
“There is also the issue of the merging of devices with how people interact with them which is usually the phone,” Mr. Horne said.
Healthcare devices track dialysis progress for people with kidney disease and insulin levels for people with diabetes. Protecting that information is literally a matter of life and death.
Seacert provides security to IoT device manufacturers, along with media distribution services and consumer electronics manufacturers. It provides Public Key Infrastructure services to companies requiring digital certificates, identities and cryptographic keys. Unlike other certificate authorities designed before the onset of IoT, Seacert was designed from the beginning with consumer electronics and mobile technology in mind.
“Seacert was designed to offer the best of both worlds—customized public key infrastructure (PKI) services that are highly scalable,” Mr. Horne said. “Seacert has successfully supported the secure provisioning of millions of consumer electronic devices for over a decade. Scaling a PKI service that encompasses the right mix of facilities, processes, technology and people without sacrificing the level of protection of communications, data and identity, has made us an invaluable partner to OEMs around the world.
“As competitors try to figure out how to scale to properly protect the billions of IoT devices coming online in the next few years, we’ll be able to do it without blinking an eye.”