Does pirated software still carry the same security risks that we have always been warned about?
Tom Brewster examines the current state of the problem…
Legendary pirates of the seas were rather good at clandestine attacks. Take tricksy Welsh pirate Captain Howell Davis. According to one myth, he often duped people by using surreptitious methods. One saw Davis deceive the governor of the Royal Africa Company in Gambia to let him into the slave fort of the organization, disguising himself as a gentleman. He later took the governor as a hostage, demanding a ransom of thousands of pounds, which he duly received.
Digital pirates operate a little differently today, but similarities remain. Much like some of the famous swashbucklers of yore, they believe they're great economic levelers, modern-day Robin Hoods. But there are some particularly bad apples, ones who will carry out sneaky attacks, solely to fuel their own greed.
Fortunately for those individuals getting their hands on pirated software, films, music or other content, the danger of facing a legal threat is slim, says Steve Kuncewicz, intellectual property, media and social media lawyer at Bermans. He points to the recently announced UK scheme, the Voluntary Copyright Alert Programme (VCAP), which will see industry bodies sending offenders four letters of increasing severity, warning recipients about the illegality and impact of what they’re doing. It’s modelled on the ‘six strikes and you’re out’ Copyright Alert System in the US, and seeks to fill the gap left by the failed implementation of the much-abhorred Digital Economy Act, except there will be no punitive measures mentioned in the letters.
Kuncewicz worries VCAP might not achieve its aim of stopping illegal downloads with a soft-touch approach.
“The whole issue with VCAP is that given there are no punitive measures, it might become a bit of a joke”, he says. “It’s like telling your child: don't do it again, don't do it again, don't do it again.”Steve Kuncewicz, intellectual property, media and social media lawyer at Bermans
Treasure with Nasty Hidden Surprises
Rather than going after individuals, the industry is now rapaciously chasing down websites serving the pirated content, firstly by having ISPs blocking them. Law enforcement is also hoping to cut off such business’ ad revenue. The City of London Police launched an Infringing Website List earlier this year, hoping it will encourage brands not to run ads on the implicated sites.
Industry bodies and law enforcement are also taking a different tack to deter people from downloading pirated gear. They’re educating users on the threat of malicious code, which is often found hidden inside or attached to knock-off kit, or on websites that serve it. As a prime example of the dangers facing those on the messy seas of the internet, Google warned in May that popular file sharing website Demonoid was carrying malware. Any user that tried to visit via the search engine or through the Chrome browser would have been greeted with a page detailing the danger of visiting the site. Seven of 78 pages scanned by Google resulted in malware being downloaded.
In April, researchers looking at 30 of the most frequently used illegal film and TV sites in the UK claimed nine in 10 contained malware or other “potentially unwanted programs designed to deceive or defraud unwitting viewers”. They said that only one of the 30 sites monitored over a two-week period showed no signs of malware or attempts to defraud visitors in some way. The researchers, who were commissioned by Industry Trust, the anti-piracy UK film, TV and video industry’s consumer education body, claimed one common tactic was to have the buttons that viewers clicked to view a film or TV show trigger downloads of malware or other programs.
A separate study commissioned by the same group found 17% of people who had unwittingly or unintentionally visited a piracy site had seen personal data lost or stolen, while 14% were exposed to material they said they didn’t want to see, such as pornography or violence.
Are the Dangers Real?
Such figures might over-egg the threat level somewhat, says Amichai Schulman, chief technology officer at Imperva. “I don’t think that hacking pirated software is a major threat vector to the industry in general”, he asserts. “I know that it used to be a more prominent vector than it is now. Peer-to-peer networks were once a very convenient platform for spreading infected code. It is a less important platform today.
“For instance, you don’t expect to directly compromise enterprise machines using pirated software because enterprises would not be using pirated software for legal reasons – and we all know that people have more fear and respect towards the legal department than towards infosec.”Amichai Schulman, chief technology officer at Imperva
Schulman’s doubts aside, it’s clear many piracy sites do pose a risk to client security from a malware perspective, while cracked copies of software may not get the same level of support, leaving them riddled with vulnerabilities. If knock-off, tweaked code and piracy websites contain manifold risks, and site owners are often slow to clean them up, then who should be responsible for keeping users safe?
Encouragingly, software vendors sometimes patch pirated versions of their kit, meaning exploits are less likely. As David Harley, senior research fellow at anti-virus firm ESET, notes, Microsoft has long allowed users of pirated Windows versions to apply security updates, “realizing that an unpatched pirated system can constitute a danger to users of legitimate systems.”
Taking such an approach does not always work, however. There have been problems with applying patches to Windows systems that may be pirated, as seen with the notorious KB2859537 update from 2013 that caused many programs not to work. Microsoft said problems could occur in Windows versions that contained an “instrumented version” of ntoskrnl.exe, a file in the Windows kernel, which the vendor didn’t support. That was basically Microsoft’s way of saying the update would negatively affect non-official versions of the OS.
“The combination of a pirated and therefore altered version of Windows ... and a patch that assumes legitimate system files can damage or even brick the system, is pretty hard on people who don’t realize they’re using pirated software, or whose legitimate Windows software has been misidentified as pirated”, says Harley.
Fix Me
Harley doesn’t believe security companies should be tasked with fixing the problem directly, outside of doing their day job of detecting and warning about malware campaigns. “Given the complexities of identifying pirated software – especially if it’s another company’s software – attempting to address a pirated OS may not be the best use of a security company’s resources. Generally, the company that creates the software is best placed to implement patching. However, it’s common for security companies to detect an attempt to exploit a vulnerability and take whatever remedial action is possible.”
Indeed, various security solutions verify that software deployed by an enterprise computer is properly signed and authorized. In such cases, pirated software – like any other unauthorized code – would be detected, notes Schulman.
Other technical solutions are proving useful in detecting legitimate code that has been given a malicious twist.
“One promising development is for each program to run in its own sandbox, as with mobile phone operating systems or with Linux Containers (LXC).”Phil Hunt, computer programmer and one of the founding members of the Pirate Party UK
Rather perversely, use of digital rights management (DRM) tools designed to protect against copyright theft actually open up security problems, Hunt adds. “What security vendors should not do is become a part of the problem. Companies have used rootkits to build DRM systems and to monitor the users of their software. This is irresponsible and opens the door to further abuses.”
One answer for those who want good, cheap software instead of getting bogged down in the world of licenses, or risking using pirated kit, is to find free tools that do a more than adequate job. “We should be doing more to promote free software for a variety of reasons, but it's also a great way to help people move away from compromised pirated software”, says Hunt. “Obviously, in the long term, making legally obtained software more accessible by limiting copyright will make it less likely that people would access software from dubious sources, and that is what it comes down to.”
Users could also deploy open-source alternatives to popular software, says Sarb Sembhi, director at security consultancy IncomingThought. As with free tools, it’s all about ensuring the source hosting the kit is trustworthy. “Open source is good and I trust it, but it depends on which source you get it from”, Sembhi relays. “The problem is where you're getting it from and whether the source is cleaning its site to ensure you don't get malware.”
Even Google struggles to keep malware off its own software platform, so guaranteeing the legitimacy of the source is no simple task. Businesses and individuals have to decide whether they either pay out for official licenses, or go down the riskier but cheaper route of open source and free software. Each option carries its own risks.