Relaxing controls = bad idea
(http://blogs.computerworld.com)
By Michael R. Farnum
Created Mar 28 2008 - 5:19pm
I was recently reading through some security blogs talking about the recent news on full disk encryption hacks. As I was reading, I came across the following comment on Rich Mogull's blog, securosis.com [1]:
Just wanted to point out a bit of a paradox, “your best bet is still to maintain physical control of your laptop”. Isn’t the main purpose of full-disk encryption to prevent data disclosure when people *don’t* maintain physical control of their laptop? If people maintained physical control wouldn’t that negate the reason to have full-disk encryption in the first place? :)
When I first read the comment, I thought it was a really good point. But then I started thinking about the thought process behind the comment, and it worried me. My guess is that he didn't think it all the way through. Basically, this person is saying that if you implement FDE, then you can relax your physical security controls. But that is actually not true. FDE is implemented IN CASE physical control fails.
When you relax a security control because you have implemented another, you create an area for attackers to target that was previously guarded. Yes, if you put in a control that makes another totally irrelevant, then I understand. But how often does that actually happen? So if you stop worrying about the physical security of your laptop because your security guy put on FDE, then you are asking for someone to steal your laptop.
And remember, physical assets have value, just like intellectual property. And what about the inconvenience factor? It all adds up.
zen... could be
They seem to make a distinction earlier in the article:
"....few of the missing laptops were protected by encryption software."
and SKS has alluded many times to some government agencies already using FDE before receiving FIPS approval.
From Seagate:
http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=dn_sec_ask_expert_landing&vgnextoid=860d4eab3f6b3110VgnVCM100000f5ee0a0aRCRD
Q. Is the Momentus drive going to be FIPS 140-2 compliant?
A. We do not have FIPS 140-2. (FIPS 140-3 is currently in draft review: http://csrc.nist.gov/cryptval/140-3.htm) compliance. Development and product cycles are too short for disk drives to acquire FIPS certification; the Seagate Momentus 5400 FDE.2 drive is already on its second generation (the .2 designation). We are working with the federal government on FDE and expect the result of this will be NSA approval of FDE security. Seagate announced our FIPS 197 AES validation certification on July 30, 2007.
DEA is using FDE........
http://www.breitbart.com/article.php?id=D8VM3DT00&show_article=1&image=large
DEA computers, guns missing
March 28, 2008
By Jerry Seper - More than 90 weapons and 230 laptop computers belonging to the Drug Enforcement Administration have turned up missing over the past five years and despite efforts by the agency to address weaknesses in tracking the items, "significant deficiencies" remain, a report said yesterday.
The lost and stolen weapons include pistols, rifles, shotguns and a submachine gun, said a 105-page report by the Justice Department's Office of Inspector General, which also noted that DEA officials could not say how 198 of 231 laptop computers came to be missing.
Inspector General Glenn A. Fine also said the DEA was unable to provide assurance that 226 of the 231 lost or stolen laptop computers did not contain "sensitive or personally identifiable" information, adding that few of the missing laptops were protected by encryption software.
"The DEA has made improvements to its internal controls over weapons and laptop computers since our 2002 audit, such as conducting physical inventories and reconciling these inventories to its financial system records," Mr. Fine said. "However, we concluded that the DEA still requires significant improvement in its overall controls on weapons and laptops."
DEA spokesman Garrison K. Courtney said yesterday the agency has made significant improvements in its rate of loss for laptops, adding that in instances where weapons were lost or stolen, "appropriate disciplinary actions" were taken. He also noted that the IG's report said the DEA was following the appropriate methodology in regards to the inventory of weapons and laptops.
"DEA has recently implemented new interim policy regarding the detailed reporting of lost, stolen and missing laptop computers by all DEA personnel, as well as reporting potential losses of sensitive information that may have been contained on lost and stolen laptops," Mr. Courtney said.
In its written response to the IG's report, the DEA disagreed with a recommendation that all its laptop computers be encrypted, saying that as of December 2007, DEA laptops that process sensitive information already have full disk encryption but others including those used to support electronic surveillance, computer forensics, polygraph examinations and other digital monitoring functions are exempt from the security requirements.
Seagate/Wave/ASI....
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/03-12-2007/0004543913&EDATE=
Seagate Delivers Industry's Strongest Security for ASI Laptop Computers
SCOTTS VALLEY, Calif., March 12 /PRNewswire-FirstCall/ -- Seagate Technology (NYSE: STX) today announced that Momentus(R) 5400 FDE.2, the world's strongest encrypting 2.5-inch notebook PC hard drive with a comprehensive suite of powerful security capabilities, is shipping to ASI Computer Technologies for secure notebook systems that will feature Wave Systems Corp. (Nasdaq: WAVX) security management software to simplify enterprise deployments.
Seagate's Momentus 5400 FDE.2 (Full Disc Encryption) hard drive features perpendicular recording technology to deliver up to 160GB of capacity, a fast Serial ATA interface, and hardware-based AES encryption, a government-grade security protocol used to encrypt all hard drive information transparently and automatically, preventing unauthorized access to data on lost or stolen laptops. The encrypting hard drive also gives organizations an easy way to repurpose or retire laptops without compromising sensitive information and to comply with the growing number of data privacy laws calling for the protection of consumer information using government-grade encryption.
ASI Computer Technologies, a leading channel provider of laptop PCs, will offer the drive in its new ASI C8015 whitebook system. For additional security, the ASI C8015, expected to be available as soon as April, will feature a biometric fingerprint reader for stronger user authentication. The laptop will target healthcare, legal, finance, government and other industries requiring strong protection of information stored on laptop PCs.
"Computer security is a growing concern for all of our channel customers, though fear of stolen laptops is especially acute," said Kent Tibbils, ASI senior director of Platform Technologies and Marketing. "And for good reason: the theft of intellectual property, customer information and other precious content stored on laptops can cost organizations dearly in legal remedies and customer retention, to say nothing of the considerable cost of restoring one's good name. Seagate's Momentus 5400 FDE.2 hard drive with the Wave Systems management software allows ASI to deliver notebooks with the strongest, easiest to deploy security available."
The ASI C8015 will feature Wave Systems Embassy Security Center's Trusted Drive Manager, software that simplifies setup and configuration of Momentus 5400 FDE.2 drives. Trusted Drive Manager also makes it easy for administrators and users to create and back up passwords, and for administrators to control hard drive policies and security settings. The software also leverages Seagate's DriveTrust Technology to allow administrators to instantly and easily erase all data cryptographically so the drive can be safely redeployed or discarded.
Seagate DriveTrust Technology is a powerful new security platform that combines strong, fully automated hardware-based security with a programming foundation that makes it easy to add security-based software applications for organization-wide encryption key management, multi-factor user authentication and other capabilities that help lock down digital information at rest.
"The inherently secure hardware of the hard drive provides the ideal cryptographic environment where encryption keys and access control data are safeguarded from software attacks," said Lark Allen, executive vice president, Wave Systems. "In a major step forward for data protection, Wave's Trusted Drive Manager and Seagate DriveTrust Technology provide a new, highly secure pre-boot capability that authenticates users to their system, protecting data at rest from risks associated with loss of the notebook."
Momentus 5400 FDE.2 -- Locking down notebook PC data
Strong laptop data security is increasingly important as the adoption of notebook PCs continues to soar and more notebooks are used to store sensitive personal and business information. Lost or stolen notebook PCs can cost companies millions of dollars in compromised trade secrets and intellectual property and threaten consumers with the high cost of identity theft, yet many laptops remain unprotected. A recent Ponemon Institute study found that 35% of all computer data breaches involved lost laptops or other digital devices. In the institute's 2005 National Encryption Survey, the chief reasons organizations cited for not encrypting sensitive or confidential information were concern about system performance (69%), complexity (44%) and cost (25%).
Momentus 5400 FDE.2 provides an easy, cost-effective way to prevent unauthorized access to all notebook PC data, not just selected files or partitions, in case the system or disc drive is lost, stolen, retired or resold. The 5,400-RPM drive's hardware-based full disc encryption delivers significantly stronger protection against hacking and tampering than traditional encryption approaches by securely performing all cryptographic operations and key management within the drive.
About ASI Computer Technology
ASI Corporation is a global IT component and systems distributor with over $1.2 billion in revenue. With 24 locations worldwide and over 20 years' market experience, ASI is a leader in providing customers with the latest technology and computer-based solutions including a full line of custom-built notebooks designed to address the needs of this growing market segment. ASI is dedicated to working with its manufacturing partners to deliver technology that provides system integrators with unique solutions that give them the ability to add value through product differentiation. For more information about ASI, visit http://www.asipartner.com.
About Wave Systems Corp.
Consumers and businesses are demanding a computing environment that is more trusted, private, safe and secure. Wave is a leader in delivering trusted computing applications and services with advanced products, infrastructure and solutions across multiple trusted platforms from a variety of vendors. Wave holds a portfolio of significant fundamental patents in security and e-commerce applications and employs some of the world's leading security systems architects and engineers. For more information about Wave, visit http://www.wave.com.
About Seagate
Seagate is the worldwide leader in the design, manufacture and marketing of hard disc drives, providing products for a wide range of applications, including Enterprise, Desktop, Mobile Computing, Consumer Electronics and Branded Solutions. Seagate's business model leverages technology leadership and world-class manufacturing to deliver industry-leading innovation and quality to its global customers, and to be the low cost producer in all markets in which it participates. The company is committed to providing award-winning products, customer support and reliability to meet the world's growing demand for information storage. Seagate can be found around the globe and at http://www.seagate.com.
NOTE: Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology LLC. Momentus is a trademark or registered trademark of Seagate Technology LLC or one of its affiliated companies. All other trademarks or registered trademarks are the property of their respective owners. One gigabyte, or GB, equals one billion bytes when referring to hard drive capacity. Accessible capacity may vary depending on operating environment and formatting.
Gaming motherboard with TPM:
Did barge just get it right??
Press Release
Release date: March 13, 2008
Advansus GME965 Mini-ITX Design Supports TPM & 6W AMP Gaming Applications
March 13, 2008, Taipei, Taiwan
Advansus, a joint-venture motherboard manufacturer of ASUS and Advantech, announces the roll out of i965GM-DCQI, an Intel® GME965 Mini-ITX motherboard designed for high definition video gaming machines and digital signage systems. The i965GM-DCQI Mini-ITX motherboard delivers excellent user experience with 3D graphics, dual-view display, dual audio streams, a 6 watt audio amplifier, dual LAN and an onboard Trusted Platform Module (TPM) providing a hardware cryptoprocessor for increased data security.
Graphics Performance
The i965GM-DCQI delivers advanced system performance, and accelerated graphics based on Intel® GME965 and Intel® Core(TM) 2 Duo mobile processors combined with high speed system memory of up to 4 GB dual channel DDR2 667 SDRAM. Leveraging Intel® Integrated GMA (Graphics Media Accelerator) X3100 Graphics engine, the i965GM-DCQI supports DirectX 10, Pixel Shader 4.0, and performs 3D rendering at graphic core speeds up to 500 MHz with 384 MB of video memory.
Dual-Display & Dual-Stream Audio
The i965GM-DCQI's multimedia functionality is extremely versatile, offering dual channel 24-bit LVDS and DVI display with a built-in Chrontel CH7307C DVI transmitter. The motherboard supports dual view display with resolution of up to 2048 x 1536. The i965GM-DCQI uses Realtek's ALC888 5.1 + 2 channel audio codec to provide two independent audio streams. Sound is further enhanced by the TPA3005D2 6 watt stereo amplifier, creating a wraparound effect from the two front channels.
Trusted Platform
The i965GM-DCQI's increased system security is provided by an Infineon SLB 9635 Trusted Platform Module (TPM) chipset, which is used to ensure authenticity, and is able to withstand logical and physical attacks, protecting Internet transactions and communications in E-commerce environments.
Flexible I/O connectivity
The i965GM-DCQI provides dual LAN high speed network capability with Realtek's RTL8111B PCI-E Gigabit LAN controller. System engineers will find the i965GM-DCQI easy to configure offering a flexible array of peripheral support. It comes equipped with 10 USB ports, 3 SATA interfaces and one PCI expansion slot. An onboard 8-bit GPIO allows 8 general purpose input/output controls. One CompactFlash slot supports portable memory/storage. Four powered serial COM ports are ideal for connecting peripherals such as barcode scanners or debit/credit card readers with 5/12 volt output.
The i965GM-DCQI yields powerful yet energy-efficient performance based on Intel's latest mobile and graphic technologies. The motherboard offers flexible configuration for system development combining outstanding graphics, an integrated audio subsystem, I/O connectivity, high speed networking and enhanced security. It is an excellent choice for embedded applications such as interactive clients, gaming, digital signage and many more.
Features
o Supports Intel® Core(TM) 2 Duo/Solo, Intel® Core(TM) Duo/Solo mobile processors
o Intel® GME965 Express Chipset
o Two SODIMM slots; up to 4 GB 2-CH DDR2 533/667 SDRAM
o Intel® Graphics Media Accelerator X3100
o DVI, Dual 18/24-bit LVDS
o Realtek ALC888, supporting 5.1+2 CH Dual Audio Streams
o Max. Dual Realtek RTL8111B PCI-E Gigabit LAN
o 1 PCI, 1 CompactFlash slot
o 4 Powered COM ports, 10 USB ports, 3 SATA interfaces, 8-bit GPIO interface
o Infineon SLB 9635 TPM Onboard
o TPA3005D2 6W Stereo Amplifier
About Advansus
Advansus, a computer manufacturer, is a joint-venture between ASUSTek and Advantech. Advansus provides industrial computer design & manufacturing services (D&MS) that combine custom design, wide industry expertise and competitive total cost for OEM/ODM customers. Advansus also delivers a variety of multi-form factor motherboards and modular systems with extended services for product longevity and revision support.
Lark Allen: "Quite frankly, for an organization like the NIH, I find it very surprising -- there can't be anyone there who doesn't understand how critical it is for encrypting the data,”
http://www.scmagazineus.com/NIH-laptop-theft-prompts-security-questions/PrintArticle/108294/
NIH laptop theft prompts security questions
Jim Carr, March 25 2008
A laptop containing sensitive medical data that was stolen from a National Institute of Health (NIH) employee's car is indicative of a pervasive data-security problem facing both commercial and government organizations, according to security experts.
The theft, involving seven years' worth of clinical trial data, occurred in February but was not revealed by the NIH until last week, nearly a month after the loss. The machine included names, medical diagnoses and details of the patients' heart scans. The information on the laptop was not encrypted, a violation of government data-security guidelines.
NIH officials said they waited nearly a month to announce the theft because they believed news of the event would cause alarm among patients affected. A similar notification delay was seen following the 2006 theft of a laptop from a Department of Veterans Affairs (VA) employee's home, when VA officials delayed notification of the loss of personal information about veterans and active-duty service members for 19 days.
Rep. John Dingell, D-Mich., chairman of the U.S. House Energy and Commerce Committee, is leading an investigation into the breach and said he wants to know why there was a lag in time between theft and notification, according to reports.
NIH officials said the laptop was stolen Feb. 23 from the locked trunk of a car driven by an employee who had taken his daughter to a swim meet in Montgomery County, Md.
In a letter to affected patients, the NIH said that personally identifiable information such as names, birth dates, hospital medical record numbers and MRI information reports such as measurements and diagnoses, was on the stolen laptop.
The letter was signed by the employee who was the subject of the theft, Andrew Arai, the laboratory chief of the National Heart, Lung and Blood Institute, part of the NIH.
Social Security numbers, phone numbers, addresses and financial information were not on the laptop, according to the NIH.
The NIH theft is the most recent in a series of failures by government agencies to properly secure personal information. In a report earlier this month, the Government Accountability Office found that 19 of the 24 agencies it had investigated had experienced at least one breach that could reveal personal information and lead to identity theft.
The NIH incident was a "breakdown in policy enforcement that is a pervasive problem across all industries," Brian Cleary, vice president of marketing for security vendor Aveksa, told SCMagazineUS.com on Monday.
“Regardless of what industry, whether it's a commercial or government entity, we're not finding that they are governing data and access very effectively,” he said. “If you know a mobile device is subject to a high degree of risk, you need to enforce better policies on what types of sensitive information can be stored on those devices."
That another government agency would lose an unencrypted laptop is surprising considering all the recent attention paid to such breaches, Lark Allen, executive vice president at security vendor Wave Systems, told SCMagazineUS.com.
"Quite frankly, for an organization like the NIH, I find it very surprising -- there can't be anyone there who doesn't understand how critical it is for encrypting the data,” he said.
But encryption can be complex.
“The operational challenge of deploying software-based encryption to tens of thousands of laptops" is not to be underestimated, Allen said. “Installing encryption software on an existing laptop remotely is probably a bigger challenge than installing other types of software," he said.
Many new laptops now come with hardware-based encryption, which encrypts the entire drive, he added.
The NIH did not respond to SCMagazineUS.com's request for comment on the theft.
ryukin, you didn't try hard enough....
Gateway Security Center: http://support.gateway.com/s/MISC/Virus/SUPPAGE01su7.shtml
Data Defender: TPM
A security chip that's bound to a computer's motherboard—and that can't be removed—TPM stands for Trusted Platform Module. It provides enhanced protection against information exposure for professional systems. Among other things, TPM:
• encrypts data and files to defend against hackers
• authenticates and protects user passwords
• offers network authentication
• safeguards e-mail communications and file transfers
Besides the TPM chip, TPM software is required to manage the chip. That's where EMBASSY® Trust Suite Gateway Edition comes in. This extensive software suite includes three applications: EMBASSY® Security Center (setting up and managing preferences for TPM), Security Wizards (additional hardware security) and Private Information Manager (password protection and management).
TCG at the Data Protection Summit
Avoiding the Vulnerabilities of Software-Based Encryption
March 11-13 TCG participated in the Data Protection Summit, including a day focused on Mobile Encryption. The meeting was held in Irvine, CA and was attended by approximately 300 which included enterprise IT, consultants, and vendors.
The Mobile Encryption day was dominated by TCG related speakers who covered many aspects of the Storage Work Group activities, and FDE encryption products related to the TCG specs. TCG Storage was covered in more than half of the overall presentations during the day. With all the recent press related to the Princeton Coldboot Attack of software FDE encryption keys, there was significant interest in the TCG approach for hardware FDE and the implications for more secure key protection provided by the architecture.
The TCG also had a 10×10 booth at the Expo. The demos in the booth were presented by Fujitsu with a combination of TPM and TNC related network access control demo, and Secude, Seagate, and Wave Systems with hardware FDE demonstrations. Michael Willett, Seagate, supervised the booth and also did a radio interview on behalf of TCG during the conference.
The second and third days of the conference also had good TCG representation in the speakers and panels. The combination of continuing high visibility data thefts, laptop losses, and ever tougher privacy legislation continues to make data protection one of the most popular conference and IT topics around. It seems that almost no one has to be convinced of the problems, but there is still work to be done in explaining and promoting the solutions, especially the new hardware based approaches being described by the TCG Storage Work Group.
Can Your Computer Keep a Secret – Part III: Next Generation Encrypting Hard Drives
Can Your Computer Keep a Secret – Data Protection Methods are NOT Created Equal, we discussed the pros and cons of each of these options and showed their relative level of security, with encryption being the most secure approach by far. In the second article, Can Your Computer Keep a Secret – Software Solutions for Encrypting Data at Rest, we focused on encryption, and took a close look at using software to encrypt the data on your hard disk. In this article, we will focus on a hardware approach for encrypting your data at rest. Specifically, we are going to look at the new breed of encrypting hard drives. We will discuss the features and benefits of this next generation solution, and show why this hardware based approach to encryption is so effective.
Why encrypt within the disk drive?
The ability to encrypt data on hard disks has been around for a long time. Although juvenile by today’s standards, applications that encrypt specific sets of data were emerging in the early 80’s, and software drivers that encrypt everything as it is being written to the hard disk started appearing in 1987. However, it’s only recently that disk drives have evolved to perform hardware-based encryption within the drive itself. So far, only two of the major hard disk manufacturers, Seagate and Hitachi, have produced encrypting hard drives, but other manufacturers are sure to follow suit. Seagate is leading the market, and announced the industry’s first encrypting hard disk in fall of 2006. Hitachi entered the encrypting hard disk market several months later.
There are several reasons why performing the encryption within the drive itself makes sense. First, encryption requires a great deal of processing power to carry out the complicated and intense cryptographic operations. Without dedicated cryptographic hardware, a device’s CPU must do all the processing, essentially robbing cycles from other tasks the computer could be doing. Encryption done within the device’s CPU can, depending on the application and amount of data, have a dramatic impact on overall system performance. Encrypting hard disks, on the other hand, contain their own encryption chip. Cryptographic processing is handled by the drive’s hardware, not the computer’s CPU, so there is no impact on the system’s performance.
Another reason that makes doing encryption within the hard drive a good idea is added security. For example, Seagate’s encryption capabilities are based on their DriveTrust technology, which includes a secure hardware environment that is inaccessible to other processes. Spyware, Trojans, or other forms of malicious malware can often see and modify what is going on in the operating system, but they can’t penetrate the DriveTrust hardware, so encryption done within the secure hard drive is not subject to having the encryption keys captured or the data modified. This might be likened to an armed guard and security system positioned right next to the Mona Lisa versus protection only at the outer doors of the museum. The closer the defense mechanism is to the treasure itself, the better the security. Performing encryption within the drive itself puts the security as close to the data as possible.
A third advantage of doing encryption within the hard disk is the fact that it is built into the system from day one. Because the drives themselves do the encryption, everything on the disk can be protected from the very beginning, including the operating system and all user or application data. Everything on the disk is already protected when the unit is purchased, and there is no need to buy and install a separate after market or add-on software package to do the encryption. This is not only a savings in cost, but avoids the hours long and frequently frightening process of the initial encryption of all data on the disk that software solutions require. Although when a software encryption solution is installed users can usually continue working during the initial encryption of their data, the process can literally take hours on a large disk. Even though the software solutions are generally robust and don’t deserve the fear users have of them, the need to do a full system backup and the thought that something could go wrong during the process is tough to swallow for many users. All of that is unnecessary on a system with the encryption built into the hard disk from day one.
Features and capabilities
In addition to the characteristics mentioned above, there are a number of features found in encrypting hard drives that are worthy of note, so let’s take a deeper look at the more significant ones. Although Hitachi is now producing encrypting hard drives, they have not yet released any significant details to the public regarding their technologies, features, and capabilities. As a result we won’t be able to say as much about their systems as we’d like, but we will address as much as we can. Seagate however, who was first to deliver encrypting drives and has set the standard whereby other systems will be measured, has provided a goodly amount of information regarding their encryption solutions. This allows us to discuss the list of capabilities and features established by Seagate in fair detail.
Both Hitachi and Seagate drives provide full disk encryption (FDE). This means that for authorized users, every write to the disk is encrypted and every read from the disk is decrypted. All data, including the operating system, swap and temporary system space, applications, application data, and user data is automatically and transparently encrypted. Apart from authenticating themselves and backing up their authentication credentials, users don’t need to take any action whatsoever in order to reap the benefits of FDE and protect their stored data.
To implement FDE, both manufacturers use the widely accepted Advanced Encryption Standard (AES) and 128 bit key lengths, so the strength of the encryption is excellent and adequate for even U.S. government classified information. Since all encryption is done within the drive, there is no performance impact on the system’s CPU. One notable difference between the two manufacturers is that Seagate’s DriveTrust technology, which is the cryptographic engine used by the Seagate drives, includes a dedicated crypto chip whereas Hitachi builds the encryption function into the disk drive’s firmware.
Another important feature found in encrypting hard drives is called secure erase. Government entities and private enterprise spend millions of dollars each year to ensure that sensitive data is not recovered from hard drives that have been discarded, repurposed, out for repair, or are being stored. Simply changing the encryption key on an encrypted disk, or more accurately, the key(s) to the encrypted encryption key, instantaneously and securely renders all stored data unreadable and unusable. Secure erase can be done in seconds and eliminates the time and potential for human error associated with standard disk erase techniques such as physically destroying the disk or overwriting it with multiple passes of random data.
Seagate’s encrypting hard disks, which benefit from the DriveTrust security platform built into the drives, have a number of additional capabilities and features. Secure storage partitions are specially secured disk storage areas that are only available to software applications that have been authorized by DriveTrust. Secure storage partitions are completely hidden and inaccessible to the operating system and all other applications. Applications authorized by DriveTrust can use secure storage partitions to safely store sensitive application specific data such as encryption keys, user passwords, account numbers, financial information, or other sensitive data. Each application has its own secure storage partition that even other DriveTrust authorized applications can’t access.
Another feature, Drive paring, allows a specific disk drive to be locked to a specific system or host. This DriveTrust technology can be used to address a number of business challenges. For example, many organizations are concerned about USB-attached external hard drives being used to steal sensitive data from a laptop, desktop, or server. Because gigabytes of stored information can be copied to such a device and stolen in a matter of minutes, there is large and growing demand for restricting their use to authorized systems. Drive paring can be used to lockout specific drives, including unauthorized USB-attached external hard drives so they can’t be attached to a given host. Conversely, drive paring can “lock-in” specific drives, so a drive can only be used with a specific set of computers. Drive paring has many additional applications, including the prevention of illicit copying and distribution of copyrighted or otherwise protected data.
DriveTrust also includes a cryptographic service provider (CSP) built into the drive. A CSP supplies Microsoft Windows applications with advanced cryptographic services such as encryption and decryption for authorized applications as well as a random number generator, cryptographic key generation, hashing, and other digital signature functions. ISVs can utilize the DriveTrust CSP functions to implement central key management and enhanced security features such as application level data encryption, secure email, and strong authentication of users, web sites, transactions, or documents.
DriveTrust’s SDK and associated trusted command set and issuance protocol allow central management systems to administer security functions for the entire enterprise. In any organization, it’s critical to be able to assist users who forget their logon ID or password, and to administer a host of other related tasks. Managing the length and security attributes of passwords, key generation, escrowing, and recovery, and governing who has authority to access what systems are all critical administrative functions. For example, if a user is unavailable for any reason, his supervisor or co-workers may need to have access to their PC. Key or password recovery is vital in this situation. For all of these reasons and many more, an encrypting hard drive must have a secure interface to the outside world, including the enterprise’s management systems. Fortunately, to that end, in addition to the DriveTrust SDK and CSP, Seagate has been instrumental in creating and working with the Trusted Storage Group standards body. This group is focused on establishing standards to protect information assets and has wide industry participation. As a result, secure messaging has been designed into the ATA and SCSI interface protocols.
Software and Hardware Working Together
The actual encryption of a disk drive’s data is ideally done within the drive’s hardware. However, if it’s necessary to protect existing systems that aren’t equipped with an encrypting hard disk, the only choice is to use a software based FDE solution to protect those legacy systems. Many larger organizations will have both older computers requiring software FDE, and at the same time be deploying new systems equipped with encrypting hard disks. So having both software and hardware based FDE solutions at the same time will likely be quite common.
Fortunately, at least in the case of Seagate’s encrypting drives, both hardware- and software-based FDE systems can work together in a very complementary way. Utilizing DriveTrust’s SDK and external interfaces, software FDE vendors can enhance their software to detect if a computer has an encrypting hard disk, and if it does, the encryption can be done within the drive’s hardware. If no encrypting drive is present, then the encryption can fall back to a software approach. Additionally, since the better software FDE packages are feature rich with enterprise management functions such as central help for forgotten passwords, key management, auditing, etc., there is strong synergy present when encrypting disk drives are used in conjunction with enterprise software FDE packages and their management engines.
Since encrypting hard drives are still very new to the industry, it will take time for the various software FDE vendors to add support for the drives, but that process has already begun. Secude IT Security has already demonstrated support for Seagate’s encrypting drives with their FinallySecure Pro enterprise capable FDE product. Wave Systems, and GuardianEdge have also indicated they will support the drives. Other leading vendors are expected to follow.
Summary conclusions
Numerous recent security incidents involving lost or stolen data have received a lot of press and attention, and with good reason. One laptop worth a couple of thousand dollars can become a multi-million dollar device when loaded with lots of sensitive data. Here’s why. We at Trusted Strategies have estimated that the average cost of a security incident involving stolen personal private information is around $200 per user record. A single laptop like the one stolen from GAP in September 2007 with 800,000 sensitive user records is actually a $160 million dollar device! Unfortunately thefts like GAP experienced are happening on an almost daily basis. Protecting sensitive stored data has become absolutely imperative.
There are many security solutions at the front door so to speak, including password locks at the operating system, BIOS, or hard disk level. However, these front door locks can be easily defeated by an attacker with even modest skills. The only real protection from theft is encryption of the data itself. A thief who defeats the outer perimeter locks and ultimately gets to data that has been securely encrypted obtains nothing. Encryption is the only real safe harbor for data protection. As such, it is mandated by many of the laws and regulations governing sensitive data worldwide.
Until recently, the only real option for encrypting data was to do it in software. Unfortunately this required the purchase and installation of a 3rd party add-on software solution, then doing a full-system backup, and finally encrypting all of the data on the drive. An installation and initial encryption process of such a software based solution can take many hours on a large disk. To add to these issues, because software solutions perform all cryptographic functions within the system’s CPU, there can be a substantial impact on system performance.
Fortunately, the next generation of encrypting hard drives developed by Seagate and Hitachi solves these limitations. These hardware based encryption solutions are built in, so everything on the drive is encrypted from the beginning and there is no need to do a massive initial encryption of all your data. And since the encryption is done in the drive, not the system’s CPU, there is no negative impact on system performance.
Moreover, Seagate drives include DriveTrust technology with additional significant features that empower central management and a number of other functions for applications that need enhanced security. Features such as drive pairing and secure storage partitions are sure to enable a whole new breed of badly needed security offerings.
While Seagate has set the standard for encrypting hard drives and is the undisputed leader, Hitachi has made aggressive strides and other vendors are sure to follow suit. This is all great news for ISVs as well as end consumers. It will probably be a few years before we see encrypting drives in the mainstream, and the battle against computer crime will certainly go on, but the addition of encrypting hard drives is a huge leap forward in our quest to protect our precious and sensitive data.
Also see:
Part 1: Can Your Computer Keep a Secret?
Part 2: Software Solutions for Encrypting Data at Rest
Bill Bosen is a partner with the research firm, Trusted Strategies. You can reach Mr. Bosen at Bill_Bosen@trustedstrategies.com. www.TrustedStrategies.com
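The secure-erase mechanism the article describes (replacing the key that wraps the data encryption key rather than overwriting the media) can be modelled with a small key hierarchy. The following is an added example, not Seagate's or DriveTrust's own code; the `EncryptingDrive` class, the HMAC-SHA256 counter-mode stream cipher standing in for the drive's AES engine, and all names in it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Toy model of an encrypting drive's key hierarchy (added example, not vendor
# code). Sectors are encrypted under a random data encryption key (DEK) that
# never leaves the "drive". The DEK is stored only wrapped under a key
# encryption key (KEK) derived from the user's password. Secure erase mints a
# new DEK: the old ciphertext stays on the media but is orphaned forever.
# An HMAC-SHA256 counter-mode keystream stands in for the drive's AES engine
# so that the example runs with the standard library only.

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to each wrapped key / sector


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(master: bytes):
    """Domain-separate one key into an encryption key and a MAC key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> KEK. Iteration count is a constructed value for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def wrap_dek(dek: bytes, kek: bytes) -> bytes:
    """Wrapped DEK = masked DEK || tag, so a wrong KEK is rejected, not used."""
    enc, mac = _subkeys(kek)
    masked = _xor(dek, _keystream(enc, b"wrap", len(dek)))
    return masked + hmac.new(mac, masked, hashlib.sha256).digest()


def unwrap_dek(blob: bytes, kek: bytes):
    enc, mac = _subkeys(kek)
    masked, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, masked, hashlib.sha256).digest()):
        return None  # wrong password, or the wrapped key was replaced by an erase
    return _xor(masked, _keystream(enc, b"wrap", len(masked)))


class EncryptingDrive:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self._dek = secrets.token_bytes(32)  # generated inside the drive, never exported
        self.wrapped_dek = wrap_dek(self._dek, derive_kek(password, self.salt))
        self.media = {}  # sector number -> ciphertext || tag, i.e. what sits on the platters

    def _unlock(self, password: str):
        return unwrap_dek(self.wrapped_dek, derive_kek(password, self.salt))

    def write(self, password: str, sector: int, data: bytes) -> bool:
        dek = self._unlock(password)
        if dek is None:
            return False
        enc, mac = _subkeys(dek)
        nonce = struct.pack(">Q", sector)  # sector number doubles as the nonce
        ct = _xor(data, _keystream(enc, nonce, len(data)))
        self.media[sector] = ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        return True

    def read(self, password: str, sector: int):
        dek = self._unlock(password)
        if dek is None or sector not in self.media:
            return None
        enc, mac = _subkeys(dek)
        nonce = struct.pack(">Q", sector)
        ct, tag = self.media[sector][:-TAG_LEN], self.media[sector][-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
            return None  # the current DEK does not match this ciphertext
        return _xor(ct, _keystream(enc, nonce, len(ct)))

    def secure_erase(self, new_password: str) -> None:
        """Cryptographic erase: fresh DEK, fresh wrap. No sector is overwritten."""
        self._dek = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = wrap_dek(self._dek, derive_kek(new_password, self.salt))


def demo():
    """Returns (plaintext before erase, read with wrong password,
    media unchanged by erase?, read after erase)."""
    drive = EncryptingDrive("correct horse")
    drive.write("correct horse", 7, b"customer record 0001")  # constructed sample data
    before = drive.read("correct horse", 7)
    wrong = drive.read("wrong password", 7)
    raw_before = drive.media[7]
    drive.secure_erase("new owner")
    after = drive.read("new owner", 7)  # authenticates the drive, but sector 7 is unreadable
    return before, wrong, raw_before == drive.media[7], after


if __name__ == "__main__":
    print(demo())  # (b'customer record 0001', None, True, None)
```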
New Dell Servers: Big-Business Performance at Small-Business Price
http://www.streetinsider.com/Press+Releases/New+Dell+Servers:+Big-Business+Performance+at+Small-Business+Price/3468976.html
... Enhanced Business Security and Services
Dell's PowerEdge R300 and T300 offer built-in security features to help customers better protect their server investments, including:
-- Trusted Platform Module (TPM) to strengthen security, enabling better authentication, encryption and protection of critical information;
Wave Achieves Record Net Revenues of $1.9 Million and $6.3 Million for Q4 and Full-Year 2007, Respectively
- Growth Driven Principally by PC OEM Royalties, Complemented by Client and Server Upgrades -
LEE, Mass.--(BUSINESS WIRE)--March 13, 2008--
Wave Systems Corp. (NASDAQ: WAVX):
Conference call: Today, Thursday, March 13, 2008 at 4:30 P.M. EDT
Webcast / Replay URL: http://www.wave.com
Dial-in numbers: 212-231-6010 or 415-537-1841
Wave Systems Corp. (NASDAQ: WAVX; www.wave.com), a leading developer of trusted computing solutions and services, today reported record net revenues for the fourth quarter (Q4) and year ended December 31, 2007 and reviewed recent corporate progress and developments. For the full year 2007, over 18 million copies of Wave's EMBASSY Trust Suite (ETS) software were shipped by PC OEM partners. To date, a total of over 22 million ETS copies have shipped since the product's inception.
Principally reflecting a 119% increase in software license revenues in Q4 2007 versus Q4 2006, Wave's Q4 2007 net revenues rose 116% to a record $1,875,000, compared to Q4 2006 net revenues of $866,000. The higher level of license revenues was principally due to royalties earned from a significant increase in the number of bundled shipments of Wave software by OEM partners. Gross profit rose to $1,643,000 in Q4 2007, or a gross profit margin of 88%, compared to gross profit of $656,000 in Q4 2006, or a gross profit margin of 76%, principally reflecting higher sales volumes on fully amortized software costs, offset somewhat by higher customer support costs.
Reflecting higher levels of SG&A and research expense related to headcount additions and higher salary and expense, Wave reported a Q4 2007 net loss of $5.3 million, or $0.11 per basic share, compared to a Q4 2006 net loss of $4.8 million, or $0.12 per basic share. Per share figures are based on a weighted average number of basic shares outstanding in the fourth quarters of 2007 and 2006 of 49,699,460 and 41,054,796 respectively.
For the full year 2007, Wave's net revenues rose by 102% to a record $6.3 million, compared to net revenues of $3.1 million in 2006. Wave's SG&A expense rose 21% in 2007 reflecting a range of costs related to higher levels of sales, marketing, business development, corporate communications and customer support activities. R&D expenses increased by 24% to accommodate salary increases and new hires related to Wave's expanding product development activities.
As a result of higher overhead levels, which more than offset the year-over-year increase in revenue, Wave reported a net loss in 2007 of $20.0 million, or $0.43 per basic share, compared to a net loss in 2006 of $18.8 million, or $0.51 per basic share. The weighted average number of basic shares outstanding in 2007 and 2006 were 46,660,794 and 36,735,059, respectively.
Steven Sprague, Wave's president and CEO, commented, "Wave made substantial progress in 2007 and that momentum continues in 2008, driven in part by growing enterprise interest in Dell's Seagate Full Disc Encryption (FDE) solution which features our ETS software. This solution, actively marketed by Dell as the 'The World's Most Secure Notebook,' is generating broad interest among enterprises seeking to secure confidential data and applications on mobile PCs, and has led to some initial enterprise upgrades to Wave's EMBASSY Remote Administration Server. While modest upgrade activity continued in Q4 2007, we are seeing increasing interest from enterprises considering the use of FDE solutions, including several large organizations which have informed us that they have begun or plan to begin FDE pilots.
"In 2008, Wave has completed a number of Embassy Remote Administration Server sales and installations. These range in size from a few units to hundreds of seats in a single installation. As these customers order new PC's we believe that many will require FDE Drives, TPMs and our software on those platforms. We are actively working with a number of organizations to plan the roll out of our server either in anticipation of their purchasing new PCs with Seagate FDE drives or for integration with existing PC's. Our customers include enterprises in industries including healthcare, law, financial services, government and manufacturing, located both domestically and abroad.
"We believe that recent, high-profile coverage of the inherent challenges of software-based disc encryption solutions has helped to increase focus on the benefits of hardware-based full disc encryption and related security solutions. In addition, many of our FDE customer prospects are expressing interest in the use of our solutions with their trusted platform modules (TPMs) and are allowing us to demonstrate how Wave solutions can deliver hardware-based security, authentication and network access functions in a cost effective manner by leveraging the TPM security chips already deployed in many of their PCs.
"As we proceed through 2008, we remain focused on working closely with our partners to convert enterprise leads into upgrade customers for our full client/server solutions. This process is providing us with valuable experience and enhancements to our marketing efforts. With the growing availability of trusted computing hardware and the increasing awareness of the unique benefits of TPM security chips and our solutions, we anticipate continued growth in 2008 in both our bundled software sales and our upgrade sales of client and server software, although, the slope of that growth remains difficult to predict."
Balance Sheet Snapshot & Auditor's Opinion Letter Disclosure
As of December 31, 2007 Wave had total current assets of $6.0 million, including cash equivalents of $3.7 million and no long-term debt. Pursuant to Rule 4350 of the FINRA Marketplace Rules, Wave is announcing, as it has done the past three years at this time, that its auditors' opinion letter which will be contained in Wave's Form-10-K for the year ended December 31, 2007 raises "substantial doubt" about Wave's ability to continue as a going concern given its recurring losses from operations, working capital position and its accumulated deficit.
Summary of recent progress/developments (for more details, please visit www.wave.com):
-- Dell Software License Amendment: In early January, Wave signed an amendment to its software license agreement with Dell extending the term of the agreement to January 2011. Pursuant to the agreement, Dell is permitted to distribute Wave's ETS software on certain of its PCs that include TPM security chips. Reflecting value-added features incorporated into a new version 3.0 of Wave's ETS software, starting later in 2008 Wave will receive a higher per-unit royalty based on the volume of products shipped by Dell with this software. The contract does not provide for guaranteed minimum royalties or shipped quantities of units containing Wave software.
-- NEC Unveils Laptop with TPM and Wave Management Software: In mid December, NEC Computers unveiled its advanced, hardware-based Laptop Security for small and medium-sized businesses featuring advanced authentication and data security solutions that include the trusted platform module and Seagate encrypting drives with Wave management software.
-- Wave Releases Embassy Remote Administration Server Version 1.5: In late January, Wave released EMBASSY Remote Administration Server (ERAS) version 1.5. ERAS is multi-platform server software that provides centralized administration and management for trusted hardware security throughout the enterprise. ERAS 1.5 features new, compliance-focused enhancements that are designed to enable organizations with full disk encrypting (FDE) hard drives from Seagate to generate a detailed audit log of drive security events, thereby helping to establish that encryption was not disabled by the user and that data on the drive remained protected. ERAS also gives systems administrators the ability to enable and leverage TPM security chips for a variety of security capabilities, including strong authentication to virtual private networks (VPN) and wireless access.
-- Frontline Technologies: In late November, Wave completed a reseller agreement with Frontline Technologies Corporation Ltd., a leading IT Services provider in Asia. Frontline is authorized to market and sell Wave's line of client and server software solutions in the greater Asia Pacific region, as well as advise its clients on the uses of those solutions to strengthen data protection, strong authentication and network access control throughout the client's enterprise.
-- Dell Advertising Campaign: In early December, Dell initiated the "The World's Most Secure Notebook" advertising campaign. The campaign highlights the Dell/Seagate/Wave notebook solution and was featured on the back covers of Business Week, Fortune, Forbes, The Wall Street Journal, and The New York Times, as well as on home page ad campaigns at www.usatoday.com and www.businessweek.com.
-- SC Magazine Awards Program: In late December, Wave was named a finalist in the SC Magazine Awards program for outstanding achievement in information-technology security. Wave's EMBASSY(R) security management software had been recognized in the Reader Trust Award Best Endpoint Security Solution category of the competition. Wave's elite endpoint security solution was among more than 600 entries submitted in more than 30 technology categories.
-- TVTONIC Expands High-Definition Offerings through On Networks: In mid February, Wavexpress, a provider of broadband media technology and services, majority-owned by Wave, entered a content license with ON Networks, a leading new media company. The content license allows Wavexpress to feature five of ON Networks' TV shows ("Golf Tips with Joe Beck," "On Dating," "The Parent Code," "Backpack Picnic" and "Bif! Bam! Pow! Wow!") in high-definition in its free Internet television application, TVTONIC.
Wave Announces EMBASSY(R) Support for Seagate FDE Hard Drives Available from Lenovo on Select ThinkPad Series Computers
By Business Wire
Last Updated: 03/13 04:01PM
LEE, Mass.--Wave Systems Corp. (NASDAQ: WAVX), today announced that it has completed the qualification and testing of its EMBASSY Trust Suite, including the EMBASSY Trusted Drive Manager software, on Lenovo PCs with Seagate Momentus(R) FDE hard drives, adding Lenovo to the list of its supported OEMs offering robust hardware data protection. Wave's Trusted Drive Manager software, Lenovo Edition, is now available as an option on the ThinkPad R61 series with Seagate Momentus Full Disc Encryption (FDE) hard drives.
The combination of the Seagate Momentus FDE hard drive and Wave Systems' software can provide a number of advantages over software-based encryption, including stronger security, faster performance and always-on encryption. Wave's EMBASSY Remote Administration Server, also available as an option through Lenovo channels, is designed to provide quick password recovery and an event log that can establish that all data on a lost or stolen notebook was encrypted.
Network administrators who deploy Lenovo machines with Seagate drives and Wave's management software can bypass many of the time-consuming steps required by software encryption, such as the requirement to verify drive integrity by running CHKDSK, a process that can often take an hour or longer. Imaging and maintenance of each PC can also be faster and easier with this solution. In addition, multiple leading OEMs have tested and qualified Wave's software, allowing for simplified deployment of the drives in mixed environments.
"Recently published findings have cast doubt on the extent of the security provided by software FDE solutions, and the industry is embracing hardware-based encryption," said Steven Sprague, CEO of Wave Systems. "Leading PC manufacturers like Lenovo recognize the value of offering hardware-based FDE drives and Wave's management solutions to provide their customers with comprehensive data protection. By adding Lenovo as a supported manufacturer, Wave is further fortifying its broad distribution of management solutions for trusted drives."
Pricing and Availability
Please contact Lenovo for pricing and availability.
About Wave Systems Corp.
Wave provides software to help solve critical enterprise PC security challenges such as strong authentication, data protection, network access control and the management of these enterprise functions. Wave is a pioneer in hardware-based PC security and a founding member of the Trusted Computing Group (TCG), a consortium of nearly 140 PC industry leaders that forged open standards for hardware security. Wave's EMBASSY(R) line of client- and server-side software leverages and manages the security functions of the TCG's industry standard hardware security chip, the Trusted Platform Module (TPM). TPMs are included on tens of millions of PCs and are standard equipment on many enterprise-class PCs shipping today. Using TPMs and Wave software, enterprises can substantially
Wrong, Vader EMEA = Europe, Middle East, Asia e/
internet, might I suggest
sincerely or not
FM
Clarification on FDE attack
http://umwitsec.com/2008/02/22/disk-encryption-bad-news/
UMW IT Security
February 22, 2008
Disk Encryption Bad News!
Filed under: Drive Encryption — ccalvert @ 6:27 pm
After being excited about the new version of Truecrypt and learning of FREE Compusec, this study really yanked the rug out from under full disk encryption. Researchers at Princeton discovered fairly easy ways to get a disk’s encryption key if a computer is on and even recently turned off. What is really bad news for some implementations of Bitlocker, and possibly other disk encryption techniques that store the key in a TPM chip, is that the computer can be turned off for months and this attack is still effective.
Other than making sure one’s computer is turned off completely — no sleep mode, even hibernation in some cases — there isn’t a good defense for software based full disk encryption. Seagate’s Momentus FDE isn’t currently subject to this attack because the drive stores the key in its own memory chip independent of the system RAM.
This research from Princeton is certainly going to cause manufacturers to make new hardware technology to protect against RAM dump attacks.
Laptop Disks Get Encryption
http://www.pcworld.ca/news/how_to/3b5a461b0a010408003580ab3a7f96ce/pg0.htm
Lock Down the Data on Your Portable Drives
Author
Becky Waring
Thursday, January 03, 2008
New hardware and software simplify the task of keeping your sensitive information safe from data thieves.
Barely a week seems to go by without a headline story on the latest laptop data breach--millions of veterans' files here, thousands of medical records there, and credit card numbers everywhere. But laptops aren't the only targets: The proliferation of portable USB hard disks and flash drives with huge capacity makes the loss or theft of critical data likelier than ever.
A Computer Security Institute survey of 494 security practitioners in large organizations found that though about half of respondents had had a laptop or mobile device stolen, only two-thirds used encryption to safeguard the data on their portable devices.
If security experts at large companies haven't bothered with encryption, it stands to reason that most smaller companies have not either. Why? Simply because it has been a pain for IT staff and employees. Users forget passwords (potentially locking a drive forever), and software-based encryption can sap PC performance.
New hardware and software products, however, promise to simplify portable-drive encryption, making the task fast and transparent.
Information Age, Meet Encryption
Many new portable drives come with encryption, but it is also available as an add-on from Cryptainer PE ($30 and up), Migo Portable Vault ($15), or TrueCrypt (free). You just type in a password to access files encrypted with strong algorithms such as 256-bit AES or 448-bit Blowfish. These are simple and inexpensive options (as long as you don't lose your password). Since they are software-based, however, they slow things down, and can be breached by an infected host PC that captures the password. You could also lock your data with Windows' built-in encryption capabilities, namely EFS in Windows XP and BitLocker in Vista Ultimate (for instructions, read "The Simple Way to Keep Your Private Files Private").
For better and faster protection, consider a drive with built-in hardware encryption, such as the new Apricorn Aegis Vault (80GB to 250GB, $139 to $269), a USB hard drive with real-time 128-bit AES support, or the SanDisk Cruzer Professional (1GB to 4GB, $55 to $145), a flash drive with 256-bit AES. Both allow you to create unencrypted drive areas for public access, and since they require no software, you can take them on the road easily. SanDisk also makes an Enterprise version of the Cruzer (1GB to 4GB, $75 to $185), which allows central management of passwords.
No matter how strong the encryption, security is only as strong as your password. Biometric devices are more stringent, allowing access only to authorized users. Apricorn's Aegis Bio portable drive (80GB to 250GB, $169 to $299) provides both a fingerprint reader and 128-bit AES hardware encryption, and La Cie's SAFE Mobile Hard Drive with Encryption (160GB, $220) combines fingerprint access with 128-bit DES. Both devices allow up to five users.
Leave No Trace: Go Virtual
While encrypting the data on your portable drive is a good start and should protect your drive if it is lost or stolen, several potential security holes remain. First, as long as a drive is running, your files are unlocked, so they are vulnerable to malware and hacking through the host PC and any network to which you are connected. Second, programs you use may leave unwanted traces on the host PC, even after you've disconnected the encrypted drive. System virtualization software such as Ceedo Personal ($30), MigoSync Premium ($50), and RingCube MojoDrive ($99) can help plug those holes by limiting your applications and settings, as well as your data, to the portable drive--that is, they let you connect to a guest PC while replicating your personal environment and keeping your files off the host. All claim to leave no trace of you on the host computer after you sign off, and MigoSync and MojoDrive also encrypt your data in case you lose the drive itself. Ceedo works with optional add-on encryption software. Lexar's JumpDrive Lightning USB flash drive (4GB, $199) bundles both Ceedo and AES encryption.
Laptop Disks Get Encryption
Hardware-based encryption is also coming in internal laptop drives from Hitachi and Seagate. Dell's new Latitude D630 and D830 are the first notebooks to use Seagate's Momentus 5400 FDE.2 full-disk-encryption hard drive.
While not yet built into any laptops, Hitachi's Bulk Data Encryption option is available for all of its popular TravelStar hard drives. Since the data encryption functions work at the hardware level on these models, the performance impact is minimal, and you can make your data inaccessible instantly simply by throwing away the encryption key.
Data Breaches Hit New Heights in '07
http://www.technewsworld.com/story/Data-Breaches-Hit-New-Heights-in-07-60992.html
By Mark Jewell
AP
12/31/07 9:12 AM PT
The loss or theft of personal data such as credit card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to turn around anytime soon as hackers stay a step ahead of security and laptops disappear with sensitive information.
While companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment often is too little too late.
"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself.
More Records = More Theft?
Foley's group lists more than 79 million records reported compromised in the United States through Dec. 18. That's a nearly fourfold increase from the nearly 20 million records reported in all of 2006.
Another group, Attrition.org, estimates more than 162 million records compromised through Dec. 21 -- both in the U.S. and overseas, unlike the other group's U.S.-only list. Attrition reported 49 million last year.
"It's just the nature of business, that moving forward, more companies are going to have more records, so there will be more records compromised each year," said Attrition's Brian Martin. "I imagine the total records compromised will steadily climb."
However, the biggest difference between the groups' record-loss counts is Attrition.org's estimate that 94 million records were exposed in a theft of credit card data at TJX, the owner of discount stores including T.J. Maxx and Marshalls. The TJX breach accounts for more than half the total records reported lost this year on both groups' lists.
Bypassing Safeguards
The Identity Theft Resource Center counts about 46 million -- the number of records TJX acknowledged in March were potentially compromised. Attrition's figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX.
The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami -- an entry point that led the hackers to eventually break into TJX's central databases.
TJX has said that before the breach, which was revealed in January, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."
With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information security professionals.
"Within a year or two, these folks are catching up," Tumas said.
Human Error
The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lose sensitive data, as opposed to cases of hacking.
Besides TJX's problem, major 2007 breaches include lost data disks with bank account numbers in Britain, a hacker attack of a U.S.-based online broker's database and a con that spilled resume contact information from a U.S. online jobs site.
"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Foley said. "This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system."
Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. They've been keeping track for only a handful of years, with varied and still-evolving methods of learning about breaches and estimating how many people were affected.
A Record Year
Despite those challenges, the two nonprofits say it's clear 2007 will end up a record year for the amount of information compromised, because of greater data loss and increased reporting of breaches.
Both groups acknowledge many breaches may be missing from their lists, because they largely count incidents reported in news media that they consider credible. Media coverage has risen in part because of the growing number of states requiring businesses and institutions to publicly disclose data losses. Thirty-seven states, plus Washington D.C., now have such requirements.
Because of proliferation of such laws, "it may take a year or two before things stabilize and we can see what's really happening," Foley said. "If that's the case, then we'll know whether businesses are practicing better information-handling techniques."
© 2007 Associated Press. All rights reserved.
Solid state, cloud storage on tap for a power-hungry 2008
By Jon Stokes | Published: December 30, 2007 - 09:10PM CT
http://arstechnica.com/news.ars/post/20071230-solid-state-cloud-storage-on-tap-for-a-power-hungry-2008.html
IDC has released a new report on the near-term future of the storage market, giving its top ten predictions for storage in 2008. Below is a list of the predictions from the report's executive summary, followed by some analysis from yours truly. In a nutshell, the problem in the datacenter is the same as it ever was, but with a power-aware twist: backing store (in the form of hard disk arrays) is getting too slow and too hot, while demand rises and cost-per-bit plummets. So the answer is to add a little cache, in the form of flash memory.
Online storage services (storage as a service [SaaS]) such as online backup, archiving, and replication will be accepted as a viable option.
New role-based storage systems will enable vendors to target specific storage and data management issues but will require tighter integration between the content-generating application and storage layer.
Vendors will begin to design object-based storage systems that focus on addressing attributes associated with specific data types.
Solid state disks (SSDs) will become more viable for mainstream storage solutions as a result of declining price points.
Virtual servers (e.g., VMware) will emerge as the killer application for iSCSI.
Value-added storage services will begin to be divorced from storage subsystems, resulting in further commoditization of storage subsystems.
A growing number of enterprises will adopt full-disk encryption (FDE) into the datacenter to fall within the safe harbor provisions of many compliance regulations.
Vendors will create more attractive "all in one" solutions using an integrated server and storage approach to address the lucrative SMB market.
Partial hardware refreshes that require nondisruptive expansions/replacements will be demanded by customers to up the ante on "green" initiatives.
Deduplication, single instancing, VTL, and thin provision will become standard options on storage systems to enable customers to become more "green."
The major tension behind this list is apparent from even a casual perusal of it: demand for networked storage will continue to grow, but the industry will have to figure out how to meet that demand while staying within reasonable datacenter power budgets.
From my own perspective, the case for SSDs in the enterprise seems pretty straightforward, built as it is on two constraints: latency and power. Latency comes into play when solid state memory is used as cache for a larger pool of magnetic backing store; such cache can improve response times for databases and Web-based apps.
The power factor is also compelling, though, especially in light of a recent Google study that shows the hard disk to be one of a server's most poorly power-optimized components. Large storage arrays from vendors like EMC suck up major wattage and throw off a ton of heat, so there's a huge and growing appetite for hardware and software technology that either makes more efficient use of storage or cuts down on the amount of times that drives must spin up. Flash-based caches can make it possible for drives to spin down during certain types of low load conditions (functionally an active sleep state), and that could make bimodal power optimization at least feasible for servers. As for the more forward-looking solid-state drives, flash arrays should be more power efficient per-byte, even if they don't offer that much in the way of dynamic power optimization at the moment.
At any rate, the trend to use smaller, more expensive (but faster and lower-power) pools of solid state storage as cache for larger pools of magnetic backing store is pretty much the same old storage hierarchy that has been with us since the dawn of computing, but done at the network level with flash plus disc drives. At this point, backing store capacities are huge and growing, but latency and power are overriding concerns—these are the perfect conditions for inserting another level into the storage hierarchy.
This talk of the storage hierarchy brings me to another topic from the list: the growth of the online storage market in 2008 is also a pretty safe bet. Fortune 500 companies need datacenters for network applications, but SMBs and individuals can also use those same datacenters as long-term, off-site backing store for archival, backup, and disaster recovery purposes.
This type of Internet-based storage is the so-called "cloud" that gets so much press. I've been kind of a "cloud storage" basher, but that's only because it's clear to me that cloud storage is useful in non-Web-application contexts solely as backing store. There will always be a place for plenty of storage close to whatever processor you're using at the moment, whether that processor is in your mobile phone, media player, or desktop PC. Those processor-local pools of storage are only going to get larger—they definitely will not give way to networked cloud storage.
Even more importantly, I think that home users will increasingly want their own dose of storage hierarchy medicine on their home networks, in the form of NAS or Windows Home Server boxes. As the amount of data that each household accumulates continues to balloon, the cloud won't replace a pool of storage on the local LAN, but it will begin to serve as long-term backup and archival storage for a family's digital assets—both purchased and user-generated—in 2008.
More larger UAC implementations in large enterprises in 2008 seen
The year 2008 will see larger and larger implementations of unified access controls (UAC) into the enterprise sector, a top official of Juniper Networks, says.
In an e-mail Q & A interview facilitated by the firm’s local PR counsel, Brad Grey, Vice President- Asia South Pacific, Juniper Networks, adds that UAC is one of the top security trends that Information Technology heads should watch out for in 2008.
He believes UAC implementations will be driven by three requirements. Namely: Greater need for compliance, more and better endpoint security due to the growing number of attacks targeted towards endpoints, and also the greater ease of implementation.
http://www.mb.com.ph/INFO20071228112796.html
Dear Wave Systems Investors and Followers:
Below is a link to a full-page Dell advertisement appearing on the back cover of the December 24, 2007 edition of BusinessWeek now on newsstands.
http://www.wave.com/news/recent_articles/Dell_BusinessWeek_Ad_12-07.pdf
The ad highlights "The World's Most Secure Notebook" which includes Dell, Seagate and Wave Systems solutions. The ad is part of a larger, multi-million dollar ad campaign that includes a full-page pop-up advertisement and narrow banner ad appearing today on the home page of www.usatoday.com. (Click on "expand" to see the full-page advertisement; we do not know the timing or duration of this online campaign.)
Both ads also direct readers to a link to the Dell website: www.dell.com/secure which discusses the solutions in greater detail.
The momentum for Trusted Computing is growing, and we couldn't think of a better way to enter 2008 than with an OEM-sponsored national advertising campaign for our joint solution.
As we enter 2008, please make sure Trusted PCs and laptops are on your and your IT department's shopping list. If they are not, please ask them why!
Thank you for your ongoing support.
Best regards and holiday wishes,
Matt... your post is noted....
and you are correct in some things you say...but I'm standing by mine.. and, related to your post, MMBG was an apparent supporter, until his current position suited him otherwise.
Actually, we need shorts and sideliners like him once the fuse is lit.
FM
mymedulabgone,
How can you be serious when you write these uneducated and uninformed posts?
The state of Ohio was under a mandate to shore up security in their LEGACY machines... ones that don't have TPMs!!!
Their only choice was SafeBoot or some other software FDE solution. If this was so secure and so easy, why did Seagate, and soon Hitachi, enter the FDE market? After all, they could have just continued their old product line and suggested users download SafeBoot.
There are many posters here that fully grasp the concept of trusted computing. There are also many posters here, like you, that see only share price. You're talking apples and oranges, and are about to learn a hard lesson from under-estimating Wave.
Securing the Enterprise Beyond the Perimeter
....no pipe dream. It's already underway. Computer manufacturers like Dell, Hewlett-Packard, IBM, and Fujitsu have all made trusted platform module (TPM) technology a standard feature in their enterprise-class laptops, enabling users to securely lock away in hardware the secret digital keys that are crucial to encrypted communications. These keys let users securely encrypt and decrypt information with their laptops, and give administrators the ability to verify not only that a user is safe, but also that the user's machine is safe.
Dell, for one, has gone a step farther and has put smart-card technology in its laptops so network administrators can assign a digital identity to each user instead of relying on the notoriously insecure usernames and passwords.
http://coldfusion.sys-con.com/read/159567.htm
Securing the Enterprise Beyond the Perimeter
Recent high-profile security breaches have taught us a clear lesson: organizations that rely primarily on a secure perimeter to protect sensitive data are fooling themselves. This year, hardly a week has passed without headlines about a security breach involving sensitive data.
However criminals get the data, whether through a traditional perimeter breach, use of insider credentials or outright theft of physical storage media, the lesson is the same. Organizations can no longer regard everything inside the traditional perimeter (people, machines, and networks) as "trusted," requiring only a "soft" approach to security that consists primarily of procedural controls and weakly enforced permissions.
It's an approach to IT security that's like a candy M&M: once criminals penetrate the hard shell that protects the network from the wholly untrustworthy public Internet, they can easily devour the data at the soft center. Actually they often don't have to penetrate the perimeter at all. They can simply go around it by stealing unencrypted backup tapes, for instance, out of the back of a cargo van.
Not only are attackers constantly blowing open security cracks in perimeter security, but enterprises themselves are also willingly, and often unwittingly, contributing to the perimeter's disintegration.
For example, virtual private networks frequently tunnel through the perimeter, which often provides all-or-nothing access to network resources. Web Services, which are starting to finally fulfill the early hype, are meant to interconnect business processes and often reach into the core of an enterprise network. Factor in the mass of mobile devices, wireless networks, portable media storage and off-site data archival, and it's not outlandish to suggest that there really isn't a perimeter at all. Instead, enterprises need a "jawbreaker" model in which the network is "hard" all the way through to the center.
Drivers Behind the Jawbreaker
Unfortunately the traditional perimeter model doesn't just fail to provide adequate security. It's also far too expensive and inefficient to deploy, given today's far-flung workforce. Enterprises have to manage an exploding number of network connections for employees working at home, traveling and staffing remote offices, not to mention the connections they've built to the networks of partners, outsourcers, and customers.
Enterprises need a unified management approach to the identities of users, their rights and roles, and ultimately the enforcement of those rights. The search for a unified approach has led many security experts to believe that security will soon be deperimeterized.
In a deperimeterized world, every user is "remote," whether he's on the corporate campus or in a coffeehouse halfway around the world. Instead of building a perimeter around the network, in a deperimeterized architecture there's a virtual perimeter around every user or internal system that establishes "islands" of trust that securely exchange information.
The Jericho Forum (www.opengroup.org/jericho), a security organization recently founded by corporate CIOs, is taking a stab at defining the requirements for both the short-term and long-term transition to a deperimeterized world - a unified world with an inherently less expensive, more consistent approach to identification, authentication and authorization. By and large, its vision doesn't require the development of brand new, whiz-bang technologies, but rather strings together existing technologies into a unified whole.
The Jericho Forum's vision is no pipe dream. It's already underway. Computer manufacturers like Dell, Hewlett-Packard, IBM, and Fujitsu have all made trusted platform module (TPM) technology a standard feature in their enterprise-class laptops, enabling users to securely lock away in hardware the secret digital keys that are crucial to encrypted communications. These keys let users securely encrypt and decrypt information with their laptops, and give administrators the ability to verify not only that a user is safe, but also that the user's machine is safe.
Dell, for one, has gone a step farther and has put smart-card technology in its laptops so network administrators can assign a digital identity to each user instead of relying on the notoriously insecure usernames and passwords.
Pervasive Encryption
So a world in which every user is a secure "island" raises important questions, like: how does one know who's actually "on" each island?
The foundation of a deperimeterized security architecture is knowing whether users and their machines are who and what they should be. Enterprises will have to use strong methods of authentication such as smart cards, USB tokens and ultimately biometrics to validate users and embedded digital identities to recognize devices such as laptops, phones and even peripherals.
It also begs the question: How will these islands communicate securely with one another?
At the end of the day, the only sure way to enforce confidentiality is through encryption. No enterprise in its right mind would ever send sensitive data across the Internet without encrypting it first. That mindset is now starting to be applied to all networks. There are well-established means for securing data as it travels "outside" the traditional perimeter, means that can be re-applied in a deperimeterized world. SSL, virtual private networks, and Web Services will all be used to link up the islands protecting data "inside" as it moves between cubicles or campuses.
You also have to ask: How will enterprises protect sensitive data and the processes that use them once they've arrived on the islands?
The reality is that pockets of stored data are virtually everywhere and that much of this data is sensitive in nature. In a deperimeterized world, the situation is probably going to get worse. There is a "data at rest" problem that goes well beyond backup tapes. The islands will need to be responsible for protecting the data on the island - whether the data is stored in a database, file system, tape drive, or the laptop's hard drive. In some cases, tightly integrated access controls may suffice but, once again, encryption will often be used to provide a last line of defense. If all else fails, a thief's efforts will be in vain - he may have access to data, but because it's encrypted, he won't see anything except gobbledygook.
Clearly, encryption plays a pivotal role in a deperimeterized security environment. But as encryption penetrates deeper into enterprise operations, enterprises will need to deploy new systems to manage - cost-effectively - the exploding number of private keys on which pervasive cryptographic security will depend. There will have to be a mechanism for recovering lost data and separating duties.
It's a big challenge, but once deperimeterization becomes a reality, the payoff will be enormous. Not only will the headlines about security breaches recede but enterprises will be able to expand their networks efficiently and securely to include remote employees, new branches, partners, customers, and outsourcers.
It's only a matter of time before the walls fall down. The question is whether there will be systems and policies available that can raise the security bar sufficiently to cope. Life in a deperimeterized world might be a liberating experience and should certainly be less costly in the long run.
The security industry still has plenty of work to do. What seems clear is that the use of cryptography will become more widespread, often under the covers, but nonetheless a fundamental component behind strong authentication and enterprise-wide data protection.
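The article's closing point, that pervasive encryption only works if the resulting keys can be managed, lost data recovered and duties separated, is easier to see in a concrete key hierarchy. The Go program below is an added example, not code from the article, the Jericho Forum or any vendor named above: each record is sealed under its own data key (DEK), and that DEK is wrapped under two independent key-encryption keys (KEKs), one held by the user and one by a recovery custodian. The Envelope type, the function names and the sample record in the test are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what sits at rest: the sealed record plus its data key (DEK) wrapped
// once for the user and once for recovery; the DEK itself is never stored in the clear.
type Envelope struct {
	Ciphertext     []byte // record sealed under the per-record DEK
	DEKForUser     []byte // DEK wrapped under the user's key-encryption key (KEK)
	DEKForRecovery []byte // DEK wrapped under the recovery KEK held by a separate custodian
}

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key, returning nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize()) // a fresh nonce on every call
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or a modified blob fails the tag check and errors out.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// EncryptRecord draws a fresh DEK, seals the record under it, then wraps the DEK under
// both KEKs. Rotating or revoking either KEK means re-wrapping one small DEK, not
// re-encrypting the record.
func EncryptRecord(plaintext, userKEK, recoveryKEK []byte) (env *Envelope, err error) {
	dek, err := randomBytes(32) // AES-256 data key, dropped once wrapped
	if err != nil {
		return nil, err
	}
	env = &Envelope{}
	if env.Ciphertext, err = seal(dek, plaintext); err != nil {
		return nil, err
	}
	if env.DEKForUser, err = seal(userKEK, dek); err != nil {
		return nil, err
	}
	if env.DEKForRecovery, err = seal(recoveryKEK, dek); err != nil {
		return nil, err
	}
	return env, nil
}

// decryptWith unwraps the DEK with kek and then opens the record with it.
func decryptWith(env *Envelope, kek, wrappedDEK []byte) ([]byte, error) {
	dek, err := unseal(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext)
}

// DecryptAsUser is the everyday path: the user's own KEK unwraps the DEK.
func DecryptAsUser(env *Envelope, userKEK []byte) ([]byte, error) {
	return decryptWith(env, userKEK, env.DEKForUser)
}

// DecryptViaRecovery is the break-glass path used when the user's KEK is lost: the
// recovery custodian's KEK unwraps the same DEK, so the data survives the loss.
func DecryptViaRecovery(env *Envelope, recoveryKEK []byte) ([]byte, error) {
	return decryptWith(env, recoveryKEK, env.DEKForRecovery)
}
```

Two properties matter here. First, losing the user's KEK does not lose the record, because the custodian's KEK unwraps the same DEK, and neither party needs the other's key for their own path, which is the separation of duties the article asks for. Second, because AES-GCM authenticates what it decrypts, a wrong KEK or a tampered record yields an error rather than the "gobbledygook" the article describes, so callers never act on silently corrupted data. In a deployment the KEKs would live in the TPM or smart card the article mentions rather than in process memory.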
goodgerm...........................
nicely said:
Share price... changes. Character... stays the same.
Fullmoon
After hours bid just jumped 24 cents e/
Snackman, you have mail.... e/
Thanks unclever!! e/
Hi Rick
Institutions that buy "in the market" are generally considered investors: funds or pensions that are willing to hold until the stock makes a move. They have identified a theme or a "play" and will hold until the rest of the market takes notice and pushes up the stock's price.
My opinion is that the entities buying on a private placement have a much shorter time horizon.... one that can be measured in days or weeks!!
So, the increase in institutional ownership identified by oknpv and wavxmaster is a very good thing, imo......
Vista's DRM "protects" users
from high definition media
http://www.theinquirer.net/?article=41635
Treacherous computing arrives
By Egan Orion: Saturday 11 August 2007, 14:40
VISTA'S DRACONIAN "content protection" features often degrade its users' video and audio quality and have led to design hurdles and higher costs for PC components, a speaker told the USENIX Symposium in Boston last week.
Peter Gutmann, a researcher at the University of Auckland, New Zealand, implied that the design of Vista makes the user the enemy. In an earlier paper, he had called the DRM rules built into Vista "the longest suicide note in history."
Shamelessly pandering to the Big Media copyright holders, Vista automatically degrades so-called "premium" content such as high definition movies and audio tracks when they are output to less than bleeding-edge new devices that don't happen to support Intel's High-bandwidth Digital Content Protection (HDCP) DRM scheme. It apparently does this even if the media files being played are not copyright protected commercial media but the users' own home movies or music they've recorded in high-definition format, Gutmann said.
He said that Vista's DRM features have also been frustrating to PC component manufacturers, because the new content protection functions in Vista make it harder to develop new drivers. When ATI finally shipped new video drivers for Vista, they crashed the OS, forcing both Dell and Gateway to delay shipping Vista compatible computers, Gutmann reported. He also said that PC hardware costs have increased because component vendors have had to get written approval of their designs from Hollywood studios before they can begin production.
Big Media content protection measures also incorporate encryption that drives higher CPU and GPU loads, according to Gutmann. This results in higher electricity usage and heat output and can degrade the graphics performance of some high-end video cards, he said.
Gutmann surmised that the Vole made new DRM features its highest priority in developing Vista, speculating that it gained approval and money from Hollywood for doing so. In his opinion, Microsoft should rather have focused its efforts on developing security features to protect users.
Thus we find in the DRM features of Vista the actualisation of the darkening, dystopian future that Richard Stallman warned us about several years ago when he renamed the Vole's Trusted Computing as Treacherous Computing. µ
Weby, related to your post...
and fwiw
If I'm on margin with a 50% balance, selling $1000 dollars of marginable stock only frees up $500 in money to my account.. the other $500 goes toward the loan, or the "debit" balance.
If I sell $1000 worth of Wave, it brings $1000 into my account.
FM
Intel unveils mobile vPro platform
http://www.vnunet.com/vnunet/news/2187218/intel-releases-mobile-business
Remote management capabilities brought to mobile systems
Tom Sanders in California, vnunet.com 05 Apr 2007
Intel has launched a mobile version of its vPro business computing platform under the Centrino Pro brand.
The platform allows IT departments to manage and patch systems remotely. First unveiled in April last year, vPro enabled desktops have been shipping since September.
Systems that qualify for the logo programme have to meet certain hardware and software requirements.
This ensures compliance with a company's security policies, and enables remote management features such as the ability to boot up systems over a network to apply updates and patches at night.
Centrino Pro and vPro will be slightly different, however. "There will be a gap in the features between Centrino Pro and vPro," Intel spokeswoman Christine Dotts told vnunet.com.
The Centrino platform allows systems to be managed over a Wi-Fi connection, for instance, whereas vPro supports only Ethernet connections.
Researchers Unpick Vista Kernel Protection
http://www.channelregister.co.uk/2007/04/04/vbootkit/
The attack does not lend itself immediately toward the creation of root kits that work on the final Vista build. Even so, the Kumars' work illustrates fundamental design weaknesses the researchers reckon can only be fully addressed by using TPM (Trusted Platform Module) hardware to stop unsigned program code from being executed.
ForeScout bolsters NAC appliance
http://www.networkworld.com/news/2007/040307-forescout.html
CounterAct security device gets directory, identity support
By John Fontana, Network World, 04/03/07
Network access control (NAC) vendor ForeScout has added Oracle to the list of directory and access management software that integrates with its network appliance.
The company said Monday that its CounterAct appliance, which sits on the network and ensures compliance with security policies, will now incorporate user and policy information from Oracle’s Identity Management software lineup.
The move comes a month after ForeScout announced a similar integration with the Sun Java Access Manager and Identity Manager family of products.
“We looked at where we could take network access control to the next step,” says Ayelet Steinitz, vice president of business development and partnerships for ForeScout. “Our appliance had no visibility into role-based information and we quickly realized that it makes sense from a technology perspective to see how we can collaborate with the information identity systems can provide.”
She said that CounterAct becomes the policy enforcement point for all the user-based roles and policies stored in the directory and in other identity management software such as access management and provisioning.
In addition, ForeScout can provide device information such as the media access control and IP address to identity management systems.
ForeScout’s integration with Oracle is supported via a plug-in for CounterAct that uses the Lightweight Directory Access Protocol to extract information from identity systems and apply those policies down to the network device level. The distinguishing characteristic of ForeScout's product is that it is an agentless system which does not require modification to the directory or network architecture when deploying the appliance.
The plug-in integrates with Oracle’s Access Manager, Identity Manager, Identity Federation, Virtual Directory, Directory Services, Enterprise Single Sign-On Suite and Web Services Manager.
ForeScout's greatest challenge is likely to come from the partnership forged by Microsoft and Cisco to integrate their NAC wares – Cisco’s Network Admission Control and Microsoft's Network Access Protection (NAP). Juniper and the Trusted Network Connect group, which is working on a set of open NAC specifications within the Trusted Computing Group (TCG) industry association, are also working on NAC wares. In addition, the IETF is working on a number of NAC standards, and a list of open source vendors are putting together NAC technology, including a pair of Harvard University IT staffers who recently released a free virtual appliance that supports their open source NAC platform.
ForeScout’s Oracle plug-in is available now for free, but in the future, the company says, it may become a fee-based offering.
All contents copyright 1995-2007 Network World, Inc. http://www.networkworld.com
bne, a public question
Could you please inform the board why you have elected to
place on "IGNORE" the three board moderators?
In reading the fluff you post, it seems not-so-strange to me,
but, perhaps you could enlighten our community as to why you ask so many questions publicly but refuse any contact privately. Let me add, the reason I'd like to PM you is to not bore the board with repetitive info that has been hashed so much as to deserve zero board time.
FM
I just returned from the SRA conference
which I believe was webcast.....
Things seem to be on track....
I expect to see Seagate advertising their
Momentus 5400.2 FDE within the next two-to-few weeks...
That, seems to be their official launch...which is what
their October 2006 PRs indicated.
The break out session afterward was great and I have
only two words to describe the potential I heard: WINTEL Standard.
A must-read report:
http://www.rand.org/pubs/technical_reports/2007/RAND_TR406.pdf
This report considers five specific disruptive technologies: Voice over Internet Protocol (VoIP); Radio Frequency Identification technology (RFID); Wireless Microwave Access (WiMAX); Trusted Computing and Internet Protocol version 6 (IPv6). Each technology was considered in the light of an implementation within an organization, as a discrete case study.
Beyond Cellphone PINs
(From THE WALL STREET JOURNAL ASIA)
By Yukari Iwatani Kane
TOKYO -- Mobile phones in Japan have never been more convenient. The latest phones can be used as train tickets, prepaid cash cards and credit cards, as well as to check email, take photos and, of course, handle calls. Many businesspeople check email, make appointments and work on documents via their phones.
But as more Japanese replace the contents of their wallets and briefcases with their cellphones, the protection of information inside the handsets is becoming increasingly important. Losing personal information is bad enough, but it can also mean exposing data about business contacts and others, which can carry heavy consequences in Japan. Under a tough privacy law enacted two years ago, companies can face prosecution if information about their clients leaks out.
"Especially since the phone began taking on the function of a wallet, there's greater demand for protection measures," says Hitoshi Itakura, a director in NTT DoCoMo Inc.'s product department. Wallet-like services offered on many of the company's phones enable customers to store money or credit-card information to make purchases at stores or restaurants.
DoCoMo, the largest Japanese mobile operator, has made a big push in the security area by offering identification methods such as fingerprint, voice and facial recognition on nearly all of its high-end phones. These features are now made possible in large part because the processing chips in handsets have quadrupled in speed in recent years, so phones can recognize authorized users and unlock themselves very quickly.
Biometric technology, which uses the characteristics of a body part to confirm a person's identity, isn't new to Japan. For example, Bank of Tokyo Mitsubishi-UFJ gained notice in 2005 when it issued cash cards with images of the holders' blood vessels stored inside them.
But it is only recently that this security technology has gained a higher profile in mobile phones as more users -- especially companies -- no longer feel comfortable relying on simple personal-identification, or PIN, codes used to protect many phones in the past. Many users never change their default PIN-code setting, and those that do often pick easy-to-guess numbers such as birthdays.
And while Japanese cellphone-service providers also offer a locking mechanism that can be triggered remotely, users must take the time to set it up. Further, each handset can be locked only when dialing from a couple of designated phone numbers.
DoCoMo is the most aggressive of three Japanese mobile operators to offer wallet-phone service, with 18.3 million subscribers, or about 35% of its total customers.
Fujitsu Ltd., the fourth-largest Japanese electronics conglomerate, has been at the forefront of security-related technology and was the first to incorporate it into phones four years ago as DoCoMo was about to introduce wallet-phone service. A tiny chip identified and processed the ridges on a user's fingerprint to decide whether a phone should be unlocked.
The technology isn't without problems. The phone can fail to recognize the owner if the finger that is being used is dirty, sweaty or wet. Fujitsu and DoCoMo decline to say how expensive the technology is, but say it adds a significant cost, making the fingerprint phone one of DoCoMo's more expensive models.
Still, Fujitsu says its phones are popular. About half of its users employ the feature, and some companies even require their employees to use the Fujitsu phones.
While Fujitsu is the only company with fingerprint recognition in its phones -- the company owns fingerprint technology -- other companies have followed with other biometric-security features. Phones by Matsushita Electric Industrial Co., NEC Corp. and Sharp Corp. come with facial-recognition technology that identifies the owner by using the camera to read the distance between eyes, nose and mouth as well as facial contour. A voice-recognition phone by Mitsubishi Electric Corp. picks up on voice patterns when a user says a previously designated phrase.
These technologies can be added at a much lower cost than fingerprint identifiers because they are based on software, but they also have a lower rate of recognizing authorized users. Facial makeup and shadows can interfere with the picture-recognition systems, while voice identification could be interrupted by surrounding noise. A phone owner might have to try several times before the phone successfully identifies the user.
Among some of the more intuitive ideas is a new Panasonic-brand phone by Matsushita that comes with a separate slim, square key similar to a car key. Both the phone and the key contain a transceiver-like technology that emits radio waves. The phone locks up when it is separated from the key by a certain distance. The setting can be chosen by users, depending on whether they want to limit the area to around the desk, in the home or in a building.
DoCoMo said it plans to go even a step further. A new phone this spring will come with an option allowing users to request that all its data be erased remotely if the phone is lost.
SKS' presentation transcript:
Steven Sprague
Thank you, Erik. The obligatory Safe Harbor statement for everybody. I thought I would just start with a brief overview of who we are. Wave is a software company. We are focused on building software for the trusted computing market, which is a chip-based security device in your PC. Our revenue ramp is really underway now with customers like Dell, Intel, Gateway, Seagate, STMicro, and a number of others.
We are one of the leading experts in this trusted computing space and I’ll tell you more about that in a minute. Now, we are also one of the Board members. We are one of the three elected Board members by the body of the Trusted Computing Group organization. You can see the other Board members are in the presentation.
We have about 100 employees. We are based in Western Massachusetts. We also have offices in Cupertino, California, a group in New York, a small group in France, and we are a National Market Cap on NASDAQ.
So, I’ll touch very briefly, and the problem is, it’s a Security Conference, so I don’t think anyone needs to know that PC security is a mess. I think the thing that’s interesting and isn’t yet really being talked about is that there is an amazing solution that is underway in its deployment, and in general, people are very unaware of what’s going on. So, we know the problem. We know we are losing records. We know we have poor authentication. And we know users hate user ID and password. We are working for single sign-on to reduce that mess. But really, all of it is a series of band-aids.
I mean, industry is underway right now in deploying what would be the foundation for the real solution for strong authentication on the network. So what is that?
It's a hardware security device that is now standardized on the motherboard of almost every PC you buy today, as far as enterprise-class machines. It's not yet on consumer machines. We expect the first adoption in the consumer market probably in '08. And what this is?
It's a hardware container that can safely store your credentials. So the new paradigm becomes, I log into my PC and my PC stores credentials that it releases that log me into the rest of the world. And the beauty of an industry standard-based solution is that it's the same framework for everybody.
So, I know something that no one else knows. I know how we as consumers are going to log into E*TRADE, and Amazon, and eBay, and PayPal, and every other service on a global basis -- maybe not tomorrow, and may be not the next day, but in certainty within the next generation of PCs. Because eventually, we'll all have the ability to have hardware-based authentication on to the network and we don't need user ID and password any more. I think the real trick of this technology is the obsolete user ID and password, and let's go put it in the science museum.
So, why does the enterprise want strong authentication? The nature of this technology, it's in every box, but just like networking was picked for, in many aspects it was. At one point in time Microsoft said, we’re going to use Ethernet. And guess what? After we all got a 1 billion SAN Ethernet ports, the RJ-45 port, we all had consumers who know what an RJ-45 port is. All other networking technologies disappeared.
We used to talk about Token Ring, and ATM, and Silent Networks, and all of these kind of stuff. Same in multimedia; for a while, multimedia was a highly fractioned market with lots of acquisitions going in smaller players, and then we ended up with audio built into the chipset by Intel and standard software stack from Microsoft, so I can send you an MP3 file. And what did the multimedia business become? It became about the services that multimedia enables, not about what fidelity in audio I like to deliver.
And so, this market, we believe, will follow the same track that networking did, start in the enterprise and move into the consumer market. And so, we’ve become very focused as a software company in building the tools necessary for an enterprise to deploy this infrastructure, but we are ultimately very focused on how we take this technology ultimately to the next step, and enable everyone to turn it on.
So, it's about really three areas, strong authentication, strong data protection, and strong network access control. What's driving those is compliance, reduction in helpdesk cost, but it's really about trust. Do I know which PC is on my network with which user running which application? And if I absolutely knew that and trusted that information, I would be a lot farther down the path.
So, Trusted Platform Modules are in very broad distribution, shipped about 50 million units in '06, will ship close to 100 million units in '07. What this chart is telling you is, '06 we got about half of the PC enterprise business that’s shipping. '07 gets you to the entire enterprise-class machines, has a TPM on it, and you are beginning to see the penetration in '08 of the consumer market. This year, about 220 million total PCs shipped globally. And this technology is shipping globally today.
So, our mission is to provide the software, to enable and manage and deploy this technology on every machine. So, we built a collection of products and we really break our products into three fundamental areas; solutions for the user to manage their own trusted platforms, a single user environment.
This is typically very inexpensive software we provide to the OEMs, they bundle with their machines. So, Dell Latitude 620 comes with our software preinstalled on the machine. And that’s actually true across all the enterprise-class Dell machines.
Then we sell solutions that are there for the corporation to manage their install base of Trusted Platform Modules. We actually, just the other day, announced our remote administration tool, where with no touch by the IT Department of a single machine, they can go and actually turn the Trusted Platform Modules on and engage them in their network electrically. You still have to physically turn on the TPM in BIOS. But as long as you order your machines with the TPM turned on in BIOS, we now no longer have to physically touch every machine. We can electronically deploy those machines within the enterprise.
And then, ultimately, solutions that enable the use of this technology for different applications. One of the first examples of that is, we've built a software for Seagate for their new trusted drives, which they are showing here at the RSA Show. They’ve announced back in the fall timeframe. So, this is actually where the drive controller on your hard drive encrypts every bit of data.
If you were to lose your laptop and did not know the password, you will never break the drive. And never is a pretty strong word. But, this is very sophisticated hardware level technology protecting the drive. Actually, one of the problems is, you have to have very good Key Management in these infrastructures, because if you accidentally delete all your drives, you might want to recover the keys.
And so, we built a collection of products, both for client product or EMBASSY Trust Suite, and then a series of server products, our Remote Administration Server and Authentication Server and our Key Management Server, which is how we do backup and recovery for the enterprise of all the keys on different machines.
Our business model has been to put this brand and this technology in the machine, ship it to as broad a marketplace as possible, and then up-sell the enterprise. This is a very horizontal business. It has all the benefits of a very horizontal business and all of the true nightmare of a horizontal business. This is hardware and the challenge with hardware is you got to wait till it gets there until you get enough saturation that market can really begin to turn it on.
And so, in our first phase, we partnered with a number of major OEMs. Dell is our primary partner in this space. We've included our software in all their enterprise-class machines. It started shipping last April. We have shipped millions of copies of software and we continue to see increasing volumes on a quarter-by-quarter basis. We are seeing better traction out of Gateway. We are seeing much better traction out of Intel. We expect to sign other OEMs going forward as well. We actually think the Seagate business with Trusted Drive, which is also an OEM component business, is going to bring a whole other tier of OEMs to us as well.
But then the trick is the up-sell of that, because we only make sub of a dollar per machine for the software we provide to the OEMs and in many cases sub $0.50. However, when we provide an enterprise solution, it's much more of a client server solution, and we get paid typically around $50 of fee in actual revenue to Wave. So, the customer cost is in the $70 to $100 range. And long-term, this lays the foundation for services because once you have strong identity on every machine, you actually build the basis of what looks like a subscription network. And so, there are really tremendous capabilities you can provide on a services basis, it's very early on now. It's something I think we understand. We do some transactional business today. We do some work in electronic signatures. We are actually paid per document signed. So transactionally, as the infrastructure deploys that everyone could electronically sign then having the tools necessary to participate in those transactional businesses is very useful.
We have a great tier of partners, both at the OEM level and the silicon level, but now also in the services and server level distribution. It's continuing to grow. It's still very early on in the process.
To put this up just to show that, we have really good established relationships on OEM distribution that will put our software on millions of machines. We have commitments from our OEM partners to include us on this year's models and next year's models, and these are commitments in some ways there is too strong word. We are today their provider of choice. As long as we continue to provide the right solution to them, they'll continue to ship us. We work to make their switching cost very, very high. Bringing for example, things like, the fact that our solution today manages not only the biometrics on Dell's machines, but also the Trusted platform module, also the Smart Card infrastructure, and now we are adding infrastructure for Seagate Full Disc Encrypting drive. So when and if Dell decides to put a Seagate drive in a Dell machine, they have access to the software to manage that drive through Wave.
It's important in Trusted computing to understand that this ecosystem doesn't encompass just the client's PC, but it also covers servers, mobile devices, you are now seeing the emergence of the first peripheral in storage. So it's our intention to provide the software to administer the trusted devices, those machines that show up with hardware level credential support in your household or in your business. We think that that really will have a tremendous expanding business over the next period of time, as the framework for identity finally has a standard to hang off a bit. We know how you are going to authenticate to these different services.
Just a moment on Seagate's drive, I think this is going to be a very interesting component and expansion of our business. In essence, it's a second OEM business for us. We get paid on a per drive basis. We also provide enterprise tools for the organization to manage these drives. This is hardware-based Full Disk Encryption in the drive, and it's done at the drive controller level. So, if the password is not supplied to the drive or the Trusted platform module doesn't supply authentication to the drive, the drive will never spin-off. And so, this completely addresses the issue of how do I solve, I lost my last password and I had this certain data on it, how do I know it was encrypted. We are providing the software to support that and to encrypt, to provide administration and management for the end-user of those drives.
Our competitive advantage in this market is that we are the only company who has done the work to run our software across all known implementations in the Trusted platform modules today. To an essence, three providers; ourselves, Infineon, who build software today that HP carries and a number of the Japanese OEMs carry, but you must use an Infineon core. So, either a Infineon chip or some of the Broadcom chips. Broadcom actually last year signed a licensing deal with us. So, now they support both Infineon software and Wave software. The other four silicon vendors in the marketplace today only work with Wave.
The other vendor in the marketplace really isn't a competitor is the old IBM ThinkPad now purchased by Lenovo, but it's a captive software team and they only support Lenovo. Again, the Lenovo software only runs on Lenovo machines. So, if you are a large enterprise and you have some Dell, some HP, some Lenovo, the only solution that runs across all those machines today is Wave. We are also the only company now that has demonstrated remote administration. We are the only company that's doing enterprise level back up and recovery of keys. So, we are really building out the infrastructure that's necessary to turn this on.
We think that the pre-boot environment is going to be a very interesting place. Once you start to encrypt all your drives, you've heard from a dozen companies today about strong authentication. What they don't know is that all their software won't work in a couple of years. And the reason is, once they have a Full Disk Encrypting drive, I have no operating system anymore. All my authentication takes place without an operating system. So, you have to build authentication independent of the OS environment. And so, it's a very interesting constraint that come along with that because clearly in BIOS you have a lot less space. And this is going to be true for anybody who turns on Full Disk Encryption even within the context of what Microsoft has done is a very limited OS that works with Microsoft Vista BitLocker.
So, the enterprise business is starting. We are actively installing pilots today. We have a growing list of identified customers who are working through Dell distribution channel and Intel's distribution channel. We continue to work to sign value-added resellers. So, it's early on in the process. A typical value-added reseller shows up to an enterprise. They may show up in an enterprise who has not just done a refresh cycle on their PCs. We find the OEMs are still our best channels partners to find companies who just went out and replace half of their computers, because if they just replaced them, they most likely have TPM.
We have identified over 400,000 seats that are on our active hot list. We are closing those seats. Revenues are beginning to grow. It's still learning how to be an enterprise software company. I won't say it's a train rolling freely down the track [flat]. But we can see that coming. And the good pipeline, the pipeline is getting stronger and we are beginning to close the business. We are beginning to understand where we can push back on the enterprise, because they need to understand where these solutions have their edges and where we have to go modify our solutions to meet their needs in the marketplace. You have to have a balance of both sides of that.
We do a tremendous number of joint sales calls. We've done a ton of training in the last six months in Europe, in Asia and we were just out training the whole Dell Asia team a couple of weeks ago. And so it gives you tremendous presence in the marketplace with those partners that they are very shallow. So once they identify the customer is interested, it turns into our hands fairly quickly.
We also -- last summer a reseller agreement with NTT DATA. We are working with them in Japan to deploy this in number of large opportunities in Japan. There are actually really good security requirements out of the government in Japan to drive such platform modules into the market.
The other place that I think we've had tremendous traction is within the Federal government particularly the DoD. We got Army to specify that all Army machines must have Trusted Platform Modules, Air Force follows that. We see the OSD or Office of Secretary of Defense is drafting requirements and stated this public, they are drafting requirements to put TPMs on all DoD machines as a requirement for purchase.
And most importantly, so great -- it's great to have devices on every machine, but a device on a machine doesn’t necessarily generate for us all kind of revenue. The most important thing that happened is that the data-at-rest Tiger team included in our list of requirements for their data protection solutions for the defense department and will most likely be copied for all Federal machines that they would like to see TPMs part of the data-at-rest solution. So it's not an absolute requirement but it’s a very much like to have requirements of the key management for data-at-rest leverages the Trusted Platform Module.
There is good process interest for this because Microsoft is already doing that in Vista with something called BitLocker, which is their data-at-rest solution. So we actually see tremendous potential in the Federal space, they have a simple problem. They have always these TPMs coming in, they are out of control right now, they don’t have US Army property written on them. We provide the tools that would make it possible for them to let them put up spray paint new property, US Army and take control of these devices. And so we think actually that’s a tremendous opportunity we are working it into the architecture. I think we understand how it could be used and deployed and hopefully we're ultimately the vendor that wins the business as we help them to understand what they need to deploy.
So revenues have been growing. The bottom part is our licensing business. We had a small service business you see that was nice WIP in Q1 and Q2 that actually was defense department business for a small contract. We actually see extension of similar contracts like that adding to a broader services component of our business. We have a lot of expertise in this area and people are beginning to tap it.
These numbers need to grow. They are driven ultimately by our enterprise business. We are shipping millions of copies of our software, our brand is in the box, as the enterprise becomes aware of how they can secure their network with TPMs they are turning to us first. And, so it’s then converting them in that cycle. And so we are still early on in the enterprise adoption. But we can see the momentum of this running. And this is driven by a standard. So the probability that Trusted Platform Modules do ultimately get turned on is very high. We hope that we are in the right position to help them execute turning that on at the right place and the right time.
So we continue to build market share, we are very focused on that, anything that we can do to attach our software and our brand to more OEMs. I think what we have done with Seagate, Seagate ships over 170 million drives a year, they have been pretty clear that this is the type of technology they do put on every drive in a year or two. So we like being one of the key software providers and helping them to accomplish that. You can see a demonstration of that at RSA Conference of our software managing the Seagate drive. Our partners are expected to ship over 50 million end unit machines of that software over the next couple of years.
Our OEM licensing is continuing to expand. I think we are actually starting to build a little strength slowly, but surely in our pricing capability here. So that first you come in and then it tapers down as they beat you up, but I think they are realizing there is value that we are bringing to the market. So hopefully we are beginning to build a little strength on that side. But, ultimately at the end of the day it's driven by our Enterprise business. Enterprise business is engaging we'd like it to be faster than it is, it's still slogging through the mud, but we're beginning to see good traction. We'll be very happy when it reaches cash flow breakeven for us, that's really the goal here and that shouldn't be too far in the distance.
We continue to invest in maintaining leadership in this space. We just finished building and delivering our Vista solution to our prime OEM partners, it will be generally available in a few weeks. And that's a huge effort. We actually are the façade that shows all the security solutions for the biometrics the Smart Card integration et cetera. And it requires the support of all the other partners that are in the machine. And that just has a tremendous challenge, especially when you don't have a direct relationship necessarily with all the suppliers, so through your OEM partners and based on who they introduce.
That's the presentation I have. I'm open to take any questions anybody has and I'd like to leave everybody with one important thought. This is our standard anyone who invests in, participates in, or is building solutions in the security space. Who can't articulate where Trusted Computing touches their business, needs to go figure it out. This thing has been very, very, very quietly launched by Microsoft and Intel as part of logo compliance. They are going to put it on every single machine. It is the basis of how you could do subscriber management for a billion people. It has all the strength necessary to run a subscription-based network like an IPTV network, and it's in every single box.
So watch this space very carefully. If you look at strong authentication, this is why most likely certificate-based authentication will win in the long-term. This is the basis for the root of trust, as to how all network access control works. So Cisco's NAC solution versus what Microsoft is doing with NAP versus what the standard body here with 70 companies are doing in Trusted Network Connect and melding those pieces together.
So it's I think a very important place to watch and understand in the whole security space, how standards will affect the competitive landscape in the business and how competitors respond to it. So are there any questions I can answer?
Question-and-Answer Session
Unidentified Analyst
(Question Inaudible)
Steven Sprague
Yeah, I think it's really going to be a combination of that and we've seen tremendous interest as we data tested this remote administration. I'd say that remote administration has been one of the enabling technologies, that's been missing from the Trusted Platform Module space. Today, if you wanted to go to turn this on, you physically have to go with an IT guy and touch every machine. We now are in a position where we can basically automatically roll that out. So, let me use an example. We automatically rolled it out inside Wave and then we went out and bought $150 Cisco hotspot -- WiFi hotspot that has 802.11a and then we turned on Secure Wireless Authentication with hardware and there is no user involvement.
So, the machines know that they belong on Wave’s wireless network. They don't ask the user, every single time you connect, can you provide me with your password? Right? And so, my IT Department knows that there are 30 machines that are authorized for this hotspot. There are only 30 machines that will ever get access to that hotspot. This is very interesting capabilities. We ship this for free. In every single Dell box, it's free. I can't tell you the number of IT guys we go to visit who are totally unaware of the [new box]. So, that means that awareness is our biggest challenge.
Unidentified Analyst
(Question Inaudible)
Steven Sprague
Well, I think they could in time. They are not there today. I mean -- this is the perfect question in my opinion. So, on paper, what's your plan? There is going to be 1 billion machines that need Key Management for Trusted Platform Modules, what's your plan? And what's fascinating is, this is not in any of the presentations, you didn't see the letter TPM anywhere. We've never seen a solution that operates Key Management for a TPM. So, at some point in time, they are getting way behind the curve. I am on Generation II, maybe Generation III of Key Management infrastructure for TPM, and I just finished building Key Management infrastructure for consumer Seagate drives. If you ask EMC why they spent $2.1 billion in RSA, they will tell you, it's for Key Management, as a part of storage solutions. Where are they?
So, I look at consumer drives at a 170 million drives a year doesn't take very long before you start to touch everybody's machines and it's getting way late in the game. I am working on how do I get my software completely bundled in the box and packaged with the solution it just derives. And so, you as a user or as a corporation going to have mentally uninstall that and what we've learned is it has to be somewhat customized on an OEM-by-OEM basis to really effectively work as well you'd like it to work. So, it's not going to be that trivial that show up with the solution later on in the market and then roll it out across an enterprise. And if you break the stuff, it's a huge mess. Right, like the CEO's machine goes, because you lost the keys to your drive. They don't like that.
So, we think key management is a very important area in this space. We are very heavily invested in it. There is a ton more work to be done. I think we have a very rich patent portfolio in the space and we have -- something we are doing for five or six years. I think we have an awareness of what people are building. Just a simple fact, that all strong authentications are moving pre-OS. Nobody here is saying that. Your army just discovered this. They just went on and said we are going to put all our machines to have data protection in the machines and then they discovered that in the act of that they are fundamentally breaking all of their strong authentication solutions. So, it's a fascinating space to watch.
So, I think my time is up. So, thank you very much and we are around all afternoon if anybody has any questions.
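The drive key hierarchy the transcript keeps returning to (a data-encryption key that the drive releases pre-boot only against the user's password, plus enterprise backup and recovery so a lost password does not mean a lost drive), as an added Python example; this is not Wave's or Seagate's code, and the HMAC-based wrap, the PBKDF2 work factor and all class and function names are assumptions made for illustration.

```python
"""Constructed example: a self-encrypting drive's key hierarchy with escrow.

One data-encryption key (DEK) protects the platters. The drive never stores
the DEK in the clear: a user slot holds it wrapped under a password-derived
key, and an escrow slot holds it wrapped under a key that only the enterprise
key-management server knows. A forgotten password is recovered by the server
re-wrapping the same DEK under a new password, so the data stays intact.
The wrap primitive is a simplified HMAC-SHA256 construction (standard
library only); a real drive uses AES, but the hierarchy is the point.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def derive_kek(password: str, salt: bytes) -> bytes:
    """Stretch a user password into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Wrap a 32-byte DEK under a KEK: one-time keystream XOR, then a MAC."""
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    nonce = os.urandom(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of wrap(); None if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


@dataclass
class Drive:
    """What the drive controller keeps in its non-volatile key store."""
    drive_id: str
    salt: bytes
    user_slot: bytes
    escrow_slot: Optional[bytes]  # None when the drive was never enrolled


class KeyManagementServer:
    """Enterprise backup/recovery authority: holds only the escrow KEK."""

    def __init__(self) -> None:
        self.recovery_kek = os.urandom(32)
        self.enrolled: Dict[str, bool] = {}

    def enroll(self, drive: Drive, dek: bytes) -> None:
        drive.escrow_slot = wrap(self.recovery_kek, dek)
        self.enrolled[drive.drive_id] = True

    def recover(self, drive: Drive, new_password: str) -> bool:
        """Re-wrap the existing DEK under a new password; data stays intact."""
        if drive.escrow_slot is None or drive.drive_id not in self.enrolled:
            return False  # never escrowed: a lost password is a lost drive
        dek = unwrap(self.recovery_kek, drive.escrow_slot)
        if dek is None:
            return False
        drive.salt = os.urandom(16)
        drive.user_slot = wrap(derive_kek(new_password, drive.salt), dek)
        return True


def provision_drive(drive_id: str, password: str,
                    kms: Optional[KeyManagementServer] = None) -> Drive:
    """Generate a fresh DEK at first use and wrap it for the user (and escrow)."""
    dek = os.urandom(32)
    salt = os.urandom(16)
    drive = Drive(drive_id, salt, wrap(derive_kek(password, salt), dek), None)
    if kms is not None:
        kms.enroll(drive, dek)
    return drive


def unlock(drive: Drive, password: str) -> Optional[bytes]:
    """Pre-boot unlock: runs before any OS exists, so only the password is needed."""
    return unwrap(derive_kek(password, drive.salt), drive.user_slot)
```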
Symantec Says Identity Management Is Big Issue
PALO ALTO, Calif. (Dow Jones)--Managing and protecting online identities is
the most significant job facing the computer security industry, Symantec Corp.
(SYMC) Chief Executive John Thompson said Tuesday.
When consumers feel more confident online, they will buy more and
increasingly trust Web sites with valuable data, such as those of a bank,
Thompson said during a keynote at the RSA Conference in San Francisco.
"We're living in an age of more online collaboration and transactions," he
said. Kids hang out online at MySpace. Adults check email on their
BlackBerries from Research In Motion Ltd. (RIMM).
But while online sales this holiday season rose 26% in the U.S. to $22
billion, they would have been higher if online security were better, Thompson
said. Researchers at Gartner Inc. found that almost $2 billion wasn't spent
online last year because of security concerns, he said.
In addition, 60% of businesses expect at least one major
information-technology incident will occur each year, Thompson added. The
average cost per incident is $85,000.
For businesses, "managing user identities is the most pressing challenge
facing our industry today," Thompson said.
And Microsoft Corp.'s (MSFT) new Vista operating system alone won't provide
security against tomorrow's threats, he added.
Besides, businesses don't want an operating systems company to be the one
that secures them from a wide range of risks, he said to applause. "It's a
huge conflict of interest."