TCG Announces Two New Open Source Credentialing Tools for Trusted Supply Chain
https://www.oaoa.com/news/business/article_6ae57b04-ebf0-5299-b355-5e37b0eb5c9f.html
PORTLAND, Ore.--(BUSINESS WIRE)--Oct 2, 2018--Trusted Computing Group (@TrustedComputin) today announced the availability of two new open source tools for using the Trusted Platform Module (TPM) within a trusted supply chain, supporting TCG’s Platform Specification.
A recent Deloitte Touche Tohmatsu Limited survey* found that 85 percent of surveyed global supply chains had experienced at least one disruption in the past 12 months. These disruptions can disrupt business, result in production delays, incur significant fines and result in legal action.
The TPM can be used to cryptographically bind production lines and the devices they produce, including multi-vendor, multi-stage production. In this capacity, the TPM augments existing acceptance testing tools and validates the source of components and assembly – and can detect malicious component swaps.
TCG has published a specification for the trusted supply chain, defining how TPM credentials are used to verify supply chain entities in the manufacturing, assembly and delivery using the specific TPM on the device. The TPM manufacturer creates an endorsement key on the TPM and then separately creates a signed X.509 endorsement credential and installs it into the TPM to provide proof of the TPM’s source.
Any enterprise involved in the production, configuration or testing of a TPM-enabled device can create a platform credential, which provides assertions about the device and can be used for any system component, such as motherboards, network cards, storage devices or others.
Two open source tools now are available supporting the TCG Platform Specification. Intel is offering an open source tool for creating platform certificates for manufacturers and assembly companies. The tool, available at GitHub Platform Certificate Validation Tool, requires PKI certificates, including those from third parties.
NSA Research, as part of NSA's Technology Transfer program, released new software on September 6, 2018, allowing technology users to mitigate risks with today's supply chain management. This software is intended to support the supply chain validation techniques prescribed by the Trusted Computing Group (TCG).
NSA's Host Integrity (HI) Attestation Certificate Authority (ACA) is available on the NSA Cyber GitHub site. The ACA provides an "Acceptance Test" policy, used to prove a device was produced by the claimed manufacturer, and contains the agreed upon list of components. Host Integrity will initially support CentOS-based Linux devices; however, the TCG's supply chain validation process can work with any computerized device that includes a Trusted Platform Module (TPM) (1.2 or 2.0).
TCG further recommends that manufacturers review and update their policy and procurement processes; requiring TPMs with endorsement credentials and requiring platform certificates for motherboards and chassis. TCG plans to expand its work to additional components used in manufacture of various systems.
=================================================================
Wave ESC could help with managing the TPM and Wave VSC 2.0 could help with the enterprise's (2FA). Those global supply chains probably want an activated TPM in their company computers as well (with ESC and Wave VSC 2.0 too). The above article could open up a new and important market for Wave!
=================================================================
https://www.wavesys.com/products/embassy-security-center
This puts the endpoint in endpoint security
A key piece of the Wave alternative, Wave’s EMBASSY® Security Center is what lets you manage all the functions of your Trusted Platform Modules (TPMs) and self-encrypting drives (SEDs)—hardware security features already embedded in most business-class PCs and tablets. When installed on each of your desktops, laptops, tablets, and so on, this feature-rich software carries out the commands you issue remotely with our EMBASSY server products.
You can believe it works: Wave technology has been fully integrated with self-encrypting drives (SEDs) since 2007, and in 2012 Samsung licensed it for their TPM-equipped devices.
Strong authentication: beyond passwords
Traditional two-factor authentication only adds security to the user side of authentication. The Wave alternative is far more secure: EMBASSY Security Center turns on the TPMs, or security chips, already inside your devices, so you can identify both the users and the devices they’re using. Is that really Bob accessing your quarterly sales numbers? And is he doing it with a secure device? It’s a superior way to protect your data from theft and your system from infection.
We won’t slow you down
EMBASSY Security Center works in the background. It doesn’t interfere with day-to-day activities. When using a self-encrypting drive, integration with Windows gives you single sign-on (SSO) and password synchronization. That keeps your users happy. Not to mention your help desk—which will be spending a lot less time on the phone resetting forgotten passwords.
Apollo Faces Criticism for Breach of 200 Million Contacts
https://www.infosecurity-magazine.com/news/apollo-faces-criticism-for-breach/?utm_source=dlvr.it&utm_medium=twitter
Sales engagement startup Apollo, whose database of 200 million contacts across 10 million companies was reportedly hacked, is facing criticism for failing to protect the data it collects. According to TechCrunch, Apollo said its contacts database was stolen in a data breach.
While the company’s website offers no information on the breach, Apollo does admit that despite any security practices, it cannot guarantee the protection of the data it collects. “We understand the importance of the security of the information we collect, but we cannot promise that our security measures will eliminate all security risks or avoid any security breaches.”
Infosecurity Magazine contacted Apollo for more details but has not received a response. Bjoern Zinssmeister of Templarbit reportedly gained access to an email sent to affected Apollo customers. The communication acknowledged that the majority of exposed information came from its publicly gathered prospect database. According to TechCrunch, in Apollo's mandatory customer communication email, CEO Tim Zheng wrote that no additional information is available at this time given that the investigation is still ongoing.
Yet content from the email has been made public, and critics say Apollo's security efforts were insufficient. “In an email to affected customers, Apollo said the data breach was discovered weeks after system upgrades in July,” said Zohar Alon, CEO, Dome9. “Apollo is not the first company to have a breach go unresolved for a long period of time, proving organizations do not emphasize security to a high-enough degree.”
Acknowledging that there are security risks that could result in a breach does not go far enough in protecting customer data for a company that boasts a database of 200 million contacts from 10 million companies. “If other organizations want to prevent breaches like the one experienced by Apollo, they must leverage advanced security capabilities built for the cloud,” said Jacob Serpa, product marketing manager, Bitglass.
“They should employ multifactor authentication to verify users' identities more accurately, as well as contextual access control that can flexibly extend data access based on a user's location, device type, and more.”
“The breach of Apollo’s enormous database of 200 million prospective customers and 10 million companies adds to a growing list of companies that compile large amounts of data yet fail to keep it safe,” said Ruchika Mishra, director of products and solutions, Balbix.
“When you are expected to keep prospect, customer, supply chain and other business-critical contact information safe, you must be proactive about your security efforts and try to detect and mitigate cyber risks in your network before they are exploited.”
=================================================================
If Wave VSC 2.0 was being used more broadly, many of these breaches wouldn't happen! Wave has quite a list of worldwide partners that could be instrumental in a sales scale up in rapid fashion. Having ex-employees as well as current employees help this process could make the possibility of a rapid sales scale up a reality. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Dark Web Azorult Generator Offers Free Binaries to Cybercrooks
Another reason for companies to be using Wave VSC 2.0 is to have the TPM as a second factor of authentication. The malware below could be taken care of by Wave Endpoint Monitor, but if the company just has Wave VSC 2.0 a password stolen wouldn't lead to the consequences that could hurt Wave competitors' 2FA and their users. imo.
https://threatpost.com/dark-web-azorult-generator-offers-free-binaries-to-cybercrooks/137812/
The Gazorp online builder makes it easy to start stealing passwords, credit-card information, cryptocurrency wallet data and more.
A malicious build-it-yourself platform for the Azorult info-stealing malware has debuted on the Dark Web.
The online builder, which its authors have named Gazorp, allows cybercriminals to generate their very own strains of Azorult, along with the apparatus to control it. And, it’s free.
“Threat actors [gain] the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address,” wrote Check Point researchers Nikita Fokin, Israel Gubi and Mark Lechtik, in a posting last week on the generator. “This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”
Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0.
Azorult is a fairly popular commercial malware, which is used for harvesting various kinds of information, including passwords, credit-card information, cryptocurrency wallet data and more. It also can download additional malware. It’s been around since at least 2016, when Proofpoint researchers identified it as part of a secondary infection via the Chthonic banking trojan.
Azorult 3.0 debuted five months ago, and while there have been two subsequent versions released into the wild since then with major improvements, “the outdated version has multiple stealing capabilities which can be leveraged by any actor to gather victim information and misuse it,” the Check Point team noted.
The researchers added that the Gazorp platform claims to offer multiple upgrades and enhancements to the Azorult’s existing leaked C2 panel code, which was uploaded to Github a few months ago.
Check Point said that Gazorp offers “major differences and additions” from the leaked source panel in Gazorp, with a main enhancement being a global heat map that provides statistics by country.
Gazorp is also in active development, and its creators are taking a hacker community-minded approach to the proceedings. The service has its own Telegram channel, where interested parties can get updates on the project and weigh in with their own ideas. So far, the Gazorp authors have promised future extensibility with a “modules” library, and features like the ability to configure the panel and export the various databases to a file.
“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code,” researchers said. “However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.”
As for monetization, the public can also donate to the project with Bitcoin. There are no fees to use Gazorp – further lowering the barrier to entry for cybercriminals.
“Given that the service is free, it is…possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild,” the researchers said.
Employees Share Average of 6 Passwords With Co-Workers
https://www.darkreading.com/threat-intelligence/employees-share-average-of-6-passwords-with-co-workers/d/d-id/1332933
Password-sharing and reuse is still prominent, but multifactor authentication is on the rise, new study shows.
An employee on average shares six passwords with his or her co-workers, and half of employees reuse passwords among work and personal accounts.
But there is a bit of good news: 45% of businesses are using multifactor authentication (MFA), up from 24.5% last year, according to a study by password manager LastPass of 43,000 organizations that use its service. Some 63% of organizations that employ MFA are in the US.
Even some smaller-sized companies are employing MFA: 41% of those doing so have 25 or fewer employees, the study found. Meantime, 3% of companies with 10,000 or more employees do so.
================================================================
97% of companies in this survey with over 10,000 employees could be using Wave VSC 2.0! It appears there still is a large untapped market that could be benefiting from the use of Wave VSC 2.0!! If these companies talked to a Wave rep. and read the article below they probably wouldn't be going without Wave VSC 2.0 for very long.
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Excerpt:
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR
https://gizmodo.com/facebook-could-face-up-to-1-63-billion-fine-for-latest-1829426100?utm_source=gizmodo_twitter&utm_campaign=socialflow_gizmodo_twitter&utm_medium=socialflow
Facebook's Whatsapp was monetized at $1 a year after a year of use, and at least a billion people use it. Why not try 'Secure Facebook' and charge a little for the optional security of the TPM and get great security for a nominal cost and for security that's easy to use?! Wave Knowd (currently in retirement) would be a great platform for 'Premium Facebook Security'! The security platform could protect Facebook/users with the 'Trust Score' and could protect users with the optional TPM. Read link below for more details.
==================================================================
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
Russian hackers ‘Fancy Bear’ now targeting governments with rootkit malware
https://techcrunch.com/2018/09/27/russian-hackers-fancy-bear-now-targeting-governments-with-rootkit-malware/
Security researchers say that they have found evidence that for the first time Russia-backed hackers are now using a more sophisticated type of malware to target government entities.
ESET presented its case Thursday that the hacker group, known as Fancy Bear (or APT28), is using rootkit malware to target its victims. That marks an escalation in tactics, which the researchers say the group’s hacking capabilities “may be even more dangerous than previously thought.”
Although the researchers would not name the targeted governments, they said that the hackers were active in targeting the Balkans and some central and eastern European countries.
The malware, dubbed LoJax, uses a portion of LoJack, an anti-theft software that has been criticized for its brutal persistence making it challenging to remove — even when a user reinstalls their operating system. Arbor Networks found earlier this year that the LoJack agent now connected to a malicious command and control server operated by the hackers.
LoJax, like other rootkits, embeds in the computer’s firmware and launches when the operating system boots up. Because it sits in a computer’s flash memory, it takes time, effort and extreme care to reflash the memory with new firmware.
According to its investigation, ESET said that the hackers were “successful at least once” in writing a malicious module into a system’s flash memory.
Although attribution is typically difficult, the researchers found that systems hit by LoJax also contained other hacking tools known to be used by Fancy Bear, including backdoors and proxy tools used for funneling network traffic to and from the hackers’ servers.
ESET said it could link the malware to earlier network infrastructure used by the hacker group “with high confidence.”
Fancy Bear has been active for more than a decade, but is best known for hacking into the Democratic National Committee and its disinformation and election influencing campaign against the U.S. in the run up to the 2016 presidential election. The hackers have also targeted senators, social media sites, the French presidential elections, and leaked Olympic athletes’ confidential medical files.
The researchers said that there are preventative measures. Because Fancy Bear’s rootkit isn’t properly signed, a computer’s Secure Boot feature could prevent the attack by properly verifying each component in the boot process. That can usually be switched on at a computer’s pre-boot settings.
ESET said that the discovery “serves as a heads-up, especially to all those who might be in the crosshairs of Fancy Bear.”
=================================================================
If a company fails to turn Secure boot on, there is Wave Endpoint Monitor to detect rootkits!
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
Excerpt:
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
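The boot-value comparison described in the excerpt above can be sketched as follows. This is an added example, not Wave's code and not part of the original post: it assumes a SHA-256 PCR bank and replays a measured-boot event log with the standard TPM extend operation; the event names and contents are constructed for illustration.

```python
import hashlib

PCR_SIZE = 32  # size of a PCR in the SHA-256 bank


def extend(pcr: bytes, measured_data: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(measured data))."""
    digest = hashlib.sha256(measured_data).digest()
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (name, data) events in order.

    Returns the final PCR value and the running value after each event,
    so a mismatch can be traced to the event where it first appeared.
    """
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeroes on reset
    steps = []
    for name, data in events:
        pcr = extend(pcr, data)
        steps.append((name, pcr))
    return pcr, steps


def compare_boot(baseline_events, current_events):
    """Compare the current boot against a known-good baseline boot."""
    base_pcr, base_steps = replay(baseline_events)
    cur_pcr, cur_steps = replay(current_events)
    if base_pcr == cur_pcr:
        return {"match": True, "first_deviation": None}
    # Walk the current log and report the first event whose running
    # PCR value differs from the baseline at the same position.
    for i, (name, value) in enumerate(cur_steps):
        if i >= len(base_steps) or base_steps[i][1] != value:
            return {"match": False, "first_deviation": name}
    # Every current step matched, so the current log stopped early:
    # report the first baseline event that was never measured.
    return {"match": False, "first_deviation": base_steps[len(cur_steps)][0]}


# Constructed sample logs (names and contents are illustrative only).
BASELINE = [
    ("firmware_volume", b"fw-image-v1"),
    ("option_rom", b"nic-rom-v3"),
    ("boot_loader", b"loader-v7"),
]
# Same boot chain, but the firmware image contains an extra module.
MODIFIED_FIRMWARE = [
    ("firmware_volume", b"fw-image-v1 + extra module"),
    ("option_rom", b"nic-rom-v3"),
    ("boot_loader", b"loader-v7"),
]
# Same components measured in a different order.
REORDERED = [
    ("firmware_volume", b"fw-image-v1"),
    ("boot_loader", b"loader-v7"),
    ("option_rom", b"nic-rom-v3"),
]

if __name__ == "__main__":
    for label, log in [("baseline", BASELINE),
                       ("modified firmware", MODIFIED_FIRMWARE),
                       ("reordered", REORDERED)]:
        print(label, compare_boot(BASELINE, log))
```

Because each extend folds the previous PCR value into the next, a change to any measured component, or to the order of measurements, changes every later value; software running after boot cannot set the PCR back to the baseline.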
Navy gives OTA authority to all systems commands
https://federalnewsradio.com/navy/2018/09/navy-gives-ota-authority-to-all-systems-commands/
The Navy is now giving each of its system commands the authority to use other transaction authorities up to $100 million.
The move comes as the Navy and other parts of the military and Defense Department are increasingly using the procurement method to pay for prototypes and use nontraditional defense companies to spur innovation.
“Part of my challenge to those command leaders is, in their particular environment, what’s the right OTA for the job they have at hand?” said Navy Assistant Secretary for Research, Development and Acquisition James Geurts in a Tuesday interview with Federal News Radio at the Modern Day Marine conference in Quantico, Virginia. “Specifically, Space and Naval Warfare Systems Command (SPAWAR) has done some on information warfare. Our undersea warfare center has done some for undersea technologies and, quite frankly, there’s other great ones across the department that we might just leverage rather than create one of our own.”
Geurts said the use of OTAs depends on the mission area the command is working in at the time.
“We need to have that full toolset available so that we can rapidly prototype and rapidly test stuff so we can take some of the time and cost out of looking at new products and getting them the hands of our warfighters,” Geurts said.
The Navy runs five different systems commands, meaning the commands have the authority to execute OTA agreements totaling up to $500 million.
The Navy gave SPAWAR OTA authority back in June. The command hoped it could get companies to pitch new technologies and products to the Navy.
“If you set this up right, you can encourage unsolicited suggestions for technology advancements,” said William Deligne, the deputy executive director of SPAWAR’s Systems Center Atlantic, the organization that created and is managing the Information Warfare Research Project OTA. “You don’t always know what you don’t know, right? And so what we’re trying to do is encourage a two-way exchange. We’re going to place orders into the consortium, but we want the consortium members to also feel like they can bring unsolicited research to the table that we could consider.”
With up to $500 million now on the line, Geurts said the Navy is treading lightly with how it uses the OTAs. As of right now, the procurement vehicles are hardly reviewed by Congress or any outside groups and do not have to follow the traditional acquisition regulations.
“OTAs, I think, are a tool. They’re not the perfect tool for every job, just like the hammer isn’t the perfect job for a screw, but if you don’t have a hammer, some jobs you can’t do,” Geurts said. “I look at OTAs as one of many tools we need to perfect. Prize challenges are great tools, cooperative research and development agreements are great tools, small business innovative research contracts are great tools. They really train and hold the workforce accountable for being knowledgeable and using all those tools in the appropriate manner.”
He added that he is making sure OTAs have the proper oversight.
OTAs fit into one of the core goals Geurts is focusing on, which is building the Navy’s agility by reducing iteration time, prototyping quicker, building things faster and bringing in new companies that traditionally don’t work with the service.
Geurts said part of doing that involves developing talent in the acquisition workforce, training them and giving them the right knowledge to know when to utilize different contracting methods.
===============================================================
The Navy could see, if given the chance, two products in Wave VSC 2.0 and Wave ERAS that could have a big, positive impact on its warfighters' security posture. Bill Solms who posted this article on his twitter page unfortunately works for another company. From what I understand, he had a big hand in Wave VSC 2.0 and helped sell it to the government. Wave needs a guy like him for suggestions of these products to the Navy. imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Facebook faces class-action lawsuit over massive new hack
https://www.theverge.com/2018/9/28/17916076/facebook-hack-lawsuit-login-info-50-million-users-affected
Facebook is already facing immense fallout from revelations this morning that a hacker exploited a security flaw in a popular feature of the social network to steal account credentials of as many as 50 million users. The company is now facing a class-action complaint filed on behalf of one California resident, Carla Echavarria, and one Virginia resident, Derick Walker. Both allege that Facebook’s lack of proper security has exposed them and additional potential class members to a significantly increased chance of identity theft as a result of the breach.
The lawsuit was filed today in US District Court for the Northern District of California. The complaint alleges Facebook is guilty of unlawful business practices, deceit by concealment, negligence, and violations of California’s Customer Records Act. The plaintiffs want statutory damages and penalties awarded to them and other class members, as well as the providing of credit monitoring services, punitive damages, and the coverage of attorneys’ fees and expenses.
Facebook doesn’t know who the hacker is or how severe the attack was
Although Facebook says it has fixed the issue that resulted in the breach, it still has little to no information to provide on who is behind the attack or when the attack even occurred. The company began notifying affected users this morning with a message on its website and mobile app, and it’s been holding a series of calls with reporters throughout the day to brief them on technical details and other information as it arises. Still, this is among the more serious breaches Facebook has ever suffered. It will likely only intensify criticism of the company’s handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal earlier this year, in which more than 70 million users’ personal info was packaged and sold to a data-mining firm without their consent.
As it stands, in addition to this new lawsuit, Facebook is facing pressure from the New York State Attorney General Barbara Underwood, who announced on Twitter this afternoon that, “We’re looking into Facebook’s massive data breach. New Yorkers deserve to know that their information will be protected.” Federal Trade Commissioner Rohit Chopra had a terse public reaction, releasing a simple three-line tweet reading, “I want answers.” In addition to Underwood and Chopra, Sen. Mark R. Warner (D-VA) released a statement describing the hack as “deeply concerning” and calling for a full investigation.
“Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures,” reads the statement from Warner, who is the vice chairman of the Senate Select Committee on Intelligence and the co-chair of the Senate Cybersecurity Caucus. “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over.”
================================================================
Hardware security is better than software security alone!
The TPM, Scrambls, Wave VSC 2.0 and Wave Knowd could have mega benefits to Facebook's security, but two are unfortunately in retirement. imo.
Facebook Vulnerability Affecting 50 Million Users Allowed Account Takeover
https://www.bleepingcomputer.com/news/security/facebook-vulnerability-affecting-50-million-users-allowed-account-takeover/
Today, Facebook disclosed a security vulnerability that affected 50 million people on the social media network and allowed malicious third parties to potentially access the affected users' accounts.
In a blog post, Facebook's Guy Rosen, VP of Product Management explained that the attackers exploited a vulnerability associated with Facebook's "View As" feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people's accounts.
"Our investigation is still in its early stages," stated Guy Rosen, VP of Product Management, for Facebook. "But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."
When they discovered this vulnerability, Facebook fixed it and then reset the security tokens for almost 50 million accounts, and to be safe, reset them for an additional 40 million other accounts. Finally they turned off the "View As" feature.
"Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security," the announcement continued "We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."
According to Facebook, this attack stemmed from a change they made in July 2017 to their video uploading feature.
As they have just started their investigation, it is not known how many accounts, if any, were affected by this vulnerability. Facebook has stated they will provide more information when the investigation has been completed.
Update 9/28/18 3:42 PM EST: It appears that three vulnerabilities were chained together in a large scale attack to steal account tokens. More info from Motherboard.
================================================================
Facebook discloses network breach affecting 50 million user accounts
https://www.zdnet.com/article/facebook-discloses-network-breach-affecting-50-million-user-accounts/
Excerpt:
"I'm glad that we that we found this and that we were able to fix the vulnerability and secure accounts," Zuckerberg said. "But it definitely is an issue that this happened in the first place. And I think this underscores the attacks that that our community and our service face, and the need to keep on investing heavily in security and being more proactive about protecting our community. And we're certainly committed to doing that."
================================================================
Scrambls would eliminate the need for the insecure Facebook 'View As' function. In Scrambls the user would already know who they scrambled and wouldn't need to do a 'View As' to check. imo.
=================================================================
Facebook also should have the TPM for a second factor of authentication (it's already in well over a billion devices) and Wave could serve that security well with Wave VSC 2.0 and Wave Knowd. imo.
=================================================================
Protect Corporate Use of Social Media and Cloud Services with Scrambls for Enterprise
https://www.wavesys.com/buzz/pr/protect-corporate-use-social-media-and-cloud-services-scrambls-enterprise
Encrypt Postings and Shared Files to Ensure Privacy and Compliance
Lee, MA - December 4, 2012 -
Scrambls for Enterprise launched today, giving organizations a means for their employees to safely collaborate over social media sites like Twitter® and Facebook, and share files with cloud services like Dropbox™ and Salesforce.com®. Scrambls protects data that is often overlooked in corporate security initiatives – information shared online via social media, files stored in the cloud and data in motion.
Employees are free to leverage existing social media infrastructures to enter status updates, Tweets, blog posts, files and more, without jeopardizing security or privacy. Scrambls for Enterprise encrypts data before it ever leaves a user’s computer or smartphone. Posts and files can only be viewed by those the enterprise grants permission to—everyone else sees scrambled text.
“Social media and cloud services are expanding the way business is done, but enterprises need greater control of the information they share across the public web,” commented Steven Sprague, scrambls co-creator and CEO of Wave Systems. “These services are often self-discovered by employees who use them to share critical information. Enterprises need to take responsibility for this new flow of data, and scrambls provides the privacy, security and audit controls similar to what you’d see with corporate email accounts.”
The power of scrambls lies in the permissions granted to group members. To read a post or descramble a file, the service automatically applies the permission to make it readable again for only those individuals granted access. Business administrators set the policy and manage the groups. Add or remove people from the groups at any time to change who can read messages and files, even after they’ve been published on the web.
“Scrambls can open up new business opportunities with use cases for every type of vertical market,” continued Sprague. “In healthcare, a private and protected channel for communication leads to better care and service. It’s easy for doctors, social workers and caregivers to have sensitive discussions about the care of a family member in real time using popular tools like Twitter or Facebook. Those conversations remain private with scrambls.”
Deploying scrambls in the Enterprise
The scrambls enterprise console gives employees, managers and IT staff the ability to manage accounts. You first create groups for access either by email addresses or through the existing corporate lists that enterprises already use (Active Directory, corporate email domains, etc.). Add more detailed rules as needed, like an expiration date for a file, or a password that can be used to view a blog post. Deploy the client install or have users download it, and they’re ready to scramble. It’s as simple as that!
Scrambls privacy and security can be added to an organization’s internal applications as well through a software developer kit. The SDK enables third-party apps and sites to integrate directly with scrambls to leverage the same groups for security, privacy and control.
Windows 10 passes 700 million devices, 1 billion still far off
https://arstechnica.com/gadgets/2018/09/windows-10-passes-700-million-devices-1-billion-still-far-off/
200 million users have been added in about 16 months.
Windows 10 is now on 700 million devices, according to executives speaking at the Ignite conference this week, reports Neowin.
Windows 10 has been the fastest-growing version of Windows, hitting 700 million in about three years on the market, but this nonetheless represents a big shortfall from Microsoft's original ambitions for the operating system. At its launch, the company said that it hoped to have one billion Windows 10 users within two to three years of release. At the time, the Windows 10 strategy covered not only desktop systems (and a number of Windows 10 variants, such as those used on HoloLens, Surface Hub, and Xbox), but also smartphones, with handsets expected to contribute hundreds of millions of users. With the abandonment of the smartphone market, Microsoft acknowledged that it wouldn't hit the user target on the original timeline.
The importance of that number was part of Microsoft's sales pitch to developers: the large potential market was intended to motivate developers to develop UWP applications that could run on desktops, tablets, phones, and Xboxes. While UWP still has benefits (for developers it provides an easier to use, more modern framework; for end-users, it gives easier and safer installation and updating), the reduced market reach and omission of the smartphone form factor has arguably diminished its appeal.
The company said it had reached 500 million users at its Build conference last year, increasing that to 600 million six months later in November. This new total of 700 million has been in the cards for some time, with the company saying that it was close to that many users back in May as part of the announcement of Terry Myerson's departure.
Even at this slower rate of growth, there's plenty of room yet for Windows 10 to eventually hit that one billion threshold. Net Marketshare estimates that Windows 10 is on about 43 percent of Windows machines to 45 percent using Windows 7; StatCounter puts the proportions at 48 percent Windows 10 and 39 percent Windows 7. Either way, there's opportunity for a near doubling of the user count as corporations continue to migrate away from Windows 7. This migration should start to pick up as Windows 7 approaches its end of support in 2020.
=================================================================
Wave VSC 2.0 still has a very sizable Windows 7 market to sell into given that Wave uniquely (VSC) can serve company/government computer fleets that have Windows 7, 8 and 10. With Microsoft extending its support to Windows 7 for another 3 years, the rate of Windows 10 conversion, they won the 2FA competition with a large global company and given Wave VSC 2.0 product features, it would seem that there would be a lot of companies/governments wanting to sign up for Wave VSC 2.0 (3 OSs for one 2FA platform).
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Chegg to reset passwords for 40 million users after April 2018 hack
https://www.zdnet.com/article/chegg-to-reset-passwords-for-40-million-users-after-april-2018-hack/
Chegg says it discovered the hack last week and that hackers didn't access financial or SSN data
Chegg, a US-based education technology company based in Santa Clara, plans to reset passwords for over 40 million users following the discovery of a security incident dating back to this year's spring.
The company reported the hack in an 8-K form [1, 2] filed with the Securities and Exchange Commission (SEC) yesterday.
Chegg said it discovered the hack a week ago, on September 19, but that the intrusion dates back to April 29.
"An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib," said Chegg in its SEC filing.
An investigation is currently ongoing. Chegg said the hacker(s) "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com passwords.
The company said account passwords were protected by a hashing algorithm and were not stored in cleartext, albeit it did not mention which hashing algorithm. This is important as many of these algorithms can be broken and the passwords reverted to their plaintext forms.
Chegg said hacker(s) did not gain access to Social Security numbers nor financial information, such as payment card or bank account numbers.
The ed tech company said it plans to reset passwords and notify its userbase, estimated at over 40 million.
Phil Hill, an ed tech consultant who first spotted the SEC form, confirmed that Chegg had not yet started the notification process today, a day after the 8-K filing.
"I get that the company needs to notify the SEC, being a publicly traded company, but they certainly are not notifying the public very well. Seems focus is on guidance for stock price, not transparency," said Hill.
Tech news site TechCrunch first broke the story, noting that Chegg's stock price went down 10 percent after news of the hack hit Wall Street.
Chegg was founded in 2005 and is largely known for its online tutoring and textbook rentals services offered through the chegg.com portal.
==================================================================
Wave VSC 2.0 and Wave ERAS could have prevented this unfortunate incident from happening. imo. An 'unauthorized party' would not have been allowed to get on the company network to access the database with Wave VSC 2.0 and Wave ERAS and thus this event wouldn't have occurred. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Uber to pay $148 million to states for 2016 data breach
https://www.cyberscoop.com/uber-data-breach-settlement-148-million/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=77649020&utm_medium=social&utm_source=twitter
Ridehailing company Uber will pay $148 million across all 50 states and Washington, D.C., as part of a settlement stemming from a data breach that revealed sensitive information on 57 million of the company’s users.
The breach took place in October 2016 and revealed names, email addresses, phone numbers and U.S. driver’s license numbers. The company paid the hackers $100,000 to stay quiet and delete the data.
Several attorneys general released statements after the settlement was announced, with each state getting a varying amount.
“Uber completely disregarded Illinois’ breach notification law when it waited more than a year to alert people to a serious data breach,” said Illinois Attorney General Lisa Madigan. “While Uber is now taking the appropriate steps to protect the data of its drivers in Illinois and across the country, the company’s initial response was unacceptable. Companies cannot hide when they break the law.”
“Uber violated Pennsylvania law by failing to put our residents on timely notice of this data breach,” Pennsylvania Attorney General Josh Shapiro said. “Instead of notifying impacted consumers of the breach within a reasonable amount of time, Uber hid the incident for over a year – and actually paid the hackers to delete the data and keep quiet. That is outrageous corporate misconduct, and today’s settlement holds them accountable and requires real changes in their corporate behavior.”
The data breach caused a firestorm around the company when it was announced last November. The company ultimately fired its then-chief security officer, Joe Sullivan, and his deputy, Craig Clark, for their roles in keeping the hack from the public for more than a year.
“I’m pleased that we’ve reached an agreement with the attorneys general of all 50 states and the District of Columbia to resolve their legal inquiries on this matter,” Uber Chief Legal Officer wrote in a blog post. “We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose. We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
=================================================================
It's obvious that Wave VSC 2.0 and ERAS could have been a much more cost effective and better solution for Uber to keep the hackers from penetrating their network and obtaining that sensitive information. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Bug? Feature? Power users baffled as BitLocker update switch-off continues
https://www.theregister.co.uk/2018/09/25/bitlocker_suspension_patching_mystery/
Microsoft claims issue confined to older kit
Three months on, users continue to report that Microsoft's BitLocker disk encryption technology turns itself off during security updates.
The problem, which has prompted much head-scratching in security circles, was raised by power user "kingcr" on Microsoft's technet forums back in June as part of an ongoing discussion.
He reported at the time that BitLocker automatically suspended itself the first time a machine logged in after a security patch was applied and following a restart of his Windows 10 machine.
A couple of factors may be at play. One contributor to the discussion claimed that feature upgrades – unlike regular cumulative updates – had always suspended BitLocker. Since the release of Windows 10 v1803 in early May it has been possible, in certain circumstances, to let BitLocker run unimpeded even when feature updates are applied. This facility only works "when TPM [Trusted Platform Module] is the only protector (no password, no USB-key, no PIN)".
The original poster told the thread his machine had been suspending BitLocker even during cumulative updates, adding that he reckoned the PC was clear of scripts that might explain the odd behaviour. "kingcr" managed to replicate the odd behaviour even after a clean install on the same machine.
Others said they had encountered the same issue.
This was a worry because "BitLocker should 'never' suspend itself without explicit interactive permission from the administrator," as one contributor put it.
The protection offered by the technology is rendered irrelevant otherwise, some argued.
The glitch isn't remotely exploitable but is still a means for hackers with physical access to a computer to snaffle encryption keys, although only around the application of security updates.
Security experts quizzed by El Reg have noticed the BitLocker suspension snafu.
Sean Sullivan, a security advisor at F-Secure, told El Reg: "Automated BIOS/firmware updates recently required my laptop's BitLocker to disable itself. Haven't heard about it doing so in any other scenario, though."
Computer forensic expert David Cowen confirmed what several power users were reporting on the thread. "Updates put the volume in clearkey mode for one reboot."
Cowen blogged about the issue from a computer forensics perspective back in July.
BitLocker is Microsoft's full disk encryption technology and has been bundled with Windows since the days of Vista. Means and ways around the tech are of constant interest to hackers of various stripes.
So is what's happening expected behaviour or a glitch?
Microsoft said it was working on the issue.
Jeff Jones, senior director at Microsoft, said: "On older devices without a Trusted Platform Module, Bitlocker may be temporarily suspended during some updates. Protection resumes after the machine is restarted."
=================================================================
Companies should upgrade their BitLocker FDE computers (or at least the older ones) to SED computers with TPMs managed by Wave because of the problems in this article. imo.
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
No vendor lock-in
SED technology was created and standardized by a consortium of the best in the infosec industry, a standards body called the Trusted Computing Group (TCG). This means you can buy your drives wherever you want, from whatever vendor you want—any SED built to the TCG’s Opal specification can be managed by Wave.
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Pick your platform
Wave SED management is available via the cloud or on-premise servers. Ask us for more details about which platform is right for your deployment.
Key Features:
Easy security compliance
• Active monitoring, logging and reporting of all user and device events
Data protection
• Local changes are prohibited
• Drive locking is supported in sleep or standby (S3) modes
• Manage clients inside or outside the firewall and on non-domain machines
Simplicity
• Everything is automatically encrypted—users don’t have to identify which data is sensitive
• Windows password synchronization and single sign-on
• Add or remove users remotely
• MMC snap-in is familiar and easy—less administrator training
• Role management allows delegation of tasks with customized or predefined roles.
No compromises
• Encryption is completely transparent to your users—they won’t even notice it's there
• Customizable pre-boot message at authentication screen
Microsoft Deletes Passwords for Azure Active Directory Applications
https://www.darkreading.com/cloud/microsoft-deletes-passwords-for-azure-active-directory-applications/d/d-id/1332880
At Ignite 2018, security took center stage as Microsoft rolled out new security services and promised an end to passwords for online apps.
It's looking like a password-less future for Microsoft, which will soon give users the option to eliminate passwords for applications by using Azure Active Directory (AD) for authentication.
This was one of many security announcements coming from Microsoft Ignite 2018, taking place this week in Orlando. In addition to password-free authentication, the company is rolling out its new Threat Protection Service and offering Azure Confidential Computing in preview.
Microsoft already lets Azure AD-connected apps authenticate via Microsoft Authenticator, an app it launched in 2016 to combine passwords with one-time codes for two-step verification. Now, users can avoid the password option entirely: the app serves as one form of verification, and a biometric authenticator (fingerprint or facial scan) or PIN serves as the second.
Rob Lefferts, Microsoft's corporate vice president of security, says the move to password-less authentication for Azure AD applications marks "a critical milestone" for both companies and their employees, who are targeted with increasingly subtle and complex phishing attacks.
"Social engineering is a play for end users," he said in an interview with Dark Reading. "So many of the threats and attacks we see on a day-to-day basis are designed to trick users into giving away their credentials."
Most users don't employ strong passwords, so multi-factor authentication is becoming mainstream as companies buckle down on security: SMS and email codes, hardware tokens, and authenticator applications are all widely accepted forms of MFA. For users who view MFA as a burden, Microsoft is aiming to provide the security of MFA while keeping the process simple, Lefferts explains.
"It's not just about more security; it's also about making end users feel more effective," he says. An easier MFA experience gives attackers fewer opportunities to trick people into doing the wrong thing. Employees who want to sign into Microsoft Authenticator will be redirected to its mobile app, where they can authenticate with a biometric factor, he explains.
To gauge the effectiveness of their security policies, businesses can use the newly expanded Microsoft Secure Score, which acts as an "enterprise-class dynamic report card" for security, Lefferts wrote in a blog post on today's news. A company's score serves as a simple metric of how well they're doing security-wise, he notes.
Secure Score already covered features in Office 365 and Windows; now, it will cover all of Microsoft 365 and hybrid cloud workloads in Azure Security Center. Scores are evaluated by integrating signals from Azure AD, Enterprise Mobility and Security, and other services, and bringing the data into one place. Factors are weighted differently based on importance, says Lefferts. At the top of the list are known good practices like enabling MFA for all users.
Microsoft Threat Protection, another service announced today, is designed to detect, investigate, and remediate threats across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. The idea is to pull together a unified vision of the "cacophony of alerts" that security operations teams handle daily, says Lefferts, and make it easier to spot anomalies they need to investigate.
Threat Protection's dashboard organizes data on active incidents and the users and devices at greatest risk to security threats. The information is organized according to which threats are most imminent, and problems are sorted into "resolved incidents" as admins address them.
Azure Confidential Computing, a platform that lets developers build cloud applications and store data in a trusted execution environment, is now available in preview mode. With data in an enclave, cloud computing ensures data and operations can't be viewed from the outside. If an attacker tries to manipulate the code, Azure denies the operations and disables the environment. An Early Access program for the service went live in September 2017.
"As organizations move to cloud computing, one of the most important things we can do is make sure data is protected in all stages of its lifecycle," says Lefferts. This includes data at rest and in transit, both of which are protected by Azure Confidential Computing.
=================================================================
Wave VSC 2.0 is apparently ahead of its time and could be ahead of Windows Hello after reading this article. Wave VSC 2.0 is the whole package rather than two systems! imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Security data reveals worldwide malicious login attempts are on the rise
https://www.helpnetsecurity.com/2018/09/21/worldwide-malicious-login-attempts/
According to the Akamai 2018 State of the Internet / Security Credential Stuffing Attacks report, worldwide malicious login attempts are on the rise.
Akamai detected approximately 3.2 billion malicious logins per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 – a monthly average increase of 30 percent. In total, from the beginning of November 2017 through the end of June 2018, researcher analysis shows more than 30 billion malicious login attempts during the eight-month period.
Malicious login attempts result from credential stuffing, where hackers systematically use botnets to try stolen login information across the web. They target login pages for banks and retailers on the premise that many customers use the same login credentials for multiple services and accounts. Credential stuffing can cost organizations millions to tens of millions of dollars in fraud losses annually, according to the Ponemon Institute’s “The Cost of Credential Stuffing” report.
“One of the world’s largest financial services companies was experiencing over 8,000 account takeovers per month, which led to more than $100,000 per day in direct fraud-related losses. The company turned to Akamai to put behavioral-based bot detections in front of every consumer login endpoint and immediately saw a drastic reduction in account takeovers to just one to three per month and fraud-related losses down to only $1,000 to $2,000 per day,” said Akamai’s VP of Web Security, Josh Shaul.
Combating credential stuffing attempts
In addition, the State of the Internet report details two instances where Akamai combatted credential stuffing attempts for clients, demonstrating the severity of the method.
In the first case, the report recounts the issues faced by a Fortune 500 financial services institution where attackers used a botnet to conduct 8.5 million malicious login attempts within 48 hours against a site that typically only sees seven million login attempts in a week. More than 20,000 devices were involved in this botnet, which was capable of sending hundreds of requests a minute. Researchers identified that nearly one-third of the traffic in this particular attack was generated from Vietnam and the United States.
The second real-world example from the report illustrates a “low and slow” type of attack identified at a credit union earlier this year. This financial institution saw a large spike in malicious login attempts, which ultimately revealed a trio of botnets targeting its site. While a particularly noisy botnet caught their attention, the discovery of a botnet that had been very slowly and methodically trying to break in created a much bigger concern.
“Our research shows that the people carrying out credential stuffing attacks are continuously evolving their arsenal. They vary their methodologies, from noisier, volume-based attacks, through stealth-like ‘low and slow’-style attacks,” said Martin McKeay, Senior Security Advocate at Akamai and Lead Author of the State of the Internet / Security report. “It’s especially alarming when we see multiple attacks simultaneously affecting a single target. Without specific expertise and tools needed to defend against these blended, multi-headed campaigns, organizations can easily miss some of the most dangerous credential attacks.”
==================================================================
This article is another reason for companies and governments to use Wave VSC 2.0. The article below shows Wave VSC 2.0 winning the competition in a large market. Wave Knowd if taken out of retirement could help those that do not have an enterprise two factor authentication or use BYOD with their respective companies. imo.
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wins competitive evaluation against market leader in two-factor authentication tokens.
Lee, MA - December 17, 2015 -
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
==================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
DOD previews new cyber strategy
https://defensesystems.com/articles/2018/09/19/dod-cyber-strategy-williams.aspx
The Defense Department's newly released cyber strategy draws attention to election meddling, infrastructure protection and greater reliance on commercial technology to get ahead of the curve.
A summary of the DOD's cyber strategy released Sept. 18 boasted an assertive stance on election meddling and attribution, calling out cyber "challenges to [U.S.] democratic processes" as a means for Russia, China, North Korea and Iran to inflict damage without engaging in armed conflict.
However, the Pentagon remained firm in its infrastructure protection role. DOD will partner with the private sector and other agencies on improved information sharing "to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences," the document indicated.
"We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict," the department wrote. "We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages."
To meet that goal, the Defense Department said it will establish a talent management program that uses individual and team competitions to select talented cyber specialists who will go on to solve DOD's toughest cyber problems.
Reinforcing cyberspace norms for state actors was also included in the strategy. DOD wrote that it would support and promote the non-binding, voluntary principles created by the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security at the United Nations, which prohibit civilian critical infrastructure damage during peacetime. DOD also said it would "develop and implement cyber confidence building measures."
The Pentagon's strategy also highlighted increased reliance on commercial, off-the-shelf products and services to stay abreast of advanced technology.
"We will identify opportunities to procure scalable services, such as cloud storage and scalable computing power, to ensure that our systems keep pace with commercial information technology and can scale when necessary to match changing requirements," the document stated.
To imbue its entire workforce with a basic fluency in cybersecurity, the strategy announced DOD would hold all personnel and private-sector partners accountable for their cybersecurity choices and practices.
=================================================================
Some excellent choices:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-self-encrypting-drive-management
==============================================================
If someone like the ex-CEOs could point out to the DOD again the many disruptive and powerful advantages they would have after using Wave's products, the DOD could be armed defensively with cybersecurity that keeps them from having to go offensive. imo. So far the current defensive posture doesn't reduce that risk strongly enough.
Cyber crooks try to divert direct-deposit paychecks into their accounts, FBI warns
https://www.coloradoan.com/story/money/columnist/tompor/2018/09/22/direct-deposit-paycheck-scam-cyberscam/1361583002/
Hackers are now out to reroute the direct deposit of your paycheck into accounts controlled by the cyber crooks.
So, take a little extra time to verify that your paycheck hit your bank account. And beware of any official-looking emails related to company surveys, too.
According to the latest alert from the FBI, cybercriminals have been targeting online payroll accounts at school districts, universities, hospitals and commercial airway transportation.
Yet scammers have been known to target all types of businesses using all types of payroll providers, according to a report last year in PYMTS.com.
In some cases, employers discover the payroll-related scam only when employees start complaining that they did not receive their money via direct deposit.
The FBI reportedly has observed an increase of such scams. In 2017, the FBI and the Internet Crime Complaint Center identified about 17 payroll-related scam cases.
As of July, though, about 47 payroll diversion cases — with losses totaling $1 million — had been reported.
The scam starts out with a phishing email that aims to trick someone into handing over an employee's login credentials. Scammers will use social engineering to make emails look real, and they might appear to come from an address similar to a legitimate company account.
The credentials can then be used to access the employee's payroll account in order to change the direct deposit. The crooks typically have that money directly deposited onto prepaid cards.
The crooks then use the prepaid bank cards to receive cash withdrawals from ATM machines. Or they may make purchases at gas stations, grocery stores, retail stores, fast food restaurants and wireless phone carrier providers.
Atlanta Public Schools, for example, had to reissue 27 paychecks last year after cyber thieves engineered a payroll attack, according to a report in the Atlanta Journal-Constitution. Scammers stole about $56,000 in payroll.
The FBI is warning employers to alert their staff about such schemes. Employees should not supply log-in credentials or personally identifying information in response to any email.
Some other tips:
• Log-in credentials used for payroll should be different from those used for other purposes, such as employee surveys.
• Companies should be on the lookout for employee log-ins that take place outside of normal business hours.
• Employers should direct employees to forward any suspicious requests for personal information to the information technology or human resources department.
We've warned in the past that scammers had been spoofing emails to pretend to be the CEO or some other top executive at the company and demanding a long list of W-2 files via PDF format. Immediately.
Beware phishing emails, calls
The Internal Revenue Service issued an alert a few years ago to payroll and human resources professionals warning them to think twice about responding so quickly to the boss. Some of that information could be used to file fake tax returns to generate fraudulent tax refunds.
But this latest development is another warning on how we all have to once again watch out for phishing emails that could unleash information to be used to divert paychecks to crooks.
Sometimes, according to payroll experts, this phishing email may request that an employee answer a brief survey and hit "confirm." The problem is that the employee is then directed to enter their credentials in an online form to confirm their identity.
Authorities also noted that in some cases, cyber crooks might pick up the phone to call the employee resource hotline, provide the employee ID number and the last four digits of the Social Security number to reset a password, as part of the process to redirect the direct deposit.
No doubt, plenty of paychecks continue to be directly deposited into accounts without any problems. But the latest warning gives us reason not to take too much for granted any longer.
=================================================================
In an ideal World 'Knowd' could be bundled with Wave VSC 2.0 as part of Wave's gold security package! Company employees would have their credentials protected on authorized devices with Wave VSC 2.0 as well as their 'direct-deposit' security protected by Knowd for those on BYOD devices. imo.
================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Open banking is coming to the U.S.: How secure will it be?
https://www.csoonline.com/article/3305940/identity-management/open-banking-is-coming-to-the-us-how-secure-will-it-be.html#tk.twt_cso
To protect customer data, open banking regulations in the U.S. must have teeth and enforcement.
The open banking trend continues around the world, and most recently, the U.S. has taken another step towards adopting the policy. On July 31, the U.S. Department of Treasury published a detailed report, titled A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation, that will likely serve as the catalyst for open banking in the United States.
The Department of Treasury places the U.S. on a growing list of nations that are modernizing their financial systems, including the UK, the European Union, South Korea, Singapore, Australia, Canada, and Japan. Traditional banks are modernizing through open banking and digital transformation to acquire and retain customers and remain competitive.
What is open banking?
As defined in Wikipedia, open banking includes the use of an open application programming interface (API) that enables third parties to develop and build applications and services around a financial institution. Open banking also provides account owners with additional financial transparency options, including open data and private data using open source technology.
Open banking promises to unlock innovation that will profoundly improve the banking experience and introduce new financial services. For example, third-party fintechs can provide applications that enable consumers to consult multiple bank accounts from a single application, or apps that make it easier for businesses to share data with their accountants.
Open banking and the identity ecosystem
Just hours after the Treasury published the report, the Office of the Comptroller of the Currency (OCC) announced that technology firms can apply for special-purpose fintech charters. The new entrants to the national banking system will be required by the OCC to follow the same standards governing all national banks.
Open banking is coming to the U.S. It’s just a matter of when.
Open banking is certainly more convenient for consumers and financial services firms, but it must be implemented securely. Echoing the Obama-era National Strategy for Trusted Identities in Cyberspace (NSTIC), the Treasury encourages financial institutions to “work on digital identity by enhancing public-private partnerships that facilitate the adoption of trustworthy digital legal identity products and services, and supporting efforts to fully implement the U.S. government federated digital identity system.”
The NSTIC vision was to create an identity ecosystem that could secure electronic commerce and combat online identity theft. The ecosystem was to be led by the private sector with support and guidance from the National Institute of Standards and Technology (NIST). NSTIC gave birth to the Identity Ecosystem Steering Group (IDESG) which developed a very detailed framework for trusted identities. The framework and all assets of IDESG were recently merged into the Kantara Initiative. [For full disclosure, I am a Director of the IDESG, and I hope policy makers review the Framework as they shape open banking.]
Digital identity products in open banking
In their report, the Treasury adds:
“Digital identity products and services hold promise for improving the trustworthiness, security, privacy, and convenience of identifying individuals and entities, thereby strengthening the processes critical to the movement of funds, goods, and data as the global economy races deeper into the digital age. Digital identity systems also have the potential to generate cost savings and efficiencies for financial services firms. For instance, trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.”
Digital onboarding is a foundational modernization component. The Treasury’s report and OCC’s announcement follow the passage of the Economic Growth, Regulatory Relief, and Consumer Protections Act (a.k.a. the Dodd Frank repeal). The lengthy law lightens regulations including a provision to permit the scan of a driver’s license or personal identification card to open an account with a financial institution or obtain a financial product or service from a financial institution. It also eliminates paper and permits a bank to store or retain such information in any electronic format. [Disclosure: My employer, OneSpan, provides digital onboarding solutions.]
Following the OCC’s announcement, the American Bankers Association, the Independent Community Bankers of America, Credit Union National Association, and the National Association of Federal Credit Unions sent a letter to the U.S. House of Representatives Subcommittee on Digital Commerce and Consumer Protection. That letter included a statement that reads:
“Any legislation enacted into law must ensure that all entities that handle consumers’ sensitive financial data have in place a robust – yet flexible and scalable – process to protect data, which must be coupled with effective oversight and enforcement procedures to ensure accountability and compliance. This is an important step to limit the onslaught of breaches and reduce risks to consumers and the significant costs imposed on our members from breaches. This standard should apply to all entities that handle sensitive personal and financial data in order to provide meaningful and consistent protection for consumers nationwide.”
PSD2 and strong customer authentication
The EU’s revised Payment Services Directive (PSD2) includes Regulatory Technical Standards on strong customer authentication and secure communication. These are key to achieving PSD2’s objective of enhancing consumer protection, promoting innovation, and improving the security of payment services across the European Union. Fintechs, banks, and other financial services firms have spent considerable time, effort, and resources in preparing to comply with the strong customer authentication and secure communication requirements, which go into effect on September 14, 2019.
These requirements, coupled with the modernization of the U.S. financial system through open banking, will enable fintechs, banks, and other financial services firms doing business in the U.S. to leverage some of the processes and technologies being deployed in Europe. This will expedite the Treasury’s vision.
Echoing the aforementioned associations, it is imperative that consumers’ personally identifiable information, including financial data, be protected. Of course, saying it is one thing; implementing it is another.
The Treasury’s report notes that “trustworthy digital identity systems could improve customer identification and verification for onboarding and authorizing account access, general risk management, and antifraud measures.” Like in the EU, open banking regulations in the U.S. must have teeth and enforcement. Personally, I would like to see the U.S. require all parties accessing this data undergo an identity verification process and have their identity bound to a unique and trusted digital authenticator. That most assuredly does not mean authentication by usernames and passwords, but via multi-factor authentication. Applications and communications between devices and servers must be through secure channels. Failure to do so should subject parties to severe penalties.
As a consumer, I am looking forward to secure, open banking. Given the constant wave of cyber-attacks and breaches, I do hope policymakers peek across the pond and require strong customer authentication along the lines detailed in PSD2.
==================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services
Lee, MA -
May 9, 2013 -
Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.
“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”
To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.
“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”
Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.
“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”
ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.
Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?
Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.
Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.
Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.
Unwiped Drives and Servers from NCIX Retailer for Sale on Craigslist
https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-from-ncix-retailer-for-sale-on-craigslist/
Servers and storage disks filled with millions of unencrypted confidential records of employees, customers and business partners of computer retailer NCIX turned up for sale via a Craigslist advertisement.
Up until December 1, 2017, when it filed for bankruptcy, NCIX was a privately-held company in Canada in the business of selling computer hardware and software. It competed with Amazon and Newegg but its focus on walk-in outlets rather than online sales brought the company down.
NCIX abandoned company computers in a warehouse
Security consultant Travis Doering of Privacy Fly decided to act on a selling offer on Craigslist that promised two NCIX database servers for CAD 1,500, but he later found that the seller, identified as Jeff, actually had "NCIX’s entire server farm from the east coast."
The retailer's merchandise was auctioned earlier this year, but corporate computers were abandoned by NCIX in a warehouse in Richmond, British Columbia, when they couldn't pay CAD 150,000 in rent.
Jeff told Doering that he was a former systems administrator for a Richmond-based telecommunications company and was helping NCIX's former landlord recover some of the money.
Many people erroneously believe that the Jeff selling the NCIX databases is the company's CEO Jeff Chiang. In a reply on Reddit, Doering clearly says that the person he met most likely used an alias and he was definitely not Jeff Chiang.
Server equipment and 109 unwiped disk drives
At least one data collection covers 15 years of orders in multiple database backup versions, Doering says.
One he's analyzed includes 3,848,000 order details between 2007 and 2010, with names, company names, items purchased and their serial numbers, addresses, phone numbers, and payment data. In an updated version he found corresponding email addresses.
In his examination of the storage drives as a potential buyer, Doering saw customer service inquiries containing full payment card details in plain text belonging to 258,000 users in the United States and Canada.
Additional entries in the database included 385,000 names, serial numbers with dates of purchase, addresses, company names, email addresses, phone numbers, IP addresses, and unsalted MD5 hashed passwords, which are easy to crack with today's computer equipment.
Jeff told Doering that he was in possession of about 300 desktop computers from NCIX corporate offices and retail stores, as well as 18 DELL PowerEdge servers and two SuperMicro servers with StarWind iSCSI software for backup purposes. All included 109 storage units with unwiped data.
One backup image belonging to NCIX's former owner Steve Wu had data going back 13 years, with financial documents, employment letters containing social insurance numbers, and personal data from Wu's personal computer.
An inventory of the data trove Doering analyzed includes credentials, invoices, ID photos, bills, usernames and passwords in clear text and in unsalted MD5 hashes, email addresses, financial documents, social insurance numbers, phone numbers, and full payment card data in clear text.
"Data breaches by external actors are common in today's digital world but what makes this set of data so damaging is that it contains every record NCIX ever held. Including their backup files which had been kept in a segregated air-gapped machine that regardless of skill level no external attacker would have plundered," Doering writes.
Striking a deal for terabytes of data
Jeff offered to sell Doering the desktops and server hardware, including the data on it, for CAD 35,000. This did not include a batch of hard drives with 13TB of SQL databases, though, because someone had already purchased them for CAD 15,000, and received remote access to the data.
The seller later disclosed that at least five other buyers, some of them involved in businesses Jeff "did not want to know" about, bought access to the data, and then proposed that Doering copy the information from all the hard drives for CAD 15,000.
"This scenario would play out with my employer paying fifteen thousand dollars to “Rent the Room” and he would provide me with a couple of desks and some servers to image all the data onto my own drives," Doering details.
It is possible that other potential buyers received the same offer, so the data may be in the possession of more individuals than Jeff cared to mention.
==================================================================
Using traditional disk erasure techniques can be painful from a usability standpoint and on the pocket book. Planning ahead and using Wave SED management can alleviate the pain for companies when it comes time to erase these drives. There are many other great features to Wave's SED management which are below.
==================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Enterprises choose Wave to manage SEDs
Why? From our single console, you can manage all your organization’s self-encrypting drives (SEDs) easily and remotely, whether they number in the hundreds, or hundreds of thousands.
SEDs are the most secure, best-performing and most transparent encryption option for protecting data on laptops. These drives automatically encrypt all data written to the drive, so you don’t have to decide what’s important enough to encrypt. They also perform this encryption in the hardware of the drive, so you don’t end up with the performance issues software full-disk encryption is infamous for. SEDs are available as HDD or SSD, and are sold by most major drive manufacturers.
Wave’s management solution delivers remote drive initialization, user management, drive locking, user recovery and crypto-erase for all Opal-based, proprietary and solid-state SEDs.
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
No vendor lock-in
SED technology was created and standardized by a consortium of the best in the infosec industry, a standards body called the Trusted Computing Group (TCG). This means you can buy your drives wherever you want, from whatever vendor you want—any SED built to the TCG’s Opal specification can be managed by Wave.
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2.
Pick your platform
Wave SED management is available via the cloud or on-premise servers. Ask us for more details about which platform is right for your deployment.
Key Features:
Easy security compliance
• Active monitoring, logging and reporting of all user and device events
Data protection
• Local changes are prohibited
• Drive locking is supported in sleep or standby (S3) modes
• Manage clients inside or outside the firewall and on non-domain machines
Simplicity
• Everything is automatically encrypted—users don’t have to identify which data is sensitive
• Windows password synchronization and single sign-on
• Add or remove users remotely
• MMC snap-in is familiar and easy—less administrator training
• Role management allows delegation of tasks with customized or predefined roles.
No compromises
• Encryption is completely transparent to your users—they won’t even notice it's there
• Customizable pre-boot message at authentication screen
Cyber defence: We'll hack back at attackers, says US
https://www.zdnet.com/article/cyber-defence-well-hack-back-at-attackers-says-us/
The Pentagon says that the US military must take on attacks before they reach its networks.
The military must be prepared to disrupt hacking attacks before they reach US computer networks, according to a new strategic vision from the Pentagon.
The Department of Defence (DoD) has updated its cyber strategy for the first time since 2015, advocating a more aggressive approach than the previous document.
Perhaps most controversially, under the new strategy the US should be ready to "defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict".
The DoD said this meant "confronting threats before they reach US networks". This is a bold but potentially risky strategy, as it's often hard to attribute attacks -- especially when they are launched from computer systems that have themselves been compromised, in order to mask the attackers' true identity and location. And threatening to take action against hackers may also increase the chances of other states taking similar action against probing attacks.
The DoD said its objectives for cyberspace include "deterring, pre-empting, or defeating malicious cyber activity targeting US critical infrastructure that is likely to cause a significant cyber incident." The Pentagon said it wanted to create a "more lethal" force for both war-fighting and countering malicious cyber actors.
The US has long warned that several countries -- particularly Russia, China, North Korea and Iran -- have used cyber attacks to steal secrets or meddle in its politics, and the new cyber strategy is part of the US government's attempt to deter these attacks.
"China is eroding US military overmatch and the nation's economic vitality by persistently exfiltrating sensitive information from US public and private sector institutions. Russia has used cyber-enabled information operations to influence our population and challenge our democratic processes. Other actors, such as North Korea and Iran, have similarly employed malicious cyber activities to harm U.S. citizens and threaten U.S. interests," the cyber strategy said.
Of course, the US also uses the internet to spy on its rivals, as the new strategy notes: "We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict."
But the US has struggled to find the right response to the ongoing attacks on its networks, particularly as many take place in a legal grey area below the level of an attack that would provoke a traditional armed response.
Attacks like the election meddling by Russia have been effective, but the US has not found an effective deterrent. It has tried naming-and-shaming the attackers, sanctions and even indictments of hackers, all to little avail. Threatening to target cyber threats before they are launched is yet another escalation of US cyber deterrence in the aftermath of Russia's meddling in the run-up to the 2016 Presidential election.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
The use of Wave's products, particularly Wave ERAS and Wave VSC 2.0, could have a profoundly positive effect on how certain countries of the world deal with one another in cyberspace!
Microsoft releases list of features being removed from Windows 10 October Update
https://www.theinquirer.net/inquirer/news/3063107/microsoft-releases-list-of-features-being-removed-from-windows-10-october-2018-update
It's not nearly as bad as it looks
MICROSOFT HAS released a list of features that are being moved, redeployed or removed altogether from the next version of Windows, due next month.
The October 2018 Update which will start being rolled out in… well, you get the idea, sees a couple of stalwart features replaced by new ones. These include Snipping Tool, which is to be replaced by a bolstered "Sketch and Clip" app, accessible by using Ctrl+S, and Hologram which is being upgraded to the new "Mixed Reality App".
Phone Companion, a specific app for letting Microsoft control your phone is going, with the functionality now folded into the main operating system. This will actually offer some significant new functionality including native SMS sync for Android devices, which Microsoft has been heavily supporting since the demise of its own Windows Mobile platform.
There are a number of lesser-known features, including Business Scanning, also heading for the bin. This is largely because, by Microsoft's own admission, no devices on the market actually support it. Font Smoothing has been removed, as Microsoft's ClearType font smoothing is now enabled by default, whilst the Trusted Platform Module management functionality is all being folded into Windows Defender.
Windows Embedded Update Developer updates are no longer to be published through Windows, but have to be manually updated through the Microsoft Update Catalogue.
Under the hood, the OneSync service has been added directly into Outlook (so you'll need an Office subscription, you lucky ducks), while the much-ignored Companion Device APIs are being superseded by the Bluetooth-powered Dynamic Lock, similar to that in Chrome OS, which allows you to keep your device unlocked if it is within Bluetooth range of a phone or other nominated device. That feature has been available for some time.
Let's be honest, none of this is really going to put a crimp in your weekend plans. We were a bit worried at the deprecation of the Snipping Tool, but providing that Sketch and Snip does the same thing and more, we can't really argue.
=================================================================
What if a user wants to use TPM management, but not Windows Defender? If they want to use a different product like Wave Endpoint Monitor instead, maybe they'll go with Wave's ESC to manage the TPM. (WEM per Wave's website is not available on Windows 10, however.)
=================================================================
Wave TPM management needed with these products:
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/wave-endpoint-monitor
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
https://www.darkreading.com/endpoint/nss-labs-files-antitrust-suit-against-symantec-crowdstrike-eset-amtso/d/d-id/1332851?_mc=KJH-Twitter-2018-09
Suit underscores longtime battle between vendors and labs over control of security testing protocols.
Security product testing firm NSS Labs today filed an antitrust lawsuit against cybersecurity vendors CrowdStrike, ESET, and Symantec as well as the Anti-Malware Testing Standards Organization (AMTSO) over a vendor-backed testing protocol.
The lawsuit accuses the three security vendors and the nonprofit AMTSO, of which they and other endpoint security vendors are members, of unfairly allowing their products to be tested only by organizations that comply with AMTSO's testing protocol standard. NSS Labs, which also is a member of AMTSO, earlier this year voted against adoption of the standard and says it has no plans to comply with it.
A majority of AMTSO members voted in favor of the standard in May of this year, and most plan to adopt the protocol.
Friction between security vendors and independent testing labs is nothing new. Vendors and labs traditionally have had an uneasy and sometimes contentious relationship over control of the testing process and parameters. NSS Labs' suit appears to represent an escalation of that age-old conflict, security experts say.
NSS Labs is calling foul in its lawsuit: "NSS Labs has suffered antitrust injury as a result of the acts herein alleged because it is the direct and principal target of the concerted refusal to deal/group boycott" any testing organizations that don't adopt AMTSO's testing standard, the lawsuit says.
In an interview with Dark Reading, Jason Brvenik, chief technology officer at NSS Labs, said the AMTSO standard falls short. "Our fundamental focus is that if a product is good enough to sell, it's good enough to test," and NSS Labs shouldn't be forced to comply with AMTSO's standard, he says. "It should be an independent test."
Brvenik says the AMTSO standard does not support independent testing. "It's driven by vendors to create a picture of capabilities that are not true," for example, he says. "The standard is more like guidelines to interact with than a standard, and it doesn't make things better for products" or the way they are tested, he says.
According to the NSS Labs suit, other vendors that spoke out against the adoption of AMTSO's standards included AV-Comparatives, AV-Test, and SKD Labs. None of those vendors are named as parties in NSS Labs' case. Efforts to reach AV-Test, AV-Comparatives, and SKD Labs were unsuccessful as of this posting.
CrowdStrike declined to comment on the NSS Labs suit but said in a statement: "CrowdStrike supports independent and ethical testing — including public testing — for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE and you can find information on that testing here. We applaud AMTSO's efforts to promote clear, consistent, and transparent testing standards."
ESET said it had not been officially contacted about the suit, but that it refutes the allegations. "We are aware of the allegations stated in the blog post from NSS Labs, however, we have yet to receive official legal communication. As legal proceedings appear to have been initiated, we are unable to say more at this time, beyond the statement that we categorically deny the allegations," an ESET spokesperson said. "Our customers should be reassured that ESET’s products have been rigorously tested by many independent third-party reviewers around the world, received numerous awards for their level of protection of end users over many years, and are widely praised by industry-leading specialists."
Symantec would not comment on the case, and efforts to reach AMTSO were unsuccessful as of this posting.
In a blog post earlier this month, AMTSO president Dennis Batchelder wrote that the protocol is a voluntary framework for testing anti-malware software "fairly and transparently."
For enterprises, there aren't many options for vetting security software. Most don't have the resources to perform their own in-house testing of security products, so they rely on consulting firms' recommendations, third-party testing organizations — or the claims of their vendor.
Jon Oltsik, senior principal analyst with consulting firm Enterprise Strategy Group, says he's seen enterprises struggle with the testing dilemma. "Customers don't know how to test the efficacy of next-generation endpoint security products," he says. "No one trusts vendors to test their own product."
The concept of a vetted product testing standard is a "very good idea," says Oltsik, who notes that he has not specifically studied AMTSO's protocol.
Bottom Line
NSS Labs meantime argues that the AMTSO and its standard are anti-competitive. "They claim to try to improve testing but what they're actually doing is actively preventing unbiased testing. Further, vendors are openly exerting control and collectively boycotting testing organizations that don't comply with their AMTSO standards — even going so far as to block the independent purchase and testing of their products," Vikram Phatak, CEO of NSS Labs wrote in a blog post today announcing the suit.
Meanwhile, NSS Labs claims in its lawsuit that AMTSO's efforts have hurt its bottom line. "NSS Labs has lost sales and profits from the sale and license of its public testing reports, including its AEP Group Test reports, because it cannot charge customers who purchase reports that do not include all market participants as much as it could charge for reports that included all market participants."
=================================================================
Wave Endpoint Monitor = better antimalware product. imo.
=================================================================
https://www.wavesys.com/products/wave-endpoint-monitor
This Windows file may be secretly hoarding your passwords and emails
https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/
A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.
If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years.
This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature that automatically translates stylus/touchscreen scribbles into formatted text.
The handwriting to formatted text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years.
The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.
"In my testing, population of WaitList.dat commences after you begin using handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on."
"Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.
Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text.
"The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet.
"On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added.
Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.
"If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file," he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.
The technique and the existence of this file have been one of the best-kept secrets in the world of DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery got little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that may arise from this file's existence on a computer.
But last month, Skeggs tweeted about an interesting scenario. For example, if an attacker has access to a system or has infected that system with malware, and he needs to collect passwords that have not been stored inside browser databases or password manager vaults, WaitList.dat provides an alternative method of recovering a large number of passwords in one quick swoop.
Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can easily grab the WaitList.dat and search for passwords using simple PowerShell commands.
Skeggs has not contacted Microsoft about his findings, as he, himself, recognized that this was a part of an intended functionality in the Windows OS, and not a vulnerability.
This file is not dangerous unless users enable the handwriting recognition feature, and even in those scenarios, unless a threat actor compromises the user's system, either through malware or via physical access.
While this may not be an actual security issue, users focused on their data privacy should be aware that by using the handwriting recognition feature, they may be inadvertently creating a giant database of all the text-based files found on their systems in one central location.
According to Skeggs, the default location of this file is at:
C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat
Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable the "Personalised Handwriting Recognition" feature in their operating system's settings panel.
Back in 2016, Skeggs also released two apps for analyzing and extracting details about the text harvested in WaitList.dat files.
=================================================================
Another great reason for companies/governments to use Wave VSC 2.0. The SED and BitLocker could help with the encryption of sensitive data and Wave's SED and BitLocker management could help companies/governments with this critical situation. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-self-encrypting-drive-management
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Decrease expenses with virtual smart cards
You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.
If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.
Wave's is the only management to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1
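A defender-side inventory of the WaitList.dat file described in the ZDNet article above, as an added example that is not part of the original post, the article, or Skeggs's tools. It walks a Users directory (live system or mounted disk image), reports per profile whether the file exists at the location the article gives, and records only size and timestamp without reading the contents; function names and the demo profiles are constructed. It goes slightly beyond the article by matching path components case-insensitively, so it also works on an image mounted on a case-sensitive filesystem.

```python
import os
import tempfile
from datetime import datetime, timezone

# Per-profile location of the file, as given in the article.
REL_PARTS = ("AppData", "Local", "Microsoft", "InputPersonalization",
             "TextHarvester", "WaitList.dat")


def _child_ci(parent, name):
    """Return the path of the entry in `parent` matching `name`, ignoring case.

    Windows path lookups ignore case, but a disk image mounted on Linux may
    not, so the on-disk spelling can differ from the documented one.
    PermissionError is deliberately not caught here (see audit_profiles).
    """
    try:
        with os.scandir(parent) as entries:
            for entry in entries:
                if entry.name.lower() == name.lower():
                    return entry.path
    except (FileNotFoundError, NotADirectoryError):
        pass
    return None


def find_waitlist(profile_dir):
    """Return the full path to WaitList.dat under one profile, or None."""
    path = profile_dir
    for part in REL_PARTS:
        path = _child_ci(path, part)
        if path is None:
            return None
    return path if os.path.isfile(path) else None


def audit_profiles(users_root):
    """Return one row per profile: present, absent or unreadable."""
    with os.scandir(users_root) as entries:
        profiles = sorted((e.name, e.path) for e in entries
                          if e.is_dir(follow_symlinks=False))
    report = []
    for name, path in profiles:
        row = {"profile": name, "status": "absent"}
        try:
            hit = find_waitlist(path)
            if hit:
                st = os.stat(hit)
                modified = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                row.update(status="present", path=hit,
                           size_bytes=st.st_size,
                           modified_utc=modified.isoformat())
        except PermissionError:
            # Do not report "absent" for a profile we could not inspect.
            row["status"] = "unreadable"
        report.append(row)
    return report


def build_demo_tree(root):
    """Create constructed sample profiles (placeholder bytes, no real data)."""
    documented = os.path.join(root, "alice", *REL_PARTS)
    os.makedirs(os.path.dirname(documented))
    with open(documented, "wb") as fh:
        fh.write(b"\x00" * 2048)
    # Same location, different letter case, as may be seen on a mounted image.
    lowered = os.path.join(root, "bob", *(p.lower() for p in REL_PARTS))
    os.makedirs(os.path.dirname(lowered))
    with open(lowered, "wb") as fh:
        fh.write(b"\x00" * 512)
    # Profile that never enabled the feature: no TextHarvester directory.
    os.makedirs(os.path.join(root, "carol", "AppData", "Local"))
    return root


def demo():
    """Run the audit over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profiles(build_demo_tree(tmp))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real host, call `audit_profiles(r"C:\Users")` from an elevated session so that other users' profiles are not reported as unreadable.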
The Art of (Cyber) War: How Adversarial Thinking Strengthens Cybersecurity
https://www.securityweek.com/art-cyber-war-how-adversarial-thinking-strengthens-cybersecurity
Cybersecurity is unique compared to most other business operations, even most IT operations. Unlike marketing or network management—both of which tackle difficult and ever-changing challenges in the business operating environment—cybersecurity pits defenders against intelligent, creative and deliberate opponents.
Hackers are aware that they are actively hunted and thwarted at every step between target scoping and data breach. That means they are applying the full brunt of their ingenuity and technical expertise to avoid cybersecurity defenses as they pursue their goal.
Even though this struggle takes place in cyberspace, the lessons from real battlegrounds retain their relevance and significance. In the ancient military strategy text, Art of War, Sun Tzu makes the point “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
Cybersecurity teams need to adopt an adversarial mindset that allows them to tackle the unique challenges of the cyberspace. This involves clearly understanding what their enemies are capable of and preparing an appropriate response.
Communication and visibility
The most valuable weapon on the battlefield is information about your team and their current state as well as your enemy. “If ignorant both of your enemy and yourself, you are certain to be in peril.” This holds true in reverse as well. Hackers want to know as much about your networks as they possibly can.
The first step in a targeted cyber-attack is recon. By scanning public facing systems, hackers can learn a great deal about an organization’s IT infrastructure, including potential vulnerabilities. Once they have made their way onto the system, a hacker’s first priority is to establish a persistent connection that allows them to maintain visibility into the network they have infiltrated.
As a result, the first priority of a cybersecurity team needs to be cutting off communication between their systems and hackers. This is especially true for botnets or cryptojacking malware in which the main benefit to hackers relies on sustained, two-way connections to the infected devices to leverage their computing power for DDoS attacks or mining cryptocurrency.
It is also important for cybersecurity teams to have visibility into their networks to understand what normal behavior is and what could be driven by hackers. It is easy for hackers to slip onto networks through unmonitored open ports or by infecting third-party devices that have access to internal networks if cybersecurity teams are watching them closely. By developing a strong understanding of the digital assets connected to the corporate network, cybersecurity teams can better protect themselves against threats targeting devices that are not regularly monitored.
At a higher level, cybersecurity teams need to know the current state of cyberspace, i.e. the latest malware, vulnerabilities and exploits in use by hackers so that they can better protect their systems. Monitoring and installing security patches to the systems they use on a regular basis significantly improves their defenses against these threats. They can also ensure that their malware defenses recognize and stop malware if they are consistently checking for new developments. This is easily achieved by monitoring new research from respected threat research teams or by joining an information sharing group that monitors threats relevant to that team’s industry.
Implement elite training
Cybersecurity skills are a constantly moving target that require continuous training. Hackers have a lot of bots at their disposal and a lot more IT appliance features they can exploit. Cybersecurity is a multidisciplinary field requiring comprehensive knowledge of computer networks and systems, understanding the differences in IT/security architectures, and, of course, people and social engineering. It is a profession that requires continuous updates and training against the latest tools and techniques.
Militaristic philosophies of train, train, train against realistic opponents are necessary. “Victory usually goes to the army who has better trained officers and men.” By providing exposure to realistic situations that can arise during a cyber-attack, organizations can better prepare their cybersecurity teams to face whatever hackers throw their way, no matter what their previous experience level. Allowing your IT teams to play the roles of attackers and defenders also provides perspective. Red teaming with a multi-layered attack simulation that measures how people, networks, applications and physical security controls can withstand an attack from a real-life adversary is a must. But, it is equally, if not more, important for teams to practice in real-world environments which can be difficult to do.
There is a growing offering in the industry called “Cyber Ranges” that can simulate internet-scale environments to develop elite cybersecurity teams by imitating attacks on IT infrastructures. In these environments, cybersecurity teams can test their defenses against the latest hacker techniques and mimic successful breaches as case studies.
Cybersecurity is a rapidly-moving and evolving field, but the challenges it presents are not insurmountable. By taking some time to understand the enemy and how they work, cybersecurity teams stand a better chance of stopping them. “The supreme art of war is to subdue the enemy without fighting.”
================================================================
Wave keeps hackers from getting on the company/government network! See the links and highlights below for an explanation to 'subdue the enemy without fighting'.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Air Force mulls cyber RCO
https://fcw.com/articles/2018/09/17/usaf-cyber-rco-williams.aspx
The Air Force is considering launching a cyber rapid capabilities office, Air Force Cyber Commander Gen. Robert Skinner said during the Air Force Association's Air, Space, Cyber conference on Sept. 17.
The Air Force is "really pushing" for rapid cyber acquisition capabilities in line with the branch's existing rapid capabilities office and the one being stood up under its Space Command, Skinner said during a panel on cyber operations in a multi-domain environment.
"We have an Air Force RCO, we also have a space RCO that's just being stood up at Kirtland Air Force Base," Skinner said. "We're also looking at a cyber RCO and how do we leverage the DNA that is in the AF RCO, and Space RCO to tackle the cyber challenges from a rapid capabilities standpoint."
Updating the Air Force's acquisition strategy to be quicker and more agile -- especially through utilizing small businesses -- was a consistent theme throughout day one of the conference.
Brig. Gen. David Gaedecke, the director for the Air Force's Cyberspace Operations and Warfighting Integration and CIO for the Information Dominance office, pointed to the development of the Aeronet as an example of quickly fielding new capabilities.
"Aeronet is essentially taking a radio with a smartphone and some other components and being able to share information with any of our partners" on an open system and works with light-attack aircraft network.
Gaedecke said the commercial capability materialized in a matter of months, proving that things can be developed and fielded quickly.
"We know how to do this, we know how to be quick, we know how to take innovation and bring it to the field quickly," he said.
Valerie Muck, director of the Air Force's small business programs, said 20 percent of the Air Force's eligible dollars went to small businesses in fiscal 2018, totaling about $11 billion. That was partly due to 55 awarded contracts in as many days as the result of a collaborative effort with the Air Force Research Laboratory and Small Business Innovation Research, she said during an acquisitions panel.
But the Air Force is looking to increase that number. Muck also highlighted the need to consider small businesses for subcontracting opportunities while Darlene Costello, the Air Force's principal deputy assistant secretary for acquisition, pushed for looser past performance requirements in contracts, quick contracting such as other transaction authorities for fixed amounts and using small businesses over prime companies for quick innovative work.
To get there, however, the Air Force may have to rethink how it treats acquisition programs, said Lt Gen John F. Thompson, commander of the Air Force Space Command's Space and Missile Systems Center.
"We are program of record happy," said Thompson, who said the Air Force's Space Enterprise Consortium will far exceed its initial $100 million funding cap by year's end, reaching nearly $200 million in contracts awarded each under 90 days. "We have to get away from that addiction" by prototyping multiple capabilities to meet the same requirement on smaller scales and early on for large programs of record, which the Air Force Space Command is already doing.
================================================================
https://www.wavesys.com/ could be very useful information to the U.S. Air Force.
RDP Ports Prove Hot Commodities on the Dark Web
https://www.darkreading.com/endpoint/rdp-ports-prove-hot-commodities-on-the-dark-web/d/d-id/1332830?_mc=KJH-Twitter-2018-09
Remote desktop protocol access continues to thrive in underground markets, primarily to hackers who lack expertise to find exposed ports themselves.
Security trends come and go, but the sale of Remote Desktop Protocol (RDP) ports continues to thrive on the Dark Web as malicious hackers seek easier means of gaining access to corporate networks.
RDP is a Microsoft protocol and client interface used on several platforms including Windows, where it has been a native OS feature since Windows XP. Most of the time, RDP is used for legitimate remote administration: when companies outsource IT, or remote admins have to access a colleague's machine, they most commonly use RDP to connect to it.
But the same technologies that enable administrators to access remote machines can give hackers the keys they need to break into, move around, and steal data from enterprise targets.
"It really goes with the entire story of this growing crime-as-a-service market," says Ed Cabrera, chief cybersecurity officer at Trend Micro. The buying and selling of RDP credentials - like any other credentials bought and sold on the criminal underground - has evolved from one-stop shop transactional forums to a decentralized, specialized marketplace, he says. Attackers can buy RDP credentials in bulk or they can seek out data they need to target specific industries.
There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, cryptocurrency mining among them) and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.
Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.
"Knockoff versions of some popular tools proliferate as well once the original developers decide to no longer support their tools," write Flashpoint's Luke Rodeheffer, cybercrime intelligence analyst, and Mike Mimoso, editorial director, in a blog post on the topic. The tools continue to generate interest on Dark Web forums, primarily Russian-speaking marketplaces, according to Flashpoint.
How much will attackers spend on these credentials? It depends what they're looking for. Earlier this year, researchers on the McAfee Advanced Research Team found RDP access for a major international airport was being sold via Russian RDP shop UAS for the low price of $10. However, actors may pay more for access to specific sectors and/or high-value targets.
Chet Wisniewski, principal research scientist in Sophos' Office of the CTO, says the quantities of RDP ports available on the Dark Web have kept prices low, "almost identical to what we see with stolen credit cards," he says. "Same with RDP, there are tens of thousands of open RDP systems across the Internet."
So You Have RDP Credentials. Now What?
Once they have RDP credentials, an attacker can use their access to launch several attacks. Stolen usernames and passwords mark the initial attack vector in just about every cyberattack, Cabrera says, noting they help start phishing campaigns, ransomware, and data breaches. RDP access helps attackers target server infrastructure directly.
"If I get access to a server, to RDP, I can just launch the Web browser that's built in and download anything and everything I want to build on that system," says Wisniewski. It doesn't take an advanced attacker to abuse RDP; as he puts it, "even the dumbest criminal" can do a reasonable amount of damage.
Once they're inside, attackers typically target the passwords of admin accounts to maximize their system access. They might download and install low-level system tweaking software and use it to disable or reconfigure anti-malware software on the machine, Sophos researchers explained in a post on RDP and ransomware distribution. They may also turn off database services to leave files vulnerable, or upload and run their choice of ransomware.
"If it's handy for a system administrator, it's handy for a hacker," Wisniewski adds. If you have remote control software facing the Internet, any attacker can find and abuse it.
However, advanced attackers can do more damage with the same level of access.
Hotter Targets, Higher Prices
Less skilled attackers are more likely to purchase bulk RDP access on the Dark Web, Wisniewski adds, because they lack expertise to find open ports. Skilled hackers are more likely to seek out and purchase credentials to high-value targets; for example, defense contractors.
"It's not only identifying and selling in bulk," says Cabrera. "I think what's happening with RDP credentials, like other services and commodities, is that the criminals today are becoming a little more sophisticated in what they're looking for." Instead of selling credentials in bulk, they can categorize them and provide guaranteed persistence or system access.
Someone who finds 100 exposed RDP servers can, instead of selling access on a forum for $10 each, figure out who they belong to, says Wisniewski. Low-value credentials sell in bulk for cheap, but high-value targets can go for markedly higher prices – up to tens of thousands of dollars. The high dollar value is limited to adversaries who want that specific access.
Oftentimes high-value targets are sold by attackers who harvested many RDP ports, conducted reconnaissance, and recognized they had something valuable but didn't want to risk exploiting it and facing criminal penalties. Rather than risk jail time, they take their findings to the Dark Web in hopes a more skilled attacker will want to buy it, he continues.
Cybercriminals are serving other criminals and becoming more sophisticated in the offerings they're able to provide, Cabrera explains. Not every criminal enterprise is the same, and those that provide the best services and commodities will continue to grow. "It is incredibly valuable for [RDP] to be sold in the criminal underground," he says.
How to Stay Safe: Get Offline
"The way you know it's been compromised is it's on the Internet at all," says Wisniewski. Under no circumstances should RDP ports be exposed online, and they should always go through a VPN and be protected with multi-factor authentication.
"That's table stakes for 2018," he continues. "If it's on the Internet, someone's going to make money with it."
He advises companies to lock down their servers so they have fewer capabilities if and when they are compromised. Make sure any system that is exposed, or available via VPN, is locked down so it can't access critical systems. Most organizations are smart enough to be scanning their own network interfaces to ensure they're offline, he says.
Breaching networks and servers via RDP ports remains of great interest to cybercriminals, according to Flashpoint, and there is a clear trend toward automating the process of detecting exposed RDP targets and brute-forcing access. The company recommends using complex passwords for RDP instances and avoiding relying on default or weak credentials.
"Flashpoint assesses with high confidence that cybercriminals will likely continue to use such automated technology to obtain illicit RDP access, breach servers, and remove traces of their activity," Flashpoint's blog says. Flashpoint predicts "with moderate confidence" that the potential for RDP access tools in cryptomining will drive their popularity among criminals.
=================================================================
Another item (illicit RDP access) that Wave VSC 2.0 protects against and another reason to purchase Wave VSC 2.0. imo.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications
more at link above -
Altaba Announces Class Action Settlement of $47m
https://www.infosecurity-magazine.com/news/altaba-announces-class-action/?utm_source=dlvr.it&utm_medium=twitter
In a letter addressed to its shareholders, Altaba Inc. (formerly Yahoo!) announced that it has sold the remaining shares of Yahoo Japan and that it has reached a settlement agreement in the class action lawsuit related to the 2014 Yahoo data breach.
In March of this year, as a result of the massive breaches that occurred between 2013 and 2016 at Yahoo, US District Judge Lucy Koh in San Jose, California, denied Verizon's attempts to dismiss claims of Yahoo's negligence and breach of contract, according to Reuters.
The legal woes resulting from the class action suit have today come to a close. “We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach,” Thomas J. McInerney, CEO at Altaba Inc., wrote.
“We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases. Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”
The settlement announcement comes 10 days after the plaintiffs and defendants engaged in a second day of mediation with Honorable Daniel Weinstein. As part of the agreement, the court has 45 days to approve the terms of the settlement.
“In the meantime, the parties to this action jointly and respectfully request the Court stay this litigation in its entirety to allow the parties to focus their efforts entirely on finalizing the settlement and to avoid any unnecessary waste of judicial resources,” John Yanchunis of Morgan & Morgan, lead counsel for the plaintiffs, and Ann Marie Mortimer of Hunton Andrews Kurth, LLP, attorney for the defendants, wrote in a September 14 filing.
Shareholders were also informed that company proceeds will be used to repurchase stock, according to McInerney. He wrote, “Today we are announcing a new share repurchase authorization of $5.75 billion.”
=================================================================
Another reason for companies and governments to purchase Wave VSC 2.0 and help them protect from breaches like the one that happened to Yahoo and others.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Survey: Nearly one-third of breached companies reported job losses after data breach
https://www.scmagazine.com/home/news/survey-nearly-one-third-of-breached-companies-reported-job-losses-after-data-breach/
Nearly one-third of surveyed companies that experienced a data breach in the previous 12 months said the incident cost certain employees their jobs.
Conducted by Kaspersky Lab last March and April, the “Global Corporate IT Security Risks Survey” elicited responses from 5,878 businesses across 29 countries. Among this data set, 1,062 small-to-medium-sized businesses and 863 enterprises acknowledged suffering at least one data breach at some point in their history. As a consequence of these breaches, 325 SMBs (31 percent) and 267 enterprises (also 31 percent) had to lay off staff.
When such incidents occurred, senior IT security staffers were most commonly the ones given the pink slip, with 36 percent of SMBs and 45 percent of enterprises letting these employees go. The next most frequently fired employees were senior IT executives (33% of SMBs, 37% of enterprises) and senior non-IT staffers (29% of SMBs, 27% of enterprises).
Even C-level executives were not immune either, with 15 percent of SMBs and 24 percent of large enterprises dismissing these high-ranking officers following data loss. Such firings were most common in North America, where 32 percent of breaches resulted in a CEO, president or similar corporate leader getting the boot.
The survey exposed additional ramifications as well: 45 percent of SMBs and 47 percent of enterprises had to pay compensation to affected customers, while 27 percent of SMBs and 31 percent of enterprises were forced to pay penalties or fines. Additionally, more than a third of all breached businesses reported difficulties acquiring new customers following their respective incidents.
And the risk for further penalties could be even greater, considering that 61 percent of respondents said that next year they anticipate an increase in volume of sensitive customer data.
Additionally, 31 percent said they currently store data that is protected by the European Union’s strict GDPR regulations — and yet only 27 percent of this contingent said they have fully met GDPR’s requirements.
“While a data breach is devastating to a business as a whole, it can also have a very personal impact on people’s lives — whether they are customers or failed employees — so this is a reminder that cybersecurity has real-life implications and is in fact everyone’s concern,” said Dmitry Aleshin, VP of product marketing, Kaspersky Lab, in a company press release. “With data now traveling on devices and via the cloud, and with regulations like GDPR becoming enforceable, it’s vital that businesses pay even closer attention to their data protection strategies.”
=================================================================
More reason to use Wave VSC 2.0 (Better security at less than half the cost). Current employees on the C-level and in the IT department may want to read the press release below before they choose or continue with a given 2FA solution.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
=================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
https://www.wavesys.com/buzz/pr/wave-announces-5-year-master-license-agreement-virtual-smart-card-20-leading-global
Wins competitive evaluation against market leader in two-factor authentication tokens.
Lee, MA - December 17, 2015 - Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
Phished credentials caused twice as many breaches than malware in the past year
Personal device use for remote work poses the biggest security risk to organisations safeguarding their increasingly mobile and cloud-based IT environment, according to a new survey of 100 UK-based senior IT security professionals.
Conducted from March to May by Rant, the survey found 58 percent of respondents believe that network access from non-corporate and personally-owned devices such as laptops, desktops or mobile phones is the highest risk in managing remote users, among other findings.
Remote work on the rise
75 percent of respondents reported that their users now connect remotely to work applications at least 25 percent of the time. While this remote work trend has created unmatched flexibility and has helped organizations attract top talent globally, it has introduced a major predicament for IT and security teams.
“Enterprise mobility is one of the biggest IT security challenges and personal devices are a massive blind spot,” said Richard Archdeacon, Advisory CISO at Duo Security. “If you don’t know what’s connecting to the network, how can you protect data from being compromised? What’s clear from this survey is that decision makers still don’t feel comfortable with the sea of devices entering the workplace.”
When it comes to different groups of remote workers, nearly half of all security professionals (48 percent) ranked external suppliers and service providers as the most risky, compared to internal employees such as the C-suite, sales and field support workers.
This data is underlined by several recent high profile security breaches that originated from third-party suppliers. According to Forrester’s 2017 Global Business Technographics Security Survey, 41 percent of breaches in the past 12 months were incidents within the organization or involved business partners/third-party suppliers.
Phishing: The leading cause of breaches
The findings also reveal the extent to which phishing attacks targeting user credentials continue to dominate as the primary source of security breaches, underscoring the need for robust policies around device health and user authentication.
When asked about the biggest security incident in the last 12 months that resulted in unauthorised access to corporate applications, nearly half of respondents reported phishing as the cause. The findings reveal:
• Phishing resulted in twice as many breaches as malware (48 percent compared to 22 percent)
• Phishing resulted in more breaches than malware and unpatched systems combined (48 percent compared to 41 percent).
“Outdated devices are particularly vulnerable to being compromised, which can easily spiral into a full-blown, major breach,” Archdeacon added. “Organisations don’t necessarily need to block individuals from using their personal devices, but they do need to re-shape their security models to fit these evolving working practices.”
Operating on a basis of zero trust, where the user’s identity and device health are checked and verified every time they access an application, helps to minimise the security risks inherent in any Bring Your Own Device (BYOD) culture.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
=================================================================
Wave Systems Security Solution for Windows 8 Tablets Eliminates Need for Passwords on Enterprise Systems
https://www.wavesys.com/buzz/news/wave-systems-security-solution-windows-8-tablets-eliminates-need-passwords-enterprise-syst
================================================================
Why an old technology gives Windows 8 tablets a huge security edge
https://www.wavesys.com/buzz/news/why-old-technology-gives-windows-8-tablets-huge-security-edge
=================================================================
Does Windows 8 Surface Pro's security credentials signal the decline of MDM?
https://www.wavesys.com/buzz/news/does-windows-8-surface-pros-security-credentials-signal-decline-mdm
Data breaches affect stock performance in the long run, study finds
https://www.zdnet.com/article/data-breaches-affect-stock-performance-in-the-long-run-study-finds/
Study finds that stocks from 28 companies that suffered large breaches had underperformed on the stock market.
A multi-year study on the stock price evolution for breached companies reveals that data breaches have a long-term impact on a company's stock price, even if it's somewhat minimal.
The study, carried out by the research team behind the CompariTech web portal, looked only at companies listed on the New York Stock Exchange (NYSE) that suffered and publicly disclosed breaches of one million records and over in the past three years.
In total, the list included 28 companies, such as Apple, Adobe, Anthem, Community Health Systems, Dun & Bradstreet, eBay, Equifax, Experian, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone, and Yahoo.
"In the long term, breached companies underperformed the market," the CompariTech team concluded in their report.
"After 1 year, Share price grew 8.53% on average, but underperformed the NASDAQ by -3.7%. After 2 years, average share price rose 17.78%, but underperformed the NASDAQ by -11.35%. And after three years, average share price is up by 28.71% but down against the NASDAQ by -15.58%."
Study authors noted that the impact of data breaches likely diminished over time, but the damage was still visible in the stock's NASDAQ performance indicator even after three years, in some cases.
Although other factors also weighed into how a stock performed, the fact that all of the analyzed breached companies had a poor performance cannot be ignored.
Experts say that companies usually suffered the worst hit, with stock prices hitting their lowest point, 14 market days following a breach when share prices fell 2.89% on average, and underperformed the NASDAQ by -4.6%.
In most cases, share prices rebounded with NASDAQ performance indicators after one month, started performing even better than before the breach, but later started falling in the long run.
CompariTech said finance and payment companies saw the largest drop in share price performance, while the healthcare sector was the least affected.
Another observation was that breaches that leaked highly sensitive information like credit card and social security numbers saw the larger drops in share price performance on average when compared to breaches where financial data was not included.
This is the second iteration of this particular CompariTech study, with a previous version being published last year, in 2017.
=================================================================
Wave VSC 2.0 could save companies, their boards, and shareholders a lot of headaches and a lot of money in being able to help prevent these breaches.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Files With 42 Million Emails and Passwords Found On Free Hosting Service
https://www.bleepingcomputer.com/news/security/files-with-42-million-emails-and-passwords-found-on-free-hosting-service/
A huge database with email addresses, passwords in clear text, and partial credit card data has been uploaded to a free, public hosting service.
The operator of the sharing service sent the set to Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, to compare it and check whether it was the result of an unknown data breach.
Most likely intended for credential stuffing
Based on the format of the data, Hunt thinks the lists are most likely intended for credential stuffing attacks, which combine into a single list cracked passwords and email addresses and run them automatically against various online services to hijack the user accounts that match them.
Credential stuffing attacks take advantage of the fact that users, for convenience, are likely to reuse credentials on multiple websites.
"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before. (Later, after loading the entire data set, that figure went up to 93%.)," Hunt writes in a blog post (https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/) today.
The security researcher was able to determine that over 91% of the passwords in the dataset were already available in the Have I Been Pwned collection. You can query the service for yours here (https://haveibeenpwned.com/Passwords).
Hunt says that filenames in the collection do not point to a particular source because there is no single pattern for the breaches they appeared in.
For years, security researchers have advised users to kick the habit of recycling passwords, specifically to avoid credential stuffing attacks.
Cybercriminals trade credential databases on a daily basis, not just on the dark web, but on publicly accessible forums, too. They rely on automated processes for cracking the passwords and test them against online services.
Using a password manager that can generate strong unique passwords for every site you visit and turning on two-factor authentication (where possible) are good measures against this type of attack.
=================================================================
All it takes is one employee's credentials (from a list such as this) to break into a company network. Why not use a two factor authentication product like Wave VSC 2.0 instead of a 2FA product like RSA SecurID, which has had demonstrated holes in it?
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
*Actual number may vary. Contact us today to receive more details and a free quote
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases
  - Virtual Private Network (VPN)
  - Local logon
  - Remote logon
  - Remote desktop access
  - Intranet/Extranet
  - Cloud applications
Almost 'all modern computers' affected by cold boot attack, researchers warn
https://www.cnet.com/news/almost-all-modern-computers-affected-by-cold-boot-attack-researchers-warn/
Security researchers have discovered a flaw with nearly all modern computers that allows potential hackers to steal sensitive information from your locked devices.
The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement Thursday. Cold boot attacks can steal data on a computer's RAM, where sensitive information is briefly stored after a forced reboot.
These attacks have been known since 2008, and most computers today have a safety measure where it removes the data stored on RAM to prevent hackers from stealing sensitive information. It's also not a common threat for the average person, since both access to the computer and special tools -- like a program on a USB stick -- are needed to carry out the attack.
But Segerdahl and researchers from F-Secure said they've found a way to disable that safety measure and extract data using cold boot attacks.
"It takes some extra steps compared to the classic cold boot attack, but it's effective against all the modern laptops we've tested," he said in a statement.
There's no immediate fix available for the new vulnerability, F-Secure said. The cybersecurity company recommends that you configure your laptops to automatically shut down or hibernate instead of having them enter sleep mode when you close your screen.
The company said it's contacted Microsoft, Intel and Apple about its discovery. Intel didn't respond to a request for comment.
"This technique requires physical access. To protect sensitive info, at a minimum, we recommend using a device with a discrete Trusted Platform Module (TPM), disabling sleep/hibernation and configuring BitLocker with a Personal Identification Number (PIN)," Jeff Jones, a senior director at Microsoft, said in a statement.
Microsoft told ZDNet that it's updating its BitLocker guidance, while Apple said all devices using a T2 chip aren't affected.
F-Secure's researchers presented their findings at a conference in Sweden on Thursday, and are set to present it again at Microsoft's security conference on Sept. 27.
=================================================================
With Microsoft's recommendation to configure BitLocker with the TPM, SEDs with the TPM can't be far behind. imo. This should be a selling point for Wave and its management of at a minimum BitLocker and probably SEDs. imo.
=================================================================
https://www.wavesys.com/products/wave-self-encrypting-drive-management
No SEDs yet? No problem.
If your organization hasn’t yet deployed SEDs, you can skip the process of retro-fitting and simply incorporate SEDs on all new laptops as part of your regular refresh cycle. In the meantime, the same Wave console can manage BitLocker and SEDs, so you can protect the devices you have now with BitLocker and add those with SEDs as they are deployed. And if you’re using Wave’s cloud platform, you can also support OSX FileVault2
-more information at the link above
AT&T, Sprint, T-Mobile and Verizon Unveil First-Look at Future of Mobile Authentication
https://www.marketwatch.com/press-release/att-sprint-t-mobile-and-verizon-unveil-first-look-at-future-of-mobile-authentication-2018-09-12
LOS ANGELES, Sept. 12, 2018 /PRNewswire/ -- The Mobile Authentication Taskforce, comprised of AT&T, Sprint, T-Mobile and Verizon, gives a first look at its authentication solution that is less dependent on passwords to secure user accounts. The demo of the taskforce's solution debuts today at Mobile World Congress Americas 2018.
Developed collaboratively by the four largest U.S. wireless carriers, the prototype reveals the taskforce's approach to multi-factor authentication, which combines the carriers' proprietary, network-based authentication capabilities with other methods to verify a user's identity. Once the user signs up and provides consent, the solution then generates a device-based ID that serves as the user profile at the center of the authentication process.
"This initiative expands upon our global operator initiative, Mobile Connect, to bring standardized authentication and identity services to the US market," said Alex Sinclair, Chief Technology Officer, GSMA. "The solution aims to deliver a seamless experience for service providers from many sectors, helping to drive rapid adoption and scale."
The demo features three test apps for Mobile World Congress Americas attendees to experience at the GSMA Innovation City. The authentication solution demo showcases the experience within mock-up banking, photo and social media apps. The three-day show is taking place in Los Angeles from Sept. 12-14, 2018.
Addressing user authentication-related risks could help safeguard consumers from attacks designed to acquire login credentials and mobile phone numbers for use in fraudulent schemes such as phishing and social engineering. It could also help provide businesses and consumers with extra layers of protection from identity theft, bank fraud, fraudulent purchases and data theft.
In conjunction with the prototype's unveiling, the taskforce also launched a website to engage and onboard developers at https://mobileauthtaskforce.com. Additionally, the four carriers are exploring opportunities to offer other products that could use this authentication technology.
For more information and guidance on joining the taskforce's community of developers, please visit https://mobileauthtaskforce.com. Experience a demonstration of the prototype at GSMA's Innovation City at The Los Angeles Convention Center, South Hall, S1346.
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords
https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords
Lee, MA - May 9, 2013 - Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.
“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”
To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.
“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”
Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.
“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”
ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.
Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?
Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.
Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.
Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.
================================================================
The authentication in the first article was a prototype and reveals that Wave Knowd could be a good alternative that was tested under NSTIC. Wave Knowd (in retirement) works with all a user's devices. In other words, one platform for the user. Companies could prefer the 'Trust Score' over the authentication technology in this Alliance. Wave is ahead of its time and its Knowd solution appeared to be far ahead of the solution in the first article. imo. It would be nice if it was taken out of retirement.
Tech Giants Call on Governments to Invest in Defensive, Not Offensive, Cyber Tech
https://www.meritalk.com/articles/tech-giants-call-on-governments-to-invest-in-defensive-not-offensive-cyber-tech/
Tech giants including Microsoft, Facebook, Oracle, Cisco, Dell, and VMware are calling on the United States and other governments to invest in defensive, rather than offensive, cyber technologies.
The Cybersecurity Tech Accord–which represents a public commitment among more than 40 global companies to protect and empower civilians online and to improve the security, stability, and resilience of cyberspace–wrote on its website yesterday that “governments should optimize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information.”
The signatories stressed that cybersecurity is the new battlefield, but that it is unlike any battlefield from the past and must be treated differently.
“To create a cyberweapon, governments and sophisticated threat attackers exploit unintentional weaknesses or ‘vulnerabilities’ found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses,” the signatories wrote. “The damaging effects of the resulting cyberweapons–especially when mishandled–can extend far beyond an intended target, potentially impacting millions of innocent users around the world.”
While many countries are beginning to acquire and develop offensive cybersecurity weapons, the Cybersecurity Tech Accord cautions that this approach may bring more harms than benefits, and cautions against stockpiling known cyber vulnerabilities.
“While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world,” the letter said.
The U.S. government earned praise in the letter for publicly releasing significant portions of its Vulnerability Equities Process (VEP) at the end of last year. The VEP shares when and how the U.S. government will choose to disclose cyber vulnerabilities that it discovers or purchases.
“The 2017 update enhanced the transparency of the process, in part by identifying the respective departments and agencies represented on the vulnerability review committee (a mix of intelligence and civilian agencies), the criteria used for determining whether to disclose a vulnerability, and the mechanism for handling disagreements within the committee,” the letter said.
The Cybersecurity Tech Accord raised concerns over whether other nations have their own VEPs in place, saying the “number of VEPs around the world is even more difficult to ascertain, with the United States being one of the few governments willing to openly discuss its process.” According to the letter, it is rumored that other countries have similar frameworks in place and a few more will likely adopt them soon. However, the Accord stressed the importance of transparency and public-private collaboration in developing a framework.
The Accord encouraged all countries to develop their own version of the VEP framework, saying that countries should operate with a “presumption of private disclosure over the retention of vulnerabilities.” When it comes to developing the framework, the letter said the principles underpinning this process should:
• “Presume disclosure as the starting point;
• Clearly consider the impact on the computing ecosystem if the vulnerability is released publicly and the costs associated with cleanup and mitigation;
• Clearly define the process of making a disclosure decision and identify the stakeholders at the departmental level, ensuring that stakeholders represent not only national security and law enforcement but also economic, consumer, and diplomatic interests;
• Make public the criteria used in determining whether to disclose a vulnerability or not. In addition to assessing the relevance of the vulnerability to national security, these criteria should also consider threat and impact, impact on international partners, and commercial concerns;
• Mandate that all government-held vulnerabilities, irrespective of where or how they have been identified, go through an evaluation process leading to a decision to disclose or retain it;
• Prohibit any vulnerability non-disclosure agreements between governments and contractors, resellers, or security researchers and limit any other exceptions, e.g., for sensitive issues;
• Prohibit use of contractors or other third parties as a means of circumventing the disclosure process;
• Ensure any decision to retain a vulnerability is subject to a six-month review;
• Establish oversight through an independent body within the government with an annual public report on the body’s activities;
• Expand funding for defensive vulnerability discovery and research;
• Ensure disclosure procedures are in line with coordinated vulnerability disclosure, an industry best practice; and
• Ensure that any retained vulnerabilities are secure from theft (or loss).”
“The signatories of the Tech Accord have always believed that protecting the public interest in cyberspace requires robust collaboration between the government and private sectors,” the letter concludes. “When the government approach to vulnerabilities favors stockpiling over disclosure, this critical collaboration is weakened, and we risk losing the public’s trust in cyberspace.”
==================================================================
Wave Systems = the cybersecurity solutions that are sorely missed in the defensive cybersecurity offering of the World. (wavesys.com). The World is missing out on security that can protect effectively!
State Department is failing at basic cybersecurity standards, senators say
https://www.cnet.com/news/the-state-department-is-failing-at-basic-cybersecurity-standards-senators/
The agency was told to adopt basic cybersecurity measures. Less than 11 percent of its devices actually did.
Senators want to know why the State Department isn't using basic cybersecurity protections.
In a letter sent to Secretary of State Mike Pompeo on Tuesday, a bipartisan group of five senators called out the department's poor cybersecurity practices.
The agency was required to adopt multifactor authentication for all accounts with "elevated privileges" as part of the Federal Cybersecurity Enhancement Act. An inspection found that only 11 percent of required agency devices actually enabled it, according to the letter.
The State Department has received the letter and is carefully reviewing it, a spokesperson said.
Cybersecurity has become a major concern for government officials as nation-state hackers from countries like North Korea, Russia and Iran set their sights on the US for espionage and cyberattacks. These hacks, which have infiltrated power grids and routers, give spies an opening for future attacks. As these cyberattacks are often politically motivated, it's alarming to the group of senators that the State Department isn't meeting federal cybersecurity standards.
In another investigation, the Department of State's inspector general found that security experts were able to exploit vulnerabilities in the agency's email accounts, as well as its applications and operating systems.
The senators noted that a simple password isn't enough to protect State Department email accounts anymore. Multifactor authentication is a simple security measure that requires two forms of verification -- like a password and a PIN code, for example -- to gain access to an account. Even if hackers steal your password, it'll be harder to hijack an account.
"We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA," the letter says.
The letter was signed by Sen. Ron Wyden, a Democrat from Oregon; Sen. Cory Gardner, a Republican from Colorado; Sen. Ed Markey, a Democrat from Massachusetts; Sen. Rand Paul, a Republican from Kentucky; and Sen. Jeanne Shaheen, a Democrat from New Hampshire.
They're seeking answers from Pompeo on these points, with a deadline of Oct. 12:
1. What actions has the Department of State taken in response to the Office of Management and Budget's designation of the Department of State's cyber readiness as "high risk"?
2. What actions has the department taken to rectify the near total absence of multifactor authentication systems for accounts with elevated privileges accessing the agency's network, as required by federal law?
3. Provide statistics, for each of the past three years, detailing the number of cyberattacks against Department of State systems located abroad and including statistics about both successful and attempted attacks.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
=================================================================
With regard to cyberattacks on the State Department what is below could help the State Dept. in a big way. imo.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
Wave has already had experience with multi factor authentication and the government:
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA - October 2, 2014 - Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
Who is responsible for cyber security in the enterprise?
https://www.information-age.com/responsible-cyber-security-enterprise-123474640/
Uncertainty is widespread across companies over who takes the lead on cyber security, according to Willis Towers Watson
Different organisations place the responsibility of cyber security at the feet of different roles. This depends on the type of organisation, its culture and size.
This idea is confirmed by a Global Economist Intelligence Unit survey, sponsored by Willis Towers Watson, which found that there is a variety of approaches on how leadership implements cyber resiliency across their organisations.
Stronger communication and collaboration is needed across all various cyber security functions and practices, including between the board and the CTO or CISO.
The cyber security responsibility
With the increase of more stringent data regulations – like GDPR and California Consumer Privacy Act – and the widespread media coverage of data breaches, the impetus on cyber security has never been so high. Poor security practice will now inevitably lead to a breach, which will in turn cause financial loss and reputational damage. Corporate heads will also roll.
The problem is that the majority of executives around the world feel they face a “specialist-generalist” dilemma as to who leads on cyber resiliency, according to the survey from Willis Towers Watson. This is because the challenge of security is company-wide, but whoever is in charge of it needs specific, up-to-date cyber training. Are these business-focused, cyber-savvy, “specialist-generalist” individuals in short supply?
Ultimately, there is a huge disparity across organisations as to who should be responsible for cyber security. The survey of over 450 companies found that almost 40% of executives felt that the board should oversee cyber, compared with 24% who felt it should be the role of a specialised cyber committee. This would presumably be overseen by the CTO or CISO. A small portion of respondents surveyed believed it should be the responsibility of audit, risk or some other subgroup.
“When you dig into the details of a breach you will find warnings from the information security team well before the problem is finally exposed,” said Stephen Moore, Chief Security Strategist at Exabeam. “Most of these warnings are ignored. The real question is why is that?”
“It’s often said that security is everyone’s responsibility and academically the CISO has the authority, both are lies. Organisationally, we should worry less about responsibility and more about barriers to success. The responsible owner is the person or team who can best enact the qualified recommendations of the security team. Often the threat isn’t the adversary, it’s the lack of internal support, warnings being buried, and even the fear of outages that creates the conditions for failure.”
“Recommendations should be tied to observable failures to prevent, detect, or disrupt attacks – not things like workbook-based audit findings. The ownership and delivery of cyber security in an organisation must be owned outside of the IT department.”
Tim Brown, VP of Security at SolarWinds MSP, agreed and said that cyber security isn’t the responsibility of one department. Security needs to be built into how a business operates.
“From finance, to HR, to marketing, to operations – everyone needs to be a good cyber steward. It’s really all hands on deck to make sure the entire organisation is adhering to the right protocols, practicing good cyberhygiene, and understanding how their specific job plays into the cyber landscape.”
Cyber security challenge
The main challenge, hindering the decision of who is responsible for cyber security, is a lack of communication within leadership roles.
Alarmingly, or perhaps unfairly, only 8% of executives said that their CISO or equivalent performs above average in communicating the financial, workforce, reputational or personal consequences of cyber threats. At the same time, under 15% of executives gave their CISOs or equivalent a top rating from a scale of one to ten.
“It is no surprise that one of the main challenges companies face when implementing a cyber risk mitigation or resiliency plan is the communication gap between the board and the CISO,” said Anthony Dagostino, global head of cyber risk with Willis Towers Watson.
“Cyber resiliency starts with the board because they understand risk and can help their organizations set the appropriate strategy to effectively mitigate that risk. However, while CISOs are security specialists, most of them still struggle with adequately translating security threats into operational and financial impact to their organisations – which is what boards want to understand.”
“To close this communication gap, CISOs [or CTOs] need tools that can help them quantify and translate the vulnerabilities uncovered from their cybersecurity maturity assessments. These tools enable them to better communicate the risk to the board, seek adequate budget, and enable the board to provide meaningful guidance.”
Cyber security budget
Enterprise security budgets depend on the size of the organisation and the type of industry they are a part of. In general, funds dedicated to security move between 3% and 15% of an IT budget.
“With enterprises, the budget is often shared across many different departments and the budget can be fairly significant depending on their specific needs,” said Brown.
“With affordable and scalable outsourcing options available through today’s managed service providers, security certainly doesn’t have to break the bank to be effective and even smaller businesses can ensure they’re doing these types of basics. Couple that with the idea that security should be viewed as a ubiquitous function of the organisation, and you’ve got a great foundation.”
“The budget allocation depends on your company’s appetite for risk – most companies will be aware of attacks on their business, many will have put estimates of the financial cost to loss of business and reputational damage it can cause,” according to Terry Storrar, Sales Director, End User Sales at MCSA Group.
“Over the last few days British Airways revealed details of a breach and that they are prepared to repay any financial losses incurred by their customers, the cost in financial terms is often dwarfed by the ongoing damage to the company’s reputation. Companies need to have the right level of systems security for their business, a detailed and practiced business recovery plan and a process that kicks into action so that in the event of an attack their business continuity strategy is implemented and minimises the risks to their customers and to their business.”
More budget: Better security?
More budget doesn’t mean better security, according to Moore. “Money alone won’t save a company; the organisational co-operation must match budget, otherwise security maturity and efficacy will not change.”
“If placed within the IT organisation, information security will operate in a conflict of interests. Security requires reactive corrections to flawed environments. Corrections always come at an operational cost, often in the form of an outage. IT works on performance and availability, and cares little for security – especially if it erodes their two favourite metrics – often tied to their bonus dollars.”
How Hackers Compromised 380,000 British Airway Customer Payments
https://gizmodo.com/how-hackers-compromised-380-000-british-airway-customer-1828968523
A British Airways data breach that exposed at least 380,000 card payments was caused by a card-skimming malware that customers were inadvertently exposed to through the airline’s website and mobile app, according to research from security firm RiskIQ.
British Airways announced last week that hackers had breached the company’s system, compromising hundreds of thousands of card payments. The statement, from the airline’s parent company IAG, said the attack on the site and app began on August 21 and was stopped on September 5. The company said passport and travel information were not included in the hack.
A company spokesperson told Gizmodo at the time that a third-party first discovered the concerning activity and alerted British Airways, prompting a response and investigation. RiskIQ told Gizmodo that when it discovered the breach, it shared its findings with FBI and the UK’s National Crime Agency, which then alerted British Airways.
Tuesday morning, RiskIQ released a report on its investigation into the breach. The analysis, written by threat researcher Yonathan Klijnsma, shows that hackers compromised the company’s website and app with a card-skimming malware in late August. After this breach, customers who bought plane tickets online had their credit card information scanned and sent to a fraudulent site operated by a server in Romania. This data included email addresses, names, billing addresses, and bank card information.
Similarities between this breach and the Ticketmaster breach in June led RiskIQ researchers to believe that British Airways was attacked by the same group—Magecart. Since Magecart formed in 2015, the collective has been accused of installing card-skimming malware on thousands of sites. “Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK,” the RiskIQ report reads.
British Airways would not provide comment for Gizmodo on RiskIQ’s report, citing the criminal investigation.
“Magecart had direct access to the [British Airways] server,” Klijnsma told Gizmodo. “While they only performed skimming, it could have possibly gone further with the access they had.”
================================================================
Law firm seeking leak victims to launch £500m suit at British Airways
https://www.theregister.co.uk/2018/09/11/ba_lawsuit/
Prosecutors rub their hands with glee
British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers.
The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app.
However, a group-action suit* led by SPG Law contends BA has not gone far enough and should be paying travellers for the "compensation for inconvenience, distress and annoyance associated with the data leak".
The action points to compensation rights in the European General Data Protection Regulation, which came into effect in May.
SPG Law, the Brit limb of US firm Sanders Phillips Grossman, set up a dedicated micro-site to get victims to sign up to the case.
The firm, which cynics might dismiss as an ambulance chaser, is recruiting participants on a "no win, no fee" basis. It has suggested its offer is the best and most straightforward way passengers might be able to secure up to £1,500 compensation.
SPG Law said it would cap its fees at a maximum of 35 per cent including VAT.
If the case goes to court, SPG Law acknowledged the possibility that the airline may win and might even be awarded legal costs.
"In the event that it is necessary to litigate, we will arrange insurance on behalf of all Claimants who sign up with us," it said. "This will protect you against having to pay BA's costs in the unlikely event that the claim is lost."
British Airways is yet to respond to a request for comment from The Register. ®
Bootnote
*A group-action lawsuit is the English law equivalent of a class-action lawsuit. SPG Law is also "campaigning" to mount a group-action lawsuit over the VW emissions scandal on behalf of affected drivers. The firm is acting just days after the breach was disclosed and before the dust has settled and the facts are known.
=================================================================
If only Wave and Bell ID were being used before this British Airways breach. It seems that this 4-year-old press release has relevance today and the product could save a lot of money for consumers and companies going forward. imo.
=================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud
https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud
Lee, MA - July 31, 2014 - Wave Systems Corp. (NASDAQ: WAVX) announced it is partnering with chip lifecycle management solutions company, Bell ID, to offer a joint solution aimed at reducing online payment fraud. The solution will be marketed primarily to card issuing banks, as well as online merchants, governments, and enterprises worldwide.
Using Bell ID’s Trusted Service Manager and Secure Element in The Cloud (SEiTC) server, alongside Wave’s ERAS for TPM management and Wave’s endpoint identity and monitoring expertise, the combined offering provides robust protection for transactions and stored payments. The companies have executed a letter of intent and anticipate the signing of a definitive agreement in August.
The incident rate of card-not-present (CNP) fraud has been growing steadily over the past several years. According to a recent FICO Banking Analytics Blog, CNP fraud now accounts for close to half of all credit card fraud. Countries that have already adopted the EMV® card specification have seen CNP fraud rates increase. In the United States, CNP fraud is expected to rise significantly over the next eighteen months, as the EMV standard is put into effect. The EMV directive, which implements a global standard for a secure chip-based payment application, will make merchants liable for any fraud resulting from transactions on systems that are not EMV-capable.
“Wave’s robust product portfolio is very complementary to Bell ID’s strongly positioned solution set in the financial services market,” said Bill Solms, CEO, Wave Systems. “We see the EMV transition creating high demand for more secure transaction capabilities, and are confident that together we can provide financial institutions with a comprehensive solution for payment authorization and storage.”
“Bell ID has been a pioneer in developing and delivering cloud-based payment platforms,” adds Pat Curran, Executive Chairman at Bell ID. “We also have extensive experience in delivering EMV solutions globally and have witnessed fraud transition online as point-of-sale terminals in face-to-face transactions become more secure. We are therefore delighted to extend our offering with Wave to provide a secure online transaction and storage payment solution, which will mitigate against an expected rise in online fraud and provide a trusted link between device identity and internet services.”
New WordPress Phishing Campaigns Target User Credentials
https://securityintelligence.com/news/new-wordpress-phishing-campaigns-target-user-credentials/
A new phishing attack targeting WordPress sites uses fake database upgrade messages to cause serious problems for site owners and operators.
As reported by research firm Sucuri, this attack differs from previous phishing campaigns because it uses an email that is designed to look like a legitimate WordPress request prompting users to upgrade their database immediately. Using style and font choices similar to those of actual WordPress updates — along with a footer resembling that of parent company Automattic — fraudsters attempt to lure users into clicking an “Upgrade” button. Next, victims are asked for their username and password, followed by a request for website name and administrator username.
Indicators of illegitimacy include multiple grammatical errors in the emails themselves and the mention of an imminent “deadline,” neither of which is consistent with WordPress or hosting providers in general.
Pressing Problems for Site Owners
When attackers collect usernames, passwords and website addresses, they have everything they need to deface site content and deliver malware to users. Additionally, full access to WordPress sites enables malicious actors to install backdoors, allowing them to come and go as they please. As a result, businesses may experience a sudden drop in site traffic or discover that they’ve been blacklisted by popular search services.
This new campaign is also worrisome for its human element. While employee awareness of phishing techniques is on the rise, the simplicity of this attack, combined with its at-a-glance authenticity, makes it a real risk for WordPress administrators and anyone in charge of content creation. Given the repeated advice of security experts to upgrade services and sites ASAP to avoid compromise, it’s no surprise that some administrators are fooled by the sudden appearance of this WordPress “upgrade.”
How to Raise Awareness of Phishing Campaigns
Security experts recommend conducting comprehensive employee training to promote the concept of shared responsibility for enterprise security. Security leaders should follow this up with videos, newsletters and in-person training sessions to ensure that employees have the most up-to-date information.
IBM experts also recommend implementing phishing identification and reporting mechanisms that use machine learning and advanced phishing detection algorithms to spot new campaigns before they compromise corporate networks.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Token-free, password-free user authentication
We know you’ve dreamt about shredding your list of passwords. Go on and do it.
Because you are starting the authentication process in the device’s hardware, the user doesn’t have to interact with it. All users see is their usual Windows log-in screen – no more additional passwords to access the VPN or other resources. They just sign in once, and the secure credentials in their TPMs securely and quickly connect them to everything they need. Say goodbye to user frustration and slow OS performance.
Decrease expenses with virtual smart cards
You know what else happens when you take passwords out of the equation? A lot fewer calls to IT. Imagine if you took password resets out of the picture – that frees up a chunk of IT time, lowering your operating expenses significantly.
If your organization currently uses traditional tokens or smart cards, switching to virtual smart cards takes an even bigger burden off of IT – we use the hardware-protected credentials in the TPM to create a virtual smart card, which performs the same functionality as traditional smart cards. That means no need to purchase, deploy, replace or maintain external tokens, smart cards or smart card readers. Because virtual smart cards are already on your machines and can’t be forgotten, lost or stolen, you have lower capital expenses and lower operating expenses.
Wave's is the only management to support virtual smart cards on Windows 7, as well as Windows 8 and 8.1.
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console
Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)
Microsoft, Windows, and BitLocker are either registered trademarks or trademarks of the Microsoft group of companies.
Why the focus is shifting to boards on cyber security
https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c
Great article on Board of Directors' and large asset management firms' relationships around cybersecurity and their approaches.
I believe Wave could simply market their awesome products to these highly influential parties.
How the Equifax hack happened, and what still needs to be done
https://www.cnet.com/news/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/
A year after the revelation of the massive breach, there's unfinished business.
Excerpt:
The thieves spent 76 days within Equifax's network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn't raise any alarms.
=================================================================
These hackers should have been unknown to the network and therefore not allowed access. That would have been the case if Equifax was using Wave's ERAS. See links below for more details on how Wave's awesome products can effectively keep hackers out of company and government networks and much more. It's a revolution in the making! imo.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/