SEC's New Toughness On Breach Reporting And What It Means For Your IT Compliance
https://www.forbes.com/sites/forbestechcouncil/2018/08/13/secs-new-toughness-on-breach-reporting-and-what-it-means-for-your-it-compliance/#6ff8486a67da
In 2011, the Securities and Exchange Commission (SEC) warned public companies that cybersecurity incidents and security risks in their IT systems may have to be reported through public disclosures. The warning, in the form of a guidance, was a reminder that breaches can result in significant costs, remediation, litigation, regulatory fines and lost sales, and that investors must be informed of important or “material” news.
After devastating breaches at Yahoo ($350 million, 2013), Target (over $160 million, 2014), Anthem (over $200 million, 2015), and Equifax (over $240 million, 2017), the SEC’s advice has taken on new urgency.
The SEC recently issued a clarification earlier this year, and to put it bluntly, the agency means business. The SEC’s February 2018 statement got to the point: “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”
In April, the SEC announced a $35 million fine it levied against Yahoo for waiting almost two years to disclose its massive 2014 incident in its public SEC filings.
The U.S. doesn’t have a national breach notification rule similar to the EU’s GDPR with its strict 72-hour reporting, but with this series of announcements, the SEC has put public companies on notice of a de facto breach reporting requirement.
In practice, companies will have to report material cybersecurity incidents and their potential security risks in quarterly (10-Q), yearly (10-K) and, if necessary, current (8-K) filings.
To meet the SEC’s call for improved disclosure controls and procedures, many companies will need to up their game so that critical information about data theft and IT security risk reaches upper management and, ultimately, the public.
Breach Costs Are Material
The business community has known for years that data security costs can be significant. The Ponemon Institute conducts an annual breach costs survey, and for 2017, it calculated an average incident cost of about $3.6 million. This average has remained fairly steady for the last few years -- $4 million in 2016 and $3.7 million in 2015 -- and represents both the direct costs (remediation, legal and regulatory) and indirect costs (customer loss and churn due to reputational damage).
We also have evidence from real-world cyber insurance claims. Based on a review of insurance data, NetDiligence, a cyber-risk firm, found the average claim for large companies to be about $3.2 million.
Insurance claims are based on hard costs and don’t include soft or indirect costs that Ponemon calculates, such as reputational damage. Even without indirect costs, we know from NetDiligence’s analysis that individual claims can reach tens of millions of dollars.
Insurance claim data and Ponemon’s analysis support the SEC’s stance that cyber-related incidents should fall in the need-to-tell category.
The SEC is asking companies to do a better job of informing investors about significant cybersecurity incidents and potential risks. In the language of attorneys, cyber information is significant or material if a reasonable investor would need to know about it.
C-levels in public companies are, of course, aware of this reasonable investor rule in their financial disclosures. The SEC is merely making the connection to this rule and cybersecurity.
When a public company learns that millions of records containing personally identifiable information -- such as social security or credit card numbers -- have been exposed, it will have to report this information quickly to investors.
Security Risks Must Be Disclosed As Well
The SEC also states that public companies must analyze and report on material cybersecurity risks.
A company that discovers customer records with inadequate controls that will require significant remediation (e.g., many folders with loose permissions) would likely have to disclose these risks to investors.
In weighing risks, the SEC guidance states that public companies should review past cyber incidents and the adequacy of current security technologies.
If the same company has broad access rights for customer records and a history of incidents, and its IT processes for correcting these permissions could take weeks to solve, then this looks very much like material cybersecurity information that must be reported in SEC forms without delay.
What Companies Need To Do To Meet SEC Cyber Disclosure Guidelines
Public companies have some wiggle room, as the SEC recognizes that too much detail might compromise an ongoing investigation. Companies should describe at a high level the nature of the security breach, an estimate of the number of people affected, the categories of affected data, the remediation efforts taken and plans to prevent future incidents.
In its latest guidance, the SEC asks public companies to ensure that cyberrisks and incidents are analyzed and that the appropriate reports are sent up the corporate ladder and reach executives who are responsible for actual disclosures.
How do you meet the SEC’s breach reporting guidelines? While the SEC leaves it up to companies to implement their own programs, long-standing IT data practices provide us with a proven approach to security risk management.
First, public companies should have a risk assessment program that focuses on their data. They should be able to identify sensitive and regulated data, map who has access to it, and monitor how it’s being used and by whom. They should be able to see whether sensitive data, such as credit card numbers or corporate IP, is broadly exposed or used in an unauthorized way. These are the keys to evaluating the risks of data theft, as the SEC requires.
Second, companies should remediate unacceptable risks. They should limit access to sensitive data by either archiving it if no longer needed or restricting access to as small a group as possible. This prevents hackers (or employees) with stolen credentials from easily finding sensitive data inside your file system.
Third, when an actual incident occurs, companies must detect it and quickly ensure that the details reach the highest levels of the company.
These guidelines have always been good IT security practices. With the SEC’s new get-tough policy on breach reporting, they’re now enforceable and come with fines when not carried out.
================================================================
One preventative measure for the exposure of sensitive data discussed in the article is the use of Wave VSC 2.0!! The companies who use Wave VSC 2.0 could eliminate a lot of problems and save a lot of money with better security.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
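The Forbes piece closes with a three-step program: inventory sensitive data, map and monitor who can reach it, and restrict access where exposure is broad. The following is an added example, not code from the article, from Forbes or from Wave Systems. It builds a small constructed directory tree in a temp folder, scans it for files whose content matches simple SSN and payment-card patterns (with a Luhn check to cut false positives), and flags the ones that are readable by every user on the host as the "broad access" condition the article says would need remediation and possibly disclosure. The patterns, file names and sample records are assumptions for illustration.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Set, Tuple

# Illustrative detectors only (assumption): a production scanner would use a
# proper classification engine and read share/NTFS ACLs, not just POSIX mode bits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """True when a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the kinds of regulated data found in a piece of text."""
    kinds: Set[str] = set()
    if SSN_RE.search(text):
        kinds.add("SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            kinds.add("CARD")
            break
    return kinds


@dataclass
class Finding:
    path: str
    kinds: Set[str]
    world_readable: bool   # the "loose permissions" condition from the article


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory, classify each readable file, record its exposure."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    kinds = classify(fh.read())
            except OSError:
                continue            # unreadable to us; a real scanner would log it
            if kinds:
                mode = os.stat(path).st_mode
                findings.append(Finding(path, kinds, bool(mode & stat.S_IROTH)))
    return findings


def material_exposures(findings: List[Finding]) -> List[Finding]:
    """Sensitive files any local user can read: the broad-access case to fix first."""
    return [f for f in findings if f.world_readable]


def build_sample_tree() -> str:
    """Create a constructed directory tree in a temp folder (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="sec_scan_")
    samples = {
        # 4111 1111 1111 1111 is the well-known test card number; the SSN is made up
        "finance/cards.csv": ("name,pan\nalice,4111 1111 1111 1111\n", 0o644),
        "hr/ssn.txt": ("bob 123-45-6789\n", 0o600),
        "public/readme.txt": ("nothing sensitive here\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def run_demo() -> Tuple[List[str], List[str]]:
    """Scan the constructed tree; return (all flagged files, world-readable ones)."""
    root = build_sample_tree()
    findings = scan_tree(root)
    flagged = sorted(os.path.basename(f.path) for f in findings)
    exposed = sorted(os.path.basename(f.path) for f in material_exposures(findings))
    return flagged, exposed


if __name__ == "__main__":
    flagged, exposed = run_demo()
    print("files holding regulated data:", flagged)
    print("of which world-readable (remediate / assess for disclosure):", exposed)
```

The world-readable list is the input to the article's second step (archive or restrict), and the count of such files with their data categories is the kind of high-level fact a disclosure team needs without reading the records themselves.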
Trump Signs NIST Act to Benefit Small Businesses
https://www.infosecurity-magazine.com/news/trump-signs-nist-act-to-benefit/?utm_source=dlvr.it&utm_medium=twitter
Small businesses will soon receive help implementing voluntary cybersecurity frameworks as defined by the National Institute of Standards and Technology (NIST) after President Trump signed the “NIST Small Business Cybersecurity Act” S. 770 on 15 August.
In addition to providing resources to small businesses, the bill, which requires that NIST develop and disseminate resources for small businesses to help reduce their cybersecurity risk, also states that future NIST standards must consider the needs of small businesses.
The bill represents a step forward for both the cybersecurity industry and for SMBs struggling to be in accordance with the NIST standards. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” said Dr. Bret Fund, founder and CEO at SecureSet.
The bill is widely seen as a step in the right direction toward cybersecurity compliance and readiness for SMBs, and Fund said it also signals President Trump's intent to improve cybersecurity overall.
“With the increase in cyber-attacks, it is great to see the administration continue to invest in cybersecurity initiatives. Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” said Dirk Morris, chief product officer at Untangle.
Small businesses have long been at risk of cyber-attacks as nefarious actors know that SMBs are limited in both budgets and staff, making it difficult for most small businesses to implement strong security strategies. “Recent reports show that smaller businesses lose proportionately more to cyber-attacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures,” said Anupam Sahai, vice president of product management at Cavirin.
“This is a very positive step, as smaller enterprises may not have the skills or budget to implement a broad-based program. The Act will help with focus. The proof will be how the necessary resources are actually made available.”
=================================================================
Search under NIST
https://www.wavesys.com/search/node/NIST
Wave Endpoint Monitor
... agencies recognize malware as a growing threat. In 2011, NIST published guidelines for basic input/output system (BIOS) ... a chain of trust for the BIOS: Has it been tampered with? NIST actually looked to Wave for feedback on this document (see the ... Easy security compliance Comports with NIST guidelines for BIOS integrity Data protection Ensures ...
https://www.wavesys.com/products/wave-endpoint-monitor
Wave Chief Scientist to Present on Mobile Security Breakthroughs at Federal Cybersecurity Conference
... The National Institute of Standards and Technology (NIST) to offer guidelines and security recommendations for protecting a computer's BIOS in NIST special publication 800-147 (Initial guidelines, with more guidance ...
https://www.wavesys.com/buzz/pr/wave-chief-scientist-present-mobile-security-breakthroughs-federal-cybersecurity-conference
Wave Joins Global Online Identity Providers in Piloting Identity Ecosystems for NSTIC
... and the National Institute of Standards and Technology (NIST) as part of the National Strategy for Trusted Identities in Cyberspace ... “The Criterion team is committed to bringing NIST’s vision of a more secure, trusted and easy-to-use identity ecosystem to ...
https://www.wavesys.com/buzz/pr/wave-joins-global-online-identity-providers-piloting-identity-ecosystems-nstic
EMBASSY Trust Suite 2.10x
... Secure BIOS integrity measurements in compliance with NIST SP 800-155 EMBASSY Security Center for: Client ...
https://www.wavesys.com/products/embassy-trust-suite-210x
FISMA
... and information systems from unauthorized access. NIST is charged with developing standards and guidelines, and with assisting ...
https://www.wavesys.com/fisma
Necurs Rootkit – Not New But Spreading Fast Warns Microsoft; Wave's Bob Thibadeau is Quoted
... the BIOS,” said Bob Thibadeau, chief scientist at Wave. “NIST (National Institute of Standards and Technology) agrees, long espousing ...
https://www.wavesys.com/buzz/news/necurs-rootkit-%E2%80%93-not-new-spreading-fast-warns-microsoft-waves-bob-thibadeau-quoted
Wave Achieves an Industry First with the Launch of Wave Endpoint Monitor for Early Detection of Advanced Persistent Threats
... thought. The National Institute of Standards and Technology (NIST) recognized this reality and issued initial guidelines for protecting a ...
https://www.wavesys.com/buzz/pr/wave-achieves-industry-first-launch-wave-endpoint-monitor-early-detection-advanced-persisten
Wave Reports Q1 Revenues of $7M and Reviews Industry and Sales Pipeline Progress
... market. The National Institute of Standards and Technology (NIST) has published standards that call for industry standard hardware security ...
https://www.wavesys.com/buzz/pr/wave-reports-q1-revenues-7m-and-reviews-industry-and-sales-pipeline-progress
Partner News: Wave on TSCP Team Selected To Compete for NSTIC Grant
... the National Institute of Standards and Technology (NIST) as one of 28 organizations that will compete for grants to develop and ...
https://www.wavesys.com/buzz/news/partner-news-wave-tscp-team-selected-compete-nstic-grant
EMBASSY® Trust Suite (ETS) 2.10x
... Secure BIOS integrity measurements in compliance with NIST SP 800-155 EMBASSY Security Center for Client ...
https://www.wavesys.com/brochure-ets-2-10-x
================================================================
DMI and Wave Partner to Secure the Mobile Enterprise
... devices from accessing the network and meets emerging NIST guidelines for BIOS integrity. DMI/Wave solutions are offered as ...
https://www.wavesys.com/buzz/pr/dmi-and-wave-partner-secure-mobile-enterprise
Wave Endpoint Monitor Delivers a Powerful Weapon in the Battle against Advanced Persistent Threats
... The National Institute of Standards and Technology (NIST) has also recognized the importance of BIOS integrity and has issued ...
https://www.wavesys.com/buzz/pr/wave-endpoint-monitor-delivers-powerful-weapon-battle-against-advanced-persistent-threats
Partner News: Micron Technology, Wave Systems, Lenovo and American Megatrends Inc. Announce Intention to Create New Industry Standard to Meet Heightened Global Security Requirements
... to take enterprise supply chain security and eventual NIST 800-155 support to the next level." "By building on a hardware root of ...
https://www.wavesys.com/buzz/pr/partner-news-micron-technology-wave-systems-lenovo-and-american-megatrends-inc-announce-inte
Malware Protection
... detection is the highest priority in this Cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic ...
https://www.wavesys.com/malware-protection
Wave Integrating MITRE’s Attestation Technique into its Endpoint Monitor for Remediating Advanced Malware
... by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011. For more ...
https://www.wavesys.com/buzz/pr/wave-integrating-mitre%E2%80%99s-attestation-technique-its-endpoint-monitor-remediating-advanced-mal
Open Identity Exchange (OIX) Certifies Wave's Online Identity Service for Secure Authentication to Government Websites
... The National Institutes of Standards and Technology (NIST) publication 800-63 Electronic Authentication Guidelines defines four ...
https://www.wavesys.com/buzz/pr/open-identity-exchange-oix-certifies-waves-online-identity-service-secure-authentication-gov
Wave Reports Q1 Revenues of $5.8 Million and Reviews Recent Developments
... and regulations supporting TCG standards. FICAM, FIPS, NIST and NSTIC, along with ESG and others in Europe all support TCG standards. ...
https://www.wavesys.com/buzz/pr/wave-reports-q1-revenues-58-million-and-reviews-recent-developments
Wave Q3 2010 Revenues Rose 38% to $6.7 Million Driven By Software License Activity
... the U.S. National Institute of Standards and Technology (NIST). FIPS certification is required for government and other organizations to ...
https://www.wavesys.com/buzz/pr/wave-q3-2010-revenues-rose-38-67-million-driven-software-license-activity
===============================================================
It seems like Wave could satisfy some of the NIST guidelines with their cybersecurity products for small businesses and large companies as well.
AT&T Faces $224M Legal Challenge Over SIM-Jacking Rings
https://threatpost.com/att-faces-224m-legal-challenge-over-sim-jacking-rings/136645/
Cryptocurrency angel investor Michael Terpin seeks damages for “gross negligence” by the carrier, alleging it turned a blind eye to store employees’ malicious activities.
Cryptocurrency investor and Dogecoin founder Michael Terpin has filed a $223.8 million lawsuit against AT&T, alleging the mobile phone giant turned a blind eye to SIM fraud.
Terpin alleges that more than 3 million cryptocurrency tokens worth $24 million were lifted from his digital wallet at an AT&T store in Connecticut in January, when an AT&T employee swapped out the SIM card on his device to hijack his mobile phone content. The tokens were then transferred to an international criminal gang, which the FBI has been targeting with an ongoing investigation.
SIM cards are essentially the authenticator of a mobile device, containing the individual’s personalized settings and connecting the device with the network and an account. This allows people to take their settings, content and services/phone number with them when they switch handsets. Thus, a bad actor with physical access to a device can simply swap SIM cards in order to gain access to an unsuspecting person’s account, gaining the ability to initiate or receive that person’s calls and texts, application notifications, and, importantly, two-factor authentication codes and authorizations, such as those used for money transfers. They can also change security settings to prevent the victim from regaining access to the account.
The easiest way for a malefactor to do this is by working with a rogue mobile store employee who has regular access to people’s devices, or by co-opting someone’s handset and then taking advantage of lax authentication methods to ask for a seemingly legitimate SIM swap from the carrier. Provided the thief can answer basic security questions, it’s possible to cancel the old SIM and order a new one, and from there commandeer the victim’s mobile account.
“SIM-jacking arose as a response to the growing adoption of two-step verification (also referred to as two-factor authentication) as a means to protect online accounts from hackers,” Paul Bischoff, a privacy advocate at Comparitech.com, said via email. “Most two-step verification requires entering a PIN number sent to the user’s phone number. Unfortunately, employees who work at stores run by mobile carriers like AT&T have free rein to hijack a SIM card and transfer the phone number to a different device. This can be done unbeknownst to the user, so thieves will seek out store employees who can be bribed to assist with SIM-jacking.”
SIM-jacking has been on the rise, drawing law enforcement attention. The Feds in fact made two SIM-jacking arrests in July, including charging Joel Ortiz with 28 counts, including a $1.5 million SIM swap of an AT&T subscriber during New York Blockchain Week – he’s suspected of stealing at least $5 million in cryptocurrency. Then, Ricky Joseph Handschumacher was arrested in Florida on July 18 for his role in a gang that stole at least $460,000 in Bitcoin by hijacking SIM identities from AT&T customers.
While the criminal drama plays out, Terpin is suing AT&T as the responsible party in the situation, alleging that the carrier has been asleep at the switch while its store employees run rampant – despite the fact that this kind of insider fraud is notoriously difficult to pinpoint and root out, especially in a retail footprint of 16,000+ stores [PDF].
The lawsuit levels 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and related charges in US District Court in Los Angeles. He said that he had been SIM jacked before, after which, he claims, AT&T promised him a unique, purportedly unchangeable password with “unbreachable security.”
“AT&T’s studied indifference to protecting its customers’ privacy and financial assets is a metastasizing cancer, threatening hundreds of millions of unsuspecting AT&T’s customers,” said Pierce O’Donnell, senior partner at leading litigation firm Greenberg Glusker and lead counsel for Terpin in the complaint, in a media statement. “Our client had no idea when he initially signed up, nor when later he was promised the highest level of security for his account, that low-level retail employees with access to AT&T records, or people posing as them, can be bribed by criminals to override every system that AT&T advertises as unassailable.”
The 69-page complaint alleges that AT&T has not improved its account security protections despite knowledge that some of its employees are criminals: “AT&T is doing nothing to protect its almost 140 million customers from SIM card fraud. AT&T is therefore directly culpable for these attacks because it is well-aware that its customers are subject to SIM swap fraud, and that its security measures are ineffective.”
AT&T had not commented on the litigation at the time of publication, but John Gunn, CMO at OneSpan, told Threatpost that holding the phone giant liable may be fanciful thinking.
“If carriers, ISPs and MNOs had to bear full financial responsibility for every crime and act of fraud committed across their networks, they would all cease to exist,” he said. “Viewing this under the doctrine of assumed risk, it would be very difficult for the plaintiff in this action to prove they were unaware of the inherent risks of mobile and online transactions.”
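The article describes the abuse pattern as a SIM change followed quickly by 2FA codes, password resets or security-setting changes on the same account, and in Terpin's case a change made at a retail store by an employee. A carrier or any service that issues SMS codes can watch for exactly that sequence. The following is an added example, not code from Threatpost, AT&T or the complaint. It parses a constructed account-event log (field names, account numbers and the employee identifier are assumptions), raises one alert per SIM change that is followed within 24 hours by a risky action, and lists staff identities that appear on more than one alerted swap so a fraud team can review them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log of carrier-side account events.  Field names, account
# numbers and the employee identifier are assumptions made for this example.
SAMPLE_LOG = """\
2018-01-07T14:02:11Z account=1001 event=SIM_CHANGE channel=retail_store actor=emp_4412
2018-01-07T14:20:45Z account=1001 event=MFA_CODE_SENT service=wallet
2018-01-07T14:31:02Z account=1001 event=SECURITY_PIN_CHANGED channel=retail_store actor=emp_4412
2018-01-07T15:05:00Z account=2002 event=SIM_CHANGE channel=online actor=self
2018-01-09T09:00:00Z account=2002 event=MFA_CODE_SENT service=bank
2018-01-07T10:00:00Z account=3003 event=PASSWORD_RESET channel=online actor=self
2018-01-08T11:15:00Z account=4004 event=SIM_CHANGE channel=retail_store actor=emp_4412
2018-01-08T11:16:30Z account=4004 event=PASSWORD_RESET channel=online actor=self
"""

# Actions that matter when they follow a SIM change: they are what the article
# says control of the phone number hands to whoever holds the new SIM.
RISKY_AFTER_SWAP = {"MFA_CODE_SENT", "PASSWORD_RESET", "SECURITY_PIN_CHANGED"}
WINDOW = timedelta(hours=24)     # assumption: tune to the carrier's own data


def parse_line(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts, rest = line.split(maxsplit=1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str) -> List[dict]:
    """Parse all non-empty lines and order them by time (logs rarely arrive in order)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_sim_swap_abuse(events: List[dict]) -> List[dict]:
    """One alert per SIM change followed by a risky action within WINDOW."""
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["event"] != "SIM_CHANGE":
                continue
            followed = [f for f in evs[i + 1:]
                        if f["event"] in RISKY_AFTER_SWAP and f["ts"] - e["ts"] <= WINDOW]
            if followed:
                alerts.append({
                    "account": account,
                    "swap_channel": e.get("channel", "unknown"),
                    "swap_actor": e.get("actor", "unknown"),
                    "followed_by": [f["event"] for f in followed],
                    "minutes_to_first": int((followed[0]["ts"] - e["ts"]).total_seconds() // 60),
                })
    return alerts


def repeat_actors(alerts: List[dict], threshold: int = 2) -> Dict[str, int]:
    """Identities behind `threshold` or more alerted swaps: a review queue for
    the fraud team, not a finding on its own."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["swap_actor"]] += 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = detect_sim_swap_abuse(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"account {a['account']}: SIM changed via {a['swap_channel']} by "
              f"{a['swap_actor']}, then {a['followed_by']} after {a['minutes_to_first']} min")
    print("actors on repeated alerted swaps:", repeat_actors(found))
```

Account 2002 changes its SIM online and only requests a code two days later, so it stays quiet; accounts 1001 and 4004 both alert, and the same store identity appears on both swaps. A hit would normally hold the number's sensitive actions pending step-up verification and notify the customer over a channel other than SMS, since SMS now reaches the new SIM.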
================================================================
Trusted Logic Mobility and Wave Present Joint Security Solution for PCs and Mobile Devices
https://www.wavesys.com/buzz/pr/trusted-logic-mobility-and-wave-present-joint-security-solution-pcs-and-mobile-devices
San Francisco, CA and Barcelona, Spain -
February 28, 2012 -
Trusted Logic Mobility, the leading provider of security solutions for mobile and connected devices, and Wave Systems Corp. (NASDAQ:WAVX www.wave.com) will showcase their combined solution enabling enterprises to extend security architectures normally associated with their PC assets to also cover mobile devices. The joint solution complies with the latest industry security standards.
Utilizing the smartphone as a token to authenticate the user, the solution allows encrypted data held in a corporate laptop computer to be unlocked. This is enabled by secure software based on the industry standard Mobile Trusted Module (MTM) to check the integrity of the smartphone.
Trusted Logic Mobility provides the MTM software, building on its Trusted Foundations™ security solution while leveraging the ARM® TrustZone™ secure hardware architecture. Wave Systems developed the application in the smartphone for communicating with the laptop as well as the software to evaluate the smartphone's integrity and provides the service for managing the MTM and the laptop's Self-Encrypting Drives.
"Trusted Logic Mobility's MTM software is derived from, and perfectly compatible with the authentication solution that is widely used in laptops," says Olivier Leger, General Manager of Trusted Logic Mobility. "This means corporate IT departments can leverage their investment, thus reducing costs and simplifying security management across devices."
"As security solutions are deployed by the industry in a full range of devices from phones to PCs, the opportunity for Wave to extend our products and services to support these devices is a natural next step," says Steven Sprague, CEO of Wave Systems Corp. "This solution shows the future of interoperable security in both PCs and mobile devices."
"We welcome Wave and Trusted Logic Mobility's demonstration that shows enhanced device security," said Ben Cade, General Manager of Secure Services Division at ARM. "The mobile market is rapidly adopting security solutions based on our TrustZone technology as the foundation for exciting new services and applications that are delivering opportunities for innovation and business."
================================================================
https://www.wavesys.com/technology-brief-tpm-mobile
As the corporate perimeter continues to vanish, smartphones, tablets and other mobile devices are making data available anytime and anywhere. Unfortunately, with greater access comes greater risk to data protection and data privacy. Your network endpoints may still be multiplying. Advanced Persistent Threats (APTs) may still be evolving. Yet, you’re still accountable for ensuring the safety of all the critical business information and trade secrets that your organization is storing, accessing and sharing…out there.
Wave and Trusted Logic Mobility have teamed up to bring identity and health to mobile devices like smartphones and tablets. Using the Trusted Platform Module-Mobile (TPM-Mobile), defined by the Trusted Computing Group (TCG), organizations and cloud providers can now uniquely identify Android-based devices and monitor their health.
================================================================
Why wouldn't companies use the MTM (Mobile Trusted Module) as the identifier for their smartphone (Android) rather than the now controversial SIM card? It could save AT&T a lot from potential lawsuits. It could also benefit Wave in that customers/companies that use AT&T would need to manage the MTM, and the health of the device.
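The press release describes the phone acting as an authentication token whose integrity is checked through the MTM before the laptop releases its encrypted data, and the comment above asks whether that module could also serve as the device identifier. The following added example sketches that exchange with both sides' messages. It is not Wave's, Trusted Logic Mobility's or the TCG's protocol, and it simplifies two things on purpose: the MTM's attestation key is modelled as a symmetric HMAC key (a real module signs with an asymmetric key, so the verifier holds only the public half), and the "measurement" is a SHA-256 digest of a constructed firmware string. Device ids, keys and the disk key are placeholders. The scenarios show the three checks that make the token useful: a fresh nonce (replay refused), key binding (right id but wrong key refused) and an integrity comparison against the enrolled value (modified firmware refused).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple


class Phone:
    """Stand-in for a handset with a Mobile Trusted Module (assumption: the
    MTM key is symmetric here; a real MTM signs with an asymmetric key)."""

    def __init__(self, device_id: str, mtm_key: bytes, firmware: bytes):
        self.device_id = device_id
        self._mtm_key = mtm_key
        self.firmware = firmware   # what actually booted; changed below to simulate tampering

    def measurement(self) -> bytes:
        """Digest standing in for the MTM's boot-chain measurement."""
        return hashlib.sha256(self.firmware).digest()

    def respond(self, nonce: bytes) -> Dict[str, bytes]:
        """Answer a challenge: bind the fresh nonce to the current measurement."""
        m = self.measurement()
        tag = hmac.new(self._mtm_key, nonce + m, hashlib.sha256).digest()
        return {"device_id": self.device_id.encode(), "nonce": nonce,
                "measurement": m, "tag": tag}


class Laptop:
    """Verifier: releases the self-encrypting-drive key only to an enrolled,
    healthy phone answering a fresh challenge."""

    def __init__(self, enrolled: Dict[str, Tuple[bytes, bytes]], disk_key: bytes):
        self._enrolled = enrolled          # device_id -> (mtm_key, golden measurement)
        self._disk_key = disk_key
        self._pending: Set[bytes] = set()  # outstanding nonces, single use
        self.audit: List[str] = []         # the trail a compliance review can inspect

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def unlock(self, resp: Dict[str, bytes]) -> Optional[bytes]:
        nonce = resp["nonce"]
        if nonce not in self._pending:
            self.audit.append("reject: unknown or reused nonce")
            return None
        self._pending.discard(nonce)       # a response is good exactly once
        dev = resp["device_id"].decode()
        if dev not in self._enrolled:
            self.audit.append(f"reject: device {dev} not enrolled")
            return None
        key, golden = self._enrolled[dev]
        expected = hmac.new(key, nonce + resp["measurement"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, resp["tag"]):
            self.audit.append(f"reject: {dev} failed key check")
            return None
        if not hmac.compare_digest(golden, resp["measurement"]):
            self.audit.append(f"reject: {dev} measurement differs from enrolled value")
            return None
        self.audit.append(f"ok: {dev} attested, drive key released")
        return self._disk_key


def run_scenarios() -> Dict[str, bool]:
    """Healthy phone, replayed response, wrong key, modified firmware -> unlocked?"""
    mtm_key = secrets.token_bytes(32)
    good_fw = b"handset-build-2012.02 (constructed)"
    phone = Phone("dev-0001", mtm_key, good_fw)
    laptop = Laptop({"dev-0001": (mtm_key, hashlib.sha256(good_fw).digest())},
                    disk_key=b"\x11" * 32)   # placeholder SED key
    results: Dict[str, bool] = {}
    resp = phone.respond(laptop.challenge())
    results["healthy"] = laptop.unlock(resp) is not None
    results["replay"] = laptop.unlock(resp) is not None             # same answer again
    impostor = Phone("dev-0001", secrets.token_bytes(32), good_fw)  # right id, wrong key
    results["wrong_key"] = laptop.unlock(impostor.respond(laptop.challenge())) is not None
    phone.firmware = good_fw + b" modified"                         # boot chain changed
    results["tampered"] = laptop.unlock(phone.respond(laptop.challenge())) is not None
    return results


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:10s} -> {'unlocked' if unlocked else 'refused'}")
```

The enrolment record is what ties identity to hardware: the laptop recognises "dev-0001" by the key only the module holds, not by a number the network can reassign, and the audit list records each decision so that "encryption was on and the device was healthy at the time" can be shown later rather than asserted.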
2.6 billion records exposed in 2,300 disclosed breaches so far this year
https://www.helpnetsecurity.com/2018/08/16/records-exposed-2018/
Risk Based Security released its Mid-Year 2018 Data Breach QuickView report, showing there have been 2,308 publicly disclosed data compromise events through June 30th. After a surprising drop in the number of reported data breaches in the first quarter, breach activity appears to be returning to a more “normal” pace. At the mid-year point, 2018 closely mirrors 2016’s breach experience but still trails the high water mark set in 2017.
“2018 has been a curious year. After the wild ride of 2017, we became accustomed to seeing a lot of breaches, exposing extraordinary amounts of information. 2018 is remarkable in that the number of publicly disclosed breaches appears to be leveling off while the number of records exposed remains stubbornly high,” said Inga Goddijn, Executive Vice President for Risk Based Security. “It’s not easy to characterize 2.6 billion records exposed as an improvement, even if it is less than the 6 billion exposed at this time last year.”
Phishing for usernames and passwords then using the stolen credentials to access systems or services stands out as a particularly popular attack method utilized by hackers in the first 6 months of the year.
Additionally, the arrival of the GDPR in May brought another layer of nuance to the cataloguing and reporting of data breaches. After the GDPR took effect, data protection authorities across the EU reported sizable spikes in the number of breaches submitted to their offices. How many will become public – or have already been disclosed and are only now making their way to regulators’ attention – remains to be seen.
Similar to Q1, fraud continues to hold the top spot for the breach type compromising the most records, accounting for 47.5% of exposed records. As with prior reports, the number of incidents attributed to hacking remains high, accounting for well over 50% of disclosed breaches.
With the number of vulnerabilities reported this year on pace to exceed 2017 and over 3,000 of those vulnerabilities going uncovered by the CVE and National Vulnerability Database (NVD), it is tempting to attribute the high percentage of breaches from hacking to inferior or incomplete vulnerability intelligence.
Ms Goddijn remarked, “There are a lot of moving parts to an effective information security program and certainly patch management is one of the trickier components to tackle. That said, tried and true social engineering techniques combined with the ability to take advantage of unpatched weaknesses are some of the most effective tools malicious actors can use. That means defending against activities like phishing and solid vulnerability management go hand in hand when it comes to stopping hackers.”
“While we expect hacking to remain the leading cause of data loss, we can’t lose sight of the damage that can come from accidental exposure. Misconfigured services, exposed S3 buckets and even improper email handling have led to more than their fair share of recent breaches. This type of data loss is easily prevented and protecting against it is nearly entirely within the organization’s control. It shouldn’t be overlooked in the quest to prevent external attacks,” Ms Goddijn concluded.
=================================================================
Avoid many headaches of record exposure, and utilize the award-winning Wave VSC 2.0!
https://www.wavesys.com/products/wave-virtual-smart-card
=================================================================
GDPR fines could be limited if a laptop was stolen and companies in the EU were using Wave managed SED laptops.
https://www.wavesys.com/products/wave-self-encrypting-drive-management
Easy proof of compliance
Your encryption is only as good as you can prove it to be. To comply with most data protection regulations, your organization has to prove encryption was in place at the time of a potential breach. Wave provides secure audit logs to help you demonstrate compliance.
If you lose a device with a Wave-managed SED, there’s no wondering or guessing. You know encryption was on by default, and you can prove it.
Trump Takes Offensive Cybersecurity Step Forward
https://www.infosecurity-magazine.com/news/trump-takes-offensive/?utm_source=dlvr.it&utm_medium=twitter
The Obama Presidential Policy Directive 20 (PPD-20) that outlined the interagency communications required for the US to deploy cyber-weapons was reversed by President Trump, according to a report from the Wall Street Journal Wednesday 15 August.
Infosecurity Magazine contacted the White House for comment, but the Trump administration reportedly has not issued an official statement on the decision to reverse PPD-20. A National Security Council spokesman told Inside Cybersecurity that the administration was not planning on issuing a public statement.
Cyber-threats and cyber-attacks from nation-state actors require action, but planning and executing offensive actions necessary to protect US interests and assets from foreign aggressions can take months or years, said John Gunn, chief marketing officer at OneSpan. “With proper safeguards, this is a positive initiative that will raise our security.”
The US is not the first country to permit offensive techniques in order to prevent cyber-attacks from reaching its borders. Many experts, including Joseph Carson, chief security scientist at Thycotic, are in favor of cyber-offensive capabilities. Yet challenges exist in cyberspace.
“The biggest problem we have is absolute attribution to knowing who exactly carried out the cyber-attack and is it possible that it was a misdirection to put political pressure on two or more countries,” Carson said.
“We have AI and other techniques, but cyber-criminals have the ability to make it look like someone else committed the crime," Carson continued. "With cyber-mercenaries on the increase, the only way to get attribution is to go back to the old methods of having human spies who can confirm the attack happened and was initiated by aggressive cyber-countries. Many countries are already committing cyber-attacks on a large scale, and the US has been poor at responding to such attacks. For example, the attack on the DNC and OPM. My personal stance is that cyber-offensive should only be carried out by government agencies and not permitted by citizens.”
The reversal of PPD-20 also sends a global message at a critical time for the US. "The change in the US government stance on cyber weapons being used for cyber-offensive against adversaries comes just ahead of the US midterm elections. This is very likely a public indication that any nation-state who tries to hack or manipulate the upcoming elections, the US government has taken the gloves off and will respond," Carson said.
================================================================
China aims to narrow cyberwarfare gap with US
https://www.zdnet.com/article/china-aims-to-narrow-cyberwarfare-gap-with-us/
While US blames China for cyber attacks on networks
China is looking to narrow the gap with the US in terms of cyberwarfare capabilities, according to an assessment of Chinese military capabilities published by the Department of Defense (DoD).
The Pentagon report said that in recent years the Chinese army has emphasized the importance of cyberspace for national security because of the country's increasing reliance on its digital economy.
It said Chinese military strategists see cyber operations as a low-cost deterrent that can demonstrate capabilities and challenge an adversary.
The DoD's annual report to Congress (PDF) points to a Chinese international cyberspace cooperation strategy in March 2017, which called for the expedited development of a military "cyber force" as an important aspect of the country's defense strategy.
However, the US report said that China also believes its cyber capabilities and personnel lag behind those of the US and that China "is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations."
The report lists "cyber activities" directed against the DoD by China and said: "Computer systems around the world, including those owned by the US government, continued to be targeted by China-based intrusions through 2017."
It said these intrusions focused on accessing networks and extracting information, and said China uses its cyber capabilities to support intelligence collection against US diplomatic, economic, academic, and defense sectors.
"Additionally, targeted information could enable PLA [People's Liberation Army] cyber forces to build an operational picture of US defense networks, military disposition, logistics, and related military capabilities that could be exploited prior to or during a crisis.
"The accesses and skills required for these intrusions are similar to those necessary to conduct cyber operations in an attempt to deter, delay, disrupt, and degrade DoD operations prior to or during a conflict."
For a number of years, the US has accused China of using hackers to steal US industrial secrets. In 2014 it indicted a number of Chinese hackers, accusing them of industrial espionage, and a similar indictment was made in 2017. However, the US has struggled to come up with a model of cyber deterrence able to stop such attacks and probing by foreign nations, most notably China and Russia.
===============================================================
Shouldn't the U.S. focus on (defensive) cybersecurity solutions that get the job done and are oftentimes overlooked? The China article shows that the U.S. is missing that. Wave is backed by ESW now, which should mean that Wave is thought of more positively with its excellent cybersecurity products. The products (defensive) really speak for themselves and links are posted below.
https://www.wavesys.com/products/wave-virtual-smart-card
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
PUB File That Drops Ammyy Targeted 2,700 Banks
https://www.infosecurity-magazine.com/news/pub-file-that-drops-ammyy-targeted/?utm_source=dlvr.it&utm_medium=twitter
A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to be coming from India and contained the subject lines “Request BOI” or “Payment Advice.”
Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to get a foothold on the banks’ infrastructure and set the stage for potential further attacks.
First observed in 2012 and famed for sending Locky a few years ago, the Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications.
After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension .pub, which belongs to Microsoft Publisher, attached to the phishing campaigns.
This unexpected change in file extension happened at 7:30 am on 15 August. “Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curve ball,” researchers wrote.
“The banks range from small regional banks all the way up to the largest financial institutions in the world. We have not yet determined the actor(s) behind this specific campaign or the final goal.”
The .pub file contained an embedded macro that, when executed, downloaded a payload from a remote host, resulting in the FlawedAmmyy remote access Trojan (RAT). With this final payload, the attackers gained full remote control of the compromised host, enabling both credential theft and potential future lateral movement within the banking institution.
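As an added example (not Cofense's code and not part of the article), here is a small mail-gateway triage routine for the campaign described above: it flags the reported subject lines, any macro-capable Office/Publisher attachment (.pub included), and any attachment that is an OLE2 compound file naming a VBA project. The log format, sender addresses and the attachment bytes are constructed for the example; the OLE check is a byte heuristic, and a real deployment would hand the file to a proper parser such as oletools' olevba instead.

```python
"""Heuristic triage of inbound mail for the Necurs-style .pub campaign.

Added example, not Cofense's or the article's code. The JSON-lines log format
below is constructed for the example; the OLE/VBA check is a byte heuristic,
not a full compound-file parser.
"""
import base64
import json
import re

# Office/Publisher containers that can carry VBA macros. .pub is the one the
# campaign switched to; the rest are the usual suspects.
MACRO_CAPABLE = {".pub", ".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps",
                 ".docm", ".xlsm", ".pptm"}

# Subject lines reported for the campaign (compared case-insensitively).
CAMPAIGN_SUBJECTS = {"request boi", "payment advice"}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE; a macro project shows up
# as a "VBA" storage and/or a "_VBA_PROJECT" stream.
VBA_MARKERS = ("VBA".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))


def attachment_extension(name):
    """Lower-cased final extension of a filename, or '' if there is none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def looks_like_macro_ole(blob):
    """True if blob is an OLE2 compound file that names a VBA storage/stream."""
    return blob.startswith(OLE2_MAGIC) and any(m in blob for m in VBA_MARKERS)


def score_message(msg):
    """Return the list of reasons a message should be held; empty if clean."""
    reasons = []
    if msg["subject"].strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches campaign lure")
    for att in msg.get("attachments", []):
        ext = attachment_extension(att["filename"])
        blob = base64.b64decode(att["content_b64"])
        if ext in MACRO_CAPABLE:
            reasons.append(f"macro-capable attachment {att['filename']}")
        if looks_like_macro_ole(blob):
            reasons.append(f"embedded VBA project in {att['filename']}")
    return reasons


def triage(log_text):
    """Parse one JSON record per line; return {message_id: reasons} for hits."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        reasons = score_message(msg)
        if reasons:
            hits[msg["id"]] = reasons
    return hits


# Constructed sample log: a lure carrying a synthetic .pub with a VBA marker,
# and a benign PDF invoice. The OLE bytes are fabricated, not a real Publisher
# file, so they only exercise the heuristic.
_FAKE_PUB = (OLE2_MAGIC + b"\x00" * 16
             + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8)
_BENIGN_PDF = b"%PDF-1.4\n% constructed placeholder\n"

SAMPLE_LOG = "\n".join(json.dumps(m) for m in [
    {"id": "m1", "from": "accounts@example-in.test", "subject": "Payment Advice",
     "attachments": [{"filename": "advice.pub",
                      "content_b64": base64.b64encode(_FAKE_PUB).decode()}]},
    {"id": "m2", "from": "vendor@example.test", "subject": "Invoice 4471",
     "attachments": [{"filename": "invoice.pdf",
                      "content_b64": base64.b64encode(_BENIGN_PDF).decode()}]},
])

if __name__ == "__main__":
    for mid, why in triage(SAMPLE_LOG).items():
        print(mid, "->", "; ".join(why))
```

The point of the extension list is the one the researchers make: a gateway that only quarantines .doc and .xls attachments with macros is blind to a .pub carrying the same VBA, so the allow/deny decision should be made on the container format and macro content, not on the extension alone.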
================================================================
Wave VSC 2.0, and Wave Endpoint Monitor could help protect these banks from problems associated with credential theft, and malware such as a RAT. imo.
Spectre-Like Flaw Undermines Intel Processors' Most Secure Element
https://www.wired.com/story/foreshadow-intel-secure-enclave-vulnerability/
In cybersecurity circles, this has been the year of Spectre and Meltdown, not only because the chip vulnerabilities—first publicly disclosed in January—were so widespread that they're still being cleaned up, but because they've given rise to the discovery of many related flaws. Now, a team of researchers has found a Spectre-like vulnerability that specifically undermines the most secure element of recent Intel chips—and potentially has even broader implications.
Intel's Software Guard Extensions feature, known as SGX, allows programs to establish so-called secure enclaves on Intel processors. These are regions of a chip that are cordoned off to run code that the computer's operating system can't access or change. The secure enclave creates a safe haven for sensitive data, even if malware or another malady compromises the main computer. But a group of researchers, hailing from five academic institutions around the world, found that although SGX can mostly repel Spectre and Meltdown attacks, a related attack can bypass its defenses. They call it Foreshadow.
"There were certain aspects that were surprising and certain aspects that weren't," says microarchitecture security researcher Yuval Yarom, a member of the team that will present its findings at the Usenix security conference in Baltimore on Thursday. "We thought speculative execution could get some information from SGX, but we weren’t sure how much. The amount of information we actually got out—that took us by surprise."
Wild Speculation
Meltdown, Spectre, and Foreshadow all exploit various flaws in a computing technique known as speculative execution. A processor can run more efficiently by making an educated guess about what operation it will be asked to perform next. A correct prediction saves resources, while work based on an incorrect prediction gets scrapped.
"This is not an attack on a particular user, it’s an attack on infrastructure."
—Yuval Yarom, University of Adelaide
But the system leaves behind clues—how long it takes a processor to fulfill a certain request, for example—that an attacker can use to find weaknesses, ultimately gaining the ability to manipulate what path the speculation takes, and scooping up data at opportune moments that leaks out of a process's data storage cache. Speculative execution attacks tend to be convoluted and difficult to carry out in practice, and Intel emphasizes that none have been seen in the real world. They are important to guard against, though, because a truly motivated attacker could use them to access data and system privileges meant to be off-limits.
"It's not one thing. There's a lot of speculation going on in any modern computer," hardware security researcher and Foreshadow contributor Jo Van Bulck says. "Spectre is focused on one speculation mechanism, Meltdown is another, and Foreshadow is another."
The researchers say that after the initial discovery of Spectre and Meltdown, the SGX enclave was the obvious next place to look for speculative execution flaws. Some clever Spectre attacks did manage to undermine SGX under the right conditions, but the approaches weren't very effective overall. "When you look at what Spectre and Meltdown did not break, SGX was one of the few things left," says system security researcher Daniel Genkin, who contributed to the Foreshadow work. "SGX was mostly spared by Spectre, so it was the logical next step."
The researchers presenting Foreshadow—Van Bulck, Frank Piessens, and Raoul Strack of KU Leuven in Belgium; Marina Minkin and Mark Silberstein of Technion in Israel; Genkin, Ofir Weisse, Baris Kasikci, and Thomas Wenisch from University of Michigan; and Yarom from University of Adelaide in Australia—had originally worked in two smaller groups that both hunted for an SGX-focused speculative execution flaw. After the two teams separately disclosed Foreshadow to Intel within weeks of each other in January, they started collaborating to refine and expand the research.
Keys to the Kingdom
What they found is deeply problematic. Not only did both teams independently develop the same speculative execution attack that could access SGX-protected memory in a data cache called L1, they also realized that the attack could expose the secret cryptographic keys, known as attestation keys, that enable SGX's crucial integrity checks.
A fundamental concept underlying SGX is that an enclave's contents are signed with a key that Intel holds as a third party. An outside system can check the legitimacy of an enclave by reviewing its signature. You probably see the inherent danger in Foreshadow exposing these keys, but it actually gets even worse.
A privacy protection built into SGX, one that Foreshadow researchers applaud, is an anonymity feature called group signatures. Think of it like this: If you signed public guestbooks everywhere you went, someone could learn a lot about you by tracking all of the places you signed in, even if they didn't know detailed specifics of what you did at each stop. SGX uses group signatures to solve this problem, making it impossible to identify specific enclaves from their signatures. But once a set of attestation keys are compromised, they can be used to generate SGX signatures that will look legitimate in any context—even as attackers compromise an enclave, or set up a fake one.
"The root of trust in SGX is that the attestation key has never seen the light of day outside SGX," Genkin says. "As soon as the attestation key sees the light of day, then everything kind of crumbles."
Foreshadow attacks are effective against all Intel Core Skylake and Kaby Lake processors, which incorporate SGX, and the research is tailored specifically to Intel chips. The attacks are stealthy, leaving few traces in a computer's logs. And they can be launched from "user space," meaning an attacker doesn't need to have deep access to a system to launch the assault.
The Foreshadow researchers stress the limitations and challenges of actually carrying out the attack in the wild, though. They say that cheap, easy, and effective techniques like phishing and malware distribution are still the obvious and most cost-effective choice for targeting individuals. Compared to those, Foreshadow would be impractical. Plus, SGX is a specialized feature that most people don't use. In other words, don't freak out.
But the findings still speak to longstanding questions and concerns about reliance on SGX—and whether for all its benefits it also has the downside of becoming a single point of failure for everyone's most sensitive software and data.
Meanwhile, though not every user relies on SGX, more and more secure services are exploring the possibility of using it in their consumer products—like the password manager 1Password and the end-to-end encrypted messaging app Signal. "This is not an attack on a particular user, it’s an attack on infrastructure," Yarom says.
Incoming Fix
Intel is in the process of releasing mitigations for Foreshadow, which it calls L1 Terminal Fault, that address both the software and microcode (hardware) issues. The company started distributing microcode fixes as part of a May/June release and coordinated across the software ecosystem with numerous key developers, including Microsoft, to begin distributing patches today. Linux is also expected to begin receiving fixes. And Intel maintains that the research, while important, represents risks that are extremely limited in practice.
"L1 Terminal Fault is addressed by microcode updates released earlier this year, coupled with corresponding updates to operating system and hypervisor software that are available starting today," Intel said in a statement. "We’d like to extend our thanks to the researchers ... and our industry partners for their collaboration in helping us identify and address this issue.”
"As soon as the attestation key sees the light of day, then everything kind of crumbles."
—Daniel Genkin, University of Michigan
One reason Intel needs to patch things quickly and thoroughly is that the company discovered that even more processor systems are susceptible to Foreshadow-type attacks than just SGX. Secure enclaves act as a sort of computer within a computer, so it stands to reason that Foreshadow attacks actually apply to other features with similar traits. For example, Foreshadow could potentially erode the isolation between virtual machines—distinct computing environments that can all share the same hardware. That could pose a serious risk to cloud companies, which use VMs to let customers share their infrastructure.
Similarly, Foreshadow attacks may threaten "hypervisors," which underlie and monitor virtual machines. There's even some evidence that Foreshadow could be used to attack a computer's fundamental coordinating layers that hold up the operating system, like the kernel and System Management Mode. The researchers themselves haven't empirically demonstrated these possible attacks, as they did with SGX, but Intel says that a big portion of its mitigation efforts are targeted toward ensuring that cloud providers and their users have the mitigations and guidance they need to fully implement protections.
And though the researchers applaud Intel's extensive efforts, they note that they can't know for sure that the defenses mitigate every possible permutation of a Foreshadow attack. "It's a very hard question," Genkin says. "We ran our code with the mitigations in place, and the attack didn’t work. But what does it mean? It's good for our set of tricks, but we cannot attest to something else."
The researchers and Intel both highly recommend that individuals and enterprises keep their devices up to date, and note that major cloud companies are already working on mitigating Foreshadow. The research "further underscores the need for everyone to adhere to security best practices," Intel executive vice president of product assurance and security Leslie Culbertson wrote in a blog post Tuesday.
Chip architecture continues to evolve to head off future speculative execution flaws; Intel says it has improvements in its pipeline that will come to market at the end of the year. But for now the parade of new, nasty attacks isn't over. Foreshadow may be a dramatic name, but in this case it's also apt.
=================================================================
Foreshadow and Intel SGX software attestation: 'The whole trust model collapses'
'The whole trust model collapses'; unless there is an activated TPM for sensitive data. imo.
After revoking the encryption keys (later in the article) used for authentication they could use better authentication in Wave VSC 2.0. imo.
https://www.theregister.co.uk/2018/08/15/foreshadow_sgx_software_attestations_collateral_damage/
El Reg talks to Dr Yuval Yarom about Intel's memory leaking catastrophe
Interview In the wake of yet another collection of Intel bugs, The Register had the chance to speak to Foreshadow co-discoverer and University of Adelaide and Data61 researcher Dr Yuval Yarom about its impact.
Dr Yarom explained that one of the big impacts of Foreshadow is that it destroys an important trust model – SGX attestations, which guarantee that the code you publish is the code someone else is running.
Think of it as tamper-evident packaging for software: having published your software, the SGX remote attestation will fail if someone changes it. If things are working properly, you only know a remote machine has signed the software – not whose machine it was.
If a Foreshadow (CVE-2018-3615) exploit were successful, it could break both the attestation and the privacy model.
Dr Yarom told us: “The main promise of SGX is that you can write code, and ship it to someone you do not fully trust. That person will run the code inside SGX on their machine, and you can see that whatever they run there is protected, because you know… they haven't modified your code, they haven't accessed the data that your code used.”
Someone writing a video player, he said, could use this as a rights protection mechanism: the player doesn't allow copying, and the publisher knows it's behaving correctly, because they're receiving the signed SGX attestation saying so.
“As part of our attack, what we managed to do is get the attestation keys.
“We can take your code, analyse it to see what it does, know how it should behave, change that behaviour – but we can fake the attestation,” he said – the code they run as attackers doesn't match the publisher's code, but the "tampered" code passes all the validity checks.
In the video player example, the attacker can change the code so it creates a copy of content, but still “allow it to attest to vendor of the software that it is still running, protected.”
"The whole trust model collapses," Dr Yarom told us.
In a press release from CSIRO/Data61, Dr Yarom said: "Intel will need to revoke the encryption keys used for authentication in millions of computers worldwide to mitigate the impact of Foreshadow."
As we observed reporting the vulnerability exploited by Foreshadow (and the other two vulnerabilities* that Intel discovered while investigating fixes), Intel created the exposure by prioritising performance over security, and Dr Yarom agreed.
“It's clear that Intel's recent design decisions focussed on how to optimise processors ... so that typical programs execute faster.
"What we now see is that these optimisations, particularly when we don't understand them, come at the cost of information about what the program is doing.”
He added that such decision-making isn't confined to Intel.
Dr Yarom said Intel's black-box approach to processors is the reason Data61 is putting its weight behind the RISC-V Foundation's open hardware efforts.
"It's about getting to know what's inside a processor, and getting to be able to make a guarantee of the behaviour of the processor.
"We need to make sure that these sorts of attacks aren't feasible, and for that we need the ability to reason about the behaviour of the processor," he said.
Dr Yarom was part of one of two teams who independently discovered Foreshadow, working with Marina Minkin and Mark Silberstein of Technion; Ofir Weisse, Daniel Genkin, Baris Kasikci, and Thomas Wenisch of the University of Michigan.
A team from the imec-DistriNet research group at the KU Leuven – Jo Van Bulck, Frank Piessens, and Raoul Strackx – made the same discovery independently.
Dr Yarom explained that after Meltdown and Spectre landed in January, it was clear to researchers that SGX was a logical next vector to attack.
"Marina [Minkin] had worked with SGX, we talked about it a bit, and she mentioned a scenario which in SGX caused an access violation exception, instead of falling into 'abort page semantics'. Because Meltdown is related to access violation exceptions we decided to give it a try."
Once you know where to look for a vulnerability, he said, "most of the hard part is done".
* The researchers have called two related vulns – CVE-2018-3620 and CVE-2018-3646 – "Foreshadow-NG" (next generation). Intel refers to the three flaws collectively as "L1 terminal fault".
Yarom and the rest of the team are presenting "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution" on 16 August at the Usenix Security conference.
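To make the "whole trust model collapses" point concrete, here is an added example (my own code, not Intel's, the researchers' or either article's) that models the attestation flow both pieces describe: the publisher checks a signed quote over the enclave's measurement, a tampered enclave on honest hardware is rejected, but once the platform's attestation key has been extracted the attacker can sign a quote claiming the genuine measurement while running modified code, and only revoking that key (the step Dr Yarom says Intel must take) stops it. Assumptions: the measurement is a SHA-256 of the enclave code, the EPID group signature is replaced by an HMAC under a key the verifier also holds (so the verifier here stands in for Intel's attestation service as well as the publisher), revocation is per key rather than EPID's group-based scheme, and all key IDs, code strings and nonces are invented.

```python
"""Why a leaked SGX attestation key breaks remote attestation, and what
revocation buys.

Added example modelling the trust relationship described in the Wired and
Register pieces; not Intel's, the researchers' or the articles' code.
Assumptions (all simplifications): measurement = SHA-256 of the enclave
code; the EPID group signature is replaced by an HMAC under a key shared
with the verifier; revocation is per key ID. Key IDs, code and nonces are
constructed.
"""
import hashlib
import hmac
import secrets


def measure(enclave_code):
    """Stand-in for MRENCLAVE: hash of the code loaded into the enclave."""
    return hashlib.sha256(enclave_code).hexdigest()


def sign_quote(key, key_id, measurement, report_data):
    """Produce a quote. Honest hardware only ever calls this with the true
    measurement; an attacker holding the raw key can call it with any."""
    msg = f"{key_id}|{measurement}|{report_data}".encode()
    return {"key_id": key_id, "measurement": measurement,
            "report_data": report_data,
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


class Platform:
    """A CPU holding a provisioned attestation key. leak_key() models the
    Foreshadow outcome: the key leaves the hardware."""
    def __init__(self, key_id, attestation_key):
        self.key_id = key_id
        self._key = attestation_key

    def quote(self, enclave_code, report_data):
        return sign_quote(self._key, self.key_id, measure(enclave_code), report_data)

    def leak_key(self):
        return self._key


class Verifier:
    """The party that shipped the code (the video publisher in Yarom's
    example), fused with the attestation service that knows the keys."""
    def __init__(self, expected_code, group_keys):
        self.expected = measure(expected_code)
        self.group_keys = dict(group_keys)   # key_id -> key ("the group")
        self.revoked = set()

    def revoke(self, key_id):
        self.revoked.add(key_id)

    def verify(self, q):
        """Return (accepted, reason)."""
        if q["key_id"] in self.revoked:
            return False, "revoked attestation key"
        key = self.group_keys.get(q["key_id"])
        if key is None:
            return False, "unknown key"
        msg = f'{q["key_id"]}|{q["measurement"]}|{q["report_data"]}'.encode()
        expected_sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(q["sig"], expected_sig):
            return False, "bad signature"
        if q["measurement"] != self.expected:
            return False, "unexpected enclave measurement"
        return True, "ok"


def scenario():
    """Honest quote, tampered code on honest hardware, forged quote after key
    extraction, and the effect of revoking the extracted key."""
    player = b"play(); deny_copy();"                 # the published enclave
    pirated = b"play(); write_copy_to_disk();"       # attacker's modification
    k_a, k_b = secrets.token_bytes(32), secrets.token_bytes(32)
    honest = Platform("cpu-A", k_a)
    victim = Platform("cpu-B", k_b)                  # where Foreshadow runs
    v = Verifier(player, {"cpu-A": k_a, "cpu-B": k_b})
    out = {}
    out["honest"] = v.verify(honest.quote(player, "nonce1"))
    out["tampered_on_honest_hw"] = v.verify(victim.quote(pirated, "nonce2"))
    stolen = victim.leak_key()
    forged = sign_quote(stolen, "cpu-B", measure(player), "nonce3")
    out["forged_after_leak"] = v.verify(forged)       # accepted: trust gone
    v.revoke("cpu-B")
    out["forged_after_revoke"] = v.verify(forged)
    out["other_cpu_after_revoke"] = v.verify(honest.quote(player, "nonce4"))
    return out


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:24} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

Two things the walk-through shows that the prose only asserts: the verifier has no way to tell the forged quote from a genuine one, because the only evidence it ever sees is the signature, and revocation is a blunt tool, since every enclave that was provisioned under the revoked key (not just the attacker's) loses attestation until re-provisioned, which is why the articles talk about millions of machines rather than one.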
To Identify a Hacker, Treat Them Like a Burglar
https://www.wired.com/story/case-linkage-hacker-attribution-cybersecurity/
Excerpt:
The hope is that behavioral patterns may be harder to spoof, and as a result, useful in unmasking digital perpetrators. Matt Wixey, the head of technical research at PwC's Cyber Security practice in the UK, sees potential value in that "case linkage" or "linkage analysis," a statistical technique historically used by law enforcement to connect multiple crimes to the same person. Wixey adapted case linkage for cybercriminals and conducted a study to see if it works, the results of which he will present at the DefCon hacking conference Sunday.
================================================================
PwC lauds Trusted Platform Module for strong authentication
migrating 150,000 users to TPM-based storage of private keys
https://www.wavesys.com/buzz/news/pwc-lauds-trusted-platform-module-strong-authentication
networkworld.com, Wednesday, September 15, 2010
Auditing and business-services firm PricewaterhouseCoopers (PwC) today said it's built its next-generation authentication system by swapping out employees' older software-based private-key certificates for hardware-based storage of new certificates using the Trusted Platform Module (TPM).
What is TPM?
TPM is a small chip embedded in laptops, says Boudewijn Kiljan, solution architect for global information technology, infrastructure portfolio, at PwC, which is migrating 150,000 users to TPM-based storage of private keys. The vast majority of computers on the market ship with TPM inside, and by adding TPM-based software from Wave Systems, it was fairly easy for PwC, which already had a public-key infrastructure (PKI) in place, to switch to hardware-based storage of private keys, the foundation for employee desktop authentication.
"Private keys protected by TPM are not exportable," Kiljan said. By contrast, the Microsoft-based software-only method that PwC had been using to store private keys appears far more vulnerable to an attacker intent on stealing private keys, he noted.
TPM, developed as a specification by the Trusted Computing Group (TCG), is an open standard so there's less worry about vendor lock-in than if a more proprietary method were selected, Kiljan pointed out. One thing to note about TPM is that it's a restricted technology in the countries of China, Russia, Kazakhstan and Belarus, he noted.
But while making the conversion to TPM has been fairly easy by adding TPM-supporting software from Wave Systems, there were a number of processes that the IT department at PwC had to follow to make it all work.
These included issuing new certificates for TPM, installing TPM drivers, and a process called enabling and clearing the TPM in the BIOS.
Technically, the TPM specification doesn't yet define a way to do this other than manually. But several vendors, including Wave Systems, now have toolkits to do this remotely and build management around it. That's what PwC used to activate TPM via administrator-controlled passwords.
PwC has already migrated about 35,000 employees to TPM, and expects to have all 150,000 over to TPM over the course of about a year or so. TPM works transparently to the user. Kiljan says estimates are that TPM is less than half the cost of going with a smartcard-based PKI device and a third of going with a USB PKI device.
===============================================================
If more companies were using two factor authentication like in PWC's case or Wave VSC 2.0, Matt Wixey (PWC) wouldn't have nearly as many cases to solve. imo. With a leading global financial services company (had signed a 5 year deal with Wave), PWC and a U.S. government agency having no visible complaints about Wave VSC 2.0 or two factor authentication (PWC), it would seem that Wave has two enormous companies and the U.S. government as shining examples for their technology.
================================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA, October 2, 2014
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
==================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
==================================================================
Wave Announces 5-Year Master License Agreement for Virtual Smart Card 2.0 with Leading Global Financial Services Company
Wins competitive evaluation against market leader in two-factor authentication tokens
Lee, MA, December 17, 2015
Wave Systems Corp. (NASDAQ: WAVX) announces a five-year master licensing agreement (MLA) with a leading global corporation (as determined by the 2015 Fortune Global 500 List) for its Virtual Smart Card 2.0 solution. This MLA sets the terms and pricing for licenses and maintenance across the customer’s global organization and establishes it as their preferred two-factor authentication solution. Instead of one large license purchase for the entire organization, each of the customer’s subordinate divisions will make separate orders in accordance with the terms of this MLA.
The first purchase of 2,000 VSC 2.0 licenses under this agreement, when added to a previous purchase, completes the requirement for the customer’s global IT division. That division will now lead the internal effort to standardize the remaining 150,000+ endpoints within their organization with the new Wave VSC 2.0 solution. While there are no minimum order requirements under the agreement, discussions for additional orders are underway.
“Our five-year agreement with this customer is the first very large scale contract for VSC 2.0 and is an important milestone for Wave,” said Bill Solms, President and CEO of Wave Systems. “This customer is a major global financial services company and their standards for protecting their systems from unauthorized access and the integrity of their data are of the highest order. Wave had to pass a very rigorous technical and business review to win the competition. We believe that this client’s decision to choose Wave Virtual Smart Card 2.0 over their incumbent solution gives us tremendous credibility in the two-factor authentication market. We will remain engaged with this company in order to complete the additional sales and deployments in the months ahead.”
Wave Virtual Smart Card 2.0 is a tokenless, hardware-based, two-factor authentication solution that offers superior security at less than half the cost of comparable solutions. It is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7, 8 and 10. It also provides management support for the Microsoft Virtual Smart Card on Windows 8 and 10. Wave’s VSC solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, significantly lower total cost of ownership, and a greatly reduced risk of unauthorized access.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure Passphrase and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with both TPM 1.2 and TPM 2.0 security chips
Hundreds of Netflix, HBO, DirecTV and Hulu credentials for sale on dark web
https://www.scmagazine.com/hundreds-of-netflix-hbo-directv-and-hulu-credentials-for-sale-on-dark-web/article/788467/
Hundreds of listings advertising login credentials for the most popular streaming services have been spotted on the dark web for the average price of less than a month's paid service on nearly any one of the platforms.
Hundreds of stolen Netflix, HBO, DirecTV and Hulu accounts were found at an average price of $8.81, less than the cost of a monthly subscription for most of the services, which range from $7.99 per month for Hulu's lowest tier plan to $15 per month for HBO Go.
In April 2018, Irdeto researchers discovered 854 listings of OTT credentials from 69 unique sellers across more than 15 dark web marketplaces, the content-security firm told Variety.
Researchers also noted that illegal live streaming has become a global problem as well with an average of 74 million global visits per month to the top 10 live-streaming sites in Q1 2018 with most traffic coming from the U.S., the U.K., and Germany. Irdeto also noted several ads for “fully loaded” set top boxes that had been modified to illegally stream content, on e-commerce sites such as eBay.
================================================================
Use of the TPM for device authentication could save these companies a lot of money (as these credentials exist in probably much larger numbers). Wavexpress had this technology and it could be licensed out to these companies. imo. Also, as the network starts costing users money, downloaded movies in off peak hours could save users and providers money. It seems that AT & T, Verizon and/or Comcast would want to snap up the retired Wavexpress and its technology. With Terabytes being more common for storage, personal movie libraries could be the 'Wave'xpress of the future. imo.
New Vuln in Microsoft Active Directory lets attackers bypass multi factor authentication
https://www.cyberscoop.com/microsoft-active-directory-vulnerability-multi-factor-authenication/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=75745899&utm_medium=social&utm_source=twitter
A vulnerability in Microsoft’s popular identity management directory could let an attacker breach multiple employee accounts in an organization by circumventing multi-factor authentication, according to new research from identity security company Okta.
The directory in question is Microsoft’s Active Directory Federation Services (ADFS), which allows business partners from different organizations to sign in to shared web applications. A weakness in the multi-factor authentication protocol for ADFS means that a hacker equipped with a user’s password and second “factor,” such as an SMS message, could use that factor in place of any other employee’s in the organization, according to Okta. To breach another user in the organization, the hacker would need access to his or her user name and password on the same ADFS service.
“Simply put, if just one employee in a global company wanted to – or if a bad actor compromised the account of one employee – they could do a lot of harm by compromising unsuspecting colleagues, senior executives, or even the CEO with this vulnerability,” wrote Matias Brutti, Okta’s director of research and exploitation.
Microsoft has released a patch for the vulnerability. Given that ADFS is “a legacy, on-premises solution, customers and IT administrators are strongly encouraged to stay on their toes and patch their systems to ensure the security of their organizations,” Brutti wrote.
In a blog post, Andrew Lee, the Okta security engineer who found the vulnerability, likened its exploitation “to turning a room key into a master key for every door in the building – but in this building, each door has a second lock that accepts a passcode.”
The vulnerability stems from a “failure to cryptographically enforce the integrity and authenticity of relationships between the two pieces of identity — the primary credentials and the second factor,” Lee wrote.
Information security professionals have weighed in on the merits of two-factor authentication via SMS following the breach in June of Reddit, one of the world’s most popular websites. Hackers compromised the accounts of several Reddit employees by intercepting SMS messages used to log them in.
Experts say the breach was a reminder of the security limits of two-factor authentication via SMS, but also emphasize that it is, of course, still better than having no second factor at all. Upgrading to a hardware token thwarts attacks that rely on an SMS intercept.
=================================================================
Microsoft ADFS flaw allows attackers to bypass MFA safeguards
https://www.helpnetsecurity.com/2018/08/14/cve-2018-8340/
A vulnerability (CVE-2018-8340) in Microsoft Active Directory Federation Services (ADFS) allows a second authentication factor for one account to be used for all other accounts in an organization, Okta REX Security Engineer Andrew Lee has discovered.
By employing some simple phishing and leveraging the flaw, an attacker could compromise accounts belonging to other employees or executives and access sensitive information through a variety of company resources.
About the vulnerability (CVE-2018-8340) and possible attacks
“Many organizations rely on ADFS to manage identities and resources across their entire enterprise. In this role, ADFS functions as an organizational gatekeeper,” Lee explained.
“ADFS Agents are extensions of ADFS that enable it to interoperate with an MFA provider by delegating second-factor authentication to the provider. MFA providers include Microsoft itself and third-party vendors like Okta, Gemalto, Duo, Authlogics, RSA, and SecureAuth.”
The discovered vulnerability arises from the fact that the protocol checks the credentials and the second authentication factor for validity, but not whether the provided second factor is associated with the actual account being logged into.
“First, the attacker submits the credentials for Alice and Bob at the AD login page, in two separate browsers, one for each account. The attacker observes the responses from the AD server, and finds the information associated with the second factor authentication flow for each user, the MFA Context and MFA Token,” Lee shared.
“The responses also come with new session cookies. By combining Bob’s MFA Context with Alice’s session cookie, the attacker can finish logging in as Alice using Bob’s second factor and MFA Token. The attacker does not need Alice’s second factor to log into her account — Alice’s second factor could meanwhile stay safe and sound in her pocket as her account is being compromised.”
The most obvious person to perform a successful attack by leveraging this flaw is a malicious insider with his own legitimate account.
An attacker could also first compromise an account for which the legitimate owner has not yet enrolled a second factor (the attacker can do that instead after phishing the login credentials) or can social engineer the IT help desk into resetting the second factor of the first account he or she means to compromise.
These attack scenarios are easier to pull off with a lower-privileged account and, once that access is achieved, the attacker can leverage this vulnerability to easily compromise an account with high privileges.
What now?
Okta has attempted a mitigation in its ADFS Agent, but it turned out not to be compatible with all ADFS environments. They’ve also reported the flaw to Microsoft, and the company has released patches today.
“Organizations that have set up ADFS with an ADFS MFA Agent should consider updating Microsoft ADFS. Microsoft’s patch should fix the vulnerability without applying any update to ADFS agents,” Lee advised.
Okta did not have to implement changes in its ADFS Agent, but advises users of other ADFS Agents to check with their vendors to see if they need to update them.
================================================================
Under Wave VSC 2.0 the attacker would have a difficult time in phishing the user's password since one can't phish a PIN number unless the target somehow made a password their PIN number. And the attacker would need to possess the potential target's PC.
It seems Wave VSC 2.0 has an advantage over the third parties in this article and is one of the many reasons why it has better security. imo.
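To make the missing check in the two articles above concrete, here is an added toy model (my own illustration, not Okta's or Microsoft's code, and not how ADFS itself is built) of a two-step login that validates the second factor without binding it to the session, beside a variant that binds the MFA context to the session cookie and username with an HMAC; the MfaBroker class, the account table and the one-time codes are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed test accounts: username -> (password, current one-time code)
USERS = {
    "alice": ("alice-pw", "111111"),
    "bob": ("bob-pw", "222222"),
}


class MfaBroker:
    """Toy two-step login: primary credentials, then a second factor.

    bind_context=False models the design flaw the articles describe: the
    second factor is checked for validity, but nobody checks that it belongs
    to the account the session is logging into.
    bind_context=True models a fix: the MFA context is an HMAC over the
    session cookie and the username, so a context minted for one session
    cannot be presented with another session's cookie.
    """

    def __init__(self, bind_context):
        self.bind_context = bind_context
        self._key = secrets.token_bytes(32)  # server-side signing key (constructed)
        self.sessions = {}                   # cookie -> username (step 1 done)
        self.pending = {}                    # mfa_context -> username (unbound variant)

    def _bound_context(self, cookie, user):
        msg = f"{cookie}|{user}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def primary_login(self, user, password):
        """Step 1: verify the password; return (session cookie, MFA context)."""
        entry = USERS.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        if self.bind_context:
            context = self._bound_context(cookie, user)
        else:
            context = secrets.token_hex(16)
            self.pending[context] = user
        return cookie, context

    def second_factor(self, cookie, context, otp):
        """Step 2: finish the login. Returns the authenticated username or None."""
        sess_user = self.sessions.get(cookie)
        if sess_user is None:
            return None
        if self.bind_context:
            # Fixed: recompute the context for *this* session's user; a context
            # issued to another session or user will not match.
            expected = self._bound_context(cookie, sess_user)
            if not hmac.compare_digest(expected, context):
                return None
            factor_owner = sess_user
        else:
            # Flawed: look up whoever the context was issued to and verify
            # *their* code; factor_owner is never compared with sess_user.
            factor_owner = self.pending.pop(context, None)
            if factor_owner is None:
                return None
        if not hmac.compare_digest(USERS[factor_owner][1], otp):
            return None
        return sess_user


def mismatched_context_accepted(broker):
    """True if alice's session can be completed with bob's MFA context and
    code, i.e. the second factor is not tied to the account being logged into."""
    alice_cookie, _ = broker.primary_login("alice", "alice-pw")
    _, bob_context = broker.primary_login("bob", "bob-pw")
    result = broker.second_factor(alice_cookie, bob_context, USERS["bob"][1])
    return result == "alice"


def legitimate_login_works(broker):
    """Sanity check: the account owner with their own factor still gets in."""
    cookie, context = broker.primary_login("alice", "alice-pw")
    return broker.second_factor(cookie, context, USERS["alice"][1]) == "alice"


if __name__ == "__main__":
    print("unbound accepts swapped factor:", mismatched_context_accepted(MfaBroker(False)))
    print("bound accepts swapped factor:  ", mismatched_context_accepted(MfaBroker(True)))
```

The defender's takeaway is the check in the bound branch: validity of a second factor is not enough, the server must verify which primary identity that factor was issued for.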
Hacker Unlocks 'God Mode' and Shares the 'Key'
https://www.darkreading.com/vulnerabilities---threats/hacker-unlocks-god-mode-and-shares-the-key/d/d-id/1332543?_mc=KJH-Twitter-2018-07
At Black Hat USA and DEF CON, researcher Christopher Domas showed how he found backdoors that may exist in many different CPUs.
When a room filled with hundreds of security professionals erupts into applause, it's notable. When that happens less than five minutes into a presentation, it's remarkable. But that's what transpired when security researcher Christopher Domas last week showed a room at Black Hat USA how to break the so-called ring-privilege model of modern CPU security.
In the hardware, different types of accounts are assigned to different "rings of privilege," with users at ring three and the system administrator at ring 0. Domas in his research hacked the ring with a string consisting of four hexadecimal characters. Such an attack could allow a program from a "regular" user to assume kernel-level control, executing at a higher privilege than most security software - and bypassing the vast majority of techniques used by anti-malware and hardware control systems today.
Domas, well-known in the security research community for his dissections of the X86 instruction set, titled his presentation "God Mode Unlocked: Hardware Backdoors in X86 CPUs." In talks at both Black Hat USA and DEF CON in Las Vegas, he not only proved that he had done just that, but he also shared the "how" with the world.
There are, luckily for the global IT security community, limitations to the research. The target was an older processor, with the C3 Nehemiah core, generally used in the embedded systems market. As a proof-of-concept, though, the research has profound implications for IT security.
The secret, Domas found, was making use of model-specific-registers (MSRs) - special CPU registers used in addition to the normal registers used in programming - to instruct the CPU to do things that its designers don't want it to do. And the secret isn't in the existence of MSRs — those are known. It's in the existence of so many MSRs, including many that the system designers and vendors don't include in any documentation.
Domas' research computer farm and methodology included multiple computers running specific instructions and reporting which ones returned fault conditions.
On the target CPUs, Domas found 1,300 MSRs. He said exploring all of those would have taken far too long, so he developed a method for understanding which were unique - and therefore not functional duplicates of one of the other, more commonly used registers - based on how long it took to send an instruction and return a value.
Justification for this (and later) effort came from a series of patent filings Domas analyzed which hinted at a mysterious core to the x86 core in modern Intel-architecture CPUs. This DEC - a term Domas invented to describe a secondary core not generally known to software developers that is designed to enable functions also generally unknown to developers - shares portions of the instruction pipeline with the x86. But it's also its own entity with its own architecture.
Getting access to the DEC, Domas speculated, would require a global configuration register and a launch instruction — neither of which is documented. And there, his research got very real.
Domas reverse-engineered both the architecture and instruction set of the DEC. The latter, he said, involved 4,000 hours of compute time which generated 15 gigabytes of logs. When analyzed, the logs yielded the instruction for launching the DEC, completing tasks, and completely bypassing all of the protections of the ring-privilege model.
So a limited user account could execute code as the system administrator without being known or challenged. This would break virtually every anti-malware and device security system in use.
This very specific CPU vulnerability is unlikely to be used in widespread attacks against an enterprise because of the age and limited application of the CPUs involved. As Domas says, though, this is a proof-of-concept that may lead other researchers to seek similar vulnerabilities in more modern and widely used CPUs.
Domas has released his toolset in Project Rosenbridge on GitHub, and is actively seeking other researchers to add to and continue the work.
================================================================
Hacker Finds Hidden 'God Mode' on Old x86 CPUs
https://www.tomshardware.com/news/x86-hidden-god-mode,37582.html
LAS VEGAS — Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU, security researcher Christopher Domas told the Black Hat conference here Thursday (Aug. 9).
The command — ".byte 0x0f, 0x3f" in Linux — "isn't supposed to exist, doesn't have a name, and gives you root right away," Domas said, adding that he calls it "God Mode."
The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces ("userland") run in ring 3, furthest from the kernel and with the least privileges. To put it simply, Domas' God Mode takes you from the outermost to the innermost ring in four bytes.
"We have direct ring 3 to ring 0 hardware privilege escalation," Domas said. "This has never been done."
That's because of the hidden RISC chip, which lives so far down on the bare metal that Domas half-joked that it ought to be thought of as a new, deeper ring of privilege, following the theory that hypervisors and chip-management systems can be considered ring -1 or ring -2.
"This is really ring -4," he said. "It's a secret, co-located core buried alongside the x86 chip. It has unrestricted access to the x86."
The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it's entirely possible that such hidden backdoors exist on many other chipsets.
"These black boxes that we're trusting are things that we have no way to look into," he said. "These backdoors probably exist elsewhere."
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents. He found one — US8341419 — that mentioned jumping from ring 3 to ring 0 and protecting the machine from exploits of model-specific registers (MSRs), manufacturer-created commands that are often limited to certain chipsets.
Domas followed the "trail of breadcrumbs," as he put it, from one patent to another and figured out that certain VIA chipsets were covered by the patents. Then he collected many old VIA C3 machines and spent weeks fuzzing code.
He even built a testing rig consisting of seven Nehemiah-based thin clients hooked up to a power relay that would power-cycle the machines every couple of minutes, because his fuzzing attempts would usually crash the systems. After three weeks, he had 15 GB of log data — and the instructions to flip on the backdoor in the hidden RISC chip.
"Fortunately, we still need ring 0 access to start the launch process, right?" Domas asked. "No. Some of the VIA C3 x86 processors have God Mode enabled by default. You can reach it from userland. Antivirus software, ASLR and all the other security mitigations are useless."
Domas has put all his research, plus tools to check whether your VIA C3 CPU might have an undocumented coprocessor and to disable the coprocessor by default, up on his GitHub page at https://github.com/xoreaxeaxeax/rosenbridge.
==============================================================
Are 'all' the security mitigations really useless?
==============================================================
https://www.wavesys.com/malware-protection
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient 0 that discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
The extent of APTs seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating their undetected time of life in the wild. With online tools, even a non-technical person can create one easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this Cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware’s more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
Antivirus software can’t detect rootkits and other malware; it works at the level of the OS and isn’t very good at seeing deeper into the system. For example, it can’t tell whether the boot record is lying. The Wave alternative is to work with the Trusted Platform Modules (TPMs), or security chips, embedded in your devices. By using the TPM to attest to the security of the device each time that device boots, Wave looks below the operating system and can help detect threats lurking there. Every time a device boots up, Wave Endpoint Monitor makes a comparison against previous boot values, and if anything deviates from the norm, it alerts you immediately.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
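As an added illustration of the boot-value comparison the Endpoint Monitor page describes (my own example, not Wave's code, whose internals are not given here), this script simulates how firmware, boot manager and policy measurements extend TPM PCRs, parses a SHA-256 bank readout in the layout tpm2_pcrread prints, and reports which PCRs deviate from a stored baseline; the boot component blobs and the readouts are constructed.

```python
import hashlib
import re

# TCG PC Client PCR usage for the early-boot registers; a deviation in one of
# these tells the responder which boot stage changed.
PCR_MEANING = {
    0: "platform firmware code",
    1: "platform firmware configuration",
    2: "option ROM code",
    3: "option ROM configuration",
    4: "boot manager / MBR code",
    5: "boot manager configuration / GPT",
    7: "secure boot policy",
}

# Constructed boot sequence: (PCR index, bytes measured into it), in boot order.
GOOD_BOOT = [
    (0, b"firmware-v1"),
    (1, b"setup-config"),
    (4, b"bootmgr-v1"),
    (5, b"gpt-layout"),
    (7, b"secureboot-policy"),
]
# Same machine, but the boot manager image has been altered.
TAMPERED_BOOT = [(4, b"bootmgr-v1-with-bootkit") if i == 4 else (i, m) for i, m in GOOD_BOOT]


def extend(pcr_hex, measurement):
    """TPM extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement))."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(bytes.fromhex(pcr_hex) + digest).hexdigest()


def simulate_boot(components):
    """Replay a boot from all-zero PCRs and return {index: hex value}."""
    pcrs = {i: "00" * 32 for i in range(8)}
    for idx, blob in components:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs


def render_pcrread(pcrs):
    """Lay out a sha256 bank the way tpm2_pcrread prints it (constructed data)."""
    lines = ["sha256:"]
    for idx in sorted(pcrs):
        lines.append(f"  {idx:<2}: 0x{pcrs[idx].upper()}")
    return "\n".join(lines)


def parse_pcrread(text):
    """Parse the sha256 bank of a tpm2_pcrread-style readout into {index: hex}."""
    pcrs, bank = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+):\s*$", line)
        if head:
            bank = head.group(1)
            continue
        entry = re.match(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$", line)
        if entry and bank == "sha256":
            pcrs[int(entry.group(1))] = entry.group(2).lower()
    return pcrs


def compare_boot(baseline, current):
    """Return (index, meaning, baseline, current) for every PCR that differs
    from the stored baseline, including registers missing on either side."""
    findings = []
    for idx in sorted(set(baseline) | set(current)):
        before, now = baseline.get(idx), current.get(idx)
        if before != now:
            findings.append((idx, PCR_MEANING.get(idx, "unassigned"), before, now))
    return findings


if __name__ == "__main__":
    baseline = simulate_boot(GOOD_BOOT)   # captured once on a known-good boot
    readout = render_pcrread(simulate_boot(TAMPERED_BOOT))
    for idx, meaning, before, now in compare_boot(baseline, parse_pcrread(readout)):
        print(f"ALERT PCR{idx} ({meaning}) changed: {before[:12]}... -> {now[:12]}...")
```

Because extend is a one-way chain, a changed boot manager shows up only in PCR 4 here; a real monitor also has to re-baseline after approved firmware or boot-loader updates, or every legitimate patch raises the same alert.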
Vulnerabilities in smart card drivers open systems to attackers
https://www.helpnetsecurity.com/2018/08/13/vulnerabilities-smart-card-drivers/
Security researcher Eric Sesterhenn of X41 D-SEC GmbH has unearthed a number of vulnerabilities in several smart card drivers, some of which can allow attackers to log into the target system without valid credentials and achieve root/admin privileges.
“A lot of attacks against smart cards have been performed in the past but not much work has focused on hacking the driver side of the smart card stack [the piece of software that interacts with chip cards when a card is inserted into reader]. Smartcard drivers present a very interesting target from the attacker's point of view since they contain multiple parsers and usually run with high privileges (e.g. root on linux systems),” Sesterhenn pointed out.
As the company’s CEO Markus Vervier noted, the potential for abuse of these vulnerabilities is frightening – (vulnerable) smart card software stack implementations are used in ATMs, door locks and so on.
About the vulnerabilities
Sesterhenn tested a number of open source smart card drivers developed by Yubico, OpenSC and the Apple Smart Card Services project.
He extended the company’s fuzzing framework and developed several tools that allowed him to test the OpenSC smart card stack, PCSC-based drivers on Linux and Winscard based smartcard drivers on Microsoft operating systems.
Most of the vulnerabilities he discovered are buffer overflows, out of bounds memory reads/writes, and logic bugs, and successful exploitation of some of them can lead to code execution, DoS, and authentication bypass.
The flaws can be exploited via malicious smartcards.
All of the vendors and maintainers have been informed and some fixes have already been released (for Yubico PIV, the Apple Smart Card Services components).
The vulnerable libykneomgr library (used by Yubico) won’t be updated because it’s deprecated, and OpenSC has not yet provided fixes for OpenSC and the pam-pkcs11 library, so X41 has decided to release temporary bugfixes themselves.
Sesterhenn has presented his research at this year’s edition of DEF CON in Las Vegas.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Wave and LynuxWorks First to Demonstrate Management and Support for Self-Encrypting Drives in a Secure Virtual Environment
https://www.wavesys.com/buzz/pr/wave-and-lynuxworks-first-demonstrate-management-and-support-self-encrypting-drives-secure-v
This is certainly old news but the part about SEDs and hypervisors caught my eye. If board members are on multiple boards of different companies, a laptop such as this might be useful for the board members. Are many current board members on multiple boards taking their computer's security this seriously 10 years later from the 'whalephish' in the previous post?
Lee, MA and San Jose, CA - September 14, 2010 - Wave Systems Corp. (NASDAQ:WAVX www.wave.com) and LynuxWorks™ today announced their collaboration on the use of a self-encrypting hard drive to provide data-at-rest protection alongside the LynxSecure separation kernel and hypervisor securely running multiple operating systems on a PC. This capability is significant because it solves the complexity and performance issues typically associated with encrypting data on virtual machines running different operating systems. The demonstration takes place this week at the National Security Agency's (NSA) Trusted Computing Conference and Exposition (Orlando, September 14-16) and again at the Embedded Systems Conference (Boston, September 21-22).
Virtualization allows IT to run multiple virtual machines on a single physical machine. Each virtual machine shares the resources of a single computer across multiple environments, allowing different operating systems and multiple applications to run simultaneously. Although virtualization technology isn't new, it's becoming increasingly viable as computing becomes more powerful and disk capacity increases. Secure virtualization helps to partition traditionally unsecure environments like Internet browsing from corporate applications and data that are housed on the same PC.
The use of virtualization in a laptop (made possible via a component called a hypervisor) can make it difficult to protect data using software encryption, which is a key method for securing data on laptops against theft. A separate software encryption program must run on each virtual machine. Self-encrypting hard drives (SEDs) are a better option; they are more secure and because encryption is "built in," data is protected at all times, regardless of which virtual machine or operating system is used. The result: laptop data is always protected if a device is lost or stolen. The combination of an SED with a secure virtualization solution could offer laptop users the best of both worlds. As many companies are evaluating client-side virtualization as part of their overall security strategy, SEDs should be given strong consideration.
Demonstration in Focus: Two Operating Systems, One Laptop + One SED
For their demonstrations, Wave and LynuxWorks will use an off-the-shelf Dell Latitude equipped with a Seagate FIPS Level-2-compliant SED managed by Wave's EMBASSY® Trusted Drive Manager. Trusted Drive Manager will run within a Windows virtual machine managed by the LynuxWorks' LynxSecure hypervisor. Another operating system, either Linux or Google Chrome, will also run simultaneously on the laptop and provide a domain used for browsing and accessing the open Internet, without compromising the Windows virtual machine. With this configuration, the SED can be fully provisioned and managed on the laptop and Wave's enterprise management software can prove encryption is in place at all times to ensure regulatory compliance.
"There is tremendous benefit in combining industry-standard hardware encryption with secure virtualization technology," said Gurjot Singh, CEO and President of LynuxWorks. "The two technologies help to protect the important data that resides on a laptop either at rest or while on-line, and represents a huge leap forward in safeguarding information from physical or cyber crime."
"LynuxWorks is a first mover in the secure hypervisor virtualization field, as they immediately appreciated the value of secure drive technology and its applications to the enterprise," said Dr. Robert Thibadeau, Wave's Chief Scientist and Senior Vice President. "In addition to managing an SED on a hypervisor-controlled laptop, we'll showcase some additional security features—notably the capability for containing cyber attacks, and isolating the open Internet from corporate applications and data. We're excited to show these capabilities and more."
About LynuxWorks
LynuxWorks, a world leader in the embedded software market, is committed to providing open and reliable real-time operating systems (RTOS) and software tools. The company's LynxOS family of operating systems offer open standards with the highest level of safety and security features, enabling many mission-critical systems in defense, avionics and other industries. The latest product in the portfolio, the award-winning LynxSecure, offers a secure separation kernel and embedded hypervisor that forms a platform for the development of high-assurance systems. Since it was established in 1988, LynuxWorks has created technology that has been successfully deployed in thousands of designs and millions of products made by leading communications, avionics, aerospace/defense, and consumer electronics companies. LynuxWorks' headquarters are located in San Jose, California.
What is phishing? How this cyber attack works and how to prevent it
https://www.csoonline.com/article/2117843/phishing/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html#tk.twt_cso
Excerpt:
Whale phishing
Whale phishing, or whaling, is a form of spear phishing aimed at the very big fish — CEOs or other high-value targets. Many of these scams target company board members, who are considered particularly vulnerable: they have a great deal of authority within a company, but since they aren't full-time employees, they often use personal email addresses for business-related correspondence, which doesn't have the protections offered by corporate email.
Gathering enough information to trick a really high-value target might take time, but it can have a surprisingly high payoff. In 2008, cybercriminals targeted corporate CEOs with emails that claimed to have FBI subpoenas attached. In fact, they downloaded keyloggers onto the executives' computers — and the scammers' success rate was 10%, snagging almost 2,000 victims.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Key Features:
Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
Low TCO
• Reduce operating expenses by eliminating password reset and shortening deployment times
• Minimize capital expenses by using hardware you already have
• Integrate with Microsoft Active Directory for IT familiarity
Superior User Experience
• No more tokens or smart cards to achieve two-factor authentication
• Eliminate VPN/WiFi/website passwords for faster access to resources
• No add-on software means improved OS performance
Flexibility
• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console
• Create custom management policies to suit your organization’s needs
• User and device authentication from a common console
Seamless Device Authentication
• Access control over wireless (i.e. 802.1x)
• Single sign-on
• VPN authentication (i.e. Microsoft DirectAccess)
=================================================================
https://www.wavesys.com/malware-protection
What is malware?
Malware is a general name for software that installs on your organization's computers and creates damage. It includes computer viruses, worms, Trojans, spyware, adware, rootkits, Advanced Persistent Threats and more. These malicious programs could be created by a tenacious adversary, or by financially motivated criminals and inserted into your organization's computers. They may lie there undetected for months or secretly do things like log your keystrokes, steal your passwords, harvest your address book, observe where you go on the Internet, report sensitive data to distant servers, or even wipe or encrypt your data. Recent high profile malware attacks on utilities and countries, even, introduced contaminated software reported to alter the working of physical devices, like uranium enrichment centrifuges, oil rig equipment and water pumps. Malware can be introduced through a web download, an email attachment or even a USB external device for networks that are not connected to the internet.
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient 0 that discovers he is infected, for the rest of the world to benefit from it. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strand of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs would use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine tune the behavior of the malware he is writing against various known anti-malware software solutions, so that it can evade detection for long periods of time.
A further challenge for anti-malware software is that it commonly works at the OS level. It isn’t very good at seeing deeper into the system, where some malware lives. Malware can hide from anti-malware by feeding it false results as it lies lower in the stack.
The extent of APTs seems wider each week. News stories about targeted attacks on organizations appear weekly. Even more stories do not appear, as some malware is not detected for very long periods of time. Some malware described as "cutting edge" has code components that have been available for 3 and 4 years, thus dating their undetected time of life in the wild. With online tools, even a non-technical person can create one easily. And there are more ways than ever for malware to spread: the Internet, personal computing devices, downloads, email, social media sites. Government agencies recognize it as a growing threat. Early detection is the highest priority in this Cyberwar. In 2011 NIST published guidelines for establishing a chain of trust for the basic input/output system (BIOS), which initializes a computer when it boots up. This critical system is one of malware’s more consequential targets and an area specifically protected by Wave Systems in its products and in its thinking.
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
Which other attack vector should you watch? One common vector that is used to attack even the most secure networks is physical devices – connected to USB, FireWire or SD. Our Data Protection Suite AV scanner allows you to block any unscreened device from connecting to any machine in the organization, until it has been scanned for known malware.
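The signature-versus-heuristics point above can be demonstrated with a small detector. This is an added example, not code from Wave or from the page: it keeps a hash blocklist (the "signature" a vendor ships after patient zero) and a handful of constructed content heuristics, then runs both over a constructed "known" sample, a one-byte variant of it, and a benign file. The sample bytes, the heuristic patterns and the threshold are all invented for the illustration.

```python
"""Signature matching vs. heuristic scoring on constructed samples.

Added example, not the page's or Wave's code. Samples below are harmless
byte strings that merely contain telltale substrings; they are constructed
for this demonstration.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed "known bad" sample: imagine this is the binary patient zero
# submitted, so every vendor now has its hash.
KNOWN_SAMPLE = (
    b"MZ\x90\x00PE\x00\x00"
    b"cmd.exe /c powershell -EncodedCommand AAAA "
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
)

# The same program with one byte changed: a trivial rebuild that changes the
# hash but not the behaviour. (Constructed.)
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"AAAA", b"AAAB")

# A benign file that should not trip either check. (Constructed.)
BENIGN_SAMPLE = b"MZ\x90\x00PE\x00\x00hello world, this program prints a greeting"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: exact hashes of samples already seen in the wild.
SIGNATURES = {sha256_hex(KNOWN_SAMPLE)}


def signature_match(data: bytes) -> bool:
    """Exact-match signature check: only previously seen hashes are flagged."""
    return sha256_hex(data) in SIGNATURES


# Content heuristics: (pattern, weight, label). These are illustrative rules,
# not a vendor's real ruleset. Raw bytes regex, case-insensitive.
HEURISTICS: List[Tuple[re.Pattern, int, str]] = [
    (re.compile(rb"powershell\s+-enc(odedcommand)?\b", re.I), 2, "encoded PowerShell launch"),
    (re.compile(rb"CurrentVersion\\Run", re.I), 2, "Run-key persistence string"),
    (re.compile(rb"cmd\.exe /c", re.I), 1, "shell spawn"),
]
THRESHOLD = 3  # arbitrary cut-off for this example


def heuristic_score(data: bytes) -> Tuple[int, List[str]]:
    """Sum the weights of every heuristic that fires and list the reasons."""
    score, reasons = 0, []
    for pattern, weight, label in HEURISTICS:
        if pattern.search(data):
            score += weight
            reasons.append(label)
    return score, reasons


def heuristic_match(data: bytes) -> bool:
    return heuristic_score(data)[0] >= THRESHOLD


def classify(data: bytes) -> Dict[str, object]:
    """Run both detectors and report which one caught the sample, if any."""
    score, reasons = heuristic_score(data)
    return {
        "sha256": sha256_hex(data),
        "signature": signature_match(data),
        "heuristic": score >= THRESHOLD,
        "score": score,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, classify(sample))
```

Running it shows the known sample caught by both checks, the one-byte variant caught only by the heuristics, and the benign file caught by neither. The same asymmetry is what the paragraph describes: a hash signature is only as good as the last sample somebody submitted, while behaviour-based rules trade that brittleness for a tuning problem of their own.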
Mobile Security Market - Wave
https://www.wavesys.com/search/node/mobile
Wave had some key partnerships with DMI, Trusted Logic (now Gemalto), ARM (the previous two make up Trustonic), Samsung, Widepoint and others. Wave seems to have a key piece of the puzzle and certain companies could serve up a Win/Win situation for a large mobile security market.
search on Wave's site under 'mobile'
Wave Joins Industry Thought Leaders on Mobile Security Panel at Interop NY
... New York, NY. The panel, titled “New Strategies for Mobile Security,” brings together industry leaders to discuss the current state of mobile security and the challenges present. WHAT: Interop New York ...
https://www.wavesys.com/buzz/pr/wave-joins-industry-thought-leaders-mobile-security-panel-interop-ny
Solution Brief: Data Protection for a Mobile World
... Solution Brief: Data Protection for a Mobile World Created on: Last updated: Version: ...
https://www.wavesys.com/solution-brief-data-protection-mobile-world
DMI and Wave Partner to Secure the Mobile Enterprise
... ) Digital Management Inc. (DMI) , a leading provider of mobile enterprise solutions and services, and Wave Systems Corp. (NASDAQ: ... a range of trusted computing solutions to better secure mobile environments. Under the terms of this partnership, DMI and Wave will ...
https://www.wavesys.com/buzz/pr/dmi-and-wave-partner-secure-mobile-enterprise
Trusted Logic Mobility and Wave Present Joint Security Solution for PCs and Mobile Devices
... Mobility, the leading provider of security solutions for mobile and connected devices, and Wave Systems Corp. (NASDAQ:WAVX ... normally associated to their PC assets to also cover mobile devices. The joint solution complies with the latest industry security ...
https://www.wavesys.com/buzz/pr/trusted-logic-mobility-and-wave-present-joint-security-solution-pcs-and-mobile-devices
Wave Chief Scientist to Present on Mobile Security Breakthroughs at Federal Cybersecurity Conference
... on open standards can thwart threats present in laptops or mobile devices at the firmware level. Dr. Thibadeau will educate attendees on ... of the Trusted Platform Module security chip and its mobile equivalent for detecting pre-boot attacks that have previously eluded ...
https://www.wavesys.com/buzz/pr/wave-chief-scientist-present-mobile-security-breakthroughs-federal-cybersecurity-conference
Gartner Names Wave a “Visionary” in the 2013 Mobile Data Protection Magic Quadrant
... by Gartner Inc. in its September 2013 Magic Quadrant for Mobile Data Protection (MDP), published by John Girard and Eric Ouelett. ... has been able to and will continue to lead not only in the mobile data protection space, but also in other areas as customers look to ...
https://www.wavesys.com/buzz/pr/gartner-names-wave-%E2%80%9Cvisionary%E2%80%9D-2013-mobile-data-protection-magic-quadrant
Gartner Positions Wave Systems as Visionary in 2014 Magic Quadrant for Mobile Data Protection
... analyst firm Gartner Inc. in its 2014 Magic Quadrant for Mobile Data Protection (MDP). This achievement marks the third consecutive year ... day-to-day business challenges.” “Gartner defines mobile data protection (MDP) products and services as software security methods ...
https://www.wavesys.com/buzz/pr/gartner-positions-wave-systems-visionary-2014-magic-quadrant-mobile-data-protection
Why A Hardware Root Of Trust Matters For Mobile
... the IT industry grapples with the security implications of mobile devices, some experts believe that one of the most important first steps ... up in irrelevancies. "We are lost in a conversation of mobile versus PC or phones versus tablets or whatever else, but that's not ...
https://www.wavesys.com/buzz/news/why-hardware-root-trust-matters-mobile
U.S. Army Awards Wave a Contract for the Design of Encryption Management for Vehicle-Based Mobile Computers
... that Wave brings in leveraging embedded security for mobile endpoints operating beyond the network perimeter," said Steven Sprague, ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/us-army-awards-wave-contract-design-encryption-management-vehicle-based-mobile-computers
Wave Named a Visionary in Leading Analyst Firm’s Mobile Data Protection Magic Quadrant
... a Visionary by Gartner Inc. in its 2012 Magic Quadrant for Mobile Data Protection (MDP), published by John Girard and Eric Ouelett on ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/wave-named-visionary-leading-analyst-firm%E2%80%99s-mobile-data-protection-magic-quadrant
===============================================================
Wave Joins ARM TrustZone Ready Program
... for implementing enterprise security capabilities in mobile devices. As a partner in the program, Wave joins other industry leaders ... interoperability across PCs, tablets, smartphones and other mobile devices. TrustZone Technology (developed by ARM, the world’s ...
https://www.wavesys.com/buzz/pr/wave-joins-arm-trustzone-ready-program
===============================================================
Scrambls Protects Twitter Posts with New iPhone App
... social for iOS devices extends the power of scrambls on mobile devices, where so many of us make the bulk of our posts and status ... Twitter app for iPhone extends scrambls’ commitment to the mobile marketplace. Android users can already download scrambls as a plug-in ...
https://www.wavesys.com/buzz/pr/scrambls-protects-twitter-posts-new-iphone-app
=================================================================
DMI
... DMI offers the world's most comprehensive set of mobile enterprise solutions and services, including Mobile Strategy, Mobile Application Solutions, Managed Mobility Services and ...
https://www.wavesys.com/partners/dmi
=================================================================
Wave CEO Steven Sprague to Deliver Plenary Address on Trusted Computing at AFCEA TechNet Land Forces East
... of more than 600 million laptops. Likewise, the TCG’s Mobile Trusted Module (MTM) extends strong device identity built on industry-standard hardware into the mobile realm. WHAT: Engaging the Device to Protect the ...
https://www.wavesys.com/buzz/pr/wave-ceo-steven-sprague-deliver-plenary-address-trusted-computing-afcea-technet-land-forces-
================================================================
Partner News: Micron Technology, Wave Systems, Lenovo and American Megatrends Inc. Announce Intention to Create New Industry Standard to Meet Heightened Global Security Requirements
... computing, consumer, enterprise storage, networking, mobile, embedded and automotive applications. Micron's common stock is traded ... 160 countries. Dedicated to exceptionally engineered PCs and mobile internet devices, Lenovo's business is built on product innovation, a ...
https://www.wavesys.com/buzz/pr/partner-news-micron-technology-wave-systems-lenovo-and-american-megatrends-inc-announce-inte
================================================================
Ingram Micro
... in information technology (IT) supply-chain management and mobile device lifecycle services. As a vital link in the technology value ... through unique marketing programs, outsourced logistics and mobile device lifecycle solutions, technical support, financial services and ...
https://www.wavesys.com/partners/ingram-micro
================================================================
Partner News: WidePoint Collaborates with Wave to Secure Digital Certificates Within Hardware for Today’s Increasingly Mobile Workforce
... security boundary; for business-class PCs, laptops, and mobile devices, the Trusted Platform Module (TPM) is the most widely deployed ...
https://www.wavesys.com/buzz/pr/partner-news-widepoint-collaborates-wave-secure-digital-certificates-within-hardware-today%E2%80%99s
=================================================================
Wave to Showcase Trusted Computing Innovations Alongside Samsung at CARTES 2011
... major trends impacting security and authentication in the mobile space are decided," said Brian Berger, Wave's Executive Vice President ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/wave-showcase-trusted-computing-innovations-alongside-samsung-cartes-2011
=================================================================
Scrambls Wins ‘Cloud Innovation’ Category at Computer Weekly European User Awards
... and the capability to embed its service directly into other mobile apps.” “ Computer Weekly is an extremely reputable source of ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/scrambls-wins-%E2%80%98cloud-innovation%E2%80%99-category-computer-weekly-european-user-awards
================================================================
Wave and Bell ID Partner to Combat Online Payment Fraud
... and enterprises worldwide to issue and manage credentials on mobile near-field communications (NFC) devices and EMV smart cards. For more ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/wave-and-bell-id-partner-combat-online-payment-fraud
===============================================================
Samsung Partners with Wave to Extend Trusted Computing Security by Enabling its Semiconductor Capabilities in PC, Tablet and Consumer Devices
... including security chips for smart cards and NFC-enabled mobile devices. For more information please contact: ... Global LLC 212-924-9800 office / 917-734-0339 mobile wavx@catalyst-ir.com ...
https://www.wavesys.com/buzz/pr/samsung-partners-wave-extend-trusted-computing-security-enabling-its-semiconductor-capabilit
Government-backed research suggests millions of smartphones have built-in security flaws
https://bgr.com/2018/08/08/smartphone-security-flaws-found-could-let-hackers-take-over/
Well, this is comforting. Researchers funded by the Dept. of Homeland Security have found security vulnerabilities built into smartphones at the device level, vulnerabilities that reportedly exist across devices offered by the four leading U.S. cell phone carriers.
What’s more, those holes are such that hackers could use them to obtain access to a user’s emails, text messages and more, all without the owner’s knowledge.
A source familiar with the research told the news outlet Fifth Domain that millions of U.S. smartphone users are potentially affected. Homeland Security official Vincent Sritapan told Fifth Domain during this week’s Black Hat conference in Las Vegas that the security flaws are such that someone could use them to “escalate privileges and take over the device.”
The vulnerabilities apparently live deep in the operating system of affected phones from carriers including Verizon, AT&T, T-Mobile and Sprint, though other unmentioned carriers are affected. Kryptowire, a mobile security firm funded through a Homeland Security research center, led the research uncovering the vulnerabilities.
It was the discovery of a security flaw last year in Blu phones, which Amazon temporarily stopped selling, that kicked off this new research. It’s not yet clear how many smartphone users in the U.S. are affected, but Fifth Domain speculates that the potentially large pool may include government officials as well.
“This is something that can target individuals without their knowledge,” Kryptowire founder Angelos Stavrou told Fifth Domain. The outlet continues: “Stavrou said that manufacturers were notified of the flaws as early as February. However, some manufacturers did not publish their vulnerability disclosure process, and the researchers were initially not sure if the device makers had received the disclosure because Kryptowire did not receive a reply, Stavrou said. He said all manufacturers are now aware of the vulnerabilities.”
In related news, Reuters is also reporting this morning the existence of a chip with a security flaw inside Samsung’s Galaxy S7 phones that puts millions of devices at risk to hackers who can spy on the device owners.
“Researchers from Austria’s Graz Technical University told Reuters,” the outlet reported, “they have figured out a way to exploit the Meltdown vulnerability to attack Galaxy S7 handsets.”
Researcher Michael Schwarz told Reuters the team is looking into the impact of Meltdown on other smartphone makes and models and expects to find more affected devices soon. About the S7 news specifically, the team is expected to release findings today at the Black Hat conference.
==============================================================
https://www.wavesys.com/technology-brief-tpm-mobile
As the corporate perimeter continues to vanish, smartphones, tablets and other mobile devices are making data available anytime and anywhere. Unfortunately, with greater access comes greater risk to data protection and data privacy. Your network endpoints may still be multiplying. Advanced Persistent Threats (APTs) may still be evolving. Yet, you’re still accountable for ensuring the safety of all the critical business information and trade secrets that your organization is storing, accessing and sharing…out there.
Wave and Trusted Logic Mobility have teamed up to bring identity and health to mobile devices like smartphones and tablets. Using the Trusted Platform Module-Mobile (TPM-Mobile), defined by the Trusted Computing Group (TCG), organizations and cloud providers can now uniquely identify Android-based devices and monitor their health.
see link for technology brief -
===============================================================
Isn't it time for mobile security that's been ahead of its time?!?! - A technology that could be effective, and alleviate a lot of these potential mobile security issues! Wave had a head start in mobile security many years ago. It seems that with their collaborations and research (if resurrected) that they could have a big impact on the mobile security market in the near future. imo.
Hackers on new ‘secure’ phone networks can bill your account for their roaming charges
https://techcrunch.com/2018/08/10/hackers-on-new-secure-phone-networks-can-bill-your-account-for-their-roaming-charges/
I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes.
One such was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network, which connected five Scandinavian phone systems in 1991, using the SS7 protocol suite secured entirely by mutual trust, has grown into a massive global “private internet” connecting more than 2,000 companies and other entities. It is this private network-of-networks that lets you fly to another country and use your phone there, among many other services.
The quote which stood out most starkly from her slides regarding IPX was this: “Security awareness only recently started (2014).” That’s … awfully late to start thinking about security for a massive semi-secret global network with indirect access to essentially every phone, connected car, and other mobile/SIM-card enabled device on the planet. She understated grimly.
Still, better later than never, right? A new protocol, called Diameter, is slowly lurching into place, in fits and starts. (Technically the old system used two protocol suites, SS7 and Radius: Diameter is the successor to Radius, but flexible enough that it can and will absorb SS7’s functions too.) Alas, even Diameter has at least one flaw: its so-called “hop-by-hop” routing can be used by an attacker to spoof an endpoint, i.e. to pretend to be a company which they aren’t.
This, combined with the ability to harvest a unique ID number (known as the IMSI) from a phone, with a device such as a Stingray, and the ability to request a re-assessment of a phone’s quality of service and billing information at any point, ultimately means that a capable hacker could upgrade their phone service at your expense … or downgrade your service to e.g. 2G-only, while roaming, if they were feeling more malicious than greedy.
2G-only! The horror! OK, this is a lot better than the long litany of fundamental flaws to which SS7 was vulnerable, but it’s still sad. Worst of all is the list of countermeasures that Dr. Holtmanns suggested. There are long lists of things that companies and operators on the IPX network can do to fix or mitigate this vulnerability; but if you’re a user? All she can recommend is “check your bill” and “keep an eye on the news.”
This is yet another instance of what I call “the trustberg.” When you pick up your phone, because your bank texted you a one-time password, or to text something private, do you even know who you’re trusting to keep your texts and accounts unhacked? The bank itself, and Google or Apple, sure. Whatever Android app handles your texts, maybe. But it turns out this is only the tip of the trustberg.
Power generation and distribution; water and sewers; food processors and grocery trucks; industrial control systems; emergency response systems; microprocessor manufacturers; phone and satellite networks. We assume that somewhere, in some distant room, teams of competent grown-ups are taking care of these systems and making sure they’re safe — right?
Which is why coming to hacker conventions (such as infamous Def Con, from which I write this) is always such a sobering, saddening experience. Two days ago I wrote about satellite communications devices compromised worldwide … mostly because, it turns out, they relied on hard-coded, easily cracked passwords for “security.” Now I’m writing about new, improved security after a decade of catastrophic failures … and it’s still not actually secure. We can hope the even more important infrastructure I listed above is better taken care of … but the more hacker cons I go to, the harder this hope becomes.
==============================================================
Trusted Logic Mobility and Wave Present Joint Security Solution for PCs and Mobile Devices
https://www.wavesys.com/buzz/pr/trusted-logic-mobility-and-wave-present-joint-security-solution-pcs-and-mobile-devices
Solution Combining Industry Security Standards on Display at MWC and RSA
San Francisco, CA and Barcelona, Spain -
February 28, 2012 -
Trusted Logic Mobility, the leading provider of security solutions for mobile and connected devices, and Wave Systems Corp. (NASDAQ:WAVX www.wave.com) will showcase their combined solution enabling enterprises to extend security architectures normally associated with their PC assets to also cover mobile devices. The joint solution complies with the latest industry security standards.
Utilizing the smartphone as a token to authenticate the user, the solution allows encrypted data held in a corporate laptop computer to be unlocked. This is enabled by secure software based on the industry standard Mobile Trusted Module (MTM) to check the integrity of the smartphone.
Trusted Logic Mobility provides the MTM software, building on its Trusted Foundations™ security solution while leveraging the ARM® TrustZone™ secure hardware architecture. Wave Systems developed the application in the smartphone for communicating with the laptop as well as the software to evaluate the smartphone's integrity and provides the service for managing the MTM and the laptop's Self-Encrypting Drives.
"Trusted Logic Mobility's MTM software is derived from, and perfectly compatible with the authentication solution that is widely used in laptops," says Olivier Leger, General Manager of Trusted Logic Mobility. "This means corporate IT departments can leverage their investment, thus reducing costs and simplifying security management across devices."
"As security solutions are deployed by the industry in a full range of devices from phones to PCs, the opportunity for Wave to extend our products and services to support these devices is a natural next step," says Steven Sprague, CEO of Wave Systems Corp. "This solution shows the future of interoperable security in both PCs and mobile devices."
"We welcome Wave and Trusted Logic Mobility's demonstration that shows enhanced device security," said Ben Cade, General Manager of Secure Services Division at ARM. "The mobile market is rapidly adopting security solutions based on our TrustZone technology as the foundation for exciting new services and applications that are delivering opportunities for innovation and business."
Background Information
Trusted Foundations™ is Trusted Logic Mobility's hardware-software security architecture that stores, processes, and protects sensitive data in a dedicated zone, based on the ARM TrustZone chipset architecture which provides an isolated hardware area. This security architecture follows an industry standard known as Trusted Execution Environment (TEE).
Wave Systems developed the laptop security software known as EMBASSY Trust Suite.
==============================================================
Partner News: Trustonic: The New Standard of Trust and Security for Connected Devices
https://www.wavesys.com/buzz/pr/partner-news-trustonic-new-standard-trust-and-security-connected-devices
London, U.K. -
December 18, 2012 -
Trustonic, the new company formed by ARM, Gemalto and Giesecke & Devrient (G&D), has today launched as a new standard security provider to address the increasing need for trust built into smart connected devices. The company’s technology enables service providers to innovate, expand and simplify user experiences in areas such as enterprise, commerce, payments and entertainment.
Trustonic is proud to name key industry partners at launch, including 20th Century Fox Home Entertainment, Cisco, Discretix, Good Technology, INSIDE Secure, Irdeto, MasterCard, NVIDIA, Samsung Electronics, Sprint, Symantec, and Wave Systems.
Trustonic CEO, Ben Cade, said: “Trustonic builds upon decades of experience between ARM, Gemalto and G&D in developing secure technology for connected devices. The launch of Trustonic marks a turning point in our connected world. It will enable us to trust our smart connected devices to protect us as they deliver essential services and innovative user experiences.”
The company will focus on the development of a GlobalPlatform compliant Trusted Execution Environment (TEE), which will offer a common security standard for connected devices. The TEE will be built upon ARM TrustZone® technology found at the heart of today’s leading system-on-chips, combined with leading security software and management systems contributed by Gemalto and G&D. Services that require high trust in people’s connected devices can gain access to the TEE on demand.
Trustonic will enable a connected device experience that begins and ends in complete security.
• Consumers will benefit from enhanced services; they will enjoy content on any screen, experience simpler, faster and safer payments and be able to use their device of choice at home or work.
• Service providers will be able to trust in people’s devices offering customers the services they want on the smart devices of their choice.
• Network operators have the option to incorporate revenue generating value added services, such as enterprise security, payment services, and convergent service charging, to existing contracts.
• Electronic device makers can integrate an application and service-independent security platform that isolates and protects sensitive assets such as passcodes, fingerprints and certificates, all of which enrich, expand and accelerate people’s digital lives with a seamless user experience.
• Silicon partners will benefit from embedded security at the core of their system-on-chips that will attract high value services.
Trustonic operates an open business model, allowing device manufacturers to incorporate the TEE security technology into their own products while also enabling service providers to activate these capabilities later based on the services that people desire. The company’s technology, business model, and focus on open standards provide a consistent trusted foundation to support a vibrant ecosystem of partners.
"The Trusted Execution Environment (TEE) from Trustonic will provide an ideal industry standard security foundation," states Steven Sprague, CEO, Wave Systems Corp. "Wave Systems plans to extend its Trusted Computing solutions to bring cross-platform security and compatibility to the new standardised TEE from Trustonic built upon ARM TrustZone technology."
================================================================
https://securityboulevard.com/2018/07/tcg-publishes-new-whitepaper-to-guide-use-of-its-mobile-and-trusted-network-communications-tnc-specifications-for-mobile-security/?utm_source=dlvr.it&utm_medium=twitter
Inside Dropbox and Microsoft Office phishing attacks
https://www.csoonline.com/article/3290374/security/salted-hash-sc-03-dropbox-and-microsoft-office-phishing-attacks.html
In this week's video, we look at a Microsoft Office phishing attack that leverages Dropbox as the lure.
Today on Salted Hash, we're going to look at a phishing attack that targeted me directly. It's got a few interesting elements, including a weak attempt to spoof an HTTPS connection, and a sort of hybrid lure, which starts as Dropbox but ends at Microsoft Office.
Top targets
Microsoft is a popular target with criminals, especially when it comes to phishing. If a criminal can compromise your Microsoft Office account, they have a good deal of leverage over your professional life, and it gets worse if your Microsoft Office password is used on other services (it happens, and criminals do check for this).
Email security vendor Vade Secure recently published a list of the top brands spoofed by phishing attacks, and Microsoft topped the list. This is notable because PayPal is usually in the top spot. According to Vade Secure's list, Microsoft held the number one position by more than 40 percent. PayPal drops to second, followed by Facebook, Netflix, Wells Fargo, Bank of America, DocuSign, Dropbox, DHL, and Apple to round out the top ten.
Hybrid phishing
Back in May, my spam trap got an unusual email. It was addressed to me, and offered a Dropbox invite to an Excel file. However, because I read my email in plain text, the visual cues normally leveraged in these types of attacks were lost on me.
I did notice, though, that the landing link in the email pretended to be an HTTPS connection by using sub-domains. Further investigation of the link revealed that it wasn't a Dropbox attack, but a Microsoft Office attack, designed to compromise my Microsoft Office credentials. Moreover, it was using a phishing kit I'd seen before.
As the video shows, clicking the Excel icon in the email launches the browser and takes the victim to a website that appears to have HTTPS, which is something most people now know to look for. Yet, it isn't actually HTTPS.
If the victim were to fall for the scam, the login page would harvest their username and password (twice) and then redirect them to the legitimate Microsoft portal.
Another interesting aspect to this attack was the follow-up that happened two days later. Different domain and file attachment, but it was the same scam.
Tips and tricks
Emails like this are looking to play on your curiosity and familiarity with Dropbox and Excel files. Business users deal with such files and services all the time. While basic, the scam works because if you're not paying attention you recognize the basic Dropbox format and move on from there.
The use of a sub-domain to spoof HTTPS isn't new, but it does work sometimes, so criminals don't hesitate when it comes to using it. Lately, though, they register for free SSL certificates, so the old adage of "don't trust a website unless you see HTTPS" isn't as valuable as it used to be.
When it comes to scams like this the best advice is to slow down and consider the source. Were you expecting a file? Do you know the sender? If so, call them and confirm. If not, sometimes it's best to play it safe and avoid clicking links and opening attachments. If you're at work, forward the email to IT and ask them for assistance.
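The "HTTPS in a sub-domain" trick described above is easy to spot mechanically once you look at where the registrable domain actually sits. The following is an added example, not code from the article or from Salted Hash: it splits a link, treats the last two host labels as the registrable domain (a simplification; a production tool would consult the Public Suffix List), and reports the lures the article mentions. The two URLs it checks are constructed for the illustration and are not the attacker's real domains.

```python
"""Flag links that dress up a lookalike host as a secure brand URL.

Added example, not the article's code. Sample URLs below are constructed.
"""
from typing import Dict, List
from urllib.parse import urlsplit

# Brand and trust words that have no business sitting in a subdomain of
# some unrelated registrable domain. Illustrative list, not exhaustive.
LURE_LABELS = {"dropbox", "office", "microsoft", "login", "secure", "account"}

# Labels that look like a TLD but appear *before* the real domain, e.g.
# the ".com" in "dropbox.com.example-cdn.net".
TLD_LIKE_LABELS = {"com", "net", "org"}


def inspect_link(url: str) -> Dict[str, object]:
    """Return the real registrable domain of a link plus a list of findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = [lbl for lbl in host.split(".") if lbl]

    # Simplification: last two labels = registrable domain. Wrong for
    # multi-part suffixes such as co.uk; use the Public Suffix List in practice.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    subdomain_labels = labels[:-2]

    findings: List[str] = []
    if parts.scheme != "https":
        findings.append("not an HTTPS connection")
    if "https" in subdomain_labels:
        findings.append("'https' used as a subdomain label to imitate a secure URL")
    tld_like = sorted(set(subdomain_labels) & TLD_LIKE_LABELS)
    if tld_like:
        findings.append("TLD-like label(s) inside the subdomain: " + ", ".join(tld_like))
    lures = sorted(set(subdomain_labels) & LURE_LABELS)
    if lures:
        findings.append(
            "brand/trust word(s) in the subdomain of an unrelated domain: " + ", ".join(lures)
        )
    return {"host": host, "registrable_domain": registrable, "findings": findings}


def is_suspicious(url: str) -> bool:
    return bool(inspect_link(url)["findings"])


if __name__ == "__main__":
    # Constructed lure in the style the article describes (not a real domain).
    lure = "http://https.dropbox.com.example-cdn.net/office/excel/open"
    legit = "https://www.dropbox.com/s/abc123/report.xlsx"
    for link in (lure, legit):
        print(link, "->", inspect_link(link))
```

The function only flags structural lures in the link itself. As the article notes, attackers also obtain free certificates, so a real `https://` scheme on its own is not evidence of legitimacy; the registrable-domain line in the output is the part worth reading before deciding whether to click.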
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Cyber criminals are using Facebook Messenger to trick people into opening malicious links that harvest their personal data, FBI officials warn
http://www.dailymail.co.uk/sciencetech/article-6046751/FBI-scam-WARNING-Bureau-claims-hackers-using-Facebook-Messenger.html
Cyber criminals are circulating a message that urges people to open a link
•The message reads 'Hey I saw this video. Isn't this you?' coupled with a URL
•The FBI office in Portland issued a warning about the popular new scam
•Intelligence agency highlighted Facebook Messenger in its warning, before updating the post to confirm the scam was prevalent on other messaging apps
FBI agents have issued a warning about a new scam that targets instant messaging apps, including Facebook Messenger.
The scam attempts to trick users into opening a malicious URL that harvests their personal data and login credentials for social networks, like Facebook.
In a bid to coerce people into opening the suspicious URL, cyber criminals pose a question to their targets: 'Hey I saw this video. Isn't this you?'
Although the original warning from the FBI highlighted Facebook Messenger as a particular platform of concern, this has since been amended after the scam was found on other rival platforms.
It's unclear how many people have been hit by the latest scam, or how exactly cyber criminals are generating revenue.
However, email address and password combinations used to login to popular social networks and websites are regularly sold on the dark web.
The most common version of the scam highlighted by the FBI's Portland office takes the user to a fraudulent website designed to resemble the Facebook login page.
The webpage is a fake controlled by a fraudster who is able to steal any details inputted by users mistakenly believing they're logging into their Facebook account.
If people use the same email address and password combination on other websites, hackers can use the stolen details to login to those as well.
This can allow criminals access to online banking, or frequent flyer miles.
Other forms of the scam can be more direct in approach, taking targeted users to a page that automatically harvests their login credentials, the FBI warns.
According to the FBI staff member, they first witnessed the scam after they were contacted by a friend on Facebook Messenger.
'The message included a video link and read: "Hey I saw this video. Isn't this you?",' the FBI agent explained. 'I was suspicious, so I didn't click on the link.
'The next day he contacted me outside of the app and said that fraudsters had hacked his account and to not click on any of the links that were sent because they contained a computer virus.'
Warning the public, the FBI said: 'The best way to spot and avoid these scams is to avoid clicking on any links that you receive from friends or family until you contact the sender outside of app to verify that he was the one who really sent the message.
'If you are concerned about the legitimacy of a particular account, report it through Facebook.'
==============================================================
https://www.wavesys.com/wave-alternative
Security that’s confirmed, not assumed
With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.
A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.
Do we need to say that with Wave, compliance is no problem?
Open, Cortana: Voice assistant used to bypass locked Windows 10 machine security
https://www.zdnet.com/article/open-cortana-voice-assistant-used-to-bypass-locked-windows-10-machine-security/
Exploit of Microsoft's Cortana did not require any external code.
Researchers have revealed how Microsoft's Cortana could be used to bypass the security protection of Windows 10.
Speaking at Black Hat in Las Vegas this week, security researchers Amichai Shulman and Tal Be'ery from Kzen Networks, alongside the Israel Institute of Technology's Ron Marcovich and Yuval Ron, said a vulnerability existed in the voice assistant which allowed the bypass of the Windows 10 lock screen.
As reported by Threat Post, the vulnerability, dubbed "Open Sesame," opens the door, bypassing the lock screen, and allows threat actors to locally perform "dangerous functions."
The bug, CVE-2018-8140, lay within Cortana's default settings. Described as a "Cortana Elevation of Privilege Vulnerability," the vulnerability impacts Windows 10 machines and Windows 10 Servers.
As the Windows 10 lock screen disables the keyboard, users are able to utilize their voice to issue a limited range of vocal commands. However, once Cortana is woken up, the keyboard is no longer restricted.
This allowed the research team to launch local commands without the need for authentication or user validation.
As a result, attackers are able to retrieve data from user input services -- including sensitive text and media content -- browse arbitrary websites, download and execute files from the Internet, and in some circumstances, elevate privileges.
As the attack circumvented the need to login to the system and no external code was required, the researchers said that antivirus software solutions were blind to the activity, according to the publication.
The team noted that the lock screen is far from impenetrable; rather, it acts as another "desktop" with limited access.
As more apps are added to the voice assistant in tandem with the lock screen, the potential attack surface increases.
"In the past, the operating system made sure the UI is not accessible when the computer is locked, therefore developers do not need to think about it," the researchers said. "Now, it's the developers' responsibility."
The vulnerability was reported to Microsoft on April 16 and the company issued a remedial patch on June 12. McAfee researchers also notified Microsoft of the same security flaw.
In the same month, the Redmond giant resolved 50 security flaws in the Patch Tuesday update, including a black screen problem, an Adobe Flash Player security flaw which was being exploited in the wild, and a set of remote code execution bugs.
================================================================
Continuing to use Windows 7, 8 and 8.1 with Wave VSC 2.0 could be a really good idea in light of the article above! imo.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
Cyber report details tricks used by hackers to target critical infrastructure
http://thehill.com/policy/cybersecurity/400620-cyber-firm-releases-report-detailing-tactics-used-by-hackers-to-target
A cybersecurity firm says it uncovered the methods and tools hackers use to target critical infrastructure organizations, activity it observed by creating a website that masqueraded as a major electricity provider.
Cybereason on Monday released a report on its "Honeypot Project," which is designed so that the firm's researchers could learn more about the tactics and techniques hackers employ while trying to compromise control systems.
The fake website, known as a honeypot in cyber-speak, was made to resemble a large, well-known electricity provider that served customers in both the United States and United Kingdom.
Cybereason found that the hackers acted quickly.
"Just two days after the honeypot went live, attackers had discovered it, prepared the asset for sale on the dark Web and sold it to another criminal entity who was also interested in [industrial control system] environments," according to the report.
The first set of hackers found ways around firewalls and other security measures by employing a tool called 'xrdp' to gain access to Remote Desktop Protocol (RDP) servers in environments.
The software helped the hackers get around certain administrator restrictions in Windows and quietly gain access to an environment using a compromised user's credentials. They also created backdoors for the new owners to eventually use.
The criminals appear to have bought xrdp from one of the largest underground criminal marketplaces known as xDedic, a digital black market.
By the time the new owners began to become active, they appeared only interested in gaining control of the operational technology (OT) environment, which operated utility providers' hardware systems like pumps, monitors, and breakers, according to the report.
"Whoever controls the OT environment determines who gets utilities like electricity, natural gas and water," Cybereason found.
But Cybereason said these "specialized" hackers did not appear to be part of the "upper echelon of attackers,” because they made some mistakes along the way.
rest is at the link.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
When we say “secure”…
…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).
Key Features:
• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
German cyberwarriors assert right to ‘hack back’ when attacked
https://www.fifthdomain.com/global/europe/2018/08/07/german-cyberwarriors-assert-right-to-hack-back-when-attacked/
COLOGNE, Germany – German authorities believe they are on firm legal footing to retaliate against cyber attacks by unleashing digital or conventional counterattacks, according to a series of recent written responses by government officials to lawmakers.
The documents shed light on some of the legal considerations of cyber-warfare mulled in Berlin, just as the Bundeswehr moves toward full operational capability of a new command devoted to cyber operations.
Some of the assertions outlined in a missive last month are surprisingly hawkish for a country reflexively averse to the use of military force. While acknowledging certain gray areas in responding to potentially crippling cyber attacks, officials also made clear that defending the country would afford the security services broad leeway under international law.
“Just as in the land, air and naval domains, the Bundeswehr possesses 'active and reactive' capabilities that can be used for lawful operations,” Peter Tauber, the parliamentary deputy defense secretary, wrote to a collection of lawmakers from the opposition Green Party.
So-called hack backs, or the retaliatory targeting of an attacker’s information infrastructure, fall into that category, according to Tauber. As such, no new legal authorities for cyber defense would be required, he argued. At the same time, officials noted that such counterattacks would be permitted only as a counter-strike, not as an unprovoked act.
In a May response to lawmakers from the opposition FDP party, government officials went even further. In certain situations, cyberattacks could be judged as “armed attacks” as defined under the United Nations Charter, permitting self-defense with “all allowable military means.”
For acts of aggression below that threshold, Germany would still be entitled to initiate “countermeasures” depending on the severity of the incursion, including the deployment of forces, officials contended.
Critics here say hack-back operations are flawed because they occur in too nebulous of a battlefield. Sophisticated cyber foes are adept at concealing their identities, making it hard to know exactly where an attack originates. That could end up involving innocent parties in hack-back campaigns, who themselves strike back at whoever they believe is the aggressor.
Jakob Kullig, a research analyst at the Technical University of Chemnitz, said the German intelligence services have especially shown an interest in the topic of counterattacks in cyberspace. He cautioned against being too cavalier about their effects. “You have to be careful,” he argued, noting that critical civilian information infrastructure could easily get tangled up in an escalating cyberwar.
The German Defence Ministry created the Cyber and Information Space Command in the spring of 2017. Of the organization’s envisioned size of 15,000 staff members by 2022, there were 10,400 individuals assigned to it as of July, according to the ministry.
The move came as Germany’s armed forces found themselves increasingly targeted by online attacks. The government told lawmakers that officials had counted 2 million potentially harmful attempts to access Bundeswehr networks in 2017, of which 8,000 were classified as “highly” dangerous.
Asked by a lawmaker earlier this year about statistics on so-called advanced persistent threats — a crippling form of cyberattacks meant to steal or corrupt sensitive government information — the Defence Ministry clammed up, according to a written response dated June 15.
That information is considered so sensitive that releasing it even under the most stringent security rules and only to the smallest group of parliamentarians carries the risk of “enemy forces” getting wind of the information, possibly giving them a chance to plan future attacks accordingly, the Defence Ministry wrote.
Despite the German armed forces' newfound emphasis on all things cyber, shortcomings remain, according to Kullig. For one, authorities for cyber operations are spread across the federal government and states, which means the bureaucracy is sluggish, he argued. Government leaders also were “too dozy” in pushing the issue over the past years, which means the country is now playing catchup compared to others, he added.
================================================================
If only the German government knew about Wave ERAS, Wave Endpoint Monitor, and Wave VSC 2.0. The products could keep the bad guys off the network, stop APTs, and have better two factor authentication. Using these Wave products could very well change the need for the German government to 'hack back' or resort to worse.
================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
https://www.wavesys.com/products/wave-endpoint-monitor
https://www.wavesys.com/products/wave-virtual-smart-card
Medical Records of 90 Million People Left Vulnerable to Critical Security Flaws
https://gizmodo.com/medical-records-of-90-million-people-left-vulnerable-to-1828156611?rev=1533650888806&utm_source=gizmodo_twitter&utm_campaign=socialflow_gizmodo_twitter&utm_medium=socialflow
Security researchers have found more than 20 bugs in the world’s most popular open source software for managing medical records. Many of the vulnerabilities were classified as severe, leaving the personal information of an estimated 90 million patients exposed to bad actors.
OpenEMR is open source software that’s used by medical offices around the world to store records, handle schedules, and bill patients. According to researchers at Project Insecurity, it was also a bit of a security nightmare before a recent audit recommended a range of vital fixes.
The firm reached out to OpenEMR in July to discuss concerns it had about the software’s code. On Tuesday a report was released detailing the issues that included: “a portal authentication bypass, multiple instances of SQL injection, multiple instances of remote code execution, unauthenticated information disclosure, unrestricted file upload, CSRFs including a CSRF to RCE proof of concept, and unauthenticated administrative actions.”
Eighteen of the bugs were designated as having a “high” severity and could’ve been exploited by hackers with low-level access to systems running the software. Patches have been released to users and cloud customers.
OpenEMR’s project administrator Brady Miller told the BBC, “The OpenEMR community takes security seriously and considered this vulnerability report high priority since one of the reported vulnerabilities did not require authentication.”
All’s well that ends well. This isn’t the first time researchers have stepped in to give the group a helping hand with its security and it surely won’t be the last.
================================================================
If this scenario just came to light, one can wonder how many companies need a better two factor authentication like Wave VSC 2.0.
================================================================
https://www.wavesys.com/products/wave-virtual-smart-card
CIA and TPM to secure the IoT?
https://develop.trustedcomputinggroup.org/2018/03/20/cia-and-tpm-to-secure-the-iot/
CIA, TPM, and IoT: You might ask what these three acronyms have in common and how they relate to each other. To make a long story short, it is all about security, trust, and reliability.
The abbreviation CIA in this context does not mean the Central Intelligence Agency. It is an abbreviation for Confidentiality, Integrity, and Authenticity. The so-called CIA principle is a simple, but widely used, security model covering three key tenets that should be guaranteed by all security systems.
•Confidentiality is intended in the sense of hiding information from people not authorized to view it. It is perhaps the most obvious aspect of the CIA model when it comes to security. At the same time, it is also the one most under attack. Cryptographic symmetric and asymmetric encryption methods are examples of means to ensure confidentiality when transmitting data from one computer system to another.
•Integrity, on the other hand, represents the certainty that data is accurate and not changed on its journey from the original sender to the intended receiver. A common security attack, often called a man-in-the-middle attack, intercepts data and makes changes to it, before passing it on to the intended receiver. Cryptographic digital signature methods are one way to attest the integrity of code and data.
•In addition, authenticity is needed to address the concern about genuine information. In other words, you want to make sure the information you receive actually comes from the source that claims to be its genuine origin. Cryptographic digital certificates are used to prove the authenticity of the issuer.
Now that we understand why CIA is important for a secure system, let’s move to the third acronym: IoT.
After many years of being an overhyped marketing term, the so-called Internet of Things (IoT) is starting to become mature and real. Mark Weiser first coined the term “ubiquitous computing” in his famous Scientific American article “The Computer for the 21st Century”, published September 1991. His thinking was so far ahead of his time that it seemed like science fiction to most of his readers. In 2016, his vision has become reality. Ubiquitous computing (or ubicomp for short) became today’s – perhaps overhyped – IoT.
Weiser started his article, “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” He predicted that computing devices would become commonplace and part of all aspects of life, and he was right. Just consider, for example, the consumer gadgets like fitness bands, smartwatches, smartphones, or navigation systems that send and receive data all day long. Or, consider the home, which is connected to a power grid where a smart meter allows the energy provider to effectively calculate the resources needed to cover the demand of all households. Interconnected computing devices are everywhere nowadays.
Shifting focus to industrial applications, today’s business IoT applications are developed together, with devices and services coming from various sectors of industry: information technology, automation, and production technology, aerospace, maritime, and naval systems, railways, car manufacturers and their suppliers, energy providers, agricultural, medical technology, and building automation. All of those share characteristics, including long life in the field: reliability and robustness in harsh environments and reliable, long-term availability.
IoT systems rely on public networks, but public networks are not secure environments. While IoT creates new capabilities and services, allows greater efficiencies, increases flexibility, and enables the customization of single production units, it also opens up previously closed systems and allows attackers to get access to those systems from the outside world.
Attackers often use reverse engineering techniques to identify software vulnerabilities, which they can exploit to create counterfeit products, steal sensitive data, or tamper with the device for sabotage and espionage purposes. This can lead to serious and dangerous hacks, as recent attacks on safety-critical automotive, aerospace, and medical components have shown.
This brings us back to the CIA principle we started with. The only way to avoid situations like those listed above is to apply the CIA security model to the world of IoT devices. As we have learned, CIA is built around cryptographic operations. Today’s modern cryptography leverages standard crypto protocols. The Dutch cryptographer Auguste Kerckhoffs stated a maxim in the 19th century that would become known as Kerckhoffs’ principle: A cryptosystem should be secure even if everything about the system, except for the key, is public knowledge.
I repeat, everything is public knowledge except for the key, which is needed to encrypt and decrypt the content, either directly or in a derived form. So, how do you store a key in a secure manner? This brings me to the second acronym: TPM, the Trusted Platform Module.
In the world of cryptography, there is a ton of other acronyms referring to the various protocols and methods that are used to ensure the CIA principle. To name just a few of them, you have DES, AES for symmetric cryptography and RSA, ECC for asymmetric cryptography. The list of acronyms goes on and on. The really important part, however, is that the algorithms themselves are typically not secret; they are publicly available, just as Kerckhoffs’ principle demands it. The only part that really needs to be kept secret is the key itself. This sounds simple, but it is pretty hard to achieve. To keep the key secret, you need a secure place like a safe, which we will call a secure element, to securely store the key. A TPM (Trusted Platform Module) is such a secure element, and it offers a lot more, including the crypto protocols.
In a nutshell, a TPM is a specialized and dedicated device that offers crypto operations and secure storage for secret keys, all in one. This allows you to store the key in a secure place and, even more importantly, it allows the key to stay there, so it never leaves its secure location. All important crypto operations are done inside of the TPM itself, and only the results are exposed. This prevents the key from getting compromised. In case you want to know why it is important to have this functionality separated out into a dedicated device, I recommend reading the following two articles. These should make it obvious how important it is to have a dedicated secure element like a TPM inside a computing device to make it secure, trustable, and reliable.
So how can incidents like these be prevented? Use technology that creates secured code and licenses that can be bound to a secure element in the target system, ensuring that the code and the licensed features can only be used on an individual system. License creation and deployment can be integrated into existing business processes, such as ERP systems or e-commerce platforms. This mechanism opens up new business models, such as feature-on-demand upselling and time-based or pay-per-use licenses for the IoT and other intelligent devices. The result is improved security from attacks, malware, theft, and other malfeasance for code and IP.
Licensing and Security for the Internet of Things
With its many promises, the Internet of Things is set to influence our lives, our way of working, and our future. Intelligent device manufacturers are called upon to assess cyber threats, redesign machines and processes, safeguard facilities and devices, and ultimately engage in a totally new conversation with contractors, solution partners, and customers. Only businesses that are able to reinvent and secure themselves will succeed in the long term.
=================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks
https://www.bleepingcomputer.com/news/security/new-method-simplifies-cracking-wpa-wpa2-passwords-on-80211-networks/
A new technique has been discovered to easily retrieve the Pairwise Master Key Identifier (PMKID) from a router using WPA/WPA2 security, which can then be used to crack the wireless password of the router. While previous WPA/WPA2 cracking methods required an attacker to wait for a user to login to a wireless network and capture a full authentication handshake, this new method only requires a single frame which the attacker can request from the AP because it is a regular part of the protocol.
This new method was discovered by Jens "atom" Steube, the developer of the popular Hashcat password cracking tool, when looking for new ways to crack the WPA3 wireless security protocol. According to Steube, this method will work against almost all routers utilizing 802.11i/p/q/r networks with roaming enabled.
This method works by extracting the RSN IE (Robust Security Network Information Element) from a single EAPOL frame. The RSN IE is an optional field that contains the Pairwise Master Key Identifier (PMKID) generated by a router when a user tries to authenticate.
The PMK is part of the normal 4-way handshake that is used to confirm that both the router and client know the Pre-Shared Key (PSK), or wireless password, of the network. It is generated using the following formula on both the AP and the connecting client:
"The PMKID is computed by using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of a fixed string label "PMK Name", the access point's MAC address and the station's MAC address," stated Steube's post on this new method.
Previous WPA/WPA2 crackers required an attacker to patiently wait while listening in on a wireless network until a user successfully logged in. They could then capture the four-way handshake in order to crack the key.
"With any previous attacks on WPA an attacker has to be in a physical position that allows them to record the authentication frames from both the access point and the client (the user)," Steube told BleepingComputer. "The attacker also has to wait for a user to login to the network and have a tool running in that exact moment to dump the handshake to disk."
Now an attacker simply has to attempt to authenticate to the wireless network in order to retrieve a single frame in order to get access to the PMKID, which can then be cracked to retrieve the Pre-Shared Key (PSK) of the wireless network.
It should be noted that this method does not make it easier to crack the password for a wireless network. It instead makes the process of acquiring a hash that can be attacked to get the wireless password much easier.
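The derivation quoted above, worked through as an added example (this is not code from the article or from Hashcat). The SSID, MAC addresses and passphrases are constructed; the point it makes is that everything feeding the PMKID except the passphrase is visible in the frame, so the PMKID is an offline-checkable fingerprint whose only protection is passphrase entropy:

```python
"""PMKID derivation for WPA/WPA2-Personal (added example, constructed inputs).

Per IEEE 802.11i:
    PMK   = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    PMKID = HMAC-SHA1(PMK, "PMK Name" || AP_MAC || STA_MAC)[:16]
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into the 6 raw bytes the HMAC covers."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> str:
    """PMKID as carried in the RSN IE: HMAC-SHA1 keyed with the PMK, truncated to 128 bits."""
    data = b"PMK Name" + mac_to_bytes(ap_mac) + mac_to_bytes(sta_mac)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16].hex()


def pmkid_for_network(passphrase: str, ssid: str, ap_mac: str, sta_mac: str) -> str:
    """End to end: passphrase, SSID and the two MACs fully determine the PMKID."""
    return compute_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)


if __name__ == "__main__":
    # Constructed sample network; locally administered MACs, not a real AP.
    ssid, ap, sta = "ExampleNet", "02:00:00:aa:bb:cc", "02:00:00:11:22:33"
    for pw in ("password", "kQ7#vB9!zR2m"):  # short dictionary word vs. longer random-style key
        print(f"{pw:<14} -> PMKID {pmkid_for_network(pw, ssid, ap, sta)}")
    # Nothing in the inputs other than the passphrase is secret: SSID and both MACs are
    # broadcast on the air. The 4096 PBKDF2 iterations add cost per guess, but a short
    # or pattern-based PSK is still exhausted quickly; length and randomness are the defence.
```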
How long to crack a WPA/WPA2 wireless password?
While Steube's new method makes it much easier to access a hash that contains the pre-shared key, that hash still needs to be cracked. This process can still take a long time depending on the complexity of the password.
Unfortunately, many users do not know how to change their wireless password and simply use the PSK generated by their router.
"In fact, many users don't have the technical knowledge to change the PSK on their routers," Steube told BleepingComputer. "They continue to use the manufacturer generated PSK and this makes attacking WPA feasible on a large group of WPA users."
As certain manufacturers create a PSK from a pattern that can easily be determined, it can be fed into a program like Hashcat to make it easier to crack the wireless password.
"Cracking PSKs is made easier by some manufacturers creating PSKs that follow an obvious pattern that can be mapped directly to the make of the routers. In addition, the AP MAC address and the pattern of the ESSID allow an attacker to know the AP manufacturer without having physical access to it," Steube continued to tell us via email. "Attackers have collected the patterns used by the manufacturers and have created generators for each of them, which can then be fed into hashcat. Some manufacturers use patterns that are too large to search but others do not. The faster your hardware is, the faster you can search through such a keyspace. A typical manufacturer's PSK of length 10 takes 8 days to crack (on a 4 GPU box)."
Protecting your router's password from being cracked
In order to properly protect your wireless network it is important to create your own key rather than using the one generated by the router. Furthermore, this key should be long and complex, consisting of numbers, lower case letters, upper case letters, and symbols (&%$!).
"There's actually a lot of scientific research on this topic. There's many different ways to create good passwords and to make them memorable," Steube told BleepingComputer when we asked for recommendations on strong wireless passwords. "Personally I use a password manager and let it generate true random passwords of length 20 - 30."
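The two points above (a vendor pattern keeps the keyspace small, so a self-chosen long random key is the fix) can be made concrete. The following is an added example, not code from the article or from Steube: it scores a candidate passphrase against the article's recommendation, generates one that meets it, and compares keyspace sizes in bits. The 16-symbol "vendor pattern" alphabet used for comparison is a constructed assumption, not a real manufacturer's scheme.

```python
import math
import secrets
import string

# WPA/WPA2 passphrase rules from IEEE 802.11i: 8 to 63 printable ASCII characters.
PSK_MIN_LEN, PSK_MAX_LEN = 8, 63

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "&%$!"  # the symbol set named in the article


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random key of `length` symbols from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def check_psk_policy(psk: str, min_len: int = 20) -> list:
    """Return the list of policy violations for a candidate passphrase (empty list means acceptable).

    Policy follows the article: self-chosen, long (default 20+, the low end of Steube's
    20-30 recommendation), and mixing digits, lower case, upper case and symbols.
    """
    problems = []
    if not (PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN) or not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("not a valid WPA2 passphrase (8-63 printable ASCII characters)")
    if len(psk) < min_len:
        problems.append("shorter than %d characters" % min_len)
    for name, cls in (("lowercase", LOWER), ("uppercase", UPPER), ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(c in cls for c in psk):
            problems.append("no %s character" % name)
    return problems


def generate_psk(length: int = 24) -> str:
    """Generate a random passphrase from the CSPRNG that satisfies check_psk_policy at `length`."""
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk_policy(psk, min_len=length):
            return psk


def search_cost_ratio(candidate_bits: float, baseline_bits: float) -> float:
    """How many times more work an exhaustive search of `candidate_bits` is than one of `baseline_bits`."""
    return 2.0 ** (candidate_bits - baseline_bits)


if __name__ == "__main__":
    # Constructed comparison: a 10-character key drawn from a 16-symbol vendor pattern
    # versus a 24-character key over the full 66-symbol alphabet above.
    pattern_bits = keyspace_bits(16, 10)
    random_bits = keyspace_bits(len(LOWER + UPPER + DIGITS + SYMBOLS), 24)
    print("assumed vendor pattern: %.0f bits" % pattern_bits)
    print("random 24-char key:     %.0f bits" % random_bits)
    print("search cost ratio:      %.3g" % search_cost_ratio(random_bits, pattern_bits))
    print("policy check of 'password':", check_psk_policy("password"))
    print("generated:", generate_psk())
```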
================================================================
https://arstechnica.com/civis/viewtopic.php?f=2&t=15735
One other note that anyone looking to improve their wireless protection and/or control should consider. In any current AES implementation leveraging RADIUS, the client-side keys should be put in the TPM. The Trusted Platform Module can provide the same level of assurance for WIFI keys that a SIM module provides for phones. By using machine certificates in the TPM there are no additional passwords or PIN numbers and only authorized machines can be connected. The keys on the TPM can be non-migratable and as a result can only be deleted but never copied or moved. Using the TPM is simple: as long as the client software is installed and the TPM is on, all one has to do is select the TPM's CSP when the keys are requested from the Certificate Authority and the rest just works. Almost all APs support this functionality. There is a good white paper on this subject at http://www.wave.com/about/whit...SecureWirelessWP.pdf
The TPM is already in over 275 million PCs and all corporate PCs have one. It is a vendor-neutral industry standard. The white paper above is done by my company, which builds the software on all Dell PCs, but the same methods would work with our competitors on HP and Lenovo PCs.
This simple step of leveraging the PC gives any WIFI network administrator the same level of authentication security that exists on a few billion cell phones.
What we should have in the future is a method to just bond a consumer PC to a consumer AP using a proximity or USB so that the AP can put keys in the TPM. This would make it as easy to use WIFI as it is to use a portable phone.
Steven Sprague
CEO
Wave Systems Corp.
===============================================================
This post by SKS is dated in 2008 when there were 'only' 275 million TPMs in PCs. That number is in the 1 to 2 billion range and maybe even more. With most companies being close to or at 100% TPM saturation in their computer fleets, it seems that companies now would be more eager to turn on and use their TPMs for what Steven Sprague alluded to in 2008. imo.
Advice for the U.S. government: Stop talking and start doing
https://www.cyberscoop.com/us-government-cybersecurity-greg-touhill-multi-factor-authentication/?utm_campaign=CyberScoop%20-%20Editorial&utm_content=75327031&utm_medium=social&utm_source=twitter
When it comes to cybersecurity, the United States government is great at talking the talk, yet consistently falls short of walking the walk. Unless the U.S. government actually implements the cybersecurity best practices it touts, the nation and its citizens will continue to be at an increased risk of a cyberattack.
The government has already acknowledged the need for multi-factor authentication. In 2003, it started fielding Common Access Cards (CAC) in the military, as well as Personal Identification Verification (PIV) cards in civilian agencies. At that time, the game plan was to complete the MFA implementation across the government before the end of 2008. In April 2015, MFA implementation levels hovered below 50 percent.
The massive breach at the Office of Personnel Management (OPM), which leveraged compromised user name and password credentials, could have been stopped with more rigid MFA practices. It wouldn’t have made this attack impossible, but it would’ve dramatically increased the cost of the attack for the adversary.
The federal government must start acting on the very practices it advises, or else we’re likely to see more breaches. Here are three actions U.S. government agencies can take to reduce the risk of a cyberattack.
Understand your information
Most federal agencies don’t have a good understanding of what they possess or the value of their information. As a result, they attempt to protect all information equally. This is what happened with OPM, as well as in many private sector breaches. Not only is this approach ineffective, it’s also expensive.
Best practices dictate that information should be protected proportionate to the risk of loss or tampering. The greater the risk, the greater the controls in place to mitigate that risk.
Admittedly, this approach requires deliberate effort. At the minimum, agencies should annually review data inventory and identify high-value assets to align cybersecurity programs based on the value of the information and the organization’s risk posture. This approach helps ensure that data is adequately protected, but also reduces costs because the most expensive, secure methods are reserved for the highest risk assets.
Fully implement MFA
The federal government was supposed to implement MFA by 2008. In the aftermath of the OPM breach, it was discovered that not only had the OPM failed to implement two-factor authentication, but “most civilian agencies of the U.S. federal government still hadn’t implemented their own smart card (Personal Identity Verification, or PIV) systems at the time of the OPM breach.”
Even now, 18 months into the Trump administration, based on FISMA reporting, still fewer than 60 percent of agencies have implemented MFA.
It’s a known fact that MFA raises the cost for attackers to get into both public and private sector systems. The technology behind the CAC and PIV cards is dated, and there are plenty of less expensive and effective options to implement MFA (especially for mobile devices).
Combined with software-defined perimeter technology, MFA can easily make the government’s identity and access controls great again. It’s time for the government to follow through and complete the implementation of MFA.
Consolidate and optimize data centers
The government has done a lot of talking about data center consolidation—and for good reason. Today, nearly 11,000 aging, expensive and poorly secured data centers are reportedly in operation across the US government—and that’s two years after the White House’s Office of Management and Budget launched the Data Center Optimization Initiative (DCOI).
The government could save billions of dollars — and bolster its cybersecurity — by consolidating aging data centers and leveraging world class data centers offered by the commercial sector.
The government has already seen a glimpse of the cost savings that can come from this effort. According to Dave Powner, director of IT management issues at the Government Accountability Office, the retirement of 4,300 data centers from 2010 to 2016 resulted in cost savings of $2.8 billion. That is more than the cost of a B-2 bomber, or the amount the Center for Disease Control gets to protect against infectious diseases.
Closing government data centers and transferring the workload to more modern commercial facilities is an easy win for taxpayers. The commercial sector already processes classified information in its government-rated facilities. The question, then, is whether agencies go “all in,” and take full advantage of the cost savings and cutting-edge technologies of commercial data centers—or whether they continue to manage an overabundance of expensive and poorly secured data centers.
The government has access to the technology and IT services it needs to protect citizens data and significantly reduce spending, while simultaneously reducing cybersecurity risks. It’s time that the government finally walk the walk and put these best practices to service for the common good.
===============================================================
Wave Systems Announces First U.S. Federal Government Customer for Wave Virtual Smart Card 2.0
https://www.wavesys.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
Lee, MA -
October 2, 2014 -
Wave Systems Corp. (NASDAQ: WAVX) marked an important sales milestone by announcing the first U.S. federal government customer for its Virtual Smart Card 2.0.
Since the Virtual Smart Card 2.0 became commercially available in late July 2014, Wave has entered into dozens of pilot deployments in multiple sectors, including healthcare, financial services, automotive, energy and utilities. However, today’s announcement marks the product’s first sale in the government sector.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
“We believe that this sale, which was completed on a shorter sales cycle than we had anticipated, supports our view that customers are interested in the type of cyber security solution that Wave’s Virtual Smart Card 2.0 provides,” Solms added.
Wave Virtual Smart Card 2.0 is the industry’s only enterprise-grade virtual smart card management solution that works on Windows 7. It also supports Windows 8 and 8.1. Wave’s new solution emulates the functionality of physical smart cards or tokens, but offers greater convenience to users, lower total cost of ownership, and a reduced risk of unauthorized use.
Wave Virtual Smart Card 2.0 gives IT the ability to:
• Remotely create and delete virtual smart cards
• Provide help desk-assisted recovery
• Configure PIN and card policies
• View the status of virtual smart cards and enrolled certificates
• Generate reports for compliance
• Support virtual smart cards on laptops, tablets and desktops with TPM 1.2 or TPM 2.0
===============================================================
The government could be protecting 60% of the other agencies with a solution that has been used by a government agency that had significant security requirements. More than half of the government agencies are unprotected and could be protected by Wave VSC 2.0 rather quickly, effectively and at half the cost!?!? imo.
https://www.wavesys.com/products/wave-virtual-smart-card
Who do you trust?
https://techcrunch.com/2018/08/05/who-do-you-trust/
Another week, another high-profile hack. This week it was (checks notes) Reddit. What makes this one marginally more interesting is that the victims were using two-factor authentication, i.e. SMS codes texted to them to verify their identities when their accounts were accessed — which turned out to be little more than a speed bump for the attackers.
This surprised exactly zero (good) security people. It has long been known that your phone service can be hacked either via SS7, the ancient and insecure system used to interconnect the planet’s phone networks, or by the more old-fashioned but even more effective method of walking into a store and talking a callow undertrained clerk into transferring your number to the attacker’s phone. Phone companies are trying to remediate both of these attack vectors, but you can’t trust them to protect you; not yet, and possibly not ever.
But you have to trust someone to protect all the things you hide behind passwords. You have no real choice but to implicitly trust your network, and your phone’s manufacturer, and the manufacturer of its baseband chip, and the whole basic stack from your BIOS to your browser.
You can choose Apple over Android, or Pixel over third-party Androids. But whichever choice you make, you are basically pledging your trust in all that you hold dear to Apple or Google. It’s sad to say, in an era when the tech giants are already too powerful and growing more so every day, but from a security perspective, that is, for most people, probably currently the right thing to do.
Google’s security team is probably the best on the block, and its Pixel phones are more secure than other Androids, partly because they get the latest updates first, partly because they’re free of possibly vulnerable or even malicious pre-installed bloatware. I don’t like Apple’s hegemonic attitude towards software, philosophically; but its security people know what they are doing, and its strict gatekeeping of its App Store has very real security benefits.
But wait: this trust in those twin giants probably needs to extend beyond your phones to your computers and your emails, too. We’ve all been told again and again: don’t open email attachments. They’re not safe. And we are all told again and again, probably on a daily basis, by our family and/or co-workers, who may or may not have just been hacked themselves: open this email attachment, it’s something important you need to deal with right now. How to deal with this conundrum? The answer is, essentially: GMail, Google Docs, and Google Drive, on an Apple device or a Chromebook.
The new new security message is: “don’t use SMS authentication.” (Mind you, most Americans have never even heard of two-factor authentication full stop, and SMS two-factor is still better than one-factor, modulo the false sense of security it may instill.) What to do instead? Well, you could buy a Yubikey or a SecurID token, which is insanely, ludicrously, non-starter inconvenient for most people. Or you could use a phone app, such as, most commonly — yep, you guessed it; Google Authenticator.
Over the last few decades the tech industry has built systems so fundamentally insecure, so rotten to their core, that we now have no real choice but to trust its largest and most powerful companies to protect us. I’m all too aware of the grim irony. (Though in fairness the telecom industry has much to answer for too.) Things weren’t supposed to be this way; things didn’t have to be this way; but here we are.
==============================================================
I wonder if Mr. Evans has had the opportunity to familiarize himself with the TPM and the 150 companies (Trusted Computing Group) backing this standard which still seems to be surprisingly underutilized. If he and others knew more about Wave Systems and the TCG, the activated TPM movement would be going along at a brisk pace and helping many with their 'rotten systems'. imo.
TCG Publishes New Whitepaper to Guide Use of Its Mobile and Trusted Network Communications (TNC) Specifications for Mobile Security
Wave could play a big role in this large potential emerging market. imo.
https://securityboulevard.com/2018/07/tcg-publishes-new-whitepaper-to-guide-use-of-its-mobile-and-trusted-network-communications-tnc-specifications-for-mobile-security/?utm_source=dlvr.it&utm_medium=twitter
The Trusted Computing Group has released a new whitepaper describing how the combination of technologies developed in its mobile and Trusted Network Communications (TNC) workgroups can be combined to address challenges faced by mobile device, mobile network, and mobile service providers.
While both the mobile and TNC workgroups have existed for years and their specifications have been incorporated into multiple products, this is one of the first efforts to look at the benefits of using these two sets of technologies together. This collaboration comes at a time when the number of mobile devices in use and volume of data these devices are exchanging is rapidly increasing, partially due to the adoption of 5G communications standards. As such, mobile devices are a significant and growing part of the global communications infrastructure.
Increasingly, mobile devices have become the primary computer for many people in their day-to-day lives. However, these mobile devices now also face many of the same threats plaguing traditional endpoints, like personal laptops, and their software is subject to similar types of vulnerabilities that malicious parties can exploit.
This creates risks for users, who may wish to conduct sensitive transactions on their mobile devices, such as mobile banking; for service providers, who may wish to ensure that only paying customers receive their services; and for network providers, who need to worry about compromised mobile devices mounting attacks against other devices on their networks. In all cases, there is a need to measure the security health of mobile devices, and to report it to parties so they can use this to make decisions about access to resources.
Standards produced by the TCG Mobile workgroup have made significant strides in securing sensitive activities on mobile devices. The group’s TNC standards provide a way to gather health measurements from endpoints and deliver them securely to authorized parties.
Together, these two sets of technologies provide ways to develop accurate measurements of important mobile device elements and make it possible for authorized parties to use this information to manage device access. The new TCG whitepaper about using both sets of standards together is a conceptual model, rather than a detailed technical standard, and it is expected that some work will be necessary to achieve the described vision.
The intent of the whitepaper is to demonstrate both the benefits and the feasibility of using these technologies in a synchronized manner to address real problems. It is hoped that those who operate in the mobile device space, including device manufacturers, mobile service providers, and mobile network providers, will recognize the value of these standards and join the Trusted Computing Group to help ensure that the creation of standards that join mobile and TNC technologies fully address their specific needs and requirements to create a more secure and robust mobile ecosystem.
Apple's Sole Main Processor Supplier Just Got Hit With a Computer Virus
If Lenovo included Wave Endpoint Monitor with some of its computers, the unique technology must have been state of the art, and one that a company like TSMC could benefit from. imo.
https://gizmodo.com/apples-sole-main-processor-supplier-just-got-hit-with-a-1828109094?utm_medium=socialflow&utm_campaign=socialflow_gizmodo_twitter&utm_source=gizmodo_twitter
A computer virus infected systems at multiple Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, disrupting operations at precisely the same time it is attempting to ramp up production for tech giant Apple’s future lines of iPhones, Bloomberg reported.
According to Bloomberg, the company in question is the “sole maker of the iPhone’s main processor” and says this is the first time a virus has spread into production lines (namely computer-controlled fabrication tools):
The virus wasn’t introduced by a hacker, the company added in a statement.
It’s unclear who targeted TSMC, the world’s biggest contract manufacturer of chips for companies including Apple and Qualcomm Inc. It’s the first time a virus had ever brought down a TSMC facility, recalling the WannaCry cyberattacks of 2017 that forced corporations around the world to suspend operations as they rooted out the ransomware. TSMC is working on solutions now but said the degree of infection varied from factory to factory, and that it will provide more information Monday after it’s assessed the situation.
Production at TSMC could be disrupted until “at least Sunday,” Bloomberg wrote. The company did not say whether any of the facilities involved were producing for Apple’s supply chain, though TSMC announced earlier this year it had begun high volume production of 7 nm chips designed to perform well while simultaneously limiting energy usage. In May, it reportedly started using the process to manufacture A12 chips for Apple.
Per TechCrunch, cyberattacks on Taiwanese government institutions and the private sector are common and mainly originate from mainland China—which has a long history of strained relations with Taiwan and is far from fond of the latter’s President Tsai Ing-wen. Per Taiwan News, tens of millions of (mostly low-grade) cyberattacks hit the Taiwanese public sector each month, and a Reuters report from June 2018 cited a source close to the Taiwanese government as saying they were increasing in sophistication. Meanwhile, mainland China and Taiwan are competitors in the semiconductor sector.
However, the cause of this particular attack is unknown at this point. Cybercriminals’ use of ransomware, malware designed to encrypt computers’ operating systems and files before demanding a ransom payment, skyrocketed in 2017. It’s hardly unprecedented for ransomware operators to target businesses which cannot handle system downtime, like health care companies. With a reported profit of $11.61 billion in 2017, TSMC could be a tempting target. Alternately, since the TSMC statement said the virus was not introduced by a hacker, it’s possible that someone on a company network somehow inadvertently downloaded malware.
It’s not clear whether the incident will noticeably offset availability of Apple’s next line of phones, which are expected to be announced this fall. However, Apple is habitually short on production targets, so a weekend-long delay at one of its suppliers probably won’t be the only thing to blame if it happens again in the future. Sanford C. Bernstein analyst Mark Li told Bloomberg that the impact of the attack would likely be limited.
Google: We'll warn you if government hackers are attacking your company email
A company wide installation of Wave VSC 2.0 could be more effective since this Google feature is off by default. Also, Wave VSC 2.0 doesn't warn the user, but it would just keep the attacker off of the web application (Gmail). Wave VSC 2.0 would stop the potential effects of the phishing rather than provide warnings for it. imo.
https://www.zdnet.com/article/google-well-warn-you-if-government-hackers-are-attacking-your-company-email/
Google adds a new feature to warn organisations if staff are being targeted by government-backed hackers using phishing or malware.
Google is adding a feature to alert organisations running its G Suite office package if it believes one of their user accounts is being targeted by government-backed hacking.
If an organisation's G Suite admin turns the feature on (it's off by default), he or she will receive an email alert if Google believes a government-backed attacker has attempted to access a user's account or computer via phishing, malware, or another method.
"It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization," Google noted.
Once warned, admins can choose to share information about the alert with others, warn the user, or add more security to the user account.
Spam email has been around for decades, but remains a highly effective tool for hackers of all types. However, state-backed hackers have been known to use phishing email -- messages that claim to come from a known source, but which in fact contain malware -- as part of their campaigns. For example, the Russian-backed hackers who broke into the Democratic National Committee began their infiltration using phishing emails, according to US Justice Department indictments.
Since 2012 Google has been sending warnings directly to users if it believes their Google accounts are being targeted by government-backed attackers in the last month.
These alerts can be triggered if a user has received emails containing harmful attachments, links to malicious software downloads, or links to fake websites that are designed to steal passwords or other personal information. Google said that attackers have been known to send damaging PDF files, Office documents, or RAR files.
"An extremely small fraction of users will ever see one of these warnings", said Google.
Windows 10 patch expert begs Microsoft: 'Please fix uptick in botched updates'
https://www.zdnet.com/article/windows-10-patch-expert-begs-microsoft-please-fix-uptick-in-botched-updates/
In a year of big malware outbreaks, one expert thinks Microsoft's faulty patches and speedy Windows 10 feature updates could be setting its users up for a dangerous situation.
Susan 'patch lady' Bradley, a patching expert who manages a bunch of Windows PCs and servers in business, has had enough of Microsoft's recent uptick in shoddy patches.
She posted an open letter to Microsoft CEO Satya Nadella, Microsoft corporate VP of Windows Servicing and Delivery Carlos Picoto, and the company's head of all things cloud, Scott Guthrie, pleading for them to urgently address the quality of recent Windows patches.
Her open letter was published on Computerworld's Woody on Windows column, taking a shot at the execs for putting people like her in the unenviable position of either installing patches that break machines or delaying patches and leaving them vulnerable to publicly known vulnerabilities.
"Today, as Windows 10 turns three years old, I am writing to you to ensure that you are aware of the dissatisfaction your customers have with the updates released for Windows desktops and servers in recent months," wrote Bradley.
"The quality of updates released in the month of July, in particular, has placed customers in a quandary: install updates and face issues with applications, or don't install updates and leave machines subject to attack."
As she points out, July 2018's Patch Tuesday contained 47 bulletins with known issues. Among the buggy patches include a .NET remote code injection flaw, the Intel CPU Lazy State bug, and the fourth Spectre flaw known as Speculative Store Bypass, which affected AMD, Arm, and Intel CPUs.
She posted the letter after members of the patchmanagement.org community listserv, where she is a moderator, recently began complaining about the quality of updates and the speed of Windows 10 feature updates.
She's also published the results of a survey of members about what they think of the quality of Microsoft's recent patches.
The survey mostly asked admins about their feelings towards Microsoft's Windows 10 patches and she notes that the Windows Insider program isn't helping identify issues.
The overall responses, she says, showcase "that your customers who are in charge of patching and maintaining systems are not happy with the quality of updates and the cadence of feature releases, and feel that it cannot go on as is".
Microsoft recently declared Windows 10 April 2018 Update ready for business and boasted it is its fastest Windows 10 rollout ever, installed on 250 million PCs in about two months.
Despite complaints about the update breaking some PCs, Microsoft defended its speedy rollout as responsible.
Bradley said responses to parts of the survey aimed at Windows 10 consumer users are the same as those from patching admins in regards to the velocity and volume of Windows 10 feature upgrades each year.
"The majority thought that the feature updates occurred too many times during the year, and they said they were overall not happy with the quality of updates from Microsoft. The full survey results from Microsoft consumer customers can be found here," she wrote.
Her full post is worth a read for Windows 10 users and admins, as well as Azure users. The letter draws attention to a potential problem Microsoft could be creating via the Windows 10-as-a-service model it introduced in 2015.
The consequence of Microsoft's breakneck pace of feature releases is that Microsoft could be unintentionally creating a giant security problem, which follows a year of highly damaging malware outbreaks, such as NotPetya and WannaCry, as well as the leak of the extremely dangerous NSA-developed Windows zero-day exploits that enabled each malware's rapid spread across corporate networks.
"I am disturbed when I see users and consultants talk about taking drastic measures to take back control of updating and rebooting. Some are disabling Windows Update as a drastic measure to ensure that updates do not reboot systems when they are not wanted," she wrote.
And as she notes, Microsoft has acknowledged this problem, last week announcing a new predictive model to only restart Windows 10 PCs for an update when users really have stepped away from work for long enough to begin the process.
But as it is, Bradley believes Microsoft's mistakes and the effort it's demanded of Windows users have broken many users' trust in Microsoft's patches and software.
"We want Microsoft software to be such that we can indeed install all updates and patches immediately without reservation. As it stands right now, we do not trust the software and the patching quality enough to do so," she concludes.
===============================================================
Since malware can't really sneak by Wave Endpoint Monitor and Wave's ERAS helps keep unknown devices off a network, it would seem that a computer with Microsoft's OS that has unpatched vulnerabilities could be protected by these two Wave products with the help of VSC 2.0. The Chinese (and other countries) that have an unsupported Windows 7 system in Jan. 2020 might be able to extend the life of a Windows 7 computer given the use of the Wave products above. imo.
Cisco to Acquire Duo Security for $2.35 Billion in Cash
https://www.securityweek.com/cisco-acquire-duo-security-235-billion-cash
Cisco announced on Thursday that it will pay $2.35 billion in cash to acquire cloud-based identity and access management solutions provider Duo Security.
Ann Arbor, Michigan-based Duo raised $70 million in Series D funding in October 2017, which valued the company at $1.17 billion at the time.
Through its flagship two-factor authentication (2FA) app, Duo's "Trusted Access" product suite helps verify the identity of users, and the health of their devices, before granting them access to applications. The platform supports Macs, PCs and mobile devices, and gives administrators visibility into end user devices accessing the corporate network.
“Integration of Cisco's network, device and cloud security platforms with Duo Security's zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device,” Cisco said.
Overall, Cisco says that by getting its hands on Duo’s technology, it will be able to extend intent-based networking into multi-cloud environments, simplify policy for cloud security, and expand endpoint visibility coverage.
The acquisition is expected to close during the first quarter of Cisco's fiscal year 2019, subject to customary closing conditions and required regulatory approvals.
Duo said previously that it has doubled its annual recurring revenue for the past four years, and currently has more than 500 employees globally, after doubling its headcount in 2016.
Duo serves more than 10,000 paying customers and said it protects more than 300 million logins worldwide every month. Customers include Facebook, Etsy, K-Swiss, Paramount Pictures, Toyota, Random House, Yelp, Zillow and more.
In addition to its Ann Arbor, Michigan headquarters, Duo currently maintains offices in Austin, Texas; San Mateo, California; and London, England.
Duo Security, which will continue to be led by Dug Song, Duo Security's co-founder and chief executive officer, will join Cisco's Networking and Security business led by EVP and GM David Goeckeler.
Cisco has acquired several emerging security companies over the years. In June 2015, it announced its acquisition of OpenDNS for $635 Million. The move followed other acquisitions by Cisco in the security sector, including its acquisition of Portcullis, ThreatGRID, Neohapsis, Virtuata, and its $2.7 billion acquisition of Sourcefire in 2013. In June 2016, it agreed to pay $293 million to acquire cloud access security broker (CASB) CloudLock.
=============================================================
Given that Wave VSC 2.0 has better security and is at less than half the price of its competitors, the true market value of Wave should be at least on par with the likes of Duo Security, imo. And that is only one of its products.
With the hundreds of millions of Chinese Windows 7 devices still on the market, Wave has a huge unmet market to sell its best-in-class Wave VSC 2.0 product, imo. The Chinese typically wait to upgrade Windows devices for as long as possible (i.e., Windows XP). They stand to benefit from an excellent product like Wave VSC 2.0. Lenovo had, or used to have, Wave Endpoint Monitor bundled with their computers. Wave VSC 2.0 and WEM could be a windfall for the Chinese in having these two premier products.
48% of Customers Avoid Services Post-Data Breach
https://www.darkreading.com/risk/48--of-customers-avoid-services-post-data-breach/d/d-id/1332452
Nearly all organizations hit with a security incident report a long-term negative impact on both revenue and consumer trust.
Today's customers have higher standards for where they store their data – and their trust in businesses is falling, as evidenced by a new report investigating online trust in the digital age.
Nearly 80% of consumers report it's "very important" or "crucial" their personally identifiable information (PII) is protected online, and 86% say a high level of data protection is a priority in choosing online services, according to "The Global State of Online Digital Trust," from CA Technologies and Frost & Sullivan.
About half (48%) of organizations report involvement in a publicly disclosed data breach. Of those, nearly all say they have experienced a long-term negative impact related to client trust and/or revenue. Half of the respondents whose businesses had been breached report strong long-term negative effects on both consumer trust (50%) and business results (47%).
Consumer trust in businesses is in a precarious state following breaches at major organizations, including Equifax, Deloitte, Uber, CEX, and Ticketmaster. Most business leaders (84%) think trust is growing, but consumer responses indicate the opposite. Only 38% of users say their trust has increased – a sign that organizations aren't in touch with client needs and perceptions. Only half of consumers polled say they are willing to exchange personal data for online services.
To help prevent breaches:
https://www.wavesys.com/products/wave-virtual-smart-card
Army in search of new cyber capabilities to defend its networks
If only Bill Solms were on board!
https://www.fedscoop.com/army-search-new-cyber-capabilities-defend-networks/
The office in charge of acquiring enterprise tech for the Army is looking to add new capabilities to defend the service’s networks.
The Army’s Program Executive Office Enterprise Information Systems (PEO-EIS) issued a request for information Friday in search of potential cybersecurity, risk management and cybersecurity system engineering services — particularly in support of its defensive cyber-operations in the cloud.
“The scope of this effort includes Cybersecurity, Risk Management, and Cybersecurity System Engineering activities to support [defensive cyber operations] assessments and authorization of [defensive cyber-operations Suite of Complimentary Systems], critical emerging technologies, and mission capabilities, across multiple secure computing environments, to include authorized CSP hosting environments,” the solicitation reads.
Under that broad need, the Army is looking to support its Cyber Protection Brigade and Cyber Protection Teams with cybersecurity program management, information security system engineering, continuous monitoring of its risk management framework, configuration management, and cloud hosting and security engineering.
The RFI doesn’t comment on possible contract length or value. Most work would be performed at Fort Belvoir, Virginia.
Responses are due by Aug. 3.
Spam Click Rates High, 2FA Use Low at Work
https://www.infosecurity-magazine.com/news/spam-click-rates-high-2fa-use-low/?utm_source=dlvr.it&utm_medium=twitter
Organizations continue to be at risk from insider threats because they lack strong identity management solutions, whether it's end users clicking on spam, issues with multifactor authentication (MFA), or companies keeping their decisions about security and identity separate, according to three new surveys released by F-Secure, SecureAuth Core Security and ObserveIT.
According to news from F-Secure, email spam, a decades-old threat, remains a popular attack method choice among cyber-criminals. “Spam is becoming an increasingly successful attack vector, with click rates rising from 13.4% in the second half of 2017 to 14.2% in 2018,” said Adam Sheehan, behavioral science lead at MWR InfoSecurity (which was acquired by F-Secure in June 2018), in a press release.
In addition to the risks from email spam campaigns, businesses continue to struggle when it comes to defending against insider threats. ObserveIT today released its Multigenerational Workforce and Insider Threat Risk study, which found that there is a disconnect between cybersecurity awareness and insider-threat risk. Although the survey found that 65% of the 1,000 respondents know what insider threats are, those threats continue to rise.
The study went on to look at the different behaviors by generation and found that 90% of 45-54-year-olds adhere to their organization’s cybersecurity policy, while a third (34%) of 18-24-year-olds said they don’t know what is included in the cybersecurity policy of their employers.
Looking at the rise of email spam campaigns in conjunction with these statistics on insider threats highlights the formidable problem organizations face from their employees. Whether users click on malicious links is only one factor in the overall risks of insider threats, but defending against insider threats requires a strong identity management policy, which many organizations have yet to implement, according to SecureAuth Core Security.
Results of a Cybersecurity and Identity Gap Survey, conducted by SecureAuth Core Security, found that a majority of businesses continue to struggle with strengthening their overall cybersecurity posture because they’re not aligning cybersecurity measures with identity practices. Only half of the organizations surveyed reported using two-factor authentication (2FA) or MFA.
Of those who have implemented these strategies, 65% of respondents expressed dislike for 2FA and MFA. When it comes to downloading and using a mobile app to initiate the authentication process, 63% of respondents said they experience friction from employees.
“Despite increased spending on cybersecurity capabilities, breaches still continue to rise, showing the status quo is no longer good enough,” said Jeff Kukowski, CEO of SecureAuth Core Security, in today’s press release. “The industry must begin to approach cybersecurity and identity management together to better detect and mitigate risks, rather than treat them as disparate silos that don’t communicate with each other and actually increase the threat surface.”
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
What can it be used for?
What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
Reddit Announces Security Breach After Hackers Bypassed Staff's 2FA
https://www.bleepingcomputer.com/news/security/reddit-announces-security-breach-after-hackers-bypassed-staffs-2fa/
Reddit announced today a security breach. The social platform says a hacker breached the accounts of several employees after bypassing two-factor authentication (2FA) and stole information such as some email addresses, logs, and a 2007 database backup containing old salted and hashed passwords.
The hack took place between June 14 and June 18. Reddit said it discovered the breach the next day, on June 19.
Reddit said the hacker never got "write access" to its servers.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," the company said.
Hacker stole old passwords
But the hacker did get "read access," which Reddit says he used to download a copy of an older Reddit site backup from May 2007.
Reddit said this backup contained data on its users who were active on the site from the site's launch in 2005 until May 2007, the date of the backup.
"The most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then," Reddit said.
Users who registered after May 2007, and messages and posts published after that date, are not affected by the backup's exposure.
Hacker also stole more recent usernames and emails
Reddit also said the hacker downloaded some logs for Reddit's email digest feature, and more precisely, for the email digests sent on June 3 and June 17, 2018.
"The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to," Reddit said.
The social platform said that all users whose data the hacker had taken would be notified via a Reddit message. Users who still use their 2007 passwords will be prompted to change them.
Reddit also said the hacker accessed the company's source code, internal files, configs, and employee work files.
Hacker bypassed 2FA
Reddit pinned the incident on the hacker's ability to bypass 2FA. Reddit said the hacker performed an SMS intercept attack against the phone numbers of some of its employees and intercepted the 2FA codes necessary to access the employees' accounts.
While Reddit didn't say it, this also means the hacker already knew the employees' account passwords. Protecting accounts in exactly that situation, where an attacker knows the password, is the main reason two-step verification systems like 2FA were created in the first place.
Reddit said it migrated employees from SMS-based 2FA to token-based 2FA and urged other companies and users to do the same. Other details are available in the Reddit site-wide announcement.
The US National Institute of Standards and Technology (NIST) has advised against using SMS-based 2FA, and academics have bypassed SMS-based 2FA for a few years now, but in recent weeks, SMS-based 2FA has been proven to be broken in the real world [1, 2]. Nevertheless, despite its problems, security researchers still recommend SMS-based 2FA over not using 2FA at all.
https://www.wavesys.com/products/wave-virtual-smart-card
Excerpts:
One helpdesk call you'll never get: "I lost my virtual smart card again..."
There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.
The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
Get better security at less than half the cost
Passwords are weak. Tokens are expensive. Don’t compromise on security or price.
DHS Establishes Center For Defense of Critical Infrastructure
https://www.darkreading.com/attacks-breaches/dhs-establishes-center-for-defense-of-critical-infrastructure-/d/d-id/1332442?_mc=KJH-Twitter-2018-07
Center foundational to new government-led 'collective defense' strategy for sharing and responding to cyberthreats, DHS secretary says.
The US Department of Homeland Security has established a new National Risk Management Center to facilitate cross-sector information sharing and collaborative responses to cyber threats against critical infrastructure.
At a cybersecurity summit in New York City on Tuesday, DHS Secretary Kirstjen Nielsen described the center as the foundation of a new collective defense strategy led by the US government to respond more forcefully to threats against US interests in cyberspace. The center will bring together security experts from government — including those from intelligence and law enforcement agencies — and security experts from the private sector.
"We are facing an urgent, evolving crisis in cyberspace," Nielsen said in a keynote address to cybersecurity leaders from government, the private sector, and academia at the DHS-led summit. "Our adversaries' capabilities are outpacing our stove-piped defenses," to the point where virtual threats now pose an even bigger threat to national security than physical threats, she said.
Nielsen, a senior Trump Administration official, used the event to warn foreign adversaries against continuing hostile activities against US interests, noting that the country is fully prepared to take a range of deterrent actions to stop them. She pointedly called out Russia's cyberattacks on the US energy grid and its "brazen campaign" to interfere in the 2016 Presidential election as examples of hostile state-sponsored activity against the US.
"Our intelligence community had it right. It was the Russians," Nielsen said, referring to Russia's role in the US elections. "We know that. They know that. It was directed from the highest levels." Such attacks will not be tolerated going forward, she said.
The goal in establishing the new risk management center is to provide a focal point for information sharing between government and private industry as well as between organizations across different industry sectors.
Operators of critical infrastructure, most of whom are in the private sector, often hold much of the threat information that must be pieced together for a more complete understanding of cyber threats. But because the data is siloed, government and the private sector have had a hard time putting cyber threats into proper context and understanding their full implications and effects, Nielsen said.
"The private sector can help us contextualize threats," she noted. "We will look to their expertise to help us understand how the pieces work together," in order to develop actionable responses to those threats.
Unlike previous attempts at fostering closer collaboration between government and the private sector, the new National Risk Management Center's mission is not just about enabling better information sharing. The center will also facilitate 90-day sprints, in which organizations from different critical sectors will conduct joint tabletop exercises and other threat operations to identify common vulnerabilities.
Sprints for Security
The center will assemble a national risk registry that will identify and prioritize the most critical threats across industry so they can be remediated quickly. The first of the 90-day sprints will involve organizations from the energy, financial services, and communications sectors. Representatives attending the summit from these industries expressed support for the DHS plan.
"This was an obvious thing to do for a decade but it didn't happen," said John Donovan, CEO of AT&T Communications. Organizations that are in a defensive posture in cyberspace cannot rely on attacks and threats playing out exactly the way they might have prepared for them, he said.
In the future, "resilience is going to be a function of our ability to understand and share experiences," across sectors, he said. Each organization in critical infrastructure sectors has a piece of what it takes to solve a larger threat puzzle and true threat mitigation can happen only through collective information-sharing.
Tom Fanning, CEO of gas and electric utility Southern Company, said that previous tabletop exercises have shown big vulnerabilities exist at the points of intersection with other sectors. A collective approach to cybersecurity of the sort that is being enabled by the new risk center is vital because of the interdependencies between organizations in different sectors, he said.
"When we do our biggest tabletop exercises, one of the things we learn very quickly is that as resilient as we think we may be, we can always be better," he said.
A collective effort is also critical because attackers often are looking for the weakest link that provides a way to the strongest, said Ajay Banga, CEO of MasterCard. When an organization gets attacked, it does not always happen because the entity belongs to a specific industry, but because of the access they might provide to other organizations that are of interest to an attacker, Banga said.
But for truly collective defense to happen, government will need to change regulations to the point where organizations feel comfortable to say something if they see something without fear of legal repercussions, he said.
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Secure device & user authentication
Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.
Here’s how it works:
Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication
Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
https://www.wavesys.com/products/wave-endpoint-monitor
Detect attacks before it’s too late
Malware can do its work for weeks or months before you ever know it’s there. But with Wave Endpoint Monitor, you can spot malware before it has a chance to cause damage.
An open standard means Wave works with everything
Wave Endpoint Monitor works on your existing hardware, across platforms. That’s because our solutions are based on an open standard that’s already been implemented on many laptops and is now working its way onto mobile devices. We’re talking about those TPMs. We just don’t think that expensive new equipment and vendor lock-in are great selling points.
See more information at the link above.
The AI that protects DoD networks from zero-day exploits
https://www.fifthdomain.com/dod/2018/07/27/the-ai-that-protects-dod-networks-from-zero-day-exploits/
The National Security Agency is set to transfer a program that guards against malware to the Defense Information Systems Agency, according to a spokeswoman for the agency.
The Sharkseer program protects the Department of Defense’s networks by using artificial intelligence to scan incoming traffic for vulnerabilities, according to program slides.
Because the Sharkseer program’s primary purpose is to protect the Department of Defense’s networks, it “better aligns” with the DISA mission, Natalie Pittore, a spokeswoman for the NSA told Fifth Domain.
The transition from NSA to DISA was laid out in the 2018 National Defense Authorization Act that lawmakers in Congress negotiated July 23, although the hand-off appears to have been long planned. Top NSA officials have identified the program as “among the highest priority cybersecurity initiatives” for several years, according to congressional records.
At a basic level, the program inspects incoming Defense Department traffic for zero-day exploits and advanced persistent threats, according to program slides. Sharkseer monitors emails, documents and incoming traffic that could infect the Defense Department’s networks.
Lawmakers have tasked the program with instantly and automatically determining the identity and location of computer hosts that have sent or received malware. The program was also charged with being a “sandbox,” which Pittore described as an application for U.S. government officials to test suspicious files using automated behavior analysis.
Congress has criticized the Defense Department’s cybersecurity for being deployed in a “piecemeal fashion,” but has praised the Sharkseer program’s apparent success.
Sharkseer has been responsible for detecting over 2 billion cyber events across the Defense Department’s classified and unclassified networks, according to a May statement from Rep. Barbara Comstock, R-Va.
The program appears to have gone from concept to reality sometime around 2014, when it received $30 million in congressional funding. Congress has sought to give the program additional funds in ensuing fiscal years, although it is unclear how much was eventually apportioned.
Pittore declined to provide the program’s budget.
The NDAA still needs to be approved by both houses of Congress and signed by President Donald Trump, although the Sharkseer provision is not considered controversial.
https://www.wavesys.com/malware-protection
Software can’t always detect malware
The big problem with malware is that antivirus software doesn’t always detect it. Anti-malware software is based on signatures of known bad software. However, there always needs to be a patient zero who discovers they are infected before the rest of the world can benefit from the signature. In the case of APTs (Advanced Persistent Threats), your organization may be the only target for the specific strain of malware. In that case, the signature detection process will not protect you. Modern anti-malware and other software packages that promise cyber security or protection from APTs use various heuristics and "AI" (Artificial Intelligence) to detect malware based on a predefined set of behavioral parameters. A sophisticated attacker is able to fine-tune the behavior of the malware he is writing against the various known anti-malware solutions, so that it evades detection for long periods of time.
Wave’s solution: start with the device
If antivirus software doesn’t work, what does? The Wave alternative relies not on superficial layers of software but on standards-based hardware: self-encrypting drives (SEDs) and Trusted Platform Modules (TPMs), or security chips, that are already embedded in many of your computers and mobile devices. This hardware provides you with secure storage. When you turn the SED and TPM on and manage them with Wave, you suddenly have a broad, deep view into your network. Among other things, you’ll know immediately whether any one of your devices—computers, laptops, tablets, smartphones—has been tampered with. But Wave is proactive too: you can block the kinds of behaviors that invite malware in. Wave's Endpoint Monitor provides early detection for these low-lying sneaky attacks.
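The Wave text above and the Wave Endpoint Monitor excerpt earlier in the thread rest on one TPM property: the chip accumulates measurements of boot components into Platform Configuration Registers, and a changed component changes the register value. The following is an added example, not Wave's software or any TPM vendor's code, that models that property in plain Python: the TPM2_PCR_Extend rule for a SHA-256 bank (PCR := SHA-256(PCR || measurement)), replay of an ordered event log into final PCR values, and comparison against a known-good baseline to report which registers moved. The component names and bytes (`firmware-v1.2`, `bootloader-v3` and so on) are constructed stand-ins, not real firmware images.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

PCR_LEN = 32  # SHA-256 bank: every PCR and every measurement is 32 bytes


def measure(component: bytes) -> bytes:
    """Digest of a boot component, as firmware would compute before loading it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: the register can only be hashed forward, never set.

    Because the old value is folded into the new one, the final PCR depends on every
    measurement and on their order; no software on the host can rewind it.
    """
    assert len(pcr) == PCR_LEN and len(measurement) == PCR_LEN
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay an ordered (pcr_index, component) log into final PCR values.

    PCRs start at all zeros at power-on, as on a real TPM.
    """
    pcrs: Dict[int, bytes] = {}
    for index, component in events:
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_LEN)), measure(component))
    return pcrs


def check_against_baseline(pcrs: Dict[int, bytes], baseline: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose value differs from the known-good baseline."""
    indices = set(pcrs) | set(baseline)
    return sorted(i for i in indices if pcrs.get(i) != baseline.get(i))


# Constructed sample boot chain (not real firmware images): (PCR index, component bytes).
# PCR 0 conventionally holds firmware code/config, PCR 4 the boot manager and kernel.
GOOD_BOOT: List[Tuple[int, bytes]] = [
    (0, b"firmware-v1.2"),
    (0, b"firmware-config"),
    (4, b"bootloader-v3"),
    (4, b"kernel-5.4"),
]

# Same chain, but the bootloader was patched on disk by an attacker with root.
ROOTKIT_BOOT: List[Tuple[int, bytes]] = [
    (i, b"bootloader-v3-patched" if c == b"bootloader-v3" else c) for i, c in GOOD_BOOT
]


def golden_baseline() -> Dict[int, bytes]:
    """Baseline recorded from a known-clean device during enrollment."""
    return replay_event_log(GOOD_BOOT)


if __name__ == "__main__":
    baseline = golden_baseline()
    for name, log in (("clean", GOOD_BOOT), ("rootkit", ROOTKIT_BOOT)):
        changed = check_against_baseline(replay_event_log(log), baseline)
        print(f"{name}: changed PCRs = {changed or 'none'}")
```

On a real device the verifier does not trust the host to report these values: it asks the TPM for a quote (TPM2_Quote) over the selected PCRs and a fresh nonce, signed by the TPM's attestation key, and validates that signature before running the comparison above. That signed step, omitted in this model, is what lets the check stay trustworthy even when the operating system itself is compromised.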
At T-minus 18 months, Windows 7 still powers 184M commercial PCs
https://www.computerworld.com/article/3293877/microsoft-windows/at-t-minus-18-months-windows-7-still-powers-184m-commercial-pcs.html
The aging operating system, still in wide use, leaves support in January 2020
About 184 million commercial PCs - in small- and mid-sized businesses, in large enterprises and in government agencies - are still running the quickly aging Windows 7, according to Microsoft.
That number included all markets except for China, the company said, with the largest percentage - one in four PCs, or approximately 46 million - in the U.S.
(Microsoft's number is just a fraction of the latest estimates of Windows 7's pervasiveness calculated by Computerworld using share data; that calculation pegged Windows 7 global consumer and commercial footprint at around 709 million PCs. The commercial side of that 709 million would be approximately 390 million using the long-accepted 55%-45% ratio of commercial/consumer PCs. Yet even that reduced number would be more than twice Microsoft's mark, leaving one to wonder if China had more than 200 million Windows 7 PCs, or if Computerworld's figure was out in left field. Presumably, Microsoft's number is the most accurate, as it was based on machine-to-Microsoft telemetry.)
Microsoft brought up the 184 million Windows 7 PCs earlier this month during its Inspire conference, where the Redmond, Wash. firm touted the partner opportunities during the home stretch of the Windows 7-to-Windows 10 migration.
Windows 7 is slated to drop off support Jan. 14, 2020. After that date, no security updates will be provided. In other words, most customers have just 18 months to get off Windows 7 and onto a newer operating system - Windows 10 is really the only choice - or risk leaving systems unpatched and thus at risk of hacking and exploitation.
Many businesses have already shifted to Windows 10, Microsoft claimed. Among the other statistics it trumpeted at Inspire, Microsoft said that there were 200 million commercial Windows 10 active monthly devices worldwide, or slightly more than those still on Windows 7 (excepting the massive Chinese market).
Of the commercial PCs still on Windows 7, 50% were within enterprises, 30% in small- and mid-sized businesses, and 30% in government. Nearly two-thirds of those machines were more than five years old, Microsoft said, a potential gold mine for partners bundling new hardware, software and services for customers eager to deploy Windows 10.
https://www.wavesys.com/system/files/03-000389.1.00_DS_VSC.pdf
Excerpt:
Wave VSC 2.0 is available on Windows 7, 8, and 8.1. Enterprises can support the operating system they have deployed now, while ensuring smooth transition to the next operating system.
By adopting Wave VSC 2.0, enterprises can leverage strong authentication at a lower TCO on the machines they have deployed today.
https://www.wavesys.com/products/wave-virtual-smart-card
What will you do with >50% TCO savings?*
Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.
Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.
Weaponized drones. Machines that attack on their own. 'That day is going to come'
https://www.cnbc.com/2018/07/20/ai-cyberattacks-artificial-intelligence-threatens-cybersecurity.html
•Artificial intelligence has clear positive uses, but it could be used to teach machines to attack people and their computer networks on their own.
•Drones and autonomous vehicles could be hacked using AI and turned into weapons
•Traditional cybersecurity methods won't know how to cope with new attacks carried out by smart machines
The idea of a computer program learning by itself, growing in knowledge and becoming increasingly sophisticated may be a scary one. It's even scarier when it's learning to attack things.
It's easy to dismiss artificial intelligence as yet another tech buzzword, but it's already being used in everyday applications via algorithmic processes known as machine learning.
Far from the killer robots of “Blade Runner,” machine learning applications are designed to train a computer to fulfill a certain task on its own. Machines are essentially “taught” to complete that task by doing it over and over, learning the many obstacles that could inhibit them.
“Such attacks, which seem like science fiction today, might become reality in the next few years,” Guy Caspi, CEO of cybersecurity start-up Deep Instinct, told CNBC’s new podcast “Beyond the Valley.”
Such technology promises to provide many benefits, such as smoother computing and the automation of many tasks we may, in years’ time, consider manageable without human intervention. But it also has experts worried.
Hacking, then weaponizing, drones and cars
Technicians and researchers are cautioning about the threat such technology poses for cybersecurity, that fundamentally important practice that keeps our computers and data — and governments' and corporations' computers and data — safe from hackers.
In February, a study from teams at the University of Oxford and University of Cambridge warned that AI could be used as a tool to hack into drones and autonomous vehicles, and turn them into potential weapons.
“Autonomous cars like Google’s (Waymo) are already using deep learning, can already raid obstacles in the real world," Caspi said, "so raiding traditional anti-malware system in cyber domain is possible.”
Another study, by U.S. cybersecurity software giant Symantec, said that 978 million people across 20 countries were affected by cybercrime last year. Victims of cybercrime lost a total of $172 billion — an average of $142 per person — as a result, researchers said.
The fear for many is that AI will bring with it a dawn of new forms of cyber breaches that bypass traditional means of countering attacks.
“We’re still in the early days of the attackers using artificial intelligence themselves, but that day is going to come,” warns Nicole Eagan, CEO of cybersecurity firm Darktrace. “And I think once that switch is flipped on, there’s going to be no turning back, so we are very concerned about the use of AI by the attackers in many ways because they could try to use AI to blend into the background of these networks.”
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management
Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.
With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.