WAVX) today reported financial results for
its third quarter ended September 30, 2012 (Q3 '12) and highlighted
recent progress and new product launches.
Wave reported total net revenues of $7.0 million for Q3 '12, including
$1.5 million in licensing revenues from its Safend subsidiary, and
services revenue of $40,000 from the final billing of a government
contract. Wave's Q3 '11 total net revenues were $9.5 million, including
$156,000 in revenues from Safend, which was acquired in late September
2011, and $274,000 in services revenue related to a government contract.
The year-ago third quarter also benefitted from approximately $2 million
in additional revenue related to two "large" enterprise-customer upgrade
sales recorded ratably during 2011. Total net revenues in Q2 '12 were
$7.8 million.
Wave's Q3 '12 and year-to-date results reflect lower levels of OEM
bundling revenue resulting from both lower PC shipment volumes as well as
revisions to the Company's royalty rates starting in November 2011 which,
on a blended basis, have reduced per-unit revenues. In aggregate, Q3 '12
was impacted by a $1.6 million decrease in OEM royalties versus the prior
year period, and since the beginning of 2012 Wave's OEM bundling revenue
has declined by $3.2 million versus a year ago, providing another
headwind in year-over-year comparisons.
Total billings declined to $6.1 million in Q3 '12, compared to $6.4
million in Q3 '11 and $6.9 million in Q2 '12. Total billings for Q3 '12,
Q3 '11 and Q2 '12 included $1.3 million, $143,000 and $1.4 million,
respectively, from Safend.
Wave's Q3 '12 combined SG&A and R&D expenses declined to $12.6 million compared
to $13.7 million in Q2 '12 but rose over Q3 '11 expenses of $10.9
million. The year-over-year increase in SG&A and R&D expenses reflects
expanded staffing in engineering, sales & marketing and administration,
principally due to the addition of approximately 60 team members and
related overhead resulting from the Safend acquisition. The increased
staffing & expenses support a broader base of OEM relationships, growth
in the prospective customer base and pipeline of order opportunities on a
global basis and investments in the development of new products and
product capabilities.
Wave recorded a Q3 '12 net loss of $6.1 million, or $0.06 per basic and
diluted share, as compared to a Q2 '12 net loss of $6.5 million, or $0.07
per basic and diluted share and its Q3 '11 net loss of $1.8 million, or
$0.02 per basic and diluted share. Per share figures are based on a
weighted average number of basic shares outstanding during Q3 '12, Q3 '11
and Q2 '12 of 98.0 million, 83.7 million and 92.5 million, respectively.
In order to highlight its operational performance on a cash-flow basis,
Wave reports EBITDAS, a non-GAAP measure defined as earnings before
interest income (expense), income taxes, depreciation and amortization
and stock-based compensation expense. Wave recorded negative EBITDAS of
$4.2 million in Q3 '12, compared with negative EBITDAS of $0.3 million in
Q3 '11 and negative EBITDAS of $4.6 million in Q2 '12.
As of September 30, 2012, Wave's total current assets were $6.5 million
and total current liabilities, including the current portion of deferred
revenue of $4.5 million, were $12.6 million. Cash and cash equivalents
were $2.2 million at September 30, 2012, as compared to $1.6 million at
June 30, 2012.
Wave continues to utilize a variety of approaches to fund its operations,
including active working capital management methods, a receivables
financing relationship to monetize its largest receivables and common
stock sales. During Q3 '12, Wave completed the sale of 2.6 million shares
of Class A common stock at $0.6425 per share, yielding net proceeds of
approximately $1.5 million. Purchasers also received warrants to purchase
up to 1.3 million shares of Class A common stock at $0.58 which expire in
August 2017. In October (Q4 '12), Wave raised approximately an additional
$3.1 million in net proceeds through the sale of 3.3 million shares of
Class A common stock at $1.0025 per share. Purchasers also received
warrants to purchase up to 1.7 million shares of Class A common stock at
$0.94 which expire in October 2017. Both of these private placements were
pursuant to Wave's effective shelf registration statement.
Also during Q3 '12, Wave raised net proceeds of approximately $3.6
million through the issuance of approximately 4.0 million shares of its
Class A common stock at an average price of $0.93 per share through its
At The Market (ATM) structure. Since the end of Q3 '12, share sales
through the ATM raised additional net proceeds of approximately $0.3
million at an average price of $0.99. Since the ATM's inception in
January 2012, Wave has raised total net proceeds of $9.1 million through
the issuance of 7.9 million shares of Class A common stock at an average
price of $1.18 per share. The share sales are completed at market prices,
with a 3% commission and without any warrant issuance.
CEO Commentary:
"During the third quarter, sales fell short of
expectations due to challenges in completing enterprise deals, as well as
a lower level of OEM bundling revenues. Our performance has prompted a
'redoubling' of efforts to bring sales in the pipeline to fruition in the
current quarter as well as expanded efforts at developing new
opportunities," commented Wave CEO Steven Sprague. "In light of our sales
results, we've also taken a closer look at ways to curtail expenses,
realizing a $1.2 million reduction in operating expenses in Q3 versus Q2
and a $2.2 million reduction versus Q1 of this year.
"Nonetheless, we remain optimistic about the future and our prospects in
this growing market. As anticipated, Wave released several new products
and product enhancements during the third quarter, including Wave Cloud,
a SaaS (software as a service) offering that provides central management
for hardware-based endpoint encryption, and Wave Endpoint Monitor, a
first-of-its-kind solution that detects malware threats in the 'pre-boot'
mode. We believe these new capabilities extend our leadership position in
the Trusted Computing space at a time when Trusted Computing capabilities
are receiving global visibility through the launch of the Windows 8
operating system across PCs, tablets and mobile devices.
"We view Windows 8, which utilizes industry standard hardware to deliver
a range of convenient and secure new features, as a validation of the
benefits of Trusted Computing and Wave's solutions. Wave is uniquely
positioned to support Windows 8 deployments via server-based or cloud
management solutions, as well as to deliver a range of Windows 8
capabilities to enterprise customers running Windows 7 and earlier
versions. Though Trusted Computing is based on industry-standard hardware
used to protect your identity, the powerful user benefits are ease of
use, ease of connection, and ease of access to the critical data that you
need to do your job; it just works. Further, by building these
capabilities on top of Trusted Computing hardware now being deployed
across PCs, tablets and mobile devices via Windows 8, governments,
enterprises, and even individuals, are able to benefit and manage all of
their devices using one solution."
"As the mobile security space continues to expand -- especially with the
rising use of consumer smartphones in the enterprise, in mobile commerce
and for sensitive applications -- Wave has taken a leadership role in
promoting the adoption of hardware-based industry standards for greater
security. Last quarter, Wave announced its inclusion in the influential
ARM TrustZone Ready Program, whose partners have pledged to help chipset
vendors design and integrate Trusted Computing hardware features in the
chipsets they are building today.
"We are making great progress with scrambls to address security issues
posed by the rising use of Cloud storage services in the enterprise as
well as the evolution of social media into a tool increasingly used by
businesses for the dissemination of critical information. We see strong
interest within the corporate environment for solutions that enable the
safe sharing of files and communications over the Internet and social
media."
Recent News and Developments
-- Wave launched several significant products in Q3, including Wave
Cloud, which provides central management for hardware-based endpoint
encryption, and Wave Endpoint Monitor, the first-ever solution using
industry standard hardware to detect malware and other threats at the
BIOS level.
-- Wave outlined unique Trusted Platform Module (TPM) management
capabilities within its upcoming version of EMBASSY Remote
Administration Server (ERAS), including the ability to secure
credentials in hardware for DirectAccess deployments and to use a TPM
as a Virtual Smartcard.
-- Gartner, the world's leading IT research and advisory firm, elevated
Wave to the "Visionary" section of its Mobile Data Quadrant.
-- SC Magazine awarded Wave's flagship server, ERAS, a four and 1/4 star
rating in its group endpoint encryption review.
-- Wave received broad media coverage discussing the Trusted Computing
capabilities and significance of the Windows 8 launch across PCs,
tablets and mobile devices: Forbes, eWeek, PC Magazine,
ComputerWeekly, Redmond Magazine.
-- Wave joined the ARM TrustZone Ready Enablement Program to provide
support and infrastructure for implementing enterprise security
capabilities in mobile devices.
About Wave Systems
Wave Systems Corp. reduces the complexity, cost
and uncertainty of data protection by starting inside the device. Unlike
other vendors who try to secure information by adding layers of software
for security, Wave leverages the security capabilities built directly
into endpoint computing platforms themselves. Wave has been a leading
expert in this growing trend, leading the way with first-to-market
solutions and helping shape standards through its work as a board member
for the Trusted Computing Group.
Safe Harbor for Forward-Looking Statements
This press release may
contain forward-looking information within the meaning of the Private
Securities Litigation Reform Act of 1995 and Section 21E of the
Securities Exchange Act of 1934, as amended (the Exchange Act), including
all statements that are not statements of historical fact regarding the
intent, belief or current expectations of the company, its directors or
its officers with respect to, among other things: (i) the company's
financing plans; (ii) trends affecting the company's financial condition
or results of operations; (iii) the company's growth strategy and
operating strategy; and (iv) the declaration and payment of dividends.
The words "may," "would," "will," "expect," "estimate," "anticipate,"
"believe," "intend" and similar expressions and variations thereof are
intended to identify forward-looking statements. Investors are cautioned
that any such forward-looking statements are not guarantees of future
performance and involve risks and uncertainties, many of which are beyond
the company's ability to control, and that actual results may differ
materially from those projected in the forward-looking statements as a
result of various factors. Wave assumes no duty to and does not undertake
to update forward-looking statements.
All brands are the property of their respective owners.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Statements of Operations
(Unaudited)
                                                  Three months ended                 Nine months ended
                                              September 30,    September 30,    September 30,    September 30,
                                                       2012             2011             2012             2011
                                              -------------    -------------    -------------    -------------
Net revenues:
  Licensing                                     $ 6,930,724      $ 9,259,722     $ 20,950,093     $ 24,617,967
  Services                                           39,539          274,416          763,781          486,533
                                              -------------    -------------    -------------    -------------
    Total net revenues                            6,970,263        9,534,138       21,713,874       25,104,500
                                              -------------    -------------    -------------    -------------
Operating expenses:
  Licensing - cost of net revenues                  395,188          459,002        1,317,055        1,139,943
  Services - cost of net revenues                     7,521           28,122          144,111          102,169
  Selling, general, and administrative            7,847,873        7,021,658       26,246,347       19,304,601
  Research and development                        4,793,453        3,869,833       14,861,557       10,717,346
                                              -------------    -------------    -------------    -------------
    Total operating expenses                     13,044,035       11,378,615       42,569,070       31,264,059
                                              -------------    -------------    -------------    -------------
Operating loss                                  (6,073,772)      (1,844,477)     (20,855,196)      (6,159,559)
                                              -------------    -------------    -------------    -------------
Other income (expense):
  Net currency transaction gain (loss)                1,965                -           11,753          231,368
  Net interest expense                             (36,685)          (1,074)         (99,294)          (3,128)
                                              -------------    -------------    -------------    -------------
    Total other income (expense)                   (34,720)          (1,074)         (87,541)          228,240
                                              -------------    -------------    -------------    -------------
Net loss                                      $ (6,108,492)    $ (1,845,551)   $ (20,942,737)    $ (5,931,319)
                                              =============    =============    =============    =============
Loss per common share - basic and diluted          $ (0.06)         $ (0.02)         $ (0.22)         $ (0.07)
Weighted average number of common shares
  outstanding during the period                  97,987,172       83,680,753       93,585,723       82,929,284
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Supplemental Schedules
(Unaudited)
                                                  Three months ended                 Nine months ended
                                              September 30,    September 30,    September 30,    September 30,
                                                       2012             2011             2012             2011
                                              -------------    -------------    -------------    -------------
Total net revenues                              $ 6,970,263      $ 9,534,138     $ 21,713,874     $ 25,104,500
Increase (decrease) in deferred revenue           (884,795)      (3,182,659)      (1,900,663)      (3,823,218)
                                              -------------    -------------    -------------    -------------
Total billings (Non-GAAP)                       $ 6,085,468      $ 6,351,479     $ 19,813,211     $ 21,281,282
                                              =============    =============    =============    =============
Net loss as reported                          $ (6,108,492)    $ (1,845,551)   $ (20,942,737)    $ (5,931,319)
Net interest expense                                 36,685            1,074           99,294            3,128
Depreciation and amortization                       539,001          177,933        1,611,521          438,794
Stock-based compensation expense                  1,343,510        1,355,100        3,987,588        3,938,605
                                              -------------    -------------    -------------    -------------
EBITDAS (Non-GAAP)                            $ (4,189,296)      $ (311,444)   $ (15,244,334)    $ (1,550,792)
                                              =============    =============    =============    =============
Non-GAAP Financial Measures:
As supplemental information, we provide
the non-GAAP performance measures that we refer to as total billings and
EBITDAS. Total billings is provided in addition to, but not as a
substitute for, GAAP total net revenues. Total billings means the sum of
total net revenues determined in accordance with GAAP, plus the increase
or minus the decrease in deferred revenue. We consider total billings an
important measure of our financial performance, as we believe it best
represents the continued increase in our software license upgrades. Total
billings is not a measure of financial performance under GAAP and, as
calculated by us, may not be consistent with computations of total
billings by other companies. EBITDAS is defined as net income (loss)
before interest income (expense), income taxes, depreciation and
amortization and stock-based compensation. EBITDAS should not be
construed as a substitute for net income (loss) or net cash provided by
(used in) operating activities (all as determined in accordance with
GAAP) for the purpose of analyzing our operating performance, financial
position and cash flows, as EBITDAS is not defined by GAAP. However, we
regard EBITDAS as a complement to net income (loss) and other GAAP
financial performance measures, including an indirect measure of
operating cash flow.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Balance Sheets
(Unaudited)
                                                      September 30,     December 31,
                                                               2012             2011
                                                      -------------    -------------
Assets
Current assets:
  Cash and cash equivalents                             $ 2,163,046      $ 3,385,035
  Accounts receivable, net of allowance for
    doubtful accounts of $-0- September 30,
    2012 and December 31, 2011                            2,640,528        7,198,645
  Collateralized receivables                                795,416                -
  Prepaid expenses                                          886,919          823,761
                                                      -------------    -------------
    Total current assets                                  6,485,909       11,407,441
Property and equipment, net                                 983,920        1,236,844
Amortizable intangible assets, net                        9,711,906       10,925,306
Goodwill                                                  6,216,059        6,216,059
Other assets                                                325,393          336,607
                                                      -------------    -------------
    Total Assets                                         23,723,187       30,122,257
                                                      =============    =============
Liabilities and Stockholders' Equity
Current liabilities:
  Secured borrowings                                        672,107                -
  Accounts payable and accrued expenses                   7,366,079        6,701,026
  Current portion of capital lease payable                   63,197           72,074
  Deferred revenue                                        4,484,362        6,619,257
                                                      -------------    -------------
    Total current liabilities                            12,585,745       13,392,357
Long-term portion of capital lease payable                        -           44,659
Other long-term liabilities                                  93,969           66,283
Royalty liability                                         4,116,656        4,043,163
Long-term deferred revenue                                1,194,152        1,035,220
                                                      -------------    -------------
    Total liabilities                                    17,990,522       18,581,682
                                                      -------------    -------------
Stockholders' Equity:
  Common stock, $.01 par value. Authorized
    150,000,000 shares as Class A; 100,999,248
    shares issued and outstanding in 2012 and
    89,574,385 in 2011                                    1,009,992          895,744
  Common stock, $.01 par value. Authorized
    13,000,000 shares as Class B; 35,556 shares
    issued and outstanding in 2012 and 2011                     355              355
  Capital in excess of par value                        388,618,723      373,598,144
  Accumulated deficit                                 (383,896,405)    (362,953,668)
                                                      -------------    -------------
    Total Stockholders' Equity                            5,732,665       11,540,575
                                                      -------------    -------------
    Total Liabilities and Stockholders' Equity         $ 23,723,187     $ 30,122,257
                                                      =============    =============
WAVE SYSTEMS CORP <WAVX.O> Q3 SHR LOSS $0.06
WAVE REPORTS Q3 REVENUES OF $7.0M AND REVIEWS RECENT DEVELOPMENTS AND NEW PRODUCT LAUNCHES
WAVE SYSTEMS CORP <WAVX.O> Q3 REVENUE $7 MLN
Baked-in Cybersecurity Goodness
http://www.afcea.org/signal/signalscape/index.php/2012/08/16/19248/
The next generation of cybersecurity will not deal with securing computer networks but rather with ensuring the inherent security of devices that connect to those networks. That’s the prediction of Steven Sprague, president and chief executive officer of Wave Systems Corporation, who delivered a plenary address to kick off the final day of the TechNet Land Forces East conference in Baltimore on Thursday.
Sprague’s company manufactures the Trusted Platform Module (TPM) chip, a device that has been a part of more than 600 million devices ranging from smartphones to desktop personal computers and servers. The TPM embeds a suite of applications and protocols designed to allow continuous, fully encrypted security verification of the devices in which it is installed. The TPM is the basis around which the Trusted Computing Group was formed. The group represents 130 information technologies around the world that build devices around the TPM and its specifications.
The TPM makes possible a significant redefinition of mobile, which Sprague describes as “a transition of the network architecture from a network based on connections to a network based on identity.”
Sprague said until recently, only a handful of products used the security verification capabilities of the TPM, including Apple. Windows 8 smartphones, due to be introduced this fall, will finally be able to use the TPM for security verification, and Sprague predicts that in the years to come, more manufacturers will choose to turn on the “baked in” security capabilities of the chip.
Indeed, forthcoming smart ID specifications set to be published by the National Institute of Standards and Technology this fall will call for more embedded security protocols in badges and other devices.
The TPM makes it possible to produce “a smartphone that is safe to lose,” said Sprague, and the latest iterations of the chip help to power self-encrypting, solid-state electrical disk drives. The self-encryption makes it possible to remotely disable a device and, if needed, erase critical data. It also makes remote management of devices possible.
Sprague declared that, “This will be the most important technology in the next decade,” and he believes that the TPM will herald a cybersecurity doctrine, which he dubs “Only Known Devices.”
LEE, MA, Aug 09 (Marketwire) --
Wave Systems Corp. (NASDAQ: WAVX) today reported financial results for
its second quarter (Q2) ended June 30, 2012 and highlighted recent
progress in the expansion of its PC & mobile OEM distribution
relationships.
"Wave has had a productive yet challenging first half of 2012," said Wave
CEO Steven Sprague. "Enthusiasm remains strong for the benefits of
trusted computing technology within important industry sectors. However,
converting interest into steady sales growth remains one of our biggest
challenges. Q2 revenues were slightly better than those in the first
quarter of this year, but were not as strong compared to Q2 '11, which
benefitted from revenue recognized from two large enterprise orders.
Expenses have also increased as a result of the substantial investment
Wave has made to grow its sales infrastructure throughout Europe, expand
its sales force in the US and consolidate the personnel and resources
from the Q3 '11 acquisition of Safend.
"Wave's disclosures over the past several months demonstrate the progress
we have made in expanding the reach of our distribution channel. Our
channel partners are on the front lines learning about the threats that
many end-customers face and are seeking to address, including lost
laptops, employee credentials being phished and corporate network
vulnerabilities. Wave is very focused on supporting the channel to
educate enterprises on how Trusted Computing technology can mitigate
these threats at a competitive total cost of ownership. Ultimately, we
believe our OEM channel partners serve as the foundation for our efforts
to expand our Wave sales globally.
"In this vein, we were proud to announce a worldwide distribution
agreement with Lenovo, the world's second largest PC manufacturer. Lenovo
has tested and approved Wave's client and server software and is now able
to promote and sell our solutions to enterprises and governments around
the world. Also of significance was our license agreement with Samsung
which permits the distribution of our EMBASSY Security Center and
middleware on devices that include a Trusted Platform Module (TPM)
security chip, for which Wave will receive a per unit royalty. In
addition, Wave secured an approved vendor arrangement with NATO, enabling
NATO's 28 member countries, including the United States European Command,
to access our security portfolio.
"I am also pleased to report that we are realizing benefits from our
investment in Safend. During the second quarter we completed the
integration of Safend's products, staff and operations into Wave. The
Safend portfolio is a robust addition to our product suite and extends
security capabilities into future Cloud-based services. Safend's
performance has been in-line with our expectations so far this year, and
we are working toward continued improvements in the subsidiary's sales
contributions.
"Finally, our continued investments in research and development will
yield a series of new product enhancements and offerings that will be
announced in the next few months. We believe these innovations will
further improve our competitive position by addressing new security
threats and trends such as Bring Your Own Device (BYOD) and Cloud
services that are shaping the way business is conducted."
Recent Developments:
-- Samsung Software License and Distribution Agreement For Devices
Including a TPM
-- Global Software Distribution Agreement with Lenovo, World's 2nd
Largest PC Maker
-- NATO Communications and Information Agency Names Wave as Approved
Vendor
Financial Review
In Q2 '12, Wave reported total net revenues of
$7.8 million, including $0.4 million in services revenues and $1.6
million in licensing revenues from its Safend subsidiary. Wave's Q2 '12
performance represents an 11% increase over Q1 '12 total net revenues of
$7.0 million, but a 4% decline from total net revenues of $8.1 million in
Q2 '11.
Year-ago second quarter revenues benefitted from two "large"
enterprise-customer licenses that were recorded ratably during 2011 and
amounted to an additional $2 million in the period compared to Q2 '12 or
Q1 '12. Total billings were $6.9 million in Q2 '12, a 27% decline from
the $9.4 million total in Q2 '11 which included a $3.5 million enterprise
order from BASF. Total billings for Q2 '12 and Q1 '12 included $1.4
million and $1.8 million, respectively, from Safend, versus no
contribution in Q2 '11. Q2 '12 billings also reflect approximately $0.4
million in professional services billed on a time and materials basis
during the quarter.
Wave's Q2 '12 combined SG&A and R&D expenses decreased by roughly $1.1
million to $13.7 million from Q1 '12, but rose $3.9 million over Q2 '11.
The year-over-year increase in SG&A and R&D expenses reflects an increase
of approximately 60 new team members resulting from the Safend
acquisition, as well as expanded staffing in engineering, sales &
marketing and administration. The increased staffing & expenses support
the development of new products and product features for the PC and
mobile device markets. Additionally, higher overhead reflects increased
sales and marketing and administrative staffing and programs required to
support the geographical expansion of Wave's marketing efforts and the
support of an expanding base of OEM partners. The decrease in SG&A and
R&D expenses versus Q1 '12 reflects a variety of factors including lower
professional services fees and lower salary and related expense from a
modest decrease in employee headcount. Principally as a result of the
Safend acquisition in Q3 '11, depreciation and amortization expense rose
to $0.5 million in Q2 '12 versus $0.1 million in Q2 '11 and $0.5 million
in Q1 '12.
Wave recorded a Q2 '12 net loss of $6.5 million, or $0.07 per basic and
diluted share, as compared to a Q2 '11 net loss of $1.8 million, or $0.02
per basic and diluted share, and a Q1 '12 net loss of $8.3 million, or
$0.09 per basic and diluted share. Per share figures are based on a
weighted average number of basic shares outstanding during Q2 '12, Q2 '11
and Q1 '12 of 92.5 million, 82.9 million and 90.2 million, respectively.
Wave reports EBITDAS, a non-GAAP measure defined as earnings before
interest income (expense), income taxes, depreciation and amortization
and stock-based compensation expense, in order to highlight its
operational performance on a cash-flow basis. Wave recorded negative
EBITDAS of $4.6 million in Q2 '12, compared with negative EBITDAS of $0.3
million in Q2 '11 and negative EBITDAS of $6.4 million in Q1 '12.
As of June 30, 2012, Wave's total current assets were $6.9 million and
total current liabilities, including the current portion of deferred
revenue of $5.1 million, were $13.9 million. Cash and cash equivalents
were $1.6 million at June 30, 2012, as compared to $2.3 million at March
31, 2012. Wave continues to utilize a variety of approaches to fund its
working capital needs. In addition to its At The Market Issuance (ATM)
structure and active working capital management methods, Wave has also
established a receivables financing relationship that enables it to more
readily monetize its largest receivables.
During the second quarter and to date in Q3 '12, Wave has raised net
proceeds of approximately $3.8 million through the issuance of
approximately 4.1 million shares of its Class A common stock at an
average price of $0.97 per share through its At The Market Issuance (ATM)
structure; share sales to date in Q3 '12 represent approximately $1.0
million of the net proceeds. Since inception of the ATM in January 2012,
Wave has raised total net proceeds of $6.4 million through the issuance
of 5.2 million shares of Class A common stock at an average price of
$1.23 per share. The share sales are completed at market prices, with a
3% commission and without any warrant issuance.
Additionally, Wave announced earlier today that it has agreed to raise an
additional $1.66 million through the sale of Class A common stock
pursuant to its effective shelf registration statement.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Statements of Operations
(Unaudited)
                                                  Three months ended                 Six months ended
                                                   June 30,         June 30,         June 30,         June 30,
                                                       2012             2011             2012             2011
                                               ------------     ------------     ------------     ------------
Net revenues:
  Licensing                                     $ 7,361,102      $ 8,094,126     $ 14,019,369     $ 15,358,245
  Services                                          400,372                -          724,242          212,117
                                               ------------     ------------     ------------     ------------
    Total net revenues                            7,761,474        8,094,126       14,743,611       15,570,362
                                               ------------     ------------     ------------     ------------
Operating expenses:
  Licensing - cost of net revenues                  458,237          382,060          921,867          680,941
  Services - cost of net revenues                    74,760                -          136,590           74,047
  Selling, general, and administrative            8,624,691        6,222,036       18,398,474       12,282,943
  Research and development                        5,050,625        3,548,726       10,068,104        6,847,513
                                               ------------     ------------     ------------     ------------
    Total operating expenses                     14,208,313       10,152,822       29,525,035       19,885,444
                                               ------------     ------------     ------------     ------------
Operating loss                                  (6,446,839)      (2,058,696)     (14,781,424)      (4,315,082)
                                               ------------     ------------     ------------     ------------
Other income (expense):
  Net currency transaction gain (loss)             (13,812)          231,368            9,788          231,368
  Net interest expense                             (60,504)            (753)         (62,609)          (2,054)
                                               ------------     ------------     ------------     ------------
    Total other income (expense)                   (74,316)          230,615         (52,821)          229,314
                                               ------------     ------------     ------------     ------------
Net loss                                      $ (6,521,155)    $ (1,828,081)   $ (14,834,245)    $ (4,085,768)
                                               ============     ============     ============     ============
Loss per common share - basic and diluted          $ (0.07)         $ (0.02)         $ (0.16)         $ (0.05)
Weighted average number of common shares
  outstanding during the period                  92,483,493       82,939,649       91,358,548       82,547,321
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Supplemental Schedules
(Unaudited)
                                                 Three months ended               Six months ended
                                                  June 30,        June 30,        June 30,        June 30,
                                                      2012            2011            2012            2011
                                              ------------    ------------    ------------    ------------
Total net revenues                             $ 7,761,474     $ 8,094,126    $ 14,743,611    $ 15,570,362
Increase (decrease) in deferred revenue          (820,021)       1,258,300       (895,599)       (640,559)
                                              ------------    ------------    ------------    ------------
Total billings (Non-GAAP)                      $ 6,941,453     $ 9,352,426    $ 13,848,012    $ 14,929,803
                                              ============    ============    ============    ============
Net loss as reported                         $ (6,521,155)   $ (1,828,081)   $(14,834,245)   $ (4,085,768)
Net interest expense                                60,504             753          62,609           2,054
Depreciation and amortization                      545,731         137,053       1,072,520         260,861
Stock-based compensation expense                 1,288,326       1,389,622       2,644,078       2,583,505
                                              ------------    ------------    ------------    ------------
EBITDAS (Non-GAAP)                           $ (4,626,594)     $ (300,653)   $(11,055,038)   $ (1,239,348)
                                              ============    ============    ============    ============
Non-GAAP Financial Measures:
As supplemental information, we provide
the non-GAAP performance measures that we refer to as total billings and
EBITDAS. Total billings is provided in addition to, but not as a
substitute for, GAAP total net revenues. Total billings means the sum of
total net revenues determined in accordance with GAAP, plus the increase
or minus the decrease in deferred revenue. We consider total billings an
important measure of our financial performance, as we believe it best
represents the continued increase in our software license upgrades. Total
billings is not a measure of financial performance under GAAP and, as
calculated by us, may not be consistent with computations of total
billings by other companies. EBITDAS is defined as net income (loss)
before interest income (expense), income taxes, depreciation and
amortization and stock-based compensation. EBITDAS should not be
construed as a substitute for net income (loss) or net cash provided by
(used in) operating activities (all as determined in accordance with
GAAP) for the purpose of analyzing our operating performance, financial
position and cash flows, as EBITDAS is not defined by GAAP. However, we
regard EBITDAS as a complement to net income (loss) and other GAAP
financial performance measures, including an indirect measure of
operating cash flow.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Balance Sheets
(Unaudited)
                                                          June 30,    December 31,
                                                              2012            2011
                                                     -------------   -------------
Assets
Current assets:
  Cash and cash equivalents                            $ 1,570,573     $ 3,385,035
  Accounts receivable, net of allowance for
    doubtful accounts of $-0- June 30, 2012
    and December 31, 2011                                3,521,934       7,198,645
  Pledged receivables                                    1,009,430               -
  Prepaid expenses                                         758,306         823,761
                                                     -------------   -------------
    Total current assets                                 6,860,243      11,407,441
Property and equipment, net                              1,076,726       1,236,844
Amortizable intangible assets, net                      10,116,206      10,925,306
Goodwill                                                 6,216,059       6,216,059
Other assets                                               327,010         336,607
                                                     -------------   -------------
    Total Assets                                        24,596,244      30,122,257
                                                     =============   =============
Liabilities and Stockholders' Equity
Current liabilities:
  Secured borrowings                                       852,948               -
  Accounts payable and accrued expenses                  7,785,449       6,701,026
  Current portion of capital lease payable                  74,883          72,074
  Deferred revenue                                       5,146,640       6,619,257
                                                     -------------   -------------
    Total current liabilities                           13,859,920      13,392,357
Long-term portion of capital lease payable                   6,502          44,659
Other long-term liabilities                                 96,324          66,283
Royalty liability                                        4,121,397       4,043,163
Long-term deferred revenue                               1,185,587       1,035,220
                                                     -------------   -------------
    Total liabilities                                   19,269,730      18,581,682
                                                     -------------   -------------
Stockholders' Equity:
  Common stock, $.01 par value. Authorized
    150,000,000 shares as Class A; 94,371,623
    shares issued and outstanding in 2012 and
    89,574,385 in 2011                                     943,716         895,744
  Common stock, $.01 par value. Authorized
    13,000,000 shares as Class B; 35,556 shares
    issued and outstanding in 2012 and 2011                    355             355
  Capital in excess of par value                       382,170,356     373,598,144
  Accumulated deficit                                (377,787,913)   (362,953,668)
                                                     -------------   -------------
    Total Stockholders' Equity                           5,326,514      11,540,575
                                                     -------------   -------------
Total Liabilities and Stockholders' Equity            $ 24,596,244    $ 30,122,257
                                                     =============   =============
Conference call: Today, August 9, 2012 at 4:30 p.m. ET
Webcast / Replay URL: www.wave.com/news/webcasts
Dial-in numbers: 415-226-5361 or 212-231-2915
Contact:
Wave Systems Corp.
Gerard T. Feeney
CFO
413-243-1600
Investor Relations
David Collins, Eric Lentini
212-924-9800
wavx@catalyst-ir.com
Copyright 2012, Marketwire, All rights reserved.
-0-
--------------------------------------------------------------------------------
Category Codes:
Americas(R=AMR), North America(R=NAMR), United States of America(R=US), Computer Services(I=TSX), Software & Computer Services(I=SS), Technology (Supersector)(I=ET), Electronic Office Equipment(I=OFF), Technology Hardware & Equipment(I=TH), Technology (Industry)(I=TEC), English(L=EN)
Companies:
WAVE SYSTEMS CORPORATION(WAVX)
CC Phone #s 415-226-5361 or 212-231-2918 e/
WAVE REPORTS Q2 REVENUES OF $7.8M AND REVIEWS RECENT EXPANSION OF ITS OEM SALES CHANNEL
4:03 PM Eastern Daylight Time Aug 09, 2012
Copyright © 2012 (C) Reuters 2012. All rights reserved. Republication or redistribution of Reuters content, including by caching, framing or similar means, is expressly prohibited without the prior written consent of Reuters.
WAVE SYSTEMS CORP <WAVX.O> Q2 SHR LOSS $0.07
4:03 PM Eastern Daylight Time Aug 09, 2012
WAVE SYSTEMS CORP <WAVX.O> Q2 REVENUE $7.8 MLN
4:03 PM Eastern Daylight Time Aug 09, 2012
--------------------------------------------------------------------------------
Security Vendor Wave Systems Q4 Revenues Rose 57% to $11.0M on Growing Software Sales and Safend Contribution<WAVX.O>
Market Wire
4:01 PM Eastern Daylight Time Mar 28, 2012
LEE, MA, Mar 28 (MARKET WIRE) --
Wave Systems Corp. (NASDAQ: WAVX) today reported financial results for
its fourth quarter (Q4) and year ended December 31, 2011, having
previously postponed its year-end reporting due to the discovery of
certain pre-acquisition accounting errors in the financial statements of
its Safend Ltd. subsidiary acquired September 22, 2011. Wave expects to
file its annual report on Form 10-K on or before March 30, 2012.
Wave CEO Steven Sprague commented, "2011 was a pivotal year for Wave as
we built the business across several important fronts, deepening our
engagement into exciting new product markets and geographies. As a result
of significant enterprise deals closed in Europe, we expanded our
presence in the region, adding a team of seasoned sales professionals and
establishing offices in France, Germany and the United Kingdom to support
our market outreach. Through our acquisition of Safend, we rounded out
our product portfolio with a robust set of award-winning Data Loss
Prevention (DLP) products, added to our roster of customers, expanded our
engineering and sales teams and secured a foothold in Israel and other
global markets. While the pre-acquisition accounting errors we have
reported for Safend are regrettable, they do not change our view of the
importance of this acquisition for Wave.
"We took an equally forward-leaning stance on the product development
front, investing aggressively to position Wave to address a range of
additional potential opportunities, including our service contract
announced yesterday with the U.S. Army. In response to the emergence of
sophisticated viruses such as Stuxnet, we were the first to market with a
product for the early detection of BIOS-level threats, Wave Endpoint
Monitor. In the mobile space, we joined with partners Trusted Logic
Mobility and ARM to create an industry-first mobile security
demonstration in which an Android phone was used as an authentication
token. We also extended our management solutions into the Cloud with the
launch of Wave Encryption Service, and today we are working on a
next-generation, feature-rich cloud service that we plan to make
commercially available later this year.
"The coming launch of the Windows 8 operating system is a major
development because of its increased emphasis on trusted computing.
Microsoft has made security a primary focus for Windows 8 and is
integrating hardware-level support for access control, encryption and the
early detection of malware using trusted computing security. These
capabilities should provide additional opportunities for the adoption of
Wave's enterprise management solutions to manage such functions.
"Finally, in the coming weeks you'll hear more from Wave in the consumer
space, as we plan the 'beta' launch of a service we've developed called
scrambls. Demonstrations started in November and have yielded strong
interest and positive feedback from a broad array of users. The solution
leverages Wave's deep expertise in encryption and data protection to
return control of content shared over social networks to individual
creators.
"In summary, we believe Wave is at the forefront of important innovations
for cyber security, and we continue to actively pursue a growing range of
market opportunities. We believe that investments in these initiatives,
though challenging to near-term profitability, are essential to solving
key security challenges, supporting our partners and positioning Wave for
long-term success."
Recent Development Milestones:
-- Wave Teamed with Samsung Electronics to provide engineering and
consulting services, validation and a customized version of Wave's
local management software for Samsung's Trusted Platform Module (TPM)
security chips for OEM distribution. (Nov. 2011)
-- scrambls, an online social media privacy service that uses encryption
to let users control access to their communications, is released for
initial testing. Made available in November on Mozilla FireFox,
scrambls has since added support for the Android, Google Chrome &
Safari browsers. There are plans for the release of an Internet
Explorer-compatible version soon, as well as new features for secure
posting of photos and videos. (Nov. 2011)
-- Wave Encryption Service (WES) Wave launched a powerful, scalable
subscription-based Cloud service that allows organizations to secure
data and centrally enforce strong data encryption policies to achieve
regulatory compliance. (Jan. 2012)
-- Wave Announced Windows 8 Support for hardware-based security
components including TPM, Unified Extensible Firmware Interface (UEFI)
and Encrypted Drives. (Feb. 2012)
-- Wave and Trusted Logic Mobility Demonstrate Mobile Solution enabling
enterprises to extend PC security architectures to mobile devices. The
solution authenticates a user utilizing an Android device as a token,
allowing encrypted data on a laptop to be unlocked. The solution
combines Wave's software with Trusted Logic's Mobile Trusted Module
compliant software and the ARM(R) TrustZone(TM) secure hardware
architecture. (Feb 2012)
-- CMS and Wave Announce First-Ever Opal External Self-Encrypting Drive
bundled with Wave's client software to activate and manage the drives'
advanced security features. The agreement marked Wave's entry in the
external SED drive market. (Feb. 2012)
Financial Review
Wave's Q4 '11 total net revenues rose 57% to $11.0
million compared to $7.0 million in Q4 '10 and rose 16% over Q3 '11 net
revenues of $9.5 million. The increase in total net revenues was
primarily the result of the recognition of $2.4 million of revenue from
"large" enterprise customers and $1.6 million of Safend net revenue for
the full quarter. Wave recognizes "large" enterprise orders (5,000 or
more licenses) as earned revenue ratably over the arrangement's
maintenance term which is typically twelve months.
Total billings declined to $11.5 million in Q4 '11, versus $14.2 million
in Q4 '10 (which included $8.1 million in billings related to a large
global automaker order) but increased over Q3 '11 total billings of $6.4
million. Q4 '11 total billings included $1.7 million from one of the
world's leading international oil and gas companies and a full quarter of
Safend billings. Total net revenues are reconciled to total billings
below.
Wave continues to accelerate investments in sales and marketing and R&D
initiatives in line with the strategy management has articulated over the
past several quarters. The investments are intended to maintain Wave's
market leadership, to build its technology and product portfolios, to
expand into new areas of growth such as mobile security and to drive
increased awareness and customer engagement on a global basis.
Principally related to increased engineering and sales & marketing
activity and headcount increases, as well as the addition of Safend
operations in late September 2011, Wave's aggregate SG&A and R&D expenses
in Q4 '11 rose 30% or $3.3 million over Q3 '11 levels, $2.6 million of
which was attributable to Safend. Wave's 2011 SG&A and R&D expenses rose
$15.9 million or 56% over 2010 levels, reflecting the company's
substantial expanded OEM, product and geographic engagement, as well as
$2.8 million of SG&A and R&D expenses attributable to Safend.
Non-cash stock-based compensation expense nearly doubled to $1.4 million
in Q4 '11 as compared to Q4 '10 and rose 6% over the Q3 '11 level. The
increase reflects the substantial expansion of Wave's headcount over the
past year, as stock-based compensation remains an important component of
Wave's company-wide recruitment and retention strategy. In addition, Wave
recorded approximately $1.0 million of expense during Q4 '11 and the full
year 2011 to reflect adjustments to the purchase accounting for the
Safend acquisition.
Wave recorded a Q4 '11 net loss of $4.9 million, or $0.05 per basic and
diluted share, compared to a Q4 '10 net loss of $1.2 million, or $0.01
per basic and diluted share, and a Q3 '11 net loss of $1.8 million, or
$0.02 per basic and diluted share. Per share figures are based on a
weighted average number of basic shares outstanding during Q4 '11, Q4 '10
and Q3 '11 of 88.5 million, 81.2 million and 83.7 million, respectively.
Wave reports EBITDAS, a non-GAAP measure defined as earnings before
interest income (expense), income taxes, depreciation and amortization
and stock-based compensation expense, in order to highlight its
operational performance on a cash-flow basis. Wave recorded negative
EBITDAS of $2.8 million in Q4 '11, compared with negative EBITDAS of $0.3
million in both Q4 '10 and Q3 '11. A reconciliation of net loss to
EBITDAS is presented below.
Wave's cash and cash equivalents were $3.4 million at December 31, 2011
compared to $3.6 million at December 31, 2010 and $6.9 million at
September 30, 2011. As of December 31, 2011, Wave's total current assets
were $11.4 million and total current liabilities -- including the current
portion of deferred revenue of $6.6 million -- were $13.4 million. In
late January 2012 Wave entered into an At The Market Issuance (ATM) sales
agreement with investment banking firm MLV & Co. (the "Sales Agent"),
pursuant to which Wave may issue and sell up to $20 million of its Class
A common stock from time to time through July 2014. Such sales would be
pursuant to an effective shelf registration statement. As of March 26,
2012, Wave has issued approximately 1.1M shares of its common stock
through the ATM structure at an average price of $2.185 per share,
raising net proceeds of approximately $2.4M after deducting offering
costs of approximately $73,000.
About Wave Systems
Wave Systems Corp. reduces the complexity, cost and
uncertainty of data protection by starting inside the device. Unlike
other vendors who try to secure information by adding layers of software
for security, Wave leverages the security capabilities built directly
into endpoint computing platforms themselves. Wave has been a leading
expert in this growing trend, leading the way with first-to-market
solutions and helping shape standards through its work as a board member
for the Trusted Computing Group.
Safe Harbor for Forward-Looking Statements
This press release may
contain forward-looking information within the meaning of the Private
Securities Litigation Reform Act of 1995 and Section 21E of the
Securities Exchange Act of 1934, as amended (the Exchange Act), including
all statements that are not statements of historical fact regarding the
intent, belief or current expectations of the company, its directors or
its officers with respect to, among other things: (i) the company's
financing plans; (ii) trends affecting the company's financial condition
or results of operations; (iii) the company's growth strategy and
operating strategy; and (iv) the declaration and payment of dividends.
The words "may," "would," "will," "expect," "estimate," "anticipate,"
"believe," "intend" and similar expressions and variations thereof are
intended to identify forward-looking statements. Investors are cautioned
that any such forward-looking statements are not guarantees of future
performance and involve risks and uncertainties, many of which are beyond
the company's ability to control, and that actual results may differ
materially from those projected in the forward-looking statements as a
result of various factors. Wave assumes no duty to and does not undertake
to update forward-looking statements.
All brands are the property of their respective owners.
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Statements of Operations
(Unaudited)
                                                 Three Months Ended              Twelve months ended
                                                    December 31,                    December 31,
                                                      2011            2010            2011            2010
                                              ------------    ------------    ------------    ------------
Net revenues:
  Licensing                                     10,482,551       6,340,419      35,100,518      24,736,029
  Services                                         551,964         696,820       1,038,497       1,314,763
                                              ------------    ------------    ------------    ------------
    Total net revenues                         $11,034,515     $ 7,037,239    $ 36,139,015    $ 26,050,792
                                              ------------    ------------    ------------    ------------
Operating expenses:
  Licensing - cost of net revenues                 455,139         311,227       1,595,082       1,177,114
  Services - cost of net revenues                   86,998         165,586         189,167         599,704
  Adjustments to purchase accounting             1,033,206               -       1,033,206               -
  Selling, general and administrative            8,821,113       5,088,842      28,124,623      18,019,707
  Research and development                       5,369,783       2,608,846      16,087,129      10,288,460
                                              ------------    ------------    ------------    ------------
    Total operating expenses                    15,766,239       8,174,501      47,029,207      30,084,985
                                              ------------    ------------    ------------    ------------
Operating loss                                 (4,731,724)     (1,137,262)    (10,890,192)     (4,034,193)
                                              ------------    ------------    ------------    ------------
Other income (expense):
  Net currency transaction gain (loss)            (55,273)               -         175,004               -
  Net interest expense                             (1,461)         (3,251)         (4,589)        (15,842)
                                              ------------    ------------    ------------    ------------
    Total other income (expense)                  (56,734)         (3,251)         170,415        (15,842)
                                              ------------    ------------    ------------    ------------
Loss before income taxes                       (4,788,458)     (1,140,513)    (10,719,777)     (4,050,035)
Income tax expense                                (74,959)        (72,782)        (74,959)        (72,782)
                                              ------------    ------------    ------------    ------------
Net loss                                       (4,863,417)     (1,213,295)    (10,794,736)     (4,122,817)
Loss per common share - basic and diluted         $ (0.05)        $ (0.01)        $ (0.13)        $ (0.05)
                                              ============    ============    ============    ============
Weighted average number of common
  shares outstanding during the period          88,544,911      81,209,017      84,344,729      79,924,475
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Supplemental Schedule
(Unaudited)
                                                 Three Months Ended              Twelve months ended
                                                    December 31,                    December 31,
                                                      2011            2010            2011            2010
                                              ------------    ------------    ------------    ------------
Total net revenues                             $11,034,515     $ 7,037,239    $ 36,139,015    $ 26,050,792
Increase (decrease) in deferred revenue            491,688       7,197,729     (3,331,530)       6,303,168
                                              ------------    ------------    ------------    ------------
Total billings (Non-GAAP)                      $11,526,203     $14,234,968    $ 32,807,485    $ 32,353,960
                                              ============    ============    ============    ============
Net loss as reported                          $(4,863,417)    $(1,213,295)   $(10,794,736)   $ (4,122,817)
Net interest expense                                 1,461           3,251           4,589          15,842
Income tax expense                                  74,959          72,782          74,959          72,782
Depreciation and amortization                      566,274          57,293       1,005,068         404,795
Stock-based compensation expense                 1,441,356         731,403       5,379,961       2,813,816
                                              ------------    ------------    ------------    ------------
EBITDAS (Non-GAAP)                            $(2,779,367)     $ (348,566)   $ (4,330,159)     $ (815,582)
                                              ============    ============    ============    ============
WAVE SYSTEMS CORP. AND SUBSIDIARIES
Consolidated Balance Sheets
(Unaudited)
                                                      December 31,    December 31,
                                                              2011            2010
                                                     -------------   -------------
Assets
Current assets:
  Cash and cash equivalents                            $ 3,385,035     $ 3,595,076
  Accounts receivable, net of allowance for
    doubtful accounts of $-0- at December 31,
    2011 and 2010, respectively                          7,198,645      11,594,549
  Prepaid expenses                                         823,761         319,209
                                                     -------------   -------------
    Total current assets                                11,407,441      15,508,834
Property and equipment, net                              1,236,844         507,247
Amortizable intangible assets, net                      10,925,306         953,333
Goodwill                                                 6,216,059               -
Other assets                                               336,607         114,469
                                                     -------------   -------------
    Total Assets                                        30,122,257      17,083,883
                                                     =============   =============
Liabilities and Stockholders' Equity
Current liabilities:
  Accounts payable and accrued expenses                  6,701,026       4,399,579
  Current portion of capital lease payable                  72,074          66,770
  Deferred revenue                                       6,619,257       8,454,029
                                                     -------------   -------------
    Total current liabilities                           13,392,357      12,920,378
Long-term portion of capital lease payable                  44,659         116,734
Other long-term liabilities                                 65,503               -
Long-term deferred revenue                               1,035,220       1,350,000
Royalty liability                                        4,043,163               -
                                                     -------------   -------------
    Total liabilities                                   18,580,902      14,387,112
                                                     -------------   -------------
Stockholders' Equity:
  Common stock, $.01 par value. Authorized
    150,000,000 shares as Class A; 89,574,385
    shares issued and outstanding in 2011 and
    81,331,737 in 2010                                     895,744         813,317
  Common stock, $.01 par value. Authorized
    13,000,000 shares as Class B; 35,556 shares
    issued and outstanding in 2011 and 2010                    355             355
  Capital in excess of par value                       373,598,144     353,967,031
  Accumulated other comprehensive income                       780               -
  Accumulated deficit                                (362,953,668)   (352,083,932)
                                                     -------------   -------------
    Total Stockholders' Equity                          11,541,355       2,696,771
                                                     -------------   -------------
Total Liabilities and Stockholders' Equity            $ 30,122,257    $ 17,083,883
                                                     =============   =============
Conference call: Today, March 28, 2012 at 4:30 p.m. ET
Webcast / Replay URL: www.wave.com/news/webcasts
Dial-in numbers: (415) 226 5356 or (212) 231 2902
Contact:
Wave Systems Corp.
Gerard T. Feeney
CFO
413-243-1600
Investor Relations
David Collins, Jennifer Neuman
212-835-8500
wavx@jcir.com
Copyright 2012, Market Wire, All rights reserved.
WAVE SYSTEMS CORP <WAVX.O> Q4 REVENUE $11 MLN VS $7
Wave Systems Reschedules Q4 Conference Call for Wednesday, March 28th at 4:30 p.m. ET
LEE, MA, Mar 26, 2012 (MARKETWIRE via COMTEX) -- Wave Systems Corp. (WAVX) (www.wave.com) announced that on Wednesday, March 28, at 4:30 p.m. ET it will host a webcast/conference call reviewing its fiscal fourth quarter and full-year 2011 financial results and recent progress. Wave's Q4 2011 results will be issued after the market's close that day.
Earlier this month, the company postponed its regularly scheduled conference call after making a determination that it would need additional time to complete its annual financial statements due to certain pre-acquisition accounting errors identified in the financial statements of its subsidiary Safend Ltd. (acquired by Wave in September 2011). Wave filed a 15-day extension (Form NT 10-K) for the filing of its annual report.
WEBCAST/REPLAY: Available at http://www.wave.com/news/webcasts.asp
TELEPHONE: (415) 226-5356 or (212) 231-2902
While we won't know the details for a while, I think this will probably reveal Wave might have paid too much for Safend. It doesn't cover the period after the merger where Safend's revenues are included with Wave's. Ultimately, it may be a write-down for Wave with no change or re-statement to their operating results.
LEE, MA--(Marketwire -03/14/12)- Wave Systems Corp. (NASDAQ: WAVX - News) announced today that it is postponing its fiscal-year 2011 financial results announcement and related conference call that were originally scheduled for this afternoon. Wave has made a determination that there are certain accounting errors in the financial statements of its subsidiary Safend Ltd. (acquired by Wave September 22, 2011) for the 2009 annual period, the 2010 annual period and the interim six-month period ending on June 30, 2011. Wave requires more time to complete its assessment of these errors and the preparation of the company's fiscal 2011 financial results and Form 10K, particularly the consolidation and related purchase accounting for Safend Ltd. Wave will be filing a report on Form 8-K providing additional details.
As a result of the delay, Wave also expects to file a 15-day extension (Form NT 10-K) for the filing of its annual report on Form 10-K which is due on March 15, 2011. Once the financial statements are finalized, Wave will announce a new date for its Q4 news release and conference call and will file its Form 10-K.
Berger: Changing the Status Quo for Security
http://www.ctoedge.com/content/changing-status-quo-security
When a problem is recognized that impacts virtually everyone and a group of experts provides a solution, what can possibly prevent the solution from being used? If the problem were global warming, with the need to reduce CO2 as the solution, it would be easy to identify the extensive buy-in required from scientists and governments around the world as a major issue.
If the problem were finding a computing and communication tool that did not require a keyboard as the human machine interface and you introduce a product (the iPad) that costs $499, you could have sold over 3 million units in 80 days. That’s immediate acceptance by a significant portion of the world’s population and cost is not an issue.
In contrast, for improved computer security that comes with virtually every enterprise-level computer and server (in other words, it’s free) and just requires activation, the adoption rate has been incredibly slow. According to a study by Aberdeen Research, even though it’s installed in over 300 million desktop and portable computers, only a small fraction of users have activated the embedded security.
Turn It On
Most people are not even aware of the security technology in their computer. That’s okay if the technology is enabled when they purchase the computer, but the Trusted Platform Module, or TPM, is an opt-in tool. The TPM, a secure cryptographic integrated circuit (IC), provides a hardware-based root of trust that enables improved computer and network security compared to software-only approaches that can be defeated by the same software they are attempting to detect and block. The TPM was developed by the Trusted Computing Group (TCG) as an open standard, so several companies compete to supply the TPM, making it cost competitive. As a result, most leading computer companies install the technology in their computers. In addition to industry experts in computing software, hardware and services, TCG’s members also include companies that have a goal of improving the security in their own operations.
While it can be difficult to establish trust with people, you can easily establish a trusted relationship with a TPM-equipped machine and protect systems and networks. For consumers and enterprises that have PCs, servers and other products with a TPM, they just need to turn the TPM on. It only takes four easy steps. While not as easy as simply flipping a switch, for corporations with an IT organization, it is a trivial technical challenge. Several companies offer tools to make the widespread implementation of the TPM in an organization even easier. With an activated TPM, users can easily encrypt files, folders and e-mails, as well as more securely manage passwords to avoid unauthorized access to computers and networks.
The TPM provides a hardware security foundation for networks based on hooks in TCG’s Trusted Network Connect standard. A recent extension of that standard even provides secure social networking for machines through an interface to a Metadata Access Protocol (IF-MAP) server. In addition, self-encrypting drives have been introduced based on TCG’s Trusted Storage standard that takes advantage of the TPM.
Join the Club
Companies that make computing and network products should investigate and analyze the benefits they can provide consumers by incorporating the TPM in their new products. Several companies already have new products based on TCG standards including the TPM that demonstrate what can be accomplished. As a result, early adopters have already taken advantage of improved TPM-based security in these existing products for organization-wide implementation.
As part of its High Assurance Platform (HAP) Program, the National Security Agency (NSA) uses the TPM in a virtualized approach to run multiple secure environments. In addition, NSA adopted a full disk encryption standard based on the TPM. Since July 2007, the Department of Defense explicitly requires a TPM in all its new computers.
Government agencies outside of the U.S. are also embracing the TPM for improved security. CESG, the UK government's National Technical Authority for Information Assurance (IA), has determined that the TPM can be used to protect security-critical data at Business Impact Level 3 for RESTRICTED classified data.
Governments that have not bought into the TPM include China, Russia, Kazakhstan and Belarus. This alone should be sufficient reason for most people in all the other countries to activate their TPM.
Companies that have acknowledged the TPM's value and are pioneering the implementation of TPM-based security include PricewaterhouseCoopers (PwC). PwC’s next-generation authentication system will replace employees' software-based private-key certificates for hardware-based storage of new certificates using the TPM. With over 35,000 employees already enjoying improved TPM security, PwC expects to have all of its 150,000 users converted in about a year.
PwC is not alone in its efforts. Other companies embracing the TPM and associated TCG standards that take advantage of the TPM include Boeing, BAE Systems, General Dynamics and Rockwell Collins.
With cloud computing growing rapidly, the need for improved security increases even further. TCG expects the TPM to play an important role to strengthen and complement the security services in any cloud operating system or hypervisor, especially with the strong authentication that the TPM enables. A working group (Trusted Multi-Tenant Infrastructure Work Group) aimed at developing an open standards framework for cloud computing security has been established recently. However, some of the TPM’s capabilities can already be used for cloud security.
Having a high level of security does not normally get an organization in the news. In contrast, companies and government entities with vulnerable security frequently are in the headlines. So, how much proof does it take to activate and use the TPMs that are already in the organization? It’s not like embracing a solution for global warming and doesn’t require shelling out almost $500 bucks. You would think that anyone with proprietary information would do whatever it takes to protect unauthorized access to that information – before it appears on WikiLeaks.
(Trusted Computing Group is exhibiting at Infosecurity Europe 2011 – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from 19th – 21st April at Earl’s Court, London, the event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk)
n16m15: yawn..............e/
Hey barge, check it out!!!!!
Intel wants to make chips 'cool'
http://www.techeye.net/business/intel-wants-to-make-chips-cool
With the release of the Sandy Bridge line of second generation core processors Intel is attempting the tough task of getting the general public interested and aware of its chips.
When TechEye attended a press briefing for Sandy Bridge towards the end of last year the point was made that the new product range would attempt to push the Intel brand further into the public’s consciousness by simplifying the message put across to consumers.
A tough job, as the average customer purchasing the ubiquitous chip will have little knowledge of the ins and outs of how, for example, the i5 2500k and the i7 2600S actually compare.
One of the ways which Intel has attempted to change this is by simplifying the almost bewildering amount of products, such as focusing on the i5 as its ‘hero product’ in marketing parlance.
Indeed it is clear that Intel is intent on making significant changes to the way that it is perceived by the majority of the public and, dare we say it, lend some ‘coolness’ to what is essentially a traditionally unsexy company.
While a firm like Apple may be the real crowd pleaser, with an exciting range of marquee products that are instantly recognisable by most of the planet, the problem with Intel’s product range is that they are basically the equivalent of the engine inside a flash car.
Nothing wrong with that of course, Intel is a successful brand with a great product range. But now the firm is attempting the tough job of moving itself further into the spotlight, and it is partially through social media marketing that they plan to reach out to a new audience.
The man tasked with the difficult job of marketing Intel to a public with little knowledge and, to a certain extent, interest is Brian Elliot, CEO of Amsterdam Worldwide, the company in charge of Intel’s social media campaign.
Elliot explained the mammoth challenges involved. Talking to TechEye, he said:
“Historically it has been a challenge for Intel to appeal to the wider public,” he says, “however the things that the products actually do are genuinely interesting. As the average consumer may not be aware of much of the technical language it is certainly a challenge to get this message across considering that the products are so hidden in a physical sense.”
The firm has been doing this by focusing on reaching out to consumers through online media such as YouTube, Facebook and Twitter.
“We have chosen the most popular sites on purpose to reach people, as it is the most effective method in the contest to bring consumers into this world,” Elliot said.
It is all part of a bid to raise awareness about the brand amongst a market that would not traditionally be affiliated with a company like Intel. For example Intel has been busy, over the last couple of years, sponsoring nights at London’s trendy but overpriced indie hangout the Proud Gallery in Camden, not perhaps the most usual place to see the famous Intel logo.
“It is critically important for Intel to try to move into the consumer sphere and we are doing this with an idea-centric campaign that can easily be passed from friend to friend. We want to show how the technology affects people’s lives in a fun and accessible manner by showing the ways that it can be applied in real life.
“For example The Sartorialist has been a fantastic success on YouTube, and this highlights the way Intel affects people, and not necessarily those with a background in technology.”
Amsterdam Worldwide had been representing Intel for around 18 months now in Europe before representing the firm across the world, with regards to the second gen Sandy Bridge core, and Elliot says that a close relationship has been formed with Intel’s own marketing department.
“We work intimately, around the same table,” he says. “We are very close and it is a terrific working relationship within which there is much collaboration, for example for events such as CES where we are under the pressure of deadlines.”
New DOD CIO calls for partnerships in first public appearance
http://fcw.com/Articles/2011/01/20/DOD-CIO-Takai-first-public-remarks.aspx?p=1
Teri Takai says efficiencies, cybersecurity top priorities
By Amber Corrin
Jan 20, 2011
New Defense Department CIO Teri Takai has called for partnership and maximizing technology as DOD continues to transform into a 21st century military force with emerging cyber capabilities.
“Technology is at the forefront of [Defense Secretary Robert Gates’] mind and the minds of other executives at DOD,” Takai said Jan. 19 at a reception held by TechAmerica. “This is an important backdrop for the things we’re doing.” The event was Takai's first public appearance since becoming CIO.
She said IT must be part of broader DOD efforts to restrain spending and increase efficiencies, and also said her office would be focusing on cybersecurity, including partnering with the new U.S. Cyber Command.
“Our heavy dependence on technology in DOD is going to be make-it-or-break-it in securing our information and infrastructure,” Takai said, adding that she foresees a close relationship between DOD's CIO office and Cybercom.
“We’re going to be the cyber team," Takai said. "Going forward, there’s going to be a very strong partnership. I’m looking forward to working with [Cybercom Commander Gen. Keith Alexander] – it’s a privilege and honor to have that working relationship with him."
Takai also said she plans to work closely with federal CIO Vivek Kundra and that key partnerships are high on the list of priorities.
“Many of the things we’re embarking on won’t be successful without partnership,” she said.
“DOD is not so different from other departments" when it comes to budget problems, Takai said. “Having budget deficits doesn’t stop us from doing the things we have to do. It’s about taking money we do have and figuring out how to use it more effectively.”
The CIO office won’t be immune to the belt-tightening across DOD, Takai added.
“We’re not protected or isolated from our share of efficiencies – we have to stand up and be counted as part of that,” she said. “But it doesn’t mean we’re going to be less secure or less effective.”
Juniper Networks Awarded Government Security Certifications for Numerous Networking Solutions
More Than 20 Juniper Networks Routing, Switching, Security and Network Access Control (NAC) Solutions Pass Rigorous Security Testing Procedures
http://www.sys-con.com/node/1683709
01/20/11 -- Juniper Networks (NYSE: JNPR) today announced that more than 20 of its solutions for network routing, switching, security and access control have recently completed the rigorous testing and certification procedures pursuant to the U.S. Federal Information Processing Standard (FIPS) and international Common Criteria standards that are considered prerequisites in many of the world's defense, civilian government and public sector network acquisitions. Newly certified are various members of Juniper Networks® J Series Services Routers; M Series Multiservice Edge Routers; T Series Core Routers; MX Series Universal Edge Routers; EX Series Ethernet Switches; SRX Series Services Gateways; the LN Series Mobile Secure Router; and IC Series Unified Access Control (UAC) Appliances.
National Program Office Planned for Online Trusted Identity Strategy
Released: 1/20/2011 9:00 AM EST
Source: National Institute of Standards and Technology (NIST)
http://www.newswise.com/articles/national-program-office-planned-for-online-trusted-identity-strategy
Newswise — At a January 7, 2011 forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust.
To be established within the Department of Commerce, with support from agencies such as the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA), the National Program Office would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies intended to make the online environment more secure and convenient. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge.
The NSTIC strategy does not call for a single, government-required Internet ID. Instead it would rely on multiple, voluntary, identity providers—both private and public—and interoperable digital credentials that are based on agreed-upon standards for security and privacy. Such a marketplace-driven solution, among other advantages, would ensure that there is no single credential or centralized database. If people chose to opt into such a solution, they would continue to have the ability to communicate anonymously online, but still have secure authentication for business and sensitive on-line transactions.
A web site on NSTIC, including a frequently asked questions section and a webcast of the Jan. 7 forum, can be found at http://www.nist.gov/nstic. Read the Commerce Department's Jan. 7 news release, "U.S. Commerce Secretary Gary Locke, White House Cybersecurity Coordinator Howard A. Schmidt Announce Next Steps to Enhance Online Security, Planned National Office for Identity Trust Strategy," at www.commerce.gov/news/press-releases/2011/01/07/us-commerce-secretary-gary-locke-white-house-cybersecurity-coordinato. More information and materials on the strategy will become available over the coming months.
Dell hosting a business event on Feb 8th
http://www.ubergizmo.com/2011/01/dell-hosting-a-business-event-on-feb-8th/
Dell has been rather busy sending out media invitations to an event in San Francisco that will be held on February 8th. There wasn’t any indication of what will be unveiled, though the invitation promises to showcase the “new generation of business computing solutions designed to meet the evolving needs of IT and end users.” Considering that the tagline also says that “Dell means business”, chances are that the hardware will be geared towards the enterprise scene. With Intel’s Sandy Bridge processors set to make a big splash this year, we’re assuming that it will play a part in the event too, so stay tuned!
And Louis Navellier.....e/
Is The Government Really Developing A National Internet ID?
Chadwick Matlin | January 14, 2011, 1:10PM
http://tpmdc.talkingpointsmemo.com/2011/01/is-the-government-really-developing-a-national-internet-id.php
Last week, CNET's Declan McCullagh reported that the government was trying to create an "Internet ID for Americans," and that the Department of Commerce was orchestrating the plan. The article quickly spread around the Internet, leading to a common understanding that Obama was trying to replace systems like Facebook Connect or OpenID with a top-down, government-controlled competitor.
But if the Department of Commerce was supposed to create from whole cloth a national Internet ID for all Americans, somebody forgot to tell the Department of Commerce.
The agency leading the initiative for the Department of Commerce says that they have no intention of developing their own proprietary, let alone mandatory, internet identification system. "The federal government is not going to provide an alternative to Facebook Connect or any other services. What we're going to do is help to convene the existing people that are doing authentication and try and make sure they're moving in an interoperable way and a way that protects privacy and security," said Ari Schwartz, the senior Internet Policy Advisor at the National Institute of Standards and Technology.
A preliminary draft of that strategy has been released, but how that strategy will be implemented is yet to be determined. For now, NIST is focusing on ways to improve security, efficiency, and privacy. Eventually the goal is to give the government's stamp of approval to vendors or authentication systems -- not because the vendor would use a government system, but because the system they would be using complies with the government's established standards.
Schwartz stressed that following the guidelines will be strictly voluntary, so if Facebook or others don't wish to comply with the guidelines, they won't have to do so. But, as with other governmental seals of approval (like that used for organic products), consumers may express a preference for or show more confidence in a product that carries the government's imprimatur.
Commerce's willingness to work with outside vendors is heartening to Jim Dempsey, the Vice President for Public Policy at the Center for Democracy and Technology (and Schwartz's former colleague). He wrote on the Center's blog, "I have been skeptical of the federal government on many issues, from PATRIOT Act to FBI proposals for tapping the Internet. But this time, on Internet identities, I have to say that the Administration is on the right path."
But it's a path that will take some time. Schwartz estimates that it will be "towards the end of the decade" before there is a fully interoperable system of identity online assurance.
Gov't trusted Internet identities a long way off
http://www.networkworld.com/news/2011/011411-experts-govt-trusted-internet-identities.html
By George V. Hulme, CSO
January 14, 2011 12:50 PM ET
The National Strategy for Trusted Identities in Cyberspace aims to set the benefits, overall strategy, goals and objectives of the government's plan to improve how users (and even devices) are authenticated onto the Internet. The plan, so far, calls for very limited government involvement in the development of the identity infrastructure. As it stands today, the government's role will be essentially promoting leadership, encouraging speed of deployment, and the use of certain identity solutions.
Cybersecurity Coordinator and Special Assistant to the President Howard A. Schmidt said the initiative is necessary to help fight online fraud and identity theft. "We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the 'keys to the kingdom,'" he wrote.
Few would argue the need for improved Internet identities and authentication. But the devil, if there is one, would reside in the details of the plan. The initial version of the plan was published last summer. Late last week, Commerce Secretary Gary Locke and Schmidt announced the Commerce Department will host a National Program Office (NPO) in support of the National Strategy.
The answer is "possibly" as the government is, so far, only working to encourage the adoption of technologies by private industry. And that, analysts say, means anything concrete coming from this plan is years away.
"It's not clear to me how the government can influence identity much further than where things are today already," said Scott Crawford, research director at Enterprise Management Associates. "They can say something is a good idea, such as by getting behind a standard," he said. "But how are they going to create an ecosystem of identity providers? That can happen only if they become an identity provider for the Internet themselves, otherwise they can't do much more than provide moral support."
Wave Systems Corp. (NASDAQ:WAVX) spiked 3.63% to close at $4.57 after climbing to a new 52-week high of $5.31 following the news that the Obama Administration is working on a cybersecurity ID program. With this program, users will be able to log onto different sites without having to remember different passwords.
Shares of the company, which offers software that enables hardware encryption and the ability to do away with multiple passwords, have traded between $1.65 and $5.31 during the past 52 weeks. The company’s current market cap is $370.92 million. It reported its latest EPS at ($0.05). The stock traded on heavy volume of 7.83 million shares, about 10 times above its daily average volume of 753,094 shares.
The company announced in SecurityStockWatch.com interviews that it has expanded its carmaker contract and has received additional license and maintenance orders worth $5.2 million via its OEM partners.
In that interview, the company said that it will increase the speed of the deployment of its services and the total value of the automaker’s software orders to $10.9 million. Of the $10.9 million, $1.9 million in contracts was reported as revenue for 2010, $6.7 million will be recognized as revenue over the next 12 months, and the remaining amount will be recognized from 2012 to 2014.
Steven Sprague, President and CEO, said, “Having utilized our solution during 2010, the customer has accelerated and significantly expanded its deployment of ERAS seats, furthering our belief that a centrally managed, hardware encryption solution can offer superior data protection.”
On Jan 11, the company announced that MicroStockProfit.com, a small-cap research and investment commentary provider, provided an investment report featuring Wave Systems Corp. that included financial, comparative and investment analyses, and industry information investors need to know to make an educated investment decision.
Wave Systems Corp. (Wave) develops, produces and markets products for hardware-based digital security, including security applications and services that are complementary to and work with the specifications of the Trusted Computing Group (TCG), an industry standards .
Google's Open Web Advocate Talks White House Web ID Plan
http://www.webpronews.com/topnews/2011/01/14/googles-open-web-advocate-talks-white-house-web-id-plan
By Chris Crum
As previously reported, the White House is working on a "National Strategy for Trusted Identities in Cyberspace" or NSTIC, in which it has placed the Commerce Department in charge of an "Identity Ecosystem". The initiative has drawn a mixture of praise and criticism, and judging by our own readers' comments, there is a whole lot of criticism. More on this here.
We had a discussion on the subject with Chris Messina, Google's Open Web advocate. Messina was there when the plan was revealed, and is rather knowledgeable in the subject of online identity (besides working for Google, he's on the board of the OpenID Foundation, and has worked with Mozilla to produce a concept on implementing identity in the browser called "The Social Agent"), which is why we felt he would be a good person to share his views on the strategy.
"As it stands, I can see why people are angry or confused, but, while vague, the NSTIC isn't as bad as people seem to think — the fact that it's being run out of commerce means that the government is looking for innovation and competition — not to own these identities," Messina tells WebProNews. "Of course I can't say what this means about surveillance and security, but anyone who uses a cell phone or hosted email should already understand that they're susceptible to government wiretaps and data seizure — oftentimes without needing to be informed (Twitter is the rare exception recently). Anyway — if you can pick an identity provider that's certified to meet certain criteria and that you also trust — that seems win-win to me."
What the government has suggested appears to be the use of platforms like OpenID. "We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials," said Cybersecurity Coordinator and Special Assistant to President Obama, Howard A. Schmidt, upon the announcement of the plan. "For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge."
"The government's NSTIC plan is designed to promote OpenID and other existing (and not-even-invented) initiatives," explains Messina. "In fact, the NSTIC was written with input from many of these groups including the OpenID Foundation. It went through an open comment period as well — so it's not as if many of these concerns weren't raised before. Since the final draft of the NSTIC hasn't been released yet, I expect many of them will be reflected in the final draft."
"The NSTIC calls explicitly for the creation of an 'identity ecosystem' — fancy words for saying 'we don't want a system where there's only one identity provider' (least of all the government!)," Messina continues. "Now, one of the challenges with creating an 'ecosystem' is that you end up with potentially non-interoperable solutions, leading to consumer confusion and frustration (think: 'Sorry, we don't accept American Express here'). So while the government intends to rely on private industry to develop the technologies and protocols — such as OpenID — that will enable this ecosystem, I believe that the government has a role in placing pressure on the industry to eventually select a set of standards we can all live with."
"I, for one, would prefer to avoid a government-developed identity standard at a time when industry is rapidly innovating in this space and wants to solve this problem as much as — if not more than — government does," he adds. "But I also know that there are a lot of vested interests that would love to have their pet protocol selected as the gold standard here (pun intended) and that's going to require leadership, persistence, and an open process so that the best solution(s) to the problem eventually shake out from several years of competition and experimentation."
A common concern expressed by the public has been along the lines of: a single username and password for all sites is a bad idea, and is not secure, compared to having many usernames and passwords.
"The user's concern is valid," says Messina. "One username and password for everything is actually very bad 'security hygiene', especially as you replay the same credentials across many different applications and contexts (your mobile phone, your computer, that seemingly harmless iMac at the Apple store, etc). However, nothing in NSTIC advocates for a particular solution to the identity challenge — least of all supporting or advocating for a single username and password per person."
"In reality, different applications requiring different levels of security, and different behaviors require different kinds of protections," he says. "As Howard A. Schmidt pointed out, for many people, you don't necessarily want to use the same password that you use for Facebook that you do for your bank. For someone like me, however, where my social media presence is both very important and valuable to me, I want to protect all of my accounts — financial and social networking — equally. So there's no one-size-fits-all solution, but that's closer to the reality today — where I as a user often DON'T have a choice about how strong the security deployed to protect my accounts is — versus the future, where we'll have an ecosystem of identity providers all offering different kinds of protections."
"To restate this point: when I sign up for an account today, why can't I choose to log in everywhere with my Google account and then rely on Google's anti-fraud and second factor authentication features to protect my account? Or, if I'd prefer to use someone other than Google, why can't I use them instead, and rely on, say, their biometric security features?"
"Until a competitive marketplace and proper standards are adopted across industry, we actually continue to have fewer options in terms of how we secure our accounts than more," he says. "And that means that the majority of Americans will continue using the same set of credentials over and over again, increasing their risk and exposure to possible leaks (see: Gawker)."
In the comments section of our previous article, one reader asked who would be responsible "WHEN (not if)" the systems proposed get hacked.
"Going back to my previous point, if we truly arrive at a user-centric ecosystem, then the party that you choose to represent you as your identity provider will be responsible should anything happen to your account," says Messina. "And I hope that people actually choose their identity provider carefully, and based on the steps that they take to secure your account and keep it safe."
"A user-centric model demands that users be in charge of selecting their identity provider, and that this free choice creates a competitive marketplace where identity providers compete for customers," he adds. "If one provider has lax security or onerous identity proofing requirements, the market will ideally reflect that situation by rewarding or punishing them economically, leading to user-positive improvements. Some of this does depend on users having some understanding of what's at stake when it comes to their online identities and profiles, but just as people safeguard their cell phones today, I think people will feel similarly protective of their online accounts in the future (if they don't already) and will look for ways to keep those accounts safe and secure."
As we reported before, there doesn't appear to be anything in the NSTIC indicating that people will be required to use ID systems spawned by the initiative - a point that some people may have overlooked.
"The last thing that I'll add — which itself is controversial — is that this whole system, at least at the outset, will be voluntary and opt-in," Messina says. "That means that if you don't want the convenience of not having to use passwords anymore, you won't have to. If you're okay rotating your passwords and maintaining numerous discrete accounts across the web, that's cool too. I don't think a mandatory system would succeed — at least not without proving its security, stability, convenience, and utility over several years."
"Furthermore, the fact that this initiative is being run out of the Commerce Department, which has an interest in stimulating growth, business, and innovation, means that we hopefully won't end up with a set of technologies designed only by security wonks that are completely unusable by regular folks, but that the market will see the exploration of a number of different competitive solutions, and from them, a few will stand out as leading the way forward."
"I am hopeful that NSTIC, at the very least, is raising these issues at a critical time on the web — where the future of competition for who owns your identity online is in question," Messina concludes. "My hope is that we arrive at a place where people have a choice, and they can go it alone as steadfast libertarians might prefer, or they can choose to get some assistance from the Googles and Facebooks of the web in dealing with this increasingly important issue."
Speaking of Facebook, any system - existing or spawned from NSTIC - will have a hell of a time competing with Facebook for "owning" users' online IDs. Facebook has nearly 600 million users worldwide, according to recent estimates, and has a pretty big competitive advantage with its Open Graph and Facebook Log-in features already implanted firmly across many sites around the web.
Weby, how about this one?
http://www.nist.gov/director/oism/its_day_gburg.cfm
Share your thoughts with CNBC
http://www.cnbc.com/id/41054421?__source=yahoo%7Cheadline%7Cquote%7Ctext%7C&par=yahoo
NIST Leads the Charge on Online Authentication
http://www.huffingtonpost.com/susan-landau/post_1538_b_806394.html
It's been a long time coming. After any number of heavy-handed approaches to online identity management, the federal government looks like it is trying a more enlightened approach. Last week the White House announced that the Commerce Department will be in charge of developing identity systems for the internet. This is not an easy nut to crack --- but assigning Commerce, and its technical sidekick, the National Institute for Standards and Technology (NIST), is definitely a move in the right direction. Having an agency that knows about working with business, and a lab that knows about working with industry to develop technical standards, is the right move.
A decade ago, industry began developing identity systems for "single sign-on" online identity management. Authenticate yourself once and you could travel around the network with ease, having proved you were who you said you were. But these early systems had problems. Microsoft's Passport system centralized all the data -- creating privacy problems -- and was eventually abandoned, while the Liberty federated system effort driven by Sun Microsystems was aimed more at satisfying corporations' needs than those of individuals (full disclosure: I worked on the Liberty system while I was at Sun). Success was elusive. The broader problem of simple, easy, secure, privacy-preserving online authentication for everyday use remained unresolved.
Bits and pieces were suggested. When blogging -- and commenting -- developed, sites sought a lightweight identity system, and OpenID fit the spot. Frequently based on email addresses, these identity mechanisms were easy to use -- but quite a bit less than fully secure. The need for simple, easy, secure, privacy-preserving online authentication did not go away. Indeed, with more and more critical infrastructure online, and high-level cyberexploitations of U.S. industry, the need for such authentication was increasing. OpenID did not fit the bill. But while Defense Department online authentication solutions might solve security issues, they don't provide simple, easy, secure, privacy-preserving online authentication for everyday use.
The issue is that there are many needs for online authentication, from protecting the control structure of the electric power grid, to authenticating the user who is buying a pair of jeans at L.L. Bean. That is exactly the point. Authentication to access critical infrastructure should be highly secure and robust. Authentication to leave a comment on a blog should be simple and easy to use. Authentication for someone to access their online medical records should be easy to use and secure; authentication for a doctor to access all her patients' records should be easy to use and highly secure. And some things shouldn't be authenticated. Some people really enjoy Amazon's book recommendations, while others want to be able to browse the "shelves" anonymously. The latter might not be easy to do -- even with cookies shut off, your browser provides a "fingerprint" of who you are -- but there are plenty of people who want a fair bit of anonymity as they traverse the network, and there are plenty of times that such anonymity is more than appropriate.
Now industry doesn't have all the answers (and tracking shows that the public and industry will often diverge in interests). But industry does care about building products that the public wants. In cryptography NIST's Information Technology Lab has shown it can manage a process that results in trusted security standards supported by government and industry. So putting Commerce and NIST in the forefront of developing online authentication standards is a belated but useful first step for providing online authentication solutions.
Internet,
My memory escapes me.....did Needham ever have analyst coverage of Wave?
Does this sound like Wave to you?
http://gcn.com/Articles/2011/01/12/NSTIC-Web-site-no-national-ID.aspx?Page=1
Commerce Secretary Gary Locke announced the office Friday during a symposium at the Stanford Institute for Economic Policy Research, at which public- and private-sector officials discussed the need for a trusted system to support online transactions. The program office will:
Promote private sector involvement.
Build consensus on the necessary legal and policy frameworks to enhance privacy, free expression, and open markets.
Work with industry to identify new standards or collaboration that might be needed;
Support and coordinate interagency collaboration.
Assess progress in meeting the goals, objectives, and milestones of the strategy.
Promote pilot projects and other implementations
The identity solutions must be secure and resilient.
They must be interoperable.
They will be voluntary.
They must be cost-effective and user-friendly.
“We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are,” Schmidt wrote in a blog posting about NSTIC last week. “Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the ‘keys to the kingdom.’”
Great work awk..tnx! e/
Commerce Secretary Locke's Remarks (great read!)
(This seems to scream Wave and Trusted Computing)
I want to thank our hosts today, TechAmerica, TechNet, the Churchill Club, Stanford University, and the TRUST Center.
And I want to thank all of you for joining us this morning.
There may be some other people here, who, like me, can remember when Time’s “Man of the Year” was a personal computer, and, according to reports, most of that story was composed on a typewriter.
That was in 1982, well before terms like “cyberspace” and “virtual reality” and “social networking” would enter the popular lexicon.
There were precious few cell phones and certainly nothing called a blog. The Internet was the private preserve of the Defense Department, federal researchers and certain universities.
Fifteen years ago, we saw the dawn of the commercial Internet.
Flash forward to 2011.
Nowadays, the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet:
Consumers pay their utility bills from their smart phones;
People download movies, music and books online; and
Companies, from the smallest local store to the largest multinational corporation, order goods, pay vendors and sell to customers via the Internet.
E-commerce sales for the third quarter of 2010 were estimated at over $41 billion; up 13.6 percent over the same period last year. And early reports indicate that the recent holiday buying season saw similar growth, with year-over-year sales up by over 13 percent.
Despite these ongoing successes, the reality is that the Internet still faces something of a “trust” issue. And it will not reach its full potential until users and consumers feel more secure than they do today when they go online.
The threats on the Internet seem to be proliferating just as fast as the opportunities. Data breaches, malware, ID theft and spam are just some of the most commonly known invasions of a user’s privacy and security. People are worried about their personal information going out, and parents are worried about unwanted explicit material coming in to their children.
And the landscape is getting more complex as dedicated hackers undertake persistent, targeted attacks and develop ever-more sophisticated frauds.
Dealing with these evolving threats has been an issue of high priority for President Obama since the earliest days of his administration. It was back in May 2009 when he said, “America’s economic prosperity in the 21st century will depend on cybersecurity.”
And he went on to declare that “This cyber threat is one of the most serious economic and national security challenges we face as a nation.”
To help meet these challenges, the Obama administration released a comprehensive Cyberspace Policy Review outlining a series of necessary actions by the public and private sector including: improving identity solutions, identity management services, and privacy-enhancing technologies.
This review has helped to lay the groundwork for the administration’s forthcoming National Strategy for Trusted Identities in Cyberspace.
The final version of this strategy will be signed by the president in the coming months, and Howard will be talking about this in a few minutes.
Many of you participated in the open public process to comment on the strategy and are familiar with the public draft released this past summer. And we want to thank you for your thoughts and recommendations.
The end game, of course, is to create an Identity Ecosystem where individuals and organizations can complete online transactions with greater confidence. . . putting greater trust in the online identities of each other. . . and greater trust in the infrastructure that the transactions run across.
Let’s be clear. We are not talking about a national ID card. We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities. To accomplish this, industry leadership is essential. We need the private sector’s expertise and its involvement in designing, building and implementing this Identity Ecosystem.
To succeed, we will also need a National Program Office at the Department of Commerce that is focused on implementing the Trusted Identities Strategy.
The Commerce Department already has extensive experience in this realm. Last April for instance, we launched an Internet Policy Task Force to address the most pressing Internet issues of the day.
The Task Force is made up of experts from across the department – experts in trade policy, intellectual property, information policy, cybersecurity, and standards.
The Task Force is working on developing cybersecurity policy recommendations for the commercial sector, as well as policy recommendations on other critical Internet issues like privacy, copyright protection and international e-commerce.
We have reached out extensively for public comments on all of these topics. And the Task Force just last month released initial recommendations on strengthening online privacy protection.
The Commerce Department’s National Institute of Standards and Technology also has significant, long-standing investments in cybersecurity R&D and in standardization programs.
All of this experience can help our new program office be effective facilitators for both government and private sector engagement and indeed private sector leadership.
In the end, we want to:
Build consensus on legal and policy frameworks necessary to make the Trusted Identities Strategy successful, including ways to enhance privacy, free expression and open markets;
We want to work with industry to identify where new standards or collaborative efforts may be needed;
Support inter-governmental collaboration; and
Promote important pilot projects.
These are important undertakings, and today’s meeting is just one part of a much longer journey.
Of course, we all know that these pilot projects, any follow-on commercial deployments, and the emergence of an Identity Ecosystem itself will be no panacea. There is no magic bullet to solve all cybersecurity issues.
However, in this room we also know that robust identity solutions can substantially enhance the trustworthiness of online transactions. They can not only improve security, but, if done properly, can enhance privacy as well.
That’s why Howard and I, along with Pat Gallagher, director of NIST, have come to Silicon Valley to announce our plans to move our Trusted Identities Strategy forward.
And Pat’s going to be here for the rest of today to talk more about our efforts and to gather input from all of you.
The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
But the solutions allowing us to actually achieve that goal are very likely to emanate from your firms here in the Valley.
We know that you understand the basic equation: the greater the trust, the more often people will rely on the Internet for more sophisticated applications and services.
We look forward to working with you to build that trust.
Thank you.
adjida, and this:
Open Identity Exchange (OIX) Certifies Wave’s Online Identity Service for Secure Authentication to Government Websites
Wave Joins Industry Leaders Google, PayPal, Equifax, Verizon, VeriSign and others in
Building Trust in the Exchange of Online Identity Credentials across Public and Private Sectors
Lee, MA — October 5, 2010 — Wave Systems Corp. (NASDAQ:WAVX www.wave.com) today announced that id.wave.com, its identity service that enables strongly authenticated single sign-on to web services and applications in the cloud, has been certified by the Open Identity Exchange (OIX), the first “trust framework” provider authorized by the US government. A trust framework provides a new way for one site to delegate the identity, security and privacy assurances to another site, thus simplifying a user’s interaction with multiple web services.
Traditionally, websites and online services utilize proprietary identity systems requiring users to register individually for every relationship they establish. New technologies now exist that open up the model to let users bring their own identity and login credentials to a website, instead of registering with a new username and password for every site and relationship.
“The Open Identity Exchange provides a critical business and legal framework to enable the ecosystem of Internet identity to prosper,” said Drummond Reed, Executive Director of the Information Card Foundation. “By brokering the certification of trust to a defined specification, an identity provider such as id.wave.com can, with a user’s permission, automatically log him or her into the many sites that participate in that framework.”
With the certification of id.wave.com to the US Identity, Credential and Access Management (ICAM) specifications, Wave joins Google, PayPal, Equifax, Verizon and others as the first commercial identity providers authorized to provide login access to websites affiliated with the government such as the National Institute of Health (NIH) and the Library of Congress (LOC).
Wave’s service enables users to log in to web services securely without a username or password. What makes id.wave.com unique is that it is the only service that ties identity to the device. Credentials are stored in a closed cryptographic security chip called a Trusted Platform Module or TPM, which allows the machine to be identified to the web account. Once a user logs into his or her PC, id.wave.com logs the user into participating websites, while passwords and encryption keys remain locked away in the TPM chip, safe from any software-based attacks.
“As the first ‘trust framework’ provider for OpenID and Information Cards, OIX is providing a very important service for government agencies and users, and we’re pleased by their decision to certify id.wave.com as one of only a handful of trusted identity providers,” said Steven Sprague, CEO and President of Wave. “The cellular and cable industries realized more than a decade ago that secure device identity improves security and the user experience. With an installed base of 350 million TPM-equipped PCs, and the proliferation of sites that support OpenID and SAML, id.wave.com offers ease-of-use to users and peace of mind to the CIO.”
Earlier this year, the US General Services Administration (GSA) and the Identity, Credential and Access Management Committee (ICAM) approved OIX as the first trust framework provider to the US government. This provided OIX with the authority to issue certifications for the US ICAM LOA 1 trust framework to identity providers who are assessed to meet its identity, security and privacy requirements. The National Institute of Health is the first US federal agency to move into production status to accept OpenID and Information Card credential issued by OIX-certified identity providers.
The US Government’s Open Identity for Open Government program was announced in 2009. The first government pilots provide for electronic authentication of Open Identities at a Level 1 for accessing government documents. The National Institutes of Standards and Technology (NIST) publication 800-63 Electronic Authentication Guidelines defines four levels of assurance with Level 1 being the lowest level and Level 4 being the most strongly authenticated level. While Wave’s OIX current certification is for Level 1, Wave’s objective is to provide solutions that can be certified at the higher levels of assurance based on the TPM security hardware. Wave has joined the OIX Working Group for Level 2-3 Assurances.
Use of id.wave.com extends to users of PCs which include Trusted Platform Modules and have Wave EMBASSY Trust Suite client software.
About Open Identity Exchange
The Open Identity Exchange (OIX) is a neutral, technology agnostic, nonprofit provider of certification trust frameworks for online identity. Its certification credentials can be used across multiple sites, jurisdictions and networks. OIX was founded by grants from the OpenID and Information Card Foundations and support from companies including Google, PayPal, AT&T, Equifax, VeriSign, Verizon, and CA Technologies. For more information, visit www.openidentityexchange.org.
About Wave Systems Corp.
Wave is a pioneer in hardware-based PC security that provides software to help solve critical enterprise PC security challenges such as data protection, strong authentication, network access control and the management of these enterprise functions. Wave is a founding member of the Trusted Computing Group (TCG), a consortium of more than 100 companies that forged open standards for hardware security. Wave’s EMBASSY® line of client- and server-side software leverages and manages the security functions of the TCG’s industry standard hardware security chip, the Trusted Platform Module (TPM) as well as hard drives that comply with TCG’s “Opal” self-encrypting drive (SED) standard. Self-encrypting drives are a growing segment of the data protection market, offering increased security and better performance than most existing software-based encryption solutions. TPMs are standard equipment on many enterprise-class PCs shipping today and have shipped on an estimated 300 million PCs worldwide. Using TPMs and/or SEDs and Wave software, enterprises can substantially and cost-effectively strengthen their current security solutions. Visit http://www.wave.com for more information.
Safe Harbor for Forward Looking Statements
This press release may contain forward-looking information within the meaning of the Private Securities Litigation Reform Act of 1995 and Section 21E of the Securities Exchange Act of 1934, as amended (the Exchange Act), including all statements that are not statements of historical fact regarding the intent, belief or current expectations of the company, its directors or its officers with respect to, among other things: (i) the company's financing plans; (ii) trends affecting the company's financial condition or results of operations; (iii) the company's growth strategy and operating strategy; and (iv) the declaration and payment of dividends. The words "may," "would," "will," "expect," "estimate," "anticipate," "believe," "intend" and similar expressions and variations thereof are intended to identify forward-looking statements. Investors are cautioned that any such forward-looking statements are not guarantees of future performance and involve risks and uncertainties, many of which are beyond the company's ability to control, and that actual results may differ materially from those projected in the forward-looking statements as a result of various factors. Wave assumes no duty to and does not undertake to update forward-looking statements.
All brands are the property of their respective owners.
Shares of Wave Systems Corp (NASDAQ: WAVX)
http://www.americanbankingnews.com/2011/01/10/wave-systems-corp-nasdaq-wavx-posts-large-volume-increase-hits-4-48/
saw unusually high trading volume on Monday. Approximately 1.972 million shares changed hands during mid-day trading. During the most recent quarter, the stock had an average daily volume of 437,603 shares. The stock last traded at $4.48.
Wave Systems Corp. (Wave) develops, produces and markets products for hardware-based digital security, including security applications and services that are complementary to and work with the specifications of the Trusted Computing Group (TCG), an industry standards organization consisting of computer and device manufacturers, software vendors and other computing products manufacturers. Specifications developed by the TCG are designed to address a range of digital security issues. These issues include identity protection, data security, digital signatures, electronic transaction integrity, platform trustworthiness, network security and regulatory compliance.
Wave Systems Corp (NASDAQ: WAVX) traded up 12.97% during mid-day trading on Monday. The stock has a 52 week low of $1.65 and a 52 week high of $4.75. Its 50-day moving average is $3.31 and its 200-day moving average is $2.79. The company has a market cap of $367.7 million
Why embedded systems security is growing in importance
http://www.newelectronics.co.uk/article/30523/Technology-Watch-Connect-to-chaos.aspx
The Chevy Volt will be the first car of its type: not because it is a hybrid electric/petrol vehicle, but because GM plans to give each one the company sells its own IP address.
The Volt will have no less than 100 microcontrollers running its systems from some 10 million lines of code. This makes some hackers very excited and Adriel Desautels, president of security analysis firm Netragard, very worried.
Before now, you needed physical access to reprogram the software inside a car: an 'air gap' protected vehicles from remote tampering. The Volt will have no such physical defence. Without some kind of electronic protection, Desautels sees cars such as the Volt and its likely competitors becoming 'hugely vulnerable 5000lb pieces of metal'.
Desautels adds: "We are taking systems that were not meant to be exposed to the threats that my team produces and plug it into the internet. Some 14 year old kid will be able to attack your car while you're driving.
"'Black hats' are poised and waiting for this car to come out."
Most of the systems attacked by hackers today are regular computers. But hackers have enjoyed breaking into other connected electronic systems for decades. In the autumn 2010 issue of hacker magazine 2600, Barrett Brown describes a side career in breaking into a variety of telephone switches, as well as computers. But as they join the internet alongside pcs and servers, a growing number of embedded systems are becoming targets. Annoying you by randomly switching the lights in your house on and off when your home automation system is penetrated is not the only concern. Fraudsters, counterfeiters and rogue manufacturers present a growing threat.
An embedded system may not even be able to trust what is directly attached to the processor bus or one of its I/O ports. A widely publicised attack on point of sale (POS) terminals in UK petrol stations in 2006 captured the personal identification numbers (PINs) of credit and debit cards. The following year, security researchers at the University of Cambridge showed how supposedly tamper proof terminals could be subverted by replacing some of the internal hardware with their own. Both episodes showed how vulnerable hardware can be if it is not designed to trust only other devices that have the right credentials.
The dodgy hardware need not be there to capture personal data: it might simply be an unapproved peripheral, such as a counterfeit compute or I/O card. The shift to China for manufacturing has led to an increase in hardware copying or overbuilding – in which a licensed subcontractor makes too many subsystems and sells the surplus on the black market. If the counterfeit parts themselves use lower quality components – which may be themselves counterfeit parts or devices that failed testing, but were salvaged from the scrap bins – manufacturers can wind up with an expensive increase in warranty claims.
If you cannot trust the users or even the hardware in the system, who or what can you trust? At some point, you have to have some sort of trusted module in the system that can vouch for the integrity of at least some of the code. This is the idea behind the 'root of trust': a fundamental piece of software that you can verify because it has the right cryptographic key associated with it.
Root of trust methods demand that the first piece of code to run after system reset is check on the hardware itself. This runs a cryptographic hash such as SHA-1 over the next piece of software to load, which will generally contain the system initialisation functions. That software, in turn, will analyse the next piece of code to load. Only if its hash matches the expected result will it be allowed to run. If it has been altered by someone tampering with the system, it should fail the test and be rejected. The Trusted Computing Group calls this process a 'measured boot'.
You can break the code down into relatively small chunks, but each one that runs is responsible for measuring the next, effectively generating a 'chain of trust'. Not all code needs to be protected in this way, but anything that is involved in trusted transactions has to be measured.
To minimise the amount of storage that needs to be protected against manipulation by malware, each successive measurement is hashed into the same memory location.
You can use the chain of trust to guard against counterfeit hardware as well as corrupted or altered firmware. Software running within the trusted chain can interrogate other boards in a chassis by issuing challenges that only valid boards can respond to correctly. Printer manufacturers, among others, use this challenge-response technique to check that the ink cartridges sitting inside their hardware were made by them.
Stryker, which makes microsurgery equipment, makes sure that the cutting tips are used once for safety reasons by fitting them with RFID tags that are invalidated after use by the tool. If a tip does not contain a valid tag, the tool will not start.
A measured boot is for naught if a hacker or worm can surreptitiously alter code after it has been checked. This sounds more difficult than it really is. Hackers have demonstrated time and again on internet servers and pcs the effectiveness of one particular technique for inserting code into a running program: the buffer overflow.
Hackers have used the buffer overflow exploit for more than 20 years: the Morris worm, the first internet borne virus, used the technique in 1988. It is a prime example of how compilers can work against you if you are not careful.
A buffer overflow is devastatingly simple, especially if you have a system connected to a network. The hacker or virus writer deliberately creates oversized or malformed packets that break through the area of space set aside by the programmer to hold the data for incoming packets. Very often, these data areas or buffers will take the form of strings with a defined length. The problem generally comes when a standard C or C++ library function such as strcpy() is used to pass data captured from a network packet into one of these buffers. The problem with strcpy() is that it does not bother to perform any bounds checks before copying the string supplied by the hacker into the string that will be used by the program for further processing.
Using a call such as strcpy(), the copying takes place on the stack. The compiler will allocate just enough space on the stack to hold whatever the programmer has defined as the size of the buffer. When the code in strcpy() is run, it dutifully cycles through until it finds the zero value that typically terminates a string in C or C++. If that string happens to be larger than the space allocated to the buffer, then strcpy() will simply overwrite other valuable data, such as the function's return address.
This is where the exploit bares its teeth. Usually, a corrupted stack results in an instant crash. However, the hacker will have, in the style of a Blue Peter demonstration, done this before and will make sure the replacement data that winds up in the stack will either point the return address to a piece of operating system code that spawns a process that can then be used to control the system, or steer execution to code inserted in the buffer itself.
There are many ways to defeat this kind of exploit. For example, strncpy() will only copy characters up to a defined limit, which should be the size of the buffer. Strncpy() can even be used as a way of detecting a buffer overflow attempt as it will not insert the zero value terminator normally expected of a string. This can be tested after the operation to help detect whether data coming into the system has been corrupted or deliberately malformed.
Another technique is to copy the return address at the beginning of the stack frame. When the function returns, code inserted by the compiler or a post compilation tool can check the two addresses. Execution can only proceed normally if the two addresses match.
However, as buffer overflows are still being used to corrupt internet based systems, the message has not necessarily made it through to developers.
Datatype abuse can trip up systems. For example, the default in C is to treat integers as signed variables, even if the developer only intended the variable to be used as unsigned. A hacker may try to use negative values to fool that test and to force logic later on in the program to go off in the wrong direction. There are plenty of other integer manipulation tricks that rely on similar overflow or underflow problems in software that has not been designed to defend against them.
In principle, even if malicious code can be inserted into a running system, it is still possible to trap it before too much damage is done. In the chain of trust system, hashing is done in such a way that if a piece of code is corrupted, it can be identified by checking its hash against the result for it stored by the measured boot process. There is inevitably a performance hit if the system is continually scanning for corruption.
The root of trust itself can come under attack. This generally demands physical access to the system but specialists, such as cryptography researchers and the Cambridge researchers who showed the vulnerability of POS terminals, have demonstrated repeatedly how seemingly innocuous and subtle changes in temperature and emitted rf can be used with the right statistical techniques to uncover cryptographic keys that are stored in on chip non volatile memory and which never leave the package.
Hardening cryptographic circuits against attack – for example, by putting false paths into the algorithms – is one way to protect against the problem. The other is to make sure the consequences of an attack only affect one system by not sharing keys between units. While more complex to achieve, this is likely to pay off in the long term as hackers become more aware of how they can break into systems through embedded hardware.
Don't think that, just because Windows is such a common target for attack, embedded hardware is safe for the moment. Companies that specialise in penetration testing of corporate IT networks regard devices such as printers and network switches as soft targets. And others are busily reverse engineering home automation devices to find out what is possible.
Author
Chris Edwards
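The measured boot and chain of trust the article describes, where each successive measurement is hashed into the same memory location, shown as an added example that is not part of the article or of any vendor's code. It uses SHA-1 because the article names it; the extend rule new = SHA-1(old || SHA-1(code)) is the one used by TPM 1.2 platform configuration registers, and the names `pcr_t`, `pcr_extend`, `measure_chain`, `chain_matches` and the three firmware "images" are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20                       /* SHA-1 output size in bytes */

static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* SHA-1 compression function over one 64-byte block (FIPS 180). */
static void sha1_block(uint32_t h[5], const uint8_t *blk)
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4], f, k, t;
    int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4 * i] << 24) | ((uint32_t)blk[4 * i + 1] << 16) |
               ((uint32_t)blk[4 * i + 2] << 8) | blk[4 * i + 3];
    for (i = 16; i < 80; i++)
        w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (i = 0; i < 80; i++) {
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* SHA-1 of msg[0..len), written to out[0..20). */
void sha1(const uint8_t *msg, size_t len, uint8_t out[DIGEST_LEN])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint8_t blk[64] = {0};
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64)
        sha1_block(h, msg + i);
    rem = len - i;
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                        /* padding marker */
    if (rem >= 56) {                        /* length field needs one more block */
        sha1_block(h, blk);
        memset(blk, 0, sizeof blk);
    }
    for (i = 0; i < 8; i++)
        blk[63 - i] = (uint8_t)(bits >> (8 * i));
    sha1_block(h, blk);
    for (i = 0; i < DIGEST_LEN; i++)
        out[i] = (uint8_t)(h[i / 4] >> (24 - 8 * (i % 4)));
}

/* One measurement register: zero after reset, changed only by extend. */
typedef struct { uint8_t value[DIGEST_LEN]; } pcr_t;

/* Constructed stand-ins for the firmware images of a three-stage boot. */
static const char *GOOD_CHAIN[3] = {
    "constructed image: system initialisation v1",
    "constructed image: OS loader v1",
    "constructed image: application v1",
};

/* Extend: new = SHA-1(old || SHA-1(code)). The old value is an input, so the
 * register records every stage and the order in which the stages ran. */
void pcr_extend(pcr_t *p, const uint8_t *code, size_t len)
{
    uint8_t buf[2 * DIGEST_LEN];
    memcpy(buf, p->value, DIGEST_LEN);
    sha1(code, len, buf + DIGEST_LEN);      /* measure the next stage */
    sha1(buf, sizeof buf, p->value);        /* fold it into the register */
}

/* Measure every stage, in load order, into one register. */
void measure_chain(const char **images, size_t n, pcr_t *out)
{
    size_t i;
    memset(out->value, 0, DIGEST_LEN);      /* reset state */
    for (i = 0; i < n; i++)
        pcr_extend(out, (const uint8_t *)images[i], strlen(images[i]));
}

/* Returns 1 if the chain reproduces the reference register value, else 0. */
int chain_matches(const char **images, size_t n, const pcr_t *reference)
{
    pcr_t got;
    measure_chain(images, n, &got);
    return memcmp(got.value, reference->value, DIGEST_LEN) == 0;
}

int main(void)
{
    const char *bad[3] = {GOOD_CHAIN[0], "constructed image: OS loader v1, modified", GOOD_CHAIN[2]};
    pcr_t ref;
    measure_chain(GOOD_CHAIN, 3, &ref);     /* reference taken from known-good images */
    printf("unmodified chain matches: %d, modified loader matches: %d\n",
           chain_matches(GOOD_CHAIN, 3, &ref), chain_matches(bad, 3, &ref));
    return 0;
}
```

Because only the final register value needs protected storage, a change to any stage or to the load order shows up as a mismatch against the reference. New designs use SHA-256 in place of SHA-1 for the same construction.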
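The strcpy() problem and the two defences the article mentions, a strncpy() copy whose missing terminator is tested afterwards and a length test that does not trust a signed value, written out as an added example that is not code from the article. The buffer size, the function names and the length-prefixed field layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 16         /* constructed buffer size for this example */

/* The pattern the article warns about: strcpy() copies until it meets the
 * terminating zero, however large the source is. Shown for contrast only;
 * nothing below calls it. */
void store_name_unchecked(char *dst, const char *from_packet)
{
    strcpy(dst, from_packet);    /* no bounds check */
}

/* Bounded copy that also reports oversized input.
 * strncpy() writes exactly dst_size bytes: zero padding if the source fits,
 * and no terminator at all if it does not. Testing the last byte afterwards
 * therefore tells the two cases apart.
 * Returns 0 = copied whole, 1 = input too long (truncated), -1 = bad call. */
int store_name_checked(char *dst, size_t dst_size, const char *from_packet)
{
    if (dst == NULL || from_packet == NULL || dst_size == 0)
        return -1;
    strncpy(dst, from_packet, dst_size);
    if (dst[dst_size - 1] != '\0') {      /* no terminator: source did not fit */
        dst[dst_size - 1] = '\0';         /* still leave a valid C string */
        return 1;
    }
    return 0;
}

/* Flawed length test of the kind the article describes: len is signed, so a
 * negative value passes the upper-bound test and turns into a huge size_t
 * once it reaches memcpy(). Returns 1 when the value is let through. */
int length_ok_flawed(int len)
{
    return len <= NAME_BUF_SIZE - 1;
}

/* Corrected test: reject negatives first, then compare as unsigned. */
int length_ok(int len)
{
    return len >= 0 && (size_t)len <= (size_t)(NAME_BUF_SIZE - 1);
}

/* Copy a field whose length was declared by the sender (constructed format).
 * The declared length is checked against both the bytes actually received
 * and the destination size before anything is copied.
 * Returns 0 on success, -1 if the field is rejected. */
int copy_field(char *dst, size_t dst_size,
               const char *payload, size_t payload_len, int declared_len)
{
    size_t n;
    if (dst == NULL || payload == NULL || declared_len < 0)
        return -1;
    n = (size_t)declared_len;
    if (n > payload_len)         /* claims more data than was received */
        return -1;
    if (n >= dst_size)           /* no room left for the terminator */
        return -1;
    memcpy(dst, payload, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_BUF_SIZE];
    printf("short name: %d\n", store_name_checked(name, sizeof name, "pump-07"));
    printf("oversized name: %d\n",
           store_name_checked(name, sizeof name, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("length -1: flawed test %d, corrected test %d\n",
           length_ok_flawed(-1), length_ok(-1));
    return 0;
}
```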
National Strategy for Trusted Identities in Cyberspace
http://events.stanford.edu/events/261/26161/
U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt will visit the Stanford Institute for Economic Policy Research (SIEPR) to discuss the Obama administration's efforts to enhance online security and privacy and next steps in meeting the challenges of a growing cyber world, with local industry and academic leaders in Silicon Valley.
The public and private sectors have critical roles to play in creating a system that allows people to complete online transactions with greater confidence that their personal information is safe. Through its forthcoming National Strategy for Trusted Identities in Cyberspace (NSTIC), the administration aims to support private-sector cybersecurity innovations by focusing on establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for users and consumers. E-commerce worldwide is estimated at $10 trillion of business online annually.
Following keynote remarks, Patrick Gallagher, director of the Commerce Department’s National Institute of Standards and Technology, will moderate a panel discussion with industry CEOs and public policy executives on the benefits and challenges surrounding the implementation of the NSTIC.
Panelists include:
Dave DeWalt, CEO, McAfee
Phil Bond, President & CEO, TechAmerica
Philip Kaplan, President & Founder, Blippy
James Dempsey, Vice President for Public Policy, Center for Democracy and Technology and nominee to the U.S. Privacy and Civil Liberties Oversight Board
The event is co-hosted by TechAmerica, TechNet, the Churchill Club, SIEPR, and TRUST.
GSA falls short in four critical cybersecurity areas
http://www.infosecurity-us.com/view/14956/gsa-falls-short-in-four-critical-cybersecurity-areas/
05 January 2011
The General Services Administration (GSA) needs to beef up its cybersecurity in four key areas, concluded an audit by the GSA’s inspector general.
In its FY 2010 audit under the Federal Information Security Management Act, the GSA inspector general acknowledged that the agency’s chief information officer (CIO) had taken steps to improve cybersecurity, including updating the GSA’s IT security policy, publishing guidance on information security topics, and expanding the security program to include cloud computing.
At the same time, the inspector general warned that the CIO needs to strengthen cybersecurity in four areas: secure monitoring of agency systems, oversight of audit logging and monitoring practices, implementation of multifactor authentication for systems processing sensitive information, and encryption of data on laptops. The audit noted that “numerous” cybersecurity weaknesses were identified in five GSA systems reviewed by the inspector general. These weaknesses result from “security misconfigurations of database or operating system software”.
According to the audit, “these weaknesses included database and operating system software that was not patched or securely configured and lax password management practices for database administrator accounts. As a result, these systems and their sensitive data were placed at an increased risk of inappropriate access, modification, or destruction.”
Regarding the lack of laptop encryption, the inspector general explained: “GSA laptops are not encrypted because GSA has experienced significant technical problems in integrating the chosen encryption solution in the GSA’s network.”
The inspector general recommended that the CIO take the following actions to improve the cybersecurity situation at the agency: strengthen configuration management practices for GSA systems; work with system security officials to prioritize the implementation of audit logging and monitoring controls; ensure that all systems remotely accessed implement multi-factor authentication; and implement encryption for agency laptops.
The CIO, Casey Coleman, had a terse response to the inspector general’s audit. In a Nov. 23 letter to the inspector general, Casey wrote: “My staff has reviewed the draft audit report and we concur with your audit findings and recommendations.”
Pentagon, industry to swap cybersecurity experts
03 January 2011
The Department of Defense (DoD) is launching a pilot program to exchange cybersecurity experts and other IT personnel with private industry to improve information sharing and beef up the nation’s cybersecurity defenses.
The program would involve temporary assignment of DoD cybersecurity experts to companies and private sector experts to the Pentagon. “This Pilot is envisioned to promote the interchange of DoD and private sector IT professionals to enhance skills and competencies”, according to an interim final rule published in the Federal Register.
"Given the changing workforce dynamics in the IT field, DOD needs to take advantage of these types of professional development programs to proactively position itself to keep pace with the changes in technology. The immediate implementation of an Interim Final Rule is viable to enhance IT professional skills, particularly in the area of cybersecurity", the notice said.
Several DoD agencies will participate in the program, including the Defense Information Systems Agency, the Defense Advanced Research Projects Agency, the Office of Naval Research, and the Pentagon’s Chief Information Officer.
Not everyone is thrilled with the pilot program. Don Hale, chair of the American Federation of Government Employees’ Defense Committee, warned that the program could jeopardize national security unless severe restrictions are placed on the private sector employees.
“I have serious doubts that the same level of scrutiny applies to private sector IT employees, and national security could be comprised during the exchange”, Hale told Defense Systems.
We've seen quarter over quarter revenue growth. It's building. You're not going to see it immediately because of the way it's booked.