Friday, 09/14/2018 7:26:06 PM

Files With 42 Million Emails and Passwords Found On Free Hosting Service

https://www.bleepingcomputer.com/news/security/files-with-42-million-emails-and-passwords-found-on-free-hosting-service/

A huge database with email addresses, passwords in clear text, and partial credit card data has been uploaded to a free, public hosting service.

The operator of the sharing service sent the set to Troy Hunt, Australian security researcher and creator of the Have I Been Pwned data breach index site, to compare it and check whether it was the result of an unknown data breach.

Most likely intended for credential stuffing

Based on the format of the data, Hunt thinks the lists are most likely intended for credential stuffing attacks, which combine into a single list cracked passwords and email addresses and run them automatically against various online services to hijack the user accounts that match them.

Credential stuffing attacks take advantage of the fact that users, for convenience, are likely to reuse credentials on multiple websites.

"When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I've never seen before. (Later, after loading the entire data set, that figure went up to 93%.)," Hunt writes in a blog post (https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/) today.

The security researcher was able to determine that over 91% of the passwords in the dataset were already available in the Have I Been Pwned collection. You can query the service for yours here (https://haveibeenpwned.com/Passwords).

Hunt says that filenames in the collection do not point to a particular source because there is no single pattern for the breaches they appeared in.

For years, security researchers have advised users to kick the habit of recycling passwords, specifically to avoid credential stuffing attacks.

Cybercriminals trade credential databases on a daily basis, not just on the dark web, but on publicly accessible forums, too. They rely on automated processes for cracking the passwords and test them against online services.

Using a password manager that can generate strong unique passwords for every site you visit and turning on two-factor authentication (where possible) are good measures against this type of attack.

=================================================================
All it takes is one employee's credentials (from a list such as this) to break into a company network. Why not use a two-factor authentication product like Wave VSC 2.0 instead of a 2FA product like RSA SecurID, which has had demonstrated holes in it?
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

Get better security at less than half the cost

Passwords are weak. Tokens are expensive. Don’t compromise on security or price.

Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.

What can it be used for?

What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.

One helpdesk call you'll never get: "I lost my virtual smart card again..."

There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

What will you do with >50% TCO savings?*

Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.

Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.

When we say “secure”…

…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).

*Actual number may vary. Contact us today to receive more details and a free quote

Key Features:

• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases
  ◦ Virtual Private Network (VPN)
  ◦ Local logon
  ◦ Remote logon
  ◦ Remote desktop access
  ◦ Intranet/Extranet
  ◦ Cloud applications
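
For defenders, the credential stuffing pattern described in the quoted article (leaked email/password pairs replayed automatically against a login service) can be told apart from password guessing in authentication logs. The following is an added example, not part of the original post or the article; the event format, IP addresses, accounts and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, account, login_succeeded)
SAMPLE_EVENTS = (
    # One source, 40 different accounts, one try each, a single hit.
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]
    # One source, one account, 30 failed guesses.
    + [("198.51.100.9", "alice@example.com", False)] * 30
    # An ordinary user mistyping once, then logging in.
    + [("192.0.2.15", "bob@example.com", False),
       ("192.0.2.15", "bob@example.com", True)]
)

def classify_sources(events, min_attempts=20, max_success_rate=0.10):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'.

    Thresholds are illustrative assumptions, not values from the article.
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    accounts = defaultdict(set)
    for ip, account, ok in events:
        attempts[ip] += 1
        successes[ip] += int(ok)
        accounts[ip].add(account.lower())

    verdicts = {}
    for ip, n in attempts.items():
        if n < min_attempts or successes[ip] / n > max_success_rate:
            verdicts[ip] = "normal"
            continue
        # Stuffing replays a list of leaked pairs: about one attempt per
        # account. Brute force sends many guesses at few accounts.
        per_account = n / len(accounts[ip])
        verdicts[ip] = ("credential_stuffing" if per_account <= 2
                        else "brute_force")
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a stuffing source logged in to (a reused password matched)."""
    return sorted({acct for ip, acct, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print(accounts_to_reset(SAMPLE_EVENTS, v))
```

Grouping by source IP is only a first cut, since automated attempts are often spread across many sources; the same per-account ratio can be computed over other groupings such as user agent or time window.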




