Wave Systems Corp. (fka WAVXQ)

[Genz2]

Iranian Hackers Hit U.K. Cybersecurity Universities

https://www.forbes.com/sites/geoffwhite/2018/10/29/iranian-hackers-hit-u-k-cybersecurity-universities/#6e545fe331c9

Iranian cybercriminals tried to hack into U.K. universities offering government-certified cybersecurity courses, successfully accessing at least one university’s accounts during a campaign lasting months.

The hacking group has targeted at least 18 British universities, according to researchers. The list includes top-flight institutions. But it also includes less well-known destinations which are notable for being among a select group certified by the National Cyber Security Centre (NCSC) to provide degrees in cybersecurity.

It is not known whether the universities were singled out because of their affiliation, but half of those targeted by the hackers are on the NCSC-certified list, including Warwick and Lancaster. The attacks are believed to be linked to a previous campaign which US officials blamed on Iranians, in which dozens of universities were hacked and their research published on two Iranian websites.

People with U.K. university log-ins were sent phishing emails to trick them into giving up their passwords.

Lancaster University said a small number of recipients fell for the hackers’ attack and entered their credentials. The University reset their passwords and investigated whether any information had been lost.

“We were aware of the phishing campaign, which posed as a library notification and directed the user to the fake page,” a spokeswoman said. “The University blocked the link and all those targeted by the campaign were individually notified by the University.”

A Warwick University spokesman said its use of two-factor authentication would have prevented data theft. “There is no evidence of any data loss around sensitive or valuable research material at Warwick by [cyberattacks],” said a spokesman.

Students who take the certified cybersecurity degrees are not guaranteed a job with GCHQ or the National Cyber Security Centre, but will likely end up occupying senior positions protecting the UK’s largest companies and institutions from cyberattack.

The hackers sent their targets a fake email to trick them into logging in, thereby revealing their passwords. To make the emails look genuine the hackers created spoofed websites similar to the genuine universities’ sites.

The registration of the websites shows the hackers have been active in the last few months. A fake site for Warwick University, where cybersecurity masters courses are NCSC-certified, was set up in June. A fake Lancaster University site was created in May.

This is despite the US Department of Justice charging nine Iranians with hacks on universities in March, claiming the “Mabna Institute” group had stolen 31 terabytes of academic information universities in 22 countries. Since then, researchers have been painstakingly tracking the creation of new fake websites, seemingly by the same hacking group, which show the hacking attempts on universities have continued.

A spokesperson for the NCSC said: “Universities are a popular target for cyber actors seeking access to intellectual property, such as cutting-edge research. The NCSC supports the academic sector to help them to improve their security practices. This has included our Active Cyber Defence programme, which took down 23 attempts to spoof one university’s website. We urge universities to follow the best practice cybersecurity advice on the NCSC website.”

The hackers also used the internet’s “green padlock” system to try to fool victims into entering their passwords. Many web users believe the presence of a green padlock in their browser means the site is safe to visit. In fact, it means only that information sent to and from the site is encrypted; the site itself could be fake or malicious.

The hackers successfully gained green padlock certificates from a US company called Let’s Encrypt, meaning victims could have been tricked into thinking the sites were legitimate. Let’s Encrypt told Forbes: “Browsers are misleading people about site safety when they display lock icons. Some people incorrectly interpret lock icons as a sign that a site's content is safe or trustworthy, and that's a completely separate issue from whether or not the connection is secure. We would like to see browsers stop displaying lock icons on the basis of the existence of a secure connection.”
=================================================================
I have read that the UK was testing the TPM many months ago and with a 'Public' Wave Knowd the non-employees could have access to an authentication product that could protect them from hackers like Iranians. (Knowd is in retirement currently but was a very promising product) The UK 'Public' employees could have their authentication protected by Wave VSC 2.0. Wave has state of the art technology around authentication that could benefit employees/non-employees (students) with these two products which are easier to use than the standard (2FA) and is better security! There would be no need to fumble around with keys. And each product takes advantage of a standard (TPM) backed by 150 companies!
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpt:

Key Features:

Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies
=================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords

Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services

https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords

Lee, MA -

May 9, 2013 -

Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.

“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”

To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.

“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”

Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.

“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”

ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.

Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?

Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual users’ unique device identity, with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.

Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.

Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience