
Re: None

Friday, 01/18/2019 4:20:36 PM

Oklahoma gov data leak exposes FBI investigation records, millions of department files

https://www.zdnet.com/article/oklahoma-gov-data-leak-exposes-millions-of-department-files-fbi-investigations/

Updated: An Oklahoma Department of Securities server allowed anyone to download government files.

Researchers have disclosed the existence of a server exposed to the public which not only contained terabytes of confidential government data but information relating to FBI investigations.

According to UpGuard cybersecurity researchers Greg Pollock and Chris Vickery, the open storage server belonged to the Oklahoma Department of Securities (ODS), a US government department which deals with securities cases and complaints.

The database was found through the Shodan search engine which registered the system as publicly accessible on 30 November 2018. The UpGuard team stumbled across the database on 7 December and notified the department a day later after verifying what they were working with.

To ODS' credit, the department removed public access to the server on the same day.

"The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server," the researchers say.

Update 18.47 GMT: An Office of Management and Enterprise Services spokesperson told ZDNet:


"All state IP addresses, and many city and county addresses, are registered to OMES, but the agency has no visibility into the computer systems at the Oklahoma Department of Securities. For the past eight years the state has been working to consolidate all IT infrastructure under OMES and ODS had the option to consolidate its systems voluntarily and they did not."

In order to examine the security breach, the team was able to download the server's contents. The oldest records dated back to 1986 and the most recent was timestamped in 2016. In total, three terabytes of information representing millions of files. Contents ranged from personal data to system credentials and internal communication records.

"The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities' network integrity," the researchers say.

The data was stored in various formats. Email inbox storage backups represented a significant proportion of the leaked data, as well as virtual machine backups of ODS machines.

The stored information also included spreadsheets of IT credentials for accounts with Thawte, Symantec Protection Suite, Tivoli, and others; a BlueExpress database of account details for third parties submitting security filings; credentials required for remote access to ODS workstations; training documents; email histories, and files relating to ODS investigations.

Speaking to Forbes, Vickery added that there was a treasure trove of data relating to FBI cases. These files contained archives of enforcement actions dating back seven years including bank transaction histories, emails back-and-forth between those involved in cases, and copies of letters from subjects involved in investigations conducted by the FBI.

In a statement, the ODS confirmed there had been an "inadvertent exposure of information during installation of a firewall," and after the exposure was discovered it was "immediately secured."

"A forensic team is currently conducting an analysis to determine the type and number of data files that may have been exposed and who may have accessed them," the department added. "The ODS is also exploring remedial actions and notifications for anyone whose information may have been exposed."

This incident might encourage ODS to take cybersecurity more seriously in the future. According to UpGuard metrics, the organization's web domain has the worst risk of breach score of all websites on the ok.gov domain.
=================================================================
https://www.wavesys.com/wave-alternative

The IT perimeter is gone

With tablets, smartphones, and cloud applications, your employees can access sensitive data anytime, from anywhere. Indeed, around 70 percent of security breaches and data thefts are inside jobs. Meanwhile, the hackers only get better: advanced persistent threats (APTs) appear as normal traffic, and malware can go unnoticed for weeks.

It’s a new world, one without borders. Yet most organizations are still trying to protect their data with the same old firewalls and antivirus software. It’s not working. We refer you to the headline-making breach of the week.

You have to start with the device

Wave has an alternative: security that’s built into each and every device.

We’re talking about hardware: self-encrypting drives (SEDs), which protect data when a device is stolen or lost, and trusted platform modules (TPMs), or embedded security chips. Both go in at the factory, and increasingly, both are standard. They make it possible for you to monitor and control each individual device and its data, no matter where it is. But you need software to turn on and manage your SEDs and TPMs. Wave makes that software.

We’ve been refining comprehensive, centralized management of hardware-based security longer than anyone else. More than that, we’ve shaped the field as a founding member of the Trusted Computing Group, the not-for-profit that develops and promotes industry standards for the hardware.

Security that’s confirmed, not assumed

With Wave, you’ll know that you’re secure. Because we start with the individual devices, you get a broad, deep view of your network. You can see exactly who’s on it, with what devices and what apps, at any given time. Just for example, if Bob goes home and tries to log onto Facebook with the company laptop, Wave can stop him.

A big piece of this heightened security is device authentication. Traditional two-factor authentication requires what amounts to two user IDs. But by using the TPMs inside your devices, Wave can confirm the identity of not only users, but also the devices they’re on. Combine that with fast, enforced encryption of sensitive data via your SEDs—all easily managed with Wave software—and your data is protected from the full range of modern risks: device theft, missent emails, flash drives, portable hot spots … even (and no one else can say this) hardware keyloggers. Not to mention Bob.

Do we need to say that with Wave, compliance is no problem?

Start closing your security gaps today, with what you’ve got

You might be surprised to hear that 90 percent or more of your computers probably already have TPMs. Mobile devices are catching up fast. SEDs are newer, but you probably have a bunch of those too. Machines that don’t have them can often be outfitted at little to no extra cost. So you’ve got some or all of the hardware. All you need to do is turn it on with Wave.

It’s almost as easy as it sounds. TPMs and SEDs are built to open, vendor-neutral industry standards, and so are Wave solutions. That means Wave works on your existing mix of hardware, across platforms, and will evolve with you. It’s part of what makes the Wave alternative not only more secure, but also simpler and cheaper. Total cost of ownership for Wave data protection can be almost half that of a traditional software-based system.

Questions? Read on, or contact our sales department.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/wave-self-encrypting-drive-management