Saturday, 05/11/2019 10:45:55 AM

A Massive Accounting Hack Kept Clients Offline and in the Dark

https://www.bloomberg.com/news/articles/2019-05-11/a-massive-accounting-hack-kept-clients-offline-and-in-the-dark

Dutch company Wolters Kluwer NV makes the software on which many of the world’s small and mid-sized accounting firms run. Earlier this week, a cyberattack took down that software and presented a case study in how not to communicate with customers over a hack.

The company told its followers on Facebook and Twitter on May 6 that, out of caution, it’d taken some of its cloud-based software applications offline. But the opaque 48-word statement didn’t explain why, and left customers frustrated and worried.

"Going dark as much as you have has done nothing to stop us from fearing the worst," one person replied on Twitter. "Has there been a security breach?" asked another.

Martin Wuite, chief information officer at Wolters Kluwer, was trying to find out, too. He’d become aware of anomalies in his company’s servers around 8 a.m. ET Monday after an automated monitoring system had flagged something was wrong.

"Customers were alerted immediately as soon as we discovered the issue," he said. "When we detected the malware, we proactively took a broad range of platforms offline to protect our customers’ data."

Wolters Kluwer, based in a small town in the Netherlands and with a market value of around $19 billion, is a little-known accounting software giant, providing services to health, tax and compliance industries. According to the company, 93% of Fortune 500 companies are its customers.

Please see above link for the rest of the article.
==================================================================
Given the success that Wave had with PwC's strong authentication, this accounting software firm could substantially benefit from Wave's solutions, especially Wave ERAS and Wave VSC 2.0!! Being set up on Wave VSC 2.0 and Wave ERAS is probably much faster now with Wave than when PwC was converted to the TPM!
==================================================================
https://www.cio.com/article/2415123/pwc-lauds-trusted-platform-module-for-strong-authentication.html

PwC lauds Trusted Platform Module for strong authentication

migrating 150,000 users to TPM-based storage of private keys

networkworld.com, Wednesday, September 15, 2010

Auditing and business-services firm PricewaterhouseCoopers (PwC) today said it's built its next-generation authentication system by swapping out employees' older software-based private-key certificates for hardware-based storage of new certificates using the Trusted Platform Module (TPM).

What is TPM?

TPM is a small chip embedded in laptops, says Boudewijn Kiljan, solution architect for global information technology, infrastructure portfolio, at PwC, which is migrating 150,000 users to TPM-based storage of private keys. The vast majority of computers on the market ship with TPM inside, and by adding TPM-based software from Wave Systems, it was fairly easy for PwC, which already had a public-key infrastructure (PKI) in place, to switch to hardware-based storage of private keys, the foundation for employee desktop authentication.

In contrast, "private keys protected by TPM are not exportable," Kiljan said. The Microsoft-based software-only method that PwC had been using to store private keys does appear to be far more vulnerable to an attacker intent on stealing private keys, he noted.

TPM, developed as a specification by the Trusted Computing Group (TCG), is an open standard so there's less worry about vendor lock-in than if a more proprietary method were selected, Kiljan pointed out. One thing to note about TPM is that it's a restricted technology in the countries of China, Russia, Kazakhstan and Belarus, he noted.

But while making the conversion to TPM has been fairly easy by adding TPM-supporting software from Wave Systems, there were a number of processes that the IT department at PwC had to follow to make it all work.

These included issuing new certificates for TPM, installing TPM drivers, and a process called enabling and clearing the TPM in the BIOS.

Technically, the TPM specification doesn't yet have a specification that details a way to do this other than manually. But several vendors, including Wave Systems, now have toolkits to do this remotely and build management around it. That's what PwC used to activate TPM via administrator-controlled passwords.

PwC has already migrated about 35,000 employees to TPM, and expects to have all 150,000 over to TPM over the course of about a year or so. TPM works transparently to the user. Kiljan says estimates are that TPM is less than half the cost of going with a smartcard-based PKI device and a third of going with a USB PCI device.
