Saturday, 01/18/2020 2:12:57 PM

German Researchers Accessed Service Members’ Sensitive Medical Data—and One Lawmaker Wants Answers

https://www.nextgov.com/cybersecurity/2020/01/german-researchers-accessed-service-members-sensitive-medical-dataand-one-lawmaker-wants-answers/162497/

Sen. Mark Warner wants to know what the Defense Health Agency is doing to secure “a significant number” of medical images.

A Democratic lawmaker wants answers and actions taken to address unsecured servers at three military medical facilities that he said are putting service members’ personal information at risk.

Sen. Mark Warner, D-Va., penned a letter to the Defense Health Agency Thursday pressing it to eliminate the exposure of sensitive medical data belonging to military personnel that he said remains vulnerable due to risky practices at Fort Belvoir Medical Center, Ireland Army Health Clinic and the Womack Army Medical Center.

“The exposure of this information is an outrageous violation of privacy and represents a grave national security vulnerability that could be exploited by state actors or others,” Warner wrote.

DICOM is the standard format for medical images, and Warner—who co-chairs the bipartisan Senate Cybersecurity Caucus—recently learned that anyone with a DICOM web viewer can access service members’ personally identifiable and sensitive medical information from the three entities, due to unsecured Picture and Archiving Servers, or PACs. Last September, Warner wrote to health care entities that controlled the PACs after a comprehensive investigation detailed how the servers were leaving millions of Americans’ medical images up for grabs on the internet without their consent.

Following the first letter, the images were removed—but Warner said records belonging to 6 million Americans were still accessible online. In November, the lawmaker wrote to the Health and Human Services Department’s Office of Civil Rights about the information that remained exposed. Since then, the senator said 16 systems, 31 million images and 1.5 million exam records were removed from the internet.

“However, I recently learned that a significant number of medical records belonging to servicemembers remain online,” Warner wrote in the latest correspondence. That information, he noted, was discovered by German researchers who accessed the information using German IP addresses.

“This itself should have triggered alarms by the hospital information security systems,” he wrote.

In Thursday’s letter, the lawmaker presses the agency to remove the vulnerable PACs from open access to the internet and immediately mitigate the security issues. To understand the severity of exposure, Warner also asks officials to answer a series of questions regarding information security management practices at military medical hospitals. He asks whether full-disk encryption and authentication for PACs are required by the agency and whether hospitals are directed to hire chief information security officers, among other questions. Warner also added that he expects a response within two weeks due to the issue’s gravity.

“As a matter of national security, the sensitive medical information of our men and women of the armed services is particularly vulnerable and should be, at a minimum, protected by robust security controls and routine scans,” he wrote.
=================================================================
Facebook users will be notified when their credentials are used for third-party app logins

https://www.helpnetsecurity.com/2020/01/16/facebook-login-third-party-apps/

Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account.

At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites.

Login Notifications

The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and user’s associated email.

The sending of those notifications will be triggered every time a user (or attacker):
• Logs into a third-party app with Facebook Login and grants the app access to their information
• Re-uses Facebook Login to log into a third-party app after an app’s access to information has expired

As you can see in the image above, each notification will include a list of the information the app/website pulls from the Facebook account to personalize the user’s experience, as well as offer a direct link to Facebook Settings > Apps and Websites, so users can limit the information shared with the app/service or remove the app altogether.

Privacy push

“The design and content of the Login Notifications remind users that they have full control over the information they share with 3rd party apps, with a clear path to edit those settings,” Puxuan Qi, a software engineer at Facebook, explained.

“We will continue to test additional user control features in early 2020, including bringing permissions to the forefront of the user experience when logging into a 3rd party app with Facebook Login.”

This new feature is part of Facebook’s broader attempt to show they care about user privacy and minimize the fallout of incidents such as the massive 2018 Facebook data breach (when attackers managed to steal access tokens of at least 50 million users, potentially allowing them to take over victims’ Facebook accounts and log into accounts the victims opened on third-party websites and apps by using Facebook Login) and the Cambridge Analytica scandal (CA used information collected through third-party apps without users agreeing to their data being used to fuel election campaigns or even knowing about it).
==================================================================
Wouldn't it be so much easier, more secure and better for the customer if government and Facebook and its customers were able to use 'Wave Knowd' for better authentication?!!!
==================================================================
Wave Knowd Introduces New Model for Internet Authentication Without Passwords

Knowd ‘Trust Score’ Assures User Identity when Accessing Web Services

https://www.wavesys.com/buzz/pr/wave-knowd-introduces-new-model-internet-authentication-without-passwords

Lee, MA - May 9, 2013 -

Wave Systems Corp. (NASDAQ: WAVX), the Trusted Computing Company, today announced Wave Knowd, a new web service available for preview that significantly reduces the vulnerability and use of passwords by leveraging the unique identity of computing devices. With a simple integration of Wave Knowd, any website can establish reliable and consistent identity relationships with the devices its customers use most often for Internet services. Wave Knowd, which signifies “Known Devices,” is being tested by partners to provide the backbone for general purpose machine identity.

“The maturation of the web mandates a change in how we, and our computing devices, connect to the web,” said Steven Sprague, Wave CEO. “With cable television, satellite radio, bank kiosks and mobile phones, the service relationship is tied to the endpoint device. The web needs the security and simplicity of this same model, where our computing devices themselves play an added role in authentication. I access dozens of web services every day from the computer in my home office, and want those sites to know and trust my PC so they’ll stop continually asking me to log in. Wave Knowd enables that trust.”

To make web authentication stronger and simpler, Wave Knowd provides a new approach to signing on and accessing Cloud and Internet services. From online banking to business services and even consumer gaming, passwords are failing to provide a level of security that either service providers or users can trust. Knowd is built upon the concept that only known devices should ever access a protected network. Knowd incorporates all of your access and identity solutions together to establish a relationship of trust between users’ computing devices, and the web services they access.

“We interact online using so many devices now, but from a security perspective those devices aren’t all equal. Accessing medical records or confidential business files from my kid’s smartphone is certainly not as trustworthy as connecting from my business PC with an encrypted drive,” continued Mr. Sprague. “Wave Knowd is all about making the Web simpler and safer, and that new foundation of trust begins with known devices, and known capabilities.”

Once machine identity is established, any web site—from gaming, social networking or shopping; to banking, business and financial services—can use Wave Knowd to create a reliable and persistent identity for the connecting device. Knowd allows Web sites to streamline access for users who repeatedly log on from trusted devices, while bolstering security. Initial authentication creates a unique and anonymous relationship between each computing device and each web service accessed, and then the level of trust between the two grows over time. Knowing the device can also help the site prevent fraud and phishing, or simply provide quicker no-password access. Wave is the partner helping to create and manage these relationships.

“Wave Systems was the obvious choice to provide ID Dataweb’s attribute exchange with device identity services,” said David Coxe, CEO at ID Dataweb. “In Knowd, Wave has provided a system that is rooted in state of the art device security technologies such as the Trusted Platform Module and other secure elements, while also offering a simple web based integration. It’s easy to identify if a connecting device is highly trusted, or whether it requires added screening and security.”

ID Dataweb uses Wave’s Knowd solution as part of the Identity Ecosystem supported through a grant from the U.S. Department of Commerce’s National Institute of Standards and Technology’s NSTIC initiative (National Strategy for Trusted Identities in Cyberspace). ID Dataweb has created a standards-based platform to simplify online identity verification using OpenID credentials.

Providing the Tools to Manage Trust in the Cloud: What’s Your Trust Score?

Wave Knowd is a powerful enhancement for any website. The endpoint identity service links an individual user’s unique device identity with the Internet services that are typically protected only by username and password access. Users are prompted by their cloud service provider to register their primary computing devices to create a unique and persistent device identity relationship with their Internet services and service providers. No personal ID information is obtained by Wave, as Knowd works purely as a machine identity service. Furthermore, registered devices are given a unique ID for every service provider, establishing a separate trust relationship with each service.

Wave Knowd asserts a Trust Score that helps both consumers and cloud services or relying parties to determine the level of trust granted to each specific computing device. For example, a home PC that is used regularly for banking will quickly build a high Trust Score. Users can achieve a higher Trust Score by installing a small software application (Wave Knowd currently supports Windows 7 and 8, with Apple and Android to follow later this year). Business-class PCs containing a standard Trusted Platform Module (TPM) can establish even greater trust by leveraging the TPM security chip to create and securely store a unique device ID.

Knowd provides a web service with a new capability to enable or disable features based on the device that the user is actively using, providing a new security option for the end user. Perhaps an account password can only be reset from the user’s registered home computer and not from anywhere in the world, thereby linking in all of the user’s investment in the security of their home, from their alarm system to the doorman. Every web service can benefit from integrating Wave Knowd as part of the user’s experience.






















