May 06--MANCHESTER -- It's an ill wind that blows no good, and a Queen City technology firm is hoping that very ill wind of the Heartbleed bug, an Internet security problem so widespread that its scope is still being determined, will blow them some business.
"We have a number of opportunities that are being worked presently. There's a lot of interest that it," said Joe McDonald, project manager for WWPass -- who said that he has taken on some sales duties in recent weeks as the 60-person firm finds its profile rising in the newly security-conscious world.
The interest comes partly as a result of high-profile data breaches at retailers like
SSL has been the basis of website security almost since the Web began; finding a flaw in SSL that leaves data open to theft has been compared to finding a flaw in the basic design of all combination locks.
"There has been security breach after security breach, but Heartbleed dramatically changes the market -- it shows that hundreds of thousands of servers, millions of websites, are vulnerable," said E.J. Powers, a company spokesman.
By contrast, WWPass said in a release, "If the online retailer had utilized WWPass' cloud-based authentication technology ... the customer's information would not be accessible even if the server was compromised by the Heartbleed bug."
WWPass, which stands for "worldwide pass," was founded in 2008 by Russian-born physicist Gene Shabylgin and moved to downtown Manchester in 2013. It is privately held and does not release sales figures, and so far has depended entirely on financing from Shabylgin.
WWPass has developed a form of two-factor authentication, using a USB "dongle" that, together with a user's access code, interacts with the website of a retailer or firm to gather key information distributed in the cloud. While the need for a physical tool means WWPass isn't going to be a widespread consumer tool, the company says its model answers a lot of concerns about online commerce, including privacy in an era of greater government and law-enforcement activity online.
"If we were subpoenaed, we couldn't tell them" about customers' data or usage habits, McDonald said. "We don't have that information. It's distributed and encrypted among 12 data centers that WWPass has around the globe." It can only be obtained via the user's passkey and access code, he said.
Further, he said, because the WWPass system involves back-and-forth information exchange between the receiving website and the user before authentication occurs, it prevents "spoofing," in which a bad guy's website pretends to be a legitimate site, gathering data from customers trying to place an order.
Finally, because the key itself holds no personal data, nothing can be done with it if it's lost or stolen, since whoever has it lacks the user's access code.
"Target's a good example of the kind of companies we're speaking with," said McDonald, talking about the massive data breach at the retailer, in which hackers stole customer information by entering the network via connections with a heating and air conditioning contractor.
"(Target) provides two-factor to their larger vendors, so why didn't they do it to the lower ones? I suspect it was the cost associated with competitor's two-factor security systems," he said. He said that the WWPass system is much cheaper to implement and keep updated.
David Brooks can be reached at 594-6531 or dbrooks@nashuatelegraph.com. Also, follow Brooks on Twitter (@GraniteGeek).