RSA 2014 Wrap Up

I just finished my seventh year of attending RSA. The conference was bigger than ever, with a very enthusiastic attendee base and a well-engaged and knowledgeable vendor community.  Over the years RSA has become one of the premier and most relevant information technology conferences in the world. This year there were so many new trends and exciting solutions being offered. As always, start up alley was filled with energy, enthusiasm, great new products and services, and passionate companies vying for attention.

As in past shows, the perennial security cornerstone companies promised to provide all of their products on platform-like dashboards and summarize everything you need on comprehensive consoles. One-stop shopping for all of your security needs is the nirvana that they strive for. The “best of breed” upstarts continue to innovate, develop, and deliver much needed solution sets in a focused and efficient manner. What we have in common is that we are all trying to make the digital world a less chaotic and more orderly place for all of our daily information needs. Once again, information security is a fantastic place to be in 2014.

Among all of the trends were innovators and vendors mastering a fine balancing act between separating themselves from all the noise and remaining relevant. At the same time, a common thread still prevailed among a large part of the participants:

What unknown activities are underway on my network?

In the remote, most vulnerable areas of my network, how do I ensure that I am aware and take actions so I can see “all of the things”?

Am I keeping compliant and viewing the entirety of the network?

However, the edges of the network (the outposts) are still the most vulnerable. That’s where the breaches will occur and that is where we really need to focus and lock down. You will most likely be regretting it if you choose to make this an afterthought.

RSA 2015 is just a year away and I’m sure it will be just as innovative as ever. Pwnie Express will be there again, doing what it does best: staying one step ahead of the bad guys and helping to provide the community with necessary and forward-thinking solutions that run your businesses with less stress and more efficiency.

I wish you all safe travels home from the show.

Steve Pace

 

RSA Day 3 Recap

The third day of RSA really amped up the energy in the South Hall Expo. Not only did the traffic passing by the booths increase exponentially, but the overall excitement and enthusiasm for new technology reached a new high. Being such a relatively new company, the Pwnie Express team was thrilled to be able to show off and introduce its security solution to so many curious attendees.

My favorite part of this day was our new demo that showed the number of passersby’s devices that were connected to Wi-Fi. Conference attendees would stroll by the booth, come to a halt in front of our flat screen demo display and study it briefly before asking what exactly this was all about. Then, upon receiving an introduction to our security solution and just how many devices were showing on the screen, their excitement was quite visible in their expressions. Before turning away from our booth, attendees would quickly reach for their phones and turn off their wifi connection. What better way to demonstrate security vulnerabilities in the cyber space than through a clever little device like this? I felt quite proud to be a part of such an innovative team and I was very excited to watch the enthusiastic responses from people who strolled by our booth.

For quite a few conference attendees, Wednesday was their lucky day to receive fantastic conference pricing on our products – they walked away with a new toy for either work or for personal use. The Pwn Pad 2014 definitely garnered the most attention with its sleek form factor and world’s sharpest 7″ tablet screen. Another favorite was the Pwn Plug Elite, just because of its simple yet so effective form factor. And of course, everyone is awaiting the Pwn Pad 2014 raffle results to see if they are by chance the lucky winner!

The afternoon resulted in several video interviews with customers and partner companies, as well as networking with a diverse and dynamic security community. A brief walk through both the North and South Hall Expos provided me with a good overview of the latest and greatest in technology and innovation. And of course, like everyone attending conferences, I couldn’t help but grab a few of the silly yet irresistible freebies from other booths while recruiting exhibitors to stop by our booth to enter the Pwn Pad raffle. It was great to meet some of our customers in person while making new connections.

Pwnie Express had a great turnout at RSA, and we were excited to again be a part of the technology innovation at one of the premier conferences. Although I just left RSA, I am already looking forward to what next year at RSA will bring.

 

Pwnie Express and Splunk: Realtime Wireless & Bluetooth Visibility

As part of a recent collaboration between Pwnie Express and Splunk, Inc., we put together a simple “Pwnie-Splunk” dashboard showing a real-time stream of all wireless and Bluetooth devices detected by a Pwn Plug R2 on the RSA show floor.

To accomplish this, we cobbled together a few parsers for Airodump-NG and Bluelog output, which we then forwarded to the Splunk demo server via syslog.

The Bluelog parser is fairly simple. First, we launch Bluelog in daemon mode, recording Bluetooth device names and device types and logging all detected devices to a local log file on the Pwn Plug R2:

# Start bluelog and write output to local logfile
bluelog -nfdo /var/log/pwnix/bluelog-devices

Next, we forward a real-time tail of this log to the Splunk server:

# Forward newly detected Bluetooth devices to Splunk server
tail -f /var/log/pwnix/bluelog-devices | logger -u /tmp/ignored -d -P 514 -t bluelog -n "${splunk_server}" &

Ok, that was fairly painless. Parsing Airodump-NG output, on the other hand, was a bit of a challenge. Airodump-NG does export to CSV. However, the resulting CSV contains binary blobs, MS-DOS newline characters, two separate sections (with header rows) for wireless APs versus wireless clients, and the CSV file is entirely overwritten every 5 seconds while Airodump-NG is running. Also, Airodump-NG has no native support for backgrounding or daemonizing itself.

We thus first launch Airodump in a detached screen session:

# Launch a detached airodump session that logs output in CSV format
screen -d -m -S AirodumpSession airodump-ng --output-format=csv --write=/var/log/pwnix/airodump "${monitor_interface}"

Next, because Airodump overwrites the CSV every 5 seconds, we need to establish a way to track “already known” devices to avoid duplicate log entries for devices already discovered by the running Airodump session. To accomplish this, we first log the initial list of client devices and APs detected by Airodump:

# Create initial list of client devices and forward to Splunk server
cat /var/log/pwnix/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' | awk -vRS='\nStation MAC' 'NR==2 {print}' | egrep -v "First time seen|^$" | awk -F"," '{print$1","$6","$7,$8,$9,$10,$11,$12,$13,$14,$15,$16}' | tee "${local_logpath}"/airodump-known-clients | logger -u /tmp/ignored -d -P 514 -t wificlient -n "${splunk_server}"

# Create initial list of APs and forward to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' | awk -vRS='\nStation MAC' 'NR==1 {print}' | egrep -v "^BSSID|^$" | awk -F"," '{print$1","$14","$6}' | tee "${local_logpath}"/airodump-known-APs | logger -u /tmp/ignored -d -P 514 -t wifiap -n "${splunk_server}"

The “tr” commands strip out the MS-DOS newlines and binary blobs. The first “awk” command then splits the wireless AP/client sections into a simple comma-separated list of each device type, then the second “awk” command organizes the output into the desired format for our syslog entries. The “tee” command writes the initial list of known APs/clients to a local file, and “logger” then forwards that same list to the Splunk server.

We now want to keep an eye on the Airodump CSV file and forward any newly detected APs/clients to Splunk. This is accomplished with the following while loop:

while [ 1 ]
do

# Extract wireless clients from airodump CSV file, append newly detected clients to airodump-known-clients, and forward newly detected clients to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' | awk -vRS='\nStation MAC' 'NR==2 {print}' | egrep -v "First time seen|^$" | awk -F"," '{print$1","$6","$7,$8,$9,$10,$11,$12,$13,$14,$15,$16}' | grep -vxf "${local_logpath}"/airodump-known-clients | tee -a "${local_logpath}"/airodump-known-clients | logger -u /tmp/ignored -d -P 514 -t wificlient -n "${splunk_server}"

# Extract wireless APs from airodump CSV file, append newly detected APs to airodump-known-APs, and forward newly detected APs to Splunk server
cat "${local_logpath}"/airodump-01.csv | tr -d '\r' | tr -cd '\11\12\15\40-\176' | awk -vRS='\nStation MAC' 'NR==1 {print}' | egrep -v "^BSSID|^$" | awk -F"," '{print$1","$14","$6}' | grep -vxf "${local_logpath}"/airodump-known-APs | tee -a "${local_logpath}"/airodump-known-APs | logger -u /tmp/ignored -d -P 514 -t wifiap -n "${splunk_server}"

# Repeat every few seconds
sleep 3
done

The “tr” and “awk” commands serve the same purpose as when we created the initial list of APs/clients above. With the addition of the “grep -vxf” command, however, we can effectively de-duplicate our results by excluding any “already known” AP/client devices from our output, and “tee -a” then appends any newly detected devices to the original list.
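The same parse-and-de-duplicate step as an added example, not code from the original post: it selects the AP and client sections by their header rows and tracks known devices by MAC address, so a client whose probe list changes between snapshots is not logged twice. The function names, the output field order and the sample snapshot are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): parse an airodump-ng CSV snapshot
# by section header and report each device once, keyed by MAC address.

# parse_airodump FILE -> "wifiap,BSSID,PRIVACY,ESSID" / "wificlient,MAC,BSSID,PROBES"
parse_airodump() {
    # Clean-up as in the post: drop CRs, then keep only tab, newline, printable ASCII.
    LC_ALL=C tr -d '\r' < "$1" | LC_ALL=C tr -cd '\11\12\40-\176' | awk -F',' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        # Join fields from..to; ESSIDs and probe lists may themselves contain commas.
        function join(from, to,    i, s) {
            s = trim($from)
            for (i = from + 1; i <= to; i++) s = s "," $i
            return trim(s)
        }
        /^BSSID/       { section = "ap"; next }       # header row of the AP section
        /^Station MAC/ { section = "client"; next }   # header row of the client section
        NF < 6         { next }                       # blank or truncated line
        section == "ap"     { print "wifiap," trim($1) "," trim($6) "," join(14, NF - 1) }
        section == "client" { print "wificlient," trim($1) "," trim($6) "," join(7, NF) }
    '
}

# new_devices FILE KNOWN -> only records whose "type,MAC" key is not yet in KNOWN;
# new keys are appended to KNOWN so the next snapshot skips them.
new_devices() {
    [ -f "$2" ] || : > "$2"
    parse_airodump "$1" | awk -F',' -v known="$2" '
        BEGIN { while ((getline k < known) > 0) seen[k] = 1; close(known) }
        { key = $1 "," $2 }
        !(key in seen) { seen[key] = 1; print; print key >> known }
    '
}

# Constructed sample snapshot (not captured data): CRLF endings, a control byte in
# one ESSID, a comma in another. $2 optionally replaces the first client's probes.
make_sample() {
    {
        printf '\r\n'
        printf 'BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key\r\n'
        printf '02:00:00:00:00:01, 2014-02-26 10:00:00, 2014-02-26 10:00:05,  6,  54, WPA2, CCMP, PSK, -40, 10, 0,   0.  0.  0.  0,   8, Expo\001WiFi, \r\n'
        printf '02:00:00:00:00:02, 2014-02-26 10:00:01, 2014-02-26 10:00:05, 11,  54, OPN, , , -60, 4, 0,   0.  0.  0.  0,  11, Cafe, Guest, \r\n'
        printf '\r\n'
        printf 'Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs\r\n'
        printf '02:00:00:00:00:0A, 2014-02-26 10:00:02, 2014-02-26 10:00:05, -50, 12, 02:00:00:00:00:01, %s\r\n' "${2:-HomeNet}"
        printf '02:00:00:00:00:0B, 2014-02-26 10:00:03, 2014-02-26 10:00:04, -70, 3, (not associated) , \r\n'
        printf '\r\n'
    } > "$1"
}

# Demo: the first pass reports all four devices, the second pass reports nothing.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/airodump-01.csv"
new_devices "$demo_dir/airodump-01.csv" "$demo_dir/known"
new_devices "$demo_dir/airodump-01.csv" "$demo_dir/known"
rm -rf "$demo_dir"
```

On the sensor, the output of `new_devices` would be piped to the same `logger` command the post uses, with the first field serving as the record type.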

Pwnie-Splunk Dashboard Screenshot

Running this demo live at both the Splunk and Pwnie booths made one thing quite clear: It’s 2014, and most security conference attendees still do not disable the Wifi or Bluetooth functions of their mobile devices while on the conference floor. Within 10 minutes of launching the demo, over 1000 mobile devices appeared on our Pwnie-Splunk dashboard.

Yikes.

Pwn All the Things: State of the Modern Penetration Testing Toolkit

I recently had the opportunity to speak at San Francisco Security Bsides with Sam Stelfox. We decided to investigate a topic which is very important to us. At Pwnie Express a lot of the work we do falls into the category of “Platform Development”. For our package repositories we rely on the Kali package repos and decided to investigate that set of tools in more depth.

Penetration testing professionals often depend on a complex and largely undocumented ecosystem of tools created by a wide variety of individuals. If you are staking your professional identity on freely available security tools it is crucial that you ask a few questions of those tools:

  • Is it stable and reliable?
  • What language is the tool written in?
  • Is the tool properly licensed to be used or modified as needed?
  • Is the project being actively maintained and developed?
  • Is the source code publicly available and being managed through some sort of revision control?
  • Are the tools safe to use?

In our research we combed through 369 different tools and asked these questions of each one to evaluate the state of the tools available to us, to users of our products, and to Kali Linux users in general.

Research Results

In general the tools were not in a bad state. The median project length was 2.3 years with the longest running active tool being developed for over 17 years. Those numbers are positive, but there were also a large number of tools which had never been updated since their initial release.

The openness of the source and version management was not as promising.

This was quite surprising when we considered how important this sort of technology is for our workflow. This was a clear sign to us that many of these tools were not being developed with any sort of software engineering best practices.

The licensing situation was also not ideal. GPLv2/GPLv3 took the lead followed by MIT and BSD. However the number of unlicensed tools was much higher than we would have liked.

The long tail of other licenses speaks to a need for more consensus on how open software should be licensed, both to protect the intellectual property of the developers and to allow people to freely modify and update the code to meet their own needs.

Another common problem we encountered was “bit rot”. This occurs when a project is left unmaintained for an extended period of time. Dependencies can change or be deprecated, processor architectures can change or APIs might vanish or change. All these can contribute to a tool that was working ceasing to function. This is generally not hard to fix, but only if the code is available in such a way as to encourage people who are using that particular tool to submit fixes or contact the maintainer directly.

Recommendations

We had a few general recommendations for anyone releasing an open source security tool or script to follow:

  • Licenses: License your tool in the appropriate way. We suggest TL;DR Legal as a place to start understanding the implications of different licenses.
  • Version Control: Use public version control such as GitHub to host your code and maintain a free place to host documentation and stimulate collaboration.
  • Code Quality: Take the time to learn coding best-practices for the language you choose to use. Well written code is much easier to maintain over time.
  • Documentation: Document your project for users as well as other coders who may need to modify or work on your code.
  • Output: Generate outputs that are both human readable and consumable by other scripts and tools. For GUI tools make sure you have an export option into a standard format such as XML or CSV.

Our full slides and research data are available here. Hopefully Bsides will also post a video of our talk soon!

If you are in the Bay area come say “Hi” at our RSA Booth (#2513).

Pwnie Tuesday at RSA

Today was another great day at RSA with an entire day on the floor. While this may seem like an awfully long time to be standing on your feet and mingling, the atmosphere and floor activity kept the Pwnie Team energized throughout the day. The morning started with an influx of conference attendees. We were excited to see that most were familiar with Pwnie Express and quite enthusiastic about the new logo and Pwnie gear.

Later in the morning I visited the Splunk booth #2835 where Pwnie Express’s CEO Paul Paget and founder Dave Porcello set up a Pwn Plug R2 demo that quickly discovered over 1,000 wifi connections in the exhibit hall. This not only caught conference attendees and exhibitors by surprise, but also left them hastily checking their cell phones to turn off their wifi connections. The result proved to be a fantastic way of pointing out the vulnerabilities in today’s security, specifically in terms of wireless connectivity.

I also took a little bit of time to walk the exhibit floors and interview attendees about RSA and their main takeaways (check back for these on our blog page soon), in addition to taking a couple of awesome interviews with Pwnie Express customers. As half of our partner booths are located on the North Expo, I gained a nice comparison to the South Expo. While the North Expo contains much larger booths, flashy flat screen displays, meeting spaces, and presentations, the South Expo had a much more intimate feel to it. The North Expo did provide quite a bit of glitz and glam as well as really cool booth designs. Both exhibit spaces are of equal size and each Expo contained roughly the same number of attendees in it. But what was really interesting to me was that the South Expo with its smaller booth sizes and limited hall space was teeming and buzzing with activity. A mix of well-established companies and recent start-ups, the South Expo is what drew the most attention as people seemed to be more interested in and curious about the latest technology and developments in the security space. It struck me as almost a comparison between a popular, well-advertised restaurant chain that everyone has to be at least familiar with – essentially a reliable brand that guarantees the same menu in contrast to a small, local restaurant that promises a unique and dynamic flavor. The innovation and new developments of security solutions in the South Expo is what drew more business conversations to take place in the South side. Tomorrow will be another exciting day of general RSA interviews of attendees who stop by the Pwnie Express booth. And have I mentioned the special show pricing on our products that will save you hundreds of dollars? Stop by booth #2513 before products run out and enter to win a PwnPad 2014!

 

 

Pwnie Express Arrives in San Francisco for RSA and BSides

Gabe Koss and Sam Stelfox present at BSides

As Pwnie Express arrives in San Francisco for RSA and BSides, we will be posting a daily blog to share what we are seeing and doing. Our team of Pwnies is excited to meet many of the people using our products, talk about the cool new things we are doing and engage with the industry on ways to use Pwn Plugs and Pwn Pads. If you deal with the challenge of assessing remote locations and wifi, you will see capabilities that dramatically improve visibility and assessment capability, especially to remote sites and “see all the things.”

Here is a quick summary of what to expect at RSA and why you should stop by the booth:

  1. We will be showcasing the Pwn Plug R2, successor to the award winning Pwn Plug Elite, plus the Pwn Pad 2014, the most recent version of the way cool Pwn Pad for security professionals. Of course, we will be offering special show deals and selling products from the Pwnie stable, Booth 2513 in the South Hall.
  2. For the first time we will be showcasing our demo of Tenable’s Nessus product running as part of a fully equipped Pwn Appliance. We have recently established Pwnie Express as a strategic alliance partner with Tenable. The combination of Pwnie Express and Tenable solves the real world challenge of fully testing remote branch offices, sites and their wired and wifi devices.
  3. See another first, Pwnie Express demo with Splunk, showing how the Pwn Pad R2 can do site surveys on demand while feeding a real time view of all the wireless devices running within the vicinity of the Splunk and Pwnie booths. The data feed provides a powerful new source of visibility to organizations that need to see and monitor all the things coming in and out of their remote sites, including both wired and wireless. This capability is especially helpful in identifying rogue devices before they can do damage.
  4. We will also be interviewing users on camera (with permission) to share their stories about how they use their Pwn Plugs or Pwn Pads, so come on by Booth 2513 and tell us your story!

For BSides participants a couple of our experts will talk about how to “Pwn All the Things.” Gabe and Sam will talk about some of the tools pen testers may be missing in their bag of tricks, and how to keep pace with the evolving environment where more and more “things” are part of the security assessment and penetration testing challenge.

Now, if you are not attending these events, please send us an email and we will be happy to schedule a briefing for you on any of the topics above. We will be posting a blog daily this week to talk more about what is happening at the events and share what we learn. Adios.

Networking and Welcome Reception at RSA

Today the Pwnie Team set up booth #2513 with all of its cool new gear and cloud central demo. The floor was bustling with last-minute exhibitor setup activities before RSA opened its doors to visitors while our in-house sales engineers Kevin and Don completed a fantastic job of setting up the Pwnie demo. Located on the South Expo, the Pwnie Express booth had a great start to the week with both newcomers as well as supporters stopping by within the first few hours. Among them were SyncState LLC, SecureNinja, Rift Recon, and Treadstone Security Services who stopped by to say hello and to show their support. The Pwnies also took down visitors’ info for what were the first of many entries for the exciting Pwn Pad 2014 giveaway.

This is my first time at RSA, and the atmosphere is exciting, if not addicting. Each company’s team seemed both excited as well as a bit competitive in terms of comparing other booths to their own; each trying to outdo the next with unique signs, gadgets, and booth floor layouts. Meanwhile, each group tried to start off the week with an active networking pace, proudly giving out their sales pitches, curiously eyeing their neighbors’ booths, and assigning last-minute strategies and tips to their teams. Walking the exhibit floor with my camera made me amazed at the number of small, dynamic cyber firms in the security space. At the same time, I am extremely proud to be attending RSA as a member of such a cutting edge, sophisticated, startup company that sets itself apart in the market by having the only technology that assesses both wired and wireless network security in remote locations. The first few hours of networking with new and old contacts this evening are a great preview of a productive and exciting week for the Pwnies at RSA!

 

The State of Open Source Pentesting Tools

Penetration testers rely heavily on a challenging combination of open source and proprietary software. Most of these tools are available for free through various software repositories but who makes these tools and who maintains them? How up-to-date and robust is the ecosystem on which we stake our professional careers and test the security of some of the most important systems on the planet?

At Security B-Sides in San Francisco, Pwnie Express developers Sam Stelfox and I (Gabe Koss) investigate the state of many uncommon and well-established tools. This talk looks at the various tools which are publicly available via the Kali Linux repositories from the perspective of software development, maintainability and professional reliability.

In this talk we will:

  • Present statistical information about these tools
  • Place shame on projects which need to be better maintained
  • Highlight tools which are doing a good job
  • Make solutions to help the community at large better curate this complex ecosystem of tools

Drop by our talk at 4pm in the Main Room (Track 1) of the DNA Lounge.

About Security B-Sides

Security B-Sides is the first grass roots, DIY, open security conference in the world!  Security B-Sides is a great combination of two event styles: structured anchor events and grass-roots geocentric events. B-Sides San Francisco is a 2-day information security conference taking place on February 23rd and 24th at the DNA Lounge. Each day will feature two speaking tracks. Admission is free, on a first-come, first-served basis.

Click here to learn more about B-Sides San Francisco.

Tenable’s Nessus® Software Now Available on Pwn Appliance

Empowers On-Demand Anywhere Network Assessments

February 13, 2014

Pwnie Express, the only technology to assess wired and wireless network security in remote locations on demand, today announced that it will extend Tenable Network Security, Inc.’s real-time vulnerability and threat management to Pwnie customers’ remote, hard-to-reach locations.

Pwnie Express’s smart devices allow organizations to see all the things on both wired and wireless networks in their far-flung and out-of-the-way locations. Thousands of enterprises rely on Pwnie Express’s innovative sensors to conduct penetration testing and provide unprecedented insight into their entire infrastructure. Now, Pwnie Express gives customers the power of Tenable Network Security’s leading Nessus® vulnerability scanner to provide patch, configuration and compliance auditing; mobile, malware and botnet discovery; and sensitive data identification at any location, any time.

With Pwnie, a Tenable Edge Global Partner Network channel partner, organizations can opt to use the Nessus software on the Pwnie Appliance or implement the solutions in tandem. Organizations globally already are seeing the value.

“The combination of Pwnie Express security devices and Tenable’s vulnerability scanning provides organizations unparalleled reach and visibility in to remote locations and wireless end points,” said Ed Skoudis, InGuardians Co-founder and SANS Institute Fellow. “This combined offering gives users a cost-effective, on-demand discovery and assessment solution that is unmatched in the industry today.”

Jack Huffard, President and Chief Operating Officer at Tenable said: “Pwnie is pioneering new ways to help organizations quickly secure their most remote assets and we are thrilled that their customers can leverage our powerful Nessus solution.”

Pwnie Express’s CEO Paul Paget, added: “Our state-of-the-art enterprise security intelligence addresses today’s threats in both wired and wireless networks. The ability to work with the leading company in vulnerability and threat management, Tenable Network Security provides the broadest view of all the potential threats for customers.”

About Pwnie Express
Pwnie Express is the leading provider of innovative sensors that assess network security risks in remote and hard to reach locations. Thousands of enterprises and government organizations worldwide rely on Pwnie Express’s products to conduct drop-box penetration testing and provide unprecedented insight into their distributed network infrastructure. Pwnie Express’s smart devices allow organizations to see all the things while leveraging open source tools and platforms. The award-winning products are backed by the expertise of Pwnie Express Labs, the company’s security research arm. The company is headquartered in Boston, Massachusetts. For more information contact http://store.pwnieexpress.com
