20 Startups to Watch in 2015

Dark Reading

December 29, 2014

By Ericka Chickowski

 

Check our list of security startups sure to start (or continue) making waves in the coming year.

 

Pwnie Express

Founded: 2009

What it does: Pen testing products

Latest funding: $5.1 million in Series A, July 2013

Noteworthy player: Dave Porcello (founder & CEO)

Built around the grassroots success of its signature Pwn Plug device, Pwnie Express has been growing by leaps and bounds, offering penetration tester devices that make it easier to carry out the work.

(Original Article)

Gifts that Keep on Taking

For many people, the end of the year is filled with celebrations and gift-giving, both at home and at work. While it’s easy to get excited about the new gadgets and gizmos you may find yourself unwrapping, it’s important to remember that danger can be hiding in even the most innocent of devices. From tablets to flash drives, something sinister could be lurking in that shiny new device, just waiting for you to plug it into your computer.

 

Dangerous Drivers

If you’ve gotten a new piece of computer equipment, chances are it’s going to require you to install some form of driver to make it work. While you should always scrutinize software you install, drivers deserve special attention: by their nature they run with higher privileges and can dig themselves deeper into the system than other forms of software.

As a rule, if the product comes with a driver CD, don’t use it. Find the most up-to-date driver available online, and make sure it comes from the manufacturer’s official website. There’s no telling where that driver disc actually came from, or what extra software may have hitched along for a ride.

 

Funky Flash Drives

USB flash drives are now so cheap that they’re essentially disposable, making them a favorite promotional handout by vendors. Unfortunately, they are easily one of the most dangerous things you can plug into your computer.

Ideally, you should reformat the drive before your system even mounts the volume. Failing that, at least make sure all “autorun” features are turned off so that no program on the drive is able to execute when you plug it in.

 

Treacherous Tablets

The ridiculous price reductions on Android tablets have now pushed these things down into impulse-buy territory. Unfortunately, many of these cheap tablets are improperly configured, ship with outdated software, and in some cases even include backdoors.

A recent security analysis of cheap Android tablets by Bluebox Labs paints a pretty grim picture. Many of the tablets tested were susceptible to years-old system vulnerabilities, included root-level access by default, and some were so poorly configured that they would accept invalid firmware updates. That is to say nothing of the fact that many misrepresented their capabilities or hardware specifications.

 

Worth the Risk?

With so many known flaws, is it really worth entering your personal information into a $50 tablet? With as cheap as flash drives are, is it really worth using the free one you got from a vendor or competitor?

Whether an intentional act of espionage/sabotage by a competitor, or simply the luck of the draw, there’s plenty to be cautious about when it comes to technology gifts this year.

Corporate Sabotage Suspected in Steel Plant Hack

We often talk about the threat of a company hacking a competitor, either to gain some insider knowledge of the competitor’s operations, or to actively sabotage them. It’s easy to throw out hypothetical situations like this, and even easier to dismiss them as classic “Fear, Uncertainty, and Doubt” (FUD); which is too often the go-to tactic when talking about cutting edge technology that most people aren’t too sure how to get a handle on.

So when you see an article about it in the international news, it’s something of a special occasion. While unquestionably a disheartening event for the targeted company, it’s an invaluable case-study for those of us who aim to prevent this sort of thing in the future, and a stark reminder that this sort of attack isn’t just the kind of thing you see in the movies.

 

Privilege Escalation

In its 2014 report, Germany’s Federal Office for Information Security (BSI) describes a sophisticated attack carried out against an unnamed German steel company.

The first phase of the attack consisted of social engineering and targeted email phishing (often referred to as spear phishing) to gain access to the company’s office network. From there, the attackers were able to access the network which controlled the actual production of steel, which is where things get interesting.

It appears that the goal of the attackers was to slow down or halt the production of steel by interfering with the system’s ability to control the machinery. But things may have gone a little farther than the attackers intended, because when the system lost control the operators were unable to properly shut down a blast furnace. With the furnace in an undefined state, physical damage was done, though to what extent and if it was permanent was not disclosed in the report.

While the report goes on to say that any determination at this point would be little more than an educated guess, “competitive sabotage” is mentioned as a possible intent, given the extremely specific nature of the attack.

 

Sophistication

There isn’t much in the way of details about the attack; it’s unknown what kind of software was used and how it was deployed. But one thing is very clear: the attackers knew what they were doing.

Being able to take control of industrial hardware such as this (or even take control away from the operators) is a bit out of reach for the bedroom hacker; it requires knowledge of the specific hardware being targeted and of the operating systems and software used to control it.

If this sounds familiar, it’s because this attack has similarities to the infamous Stuxnet, which targeted Iranian nuclear enrichment centrifuges. In both cases, the combination of software and hardware targeted was so specific that the attack had little widespread use; it was only damaging at the location it was intended to attack.

As increasingly advanced technology becomes available to attackers, sophisticated and targeted attacks like this may move from being interesting footnotes to common occurrences.

Sony, the Media, and Cyber Threats

If you haven’t heard about the Sony breach yet, you’re probably living under a rock. Therefore, I’ll spare you the nitty gritty details that have been rehashed (over and over) to get to the meat of it: why wild media speculation is a terrible thing, and why the Sony hack may be the most important thing to happen to cyber security in the US.

First, for the terrible: starting almost at the moment of the breach, the media descended like hawks on not only the company, but the information. The most problematic thing about this has been the journalistic lack of empathy when exposing exfiltrated data that may not have otherwise been found by the average user. Like the recent iCloud scandal, much of the attention has not been on the methods of the leak – it has been on the occurrence of a leak and the view we now have into the inner workings of an influential American media company.

Thankfully, there have been many journalists who are questioning the integrity of publishing leaked information. Yes, even they see the irony of “hopping on the bandwagon,” but still feel the need to call out opportunistic posting of confidential information on celebrities, the organization, and petty details of Sony’s inner workings.

Now, after all the crazy, Sony has decided to pull the movie entirely [edit: Sony has decided not to release the movie internationally, either]. This action was in response to theaters across the country deciding not to show the movie in response to threats of violence against Christmas Day moviegoers. Potentially a reaction to the Aurora, CO shooting, Americans have become more aware of the potential for real violence in response to media portrayals. Overall, the hack and withdrawal of the movie will probably cost the studio upwards of $200 million, a figure that at this point is only being tacked on to the greater costs of the breach (and the many other sides of it that I am sure we don’t even know about yet).

Regardless of the response, the entire hack still begs the question – The Interview? Really? Of all movies to spark enough outrage that innocent lives were threatened? Seth Rogen and James Franco were the guys behind “This is the End” and “Pineapple Express,” neither one a movie known for its deep thinking and social commentary. It’s so bad that others are commenting that Seth Rogen should never have made the movie, a bold claim from an industry that has “killed off” an American president.

However, there is one good thing coming from this: people are taking cyber threats very, very seriously. In the words of the New York Times’ editorial board, a body not very used to speaking about cyber threats, “the international community needs to speed up work on norms on what constitutes a cyberattack and what the response should be.” Granted, they follow up this thought with a bit about the Internet becoming a free-for-all, but this marks a new stage in the public awareness of the threats facing businesses and governments in the cyber era. The threat of nation-states inflicting major damage on civilians as part of a cyber war is no longer a tinfoil hat theory – it’s being touted as undeniable (even before US government officials said that North Korea was responsible).

Pwnie Express on Good Morning America

Pwnie Express founder and CTO Dave Porcello was recently featured on Good Morning America to help raise awareness on the cyber attacks currently targeting hotel guests across the globe. In this segment, Dave demonstrates two of today’s most common attacks: malicious WiFi hotspots (aka “Dark Hotel” attacks or “Evil Access Point hotspots”) and keystroke logging devices (aka “keyloggers”).

As shown by our “Project Eavesdrop” experiment with NPR, these attacks can expose a tremendous amount of personal information to a cyber criminal, including:

  • All visited websites, URLs, & search keywords
  • Passwords to banking/financial accounts, email accounts, & social media sites
  • Emails, photos, documents, & software downloads
  • Internet phone calls & video chat sessions
  • Physical location / GPS coordinates

In the past, these attacks required specialized equipment and a high level of technical expertise. Over the years, the proliferation of plug-and-play “cyber espionage devices” has made these attacks easier than setting up a home router.

“Evil Access Point” (Evil AP) hotspot devices and keyloggers come in a variety of portable, stealthy form factors and can be purchased online for as little as $20.

In the first demonstration, Dave simulates a “Dark Hotel” attack showing how an attacker can use an Evil AP to obtain personal information from hotel guests. Using a setup similar to the NPR Project Eavesdrop drop box, Dave was able to see all visited websites, URLs, images, and search keywords in real-time.

Next, Dave uses a combination of SSL-bypass and Fake Login Pages to simulate a password capture attack against several email and social media accounts, as well as a credit card number capture attack through a fake hotel guest portal page.

Unfortunately, these “Dark Hotel” attacks are nearly impossible to detect by the average hotel-goer. Once a hotel guest unknowingly connects to one of these Evil AP hotspots, all their Internet traffic can be monitored, recorded, intercepted, and tampered with by the attacker.

Dave then illustrates how wireless keylogger devices (now sold at Amazon and Sears) can capture everything typed into a hotel business center or kiosk computer, including passwords and credit card numbers. Your captured keystrokes can then be transmitted wirelessly over the Internet to an attacker residing anywhere in the world.

Lastly, Dave shows how the Pwnie Express Pwn Pad can be used by a security professional to detect and track down Evil AP hotspots.

Just like we expect hotels to keep us physically safe with modern door locks and secured windows, we need to begin expecting hotels to protect us online as well. Pwnie Express and other cyber security vendors offer technologies such as Pwn Pulse that are increasingly being deployed by hotels, banks, hospitals, and other organizations to detect and disable these types of attacks.

 

Evil APs defined:

Rogue/Evil Access Points — or unauthorized and unmanaged WiFi devices — can spell the end for even the most mature of Information Security programs. Rogue APs can take many forms: non-malicious employees plugging in their own Access Points for convenience, misconfigured or unconfigured wireless-enabled printers, or a $5 USB WiFi adapter that criminals can leverage to stand up Fake Access Points from the parking lot. Whether unintentional, placed with malicious intent, or a genuine mistake, a Rogue Access Point not under your control can give criminals direct access into your internal networks.

Evil Access Points can defeat even the most stringent WIPS/WIDS deployments, as they play on the weakest portion of any Security Program – the “Human Element.” Gone are the days of criminals having to have specialized Wireless gear and intimate knowledge of *nix to do this. With minimal cost and effort, any criminal can set up an EvilAP to lure – or even force – unsuspecting employees into joining fake wireless networks masquerading as legitimate networks.
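The detection side of the Evil AP discussion above, as an added example that is not Pwnie Express or Pwn Pad code: triage a list of observed beacons against an inventory of authorized access points, flagging unknown BSSIDs that advertise a managed SSID, inventoried APs beaconing the wrong security type, lookalike SSIDs, and a single radio answering many SSIDs (the probe-answering behaviour of KARMA/Mana-style tools), ordered strongest-signal first so the nearest suspect is walked to first. The inventory, the beacon records and the category names are all constructed for this example.

```python
"""Triage observed WiFi beacons for Evil AP / rogue AP indicators.

Added example, not Pwnie Express code. Beacon records are constructed;
in practice they would be parsed from a wireless scan.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str      # "OPEN", "WPA2-PSK" or "WPA2-EAP" (constructed labels)
    signal_dbm: int    # received signal strength; higher (less negative) is closer


# Constructed inventory of authorized access points: SSID -> BSSIDs and expected security.
MANAGED_NETWORKS = {
    "CorpWiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2-EAP"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:03"}, "security": "OPEN"},
}


def _normalise(ssid: str) -> str:
    """Collapse case and punctuation so 'Corp WiFi' compares equal to 'CorpWiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def triage(beacons, managed=MANAGED_NETWORKS):
    """Return a list of (bssid, ssid, category, signal_dbm), strongest signal first.

    Categories (constructed for this example):
      evil-twin          a BSSID not in the inventory advertising a managed SSID
      security-mismatch  an inventoried BSSID beaconing a different security type
      lookalike          an SSID that normalises to a managed name but is not it
      karma-like         one BSSID beaconing three or more SSIDs
    """
    findings = []
    managed_norm = {_normalise(s): s for s in managed}
    ssids_per_bssid = defaultdict(set)
    strongest = {}

    for b in beacons:
        ssids_per_bssid[b.bssid].add(b.ssid)
        strongest[b.bssid] = max(strongest.get(b.bssid, -200), b.signal_dbm)
        entry = managed.get(b.ssid)
        if entry is not None:
            if b.bssid not in entry["bssids"]:
                findings.append((b.bssid, b.ssid, "evil-twin", b.signal_dbm))
            elif b.security != entry["security"]:
                findings.append((b.bssid, b.ssid, "security-mismatch", b.signal_dbm))
        elif _normalise(b.ssid) in managed_norm:
            findings.append((b.bssid, b.ssid, "lookalike", b.signal_dbm))

    # A radio that beacons many unrelated SSIDs is answering whatever clients probe for.
    for bssid, ssids in ssids_per_bssid.items():
        if len(ssids) >= 3:
            findings.append((bssid, "|".join(sorted(ssids)), "karma-like", strongest[bssid]))

    # Strongest signal first: the nearest suspect is the one to walk towards.
    findings.sort(key=lambda f: f[3], reverse=True)
    return findings


# Constructed scan: two legitimate corporate APs and the guest AP, one open evil twin,
# one lookalike SSID, and one radio beaconing three SSIDs (KARMA/Mana style).
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 1, "WPA2-EAP", -55),
    Beacon("CorpWiFi", "00:11:22:33:44:02", 6, "WPA2-EAP", -70),
    Beacon("CorpGuest", "00:11:22:33:44:03", 11, "OPEN", -60),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN", -40),    # evil twin, very close
    Beacon("Corp WiFi", "de:ad:be:ef:00:02", 6, "OPEN", -48),   # lookalike SSID
    Beacon("CorpWiFi", "de:ad:be:ef:00:03", 11, "OPEN", -65),   # same radio beacons three SSIDs
    Beacon("HomeNet", "de:ad:be:ef:00:03", 11, "OPEN", -65),
    Beacon("attwifi", "de:ad:be:ef:00:03", 11, "OPEN", -65),
]

if __name__ == "__main__":
    for bssid, ssid, category, dbm in triage(SAMPLE_SCAN):
        print(f"{dbm:5d} dBm  {bssid}  {category:<18} {ssid}")
```

The legitimate APs produce no findings; the three rogue radios produce four, because the KARMA-style radio is reported both for the managed SSID it spoofs and for its multi-SSID behaviour.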

 

Wireless Keyloggers defined:

Wireless keyloggers are rapidly becoming a physical security attack tool of choice. Keyloggers – traditionally found in software – allow for the storing of all keystrokes entered by the victim on the compromised machine. Criminals are now leveraging micro-USB sticks (some of which are so small you wouldn’t notice them plugged in) to capture all keystrokes on the target computer. This inevitably leads to the disclosure of passwords and other sensitive information. Today’s keyloggers use remote connectivity methods (such as WiFi or Bluetooth) to offload or exfiltrate their captured information. Since they aren’t directly tied to your organization’s wireless infrastructure, wireless keyloggers can operate virtually undetected.

 

Additional resources:

Dow Jones: “Five top cyber espionage devices”

http://thetally.efinancialnews.com/2014/09/five-top-cyber-espionage-devices/

 

Pwnie Express & NPR: “Project Eavesdrop”

http://store.pwnieexpress.com/blog/pwnie-express-on-npr/

 

Project Eavesdrop Part 1: “The Drop Box”

http://store.pwnieexpress.com/npr-blog-series-part-1-the-drop-box/

 

Project Eavesdrop Part 2: “A Week in the Life”

http://store.pwnieexpress.com/npr-blog-series-part-2-a-week-in-the-life/

 

The Evolution of Rogue Devices

http://store.pwnieexpress.com/the-evolution-of-rogue-devices/

 

Evil AP: An Introduction

http://store.pwnieexpress.com/introduction-evilap/

 

Bypassing HSTS SSL with the Mana Toolkit

http://store.pwnieexpress.com/bypassing-hsts-ssl-with-the-mana-toolkit/

 

Stealing Credentials with Fake Login Pages

http://store.pwnieexpress.com/stealing-credentials-with-fake-login-pages/

 

Mapping WiFi Networks on the Pwn Pad 2014

http://store.pwnieexpress.com/mapping-wifi-networks-pwn-pad-2014/

_______________________________________________________
If you are a security professional or commercial organization interested in detecting rogue devices that may be present within your enterprise, please contact us at 1-855-793-1337 or at info@pwnieexpress.com, and our team of security experts will be in touch with you.









Trojan USB Devices: Fact or Fiction?

When you think about the potential security risks inherent to USB devices, you probably think about issues related to USB storage: viruses, malware, and users inadvertently (hopefully) taking sensitive data out of the network with them. But with the constant miniaturization and improvement of technology, an insidious new threat is starting to emerge: trojan devices hidden in seemingly innocuous USB devices.

Recently a number of high profile publications, such as the Guardian, have been running a story where a system was apparently compromised due to malware being embedded in the USB charger for a user’s electronic cigarette.

While there is some debate about the particular story in question, the technology itself is here and is very much a real threat.

 

The Original Story

A number of sites have run pieces on this story over the past month or so, and they all point back to the same thread on Reddit, where a user by the name of Jrockilla posted an anecdote about a system that had been mysteriously compromised. After exploring all the traditional attack vectors, IT finally asked the user if they had done anything differently recently, to which he replied that he had started using a Chinese electronic cigarette which charges by plugging into the computer’s USB port. The story goes that the IT department discovered the USB charging device contained malware which phoned home and infected the computer.

Unfortunately, that’s about where the story ends. There’s no information on the USB charger or the malware it supposedly contained, and when pushed for details about what other possible explanations for the breach had been investigated, the original poster disappeared.

Eventually, one of the commenters mentioned that the story sounds suspiciously like a theoretical situation proposed by th3j35t3r, raising the possibility that this story is something of a tech urban legend that is now making its way around the Internet.

 

Plausibility

The legitimacy of this particular tale looks pretty doubtful, and it says something about the fear mongering mentality of most media outlets that anyone is even running this story (based on nothing more than a post to Reddit), but that doesn’t mean it isn’t possible.

There are a number of ways that an attack like this could be pulled off. The charger could have a small USB storage device built in which leverages the operating system’s “autorun” function to launch malware, or even a microcontroller which launches more sophisticated attacks such as BadUSB.

In his talk at Black Hat Asia 2014, JP Dunning showed a USB mouse and keyboard he modified with a microcontroller of his own design called “The Glitch”. With his microcontroller on board, Dunning was able to not only capture data, but also “type” commands into the host computer via the USB Human Interface Device (HID) protocol.

 

These types of threats can be particularly difficult to defend against; the best course of action is to have a strong policy about outside hardware being connected to the network, and to make sure that hardware is purchased only through trusted vendors.

Liability Roulette

When a judge last week rejected Target’s attempt to dismiss a lawsuit about their 2013 breach, it set a very important precedent on data breaches – Target was shown to be responsible, at least in part, for the damage that was caused by the breach. According to the decision, “Target’s actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers’ attack began – caused foreseeable harm to plaintiffs.”

If enterprises didn’t already have enough of an excuse to be worrying about breaches, this ruling adds to the worry. It serves as a reminder that not only will the organization have to pay for the breach in publicity; it will most likely be held legally liable if something goes wrong. As breaches seem to proliferate, these lawsuits will only become more common. P.F. Chang’s was dragged to court over their breach. Home Depot is facing “dozens” of lawsuits. And as the Sony hacking nightmare becomes darker, employees are considering a class action lawsuit against the company. With no credit card data involved, it is a precedent for all organizations, not just retail enterprises.

The legal tactics used in these cases have evolved along with the explosion of lawsuits. Today the enterprises themselves are not the only ones who should fear lawsuits. Target’s auditor was brought into the mess, as Target was certified as PCI DSS compliant before the breach. As we move forward, there may even be personal suits against individuals held responsible. And as the case law develops, clearer patterns will emerge – as of 2013, companies were still trying to decide whether these cases belonged in federal or state court.

With stock prices often affected only slightly by these breaches, successful lawsuits against breached organizations may actually be of great value. These data breach lawsuits may provide the extra kick needed to get retailers, in particular, to realize just how important security is.

The Evolution of Rogue Devices

It was only a few years ago that, unless you happened to be involved in international espionage, worrying about an attacker infiltrating your security with a rogue device would have been bordering on paranoia. Consumer level hardware simply wasn’t up to the task.

But today, not only are rogue devices available, they are becoming cheaper, more powerful, and harder to detect. These small devices are rapidly becoming huge threats thanks to a number of technologies making price breakthroughs.

 

ARM Single Board Computers

Easily one of the most important advancements in the world of rogue devices, the advent of low cost ARM single board computers (SBC) made the idea of a consumer-level disposable computer a reality. Not only do these devices pack enough horsepower to do legitimate security work (offensively, and defensively), but they are so small and cheap that they can be installed and forgotten about. There’s no need to worry about recovering an installed rogue device when it cost less than $50 and already delivered all of the data it collected over the Internet.

A perfect example is the massively popular Raspberry Pi. For just $35, anyone who wants one can get a full-fledged Linux computer that fits in the palm of their hand. Its small size and energy efficiency make it easy to hide, and combined with commonly available software, make it an ideal “set and forget” rogue device.

Newer devices promise to be even smaller and more powerful than the Raspberry Pi, some now going as far as to pack in multi-core processors. These devices will soon have the processing power to handle tasks which currently may be too resource intensive to perform on-site, increasing their already considerable threat.

 

Hobby Microcontrollers

Compared to a microcontroller, even the most diminutive of the ARM boards is a behemoth. Microcontrollers are still computers in the technical sense, but they are effectively only powerful enough to perform a single task. Even still, the security implications of these devices cannot be overstated.

If low-cost ARM boards have a poster child in the Raspberry Pi, the world of microcontrollers is best represented by the Arduino. This tiny board is easily programmable by even novices, and has enough input and output capability (greatly expanded by add-on modules) to perform a dizzying array of tasks. With add-on modules for Ethernet and WiFi, an Arduino only needs some clever programming to turn it into a stand-alone monitoring station that could run for weeks on batteries.

However, even that may be too pedestrian to do the threat of microcontrollers justice. The Social-Engineer Toolkit (SET) now includes multiple payloads which can be easily written to commonly available microcontroller boards. For example, the board could act as a USB keyboard when plugged into a target device, entering in rapidly and with zero errors any commands the attacker wishes.
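A defensive counterpart to the HID attacks described here and in the Trojan USB post above (a modified mouse or keyboard that “types” commands, or a microcontroller board acting as a USB keyboard), as an added example that is not code from the page, from SET or from The Glitch: scripted keystroke injection arrives far faster and far more regularly than a human can type, so a host can score a newly attached keyboard by the timing of its first keystrokes. The event stream, the device names, the 30 ms threshold and the 20-key window are all constructed assumptions; on a real host the timestamps would come from the OS input layer.

```python
"""Keystroke-injection heuristic for a newly attached USB HID keyboard.

Added example, not code from the page, SET or The Glitch. Events are
constructed (device id, seconds since attach); in practice they would come
from the operating system's input event layer.
"""
from collections import defaultdict
from statistics import median

# Assumed parameters: humans rarely sustain inter-keystroke gaps under ~50 ms,
# while scripted HID payloads type in a few ms per key with almost no jitter.
FAST_INTERVAL_S = 0.030   # median gap below this is suspicious
WINDOW = 20               # keystrokes examined after the device attaches
MIN_KEYS = 6              # fewer keystrokes than this gives no verdict


def inter_key_intervals(timestamps):
    """Gaps in seconds between consecutive keystrokes, in time order."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def classify(timestamps, window=WINDOW, threshold=FAST_INTERVAL_S):
    """Score one device's first `window` keystrokes.

    Returns ("injection", median_gap) when the burst is both fast and
    nearly jitter-free, ("human", median_gap) otherwise, or
    ("insufficient", None) when too few keystrokes have been seen.
    """
    ts = sorted(timestamps)[:window]
    if len(ts) < MIN_KEYS:
        return ("insufficient", None)
    gaps = inter_key_intervals(ts)
    med = median(gaps)
    jitter = max(gaps) - min(gaps)
    # A human who happens to hit two keys quickly still shows wide jitter;
    # injection shows a tight, fast, repeating gap.
    if med < threshold and jitter < threshold:
        return ("injection", med)
    return ("human", med)


def triage_devices(events):
    """Group (device, timestamp) events by device and classify each device."""
    per_device = defaultdict(list)
    for device, t in events:
        per_device[device].append(t)
    return {dev: classify(ts) for dev, ts in per_device.items()}


def _cumulative(start, gaps):
    """Turn a list of inter-key gaps into absolute timestamps (helper for sample data)."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed event stream: a person typing on "usb-kbd-A", a board on
# "usb-hid-B" injecting 40 keys 4 ms apart, and a barely used "usb-kbd-C".
HUMAN_GAPS = [0.12, 0.09, 0.31, 0.15, 0.08, 0.22, 0.11, 0.19, 0.27, 0.10]
SAMPLE_EVENTS = (
    [("usb-kbd-A", t) for t in _cumulative(1.0, HUMAN_GAPS)]
    + [("usb-hid-B", 0.5 + i * 0.004) for i in range(40)]
    + [("usb-kbd-C", t) for t in (3.0, 3.2, 3.5)]
)

if __name__ == "__main__":
    for device, (verdict, med) in sorted(triage_devices(SAMPLE_EVENTS).items()):
        shown = "n/a" if med is None else f"{med * 1000:.1f} ms"
        print(f"{device:<10} {verdict:<12} median gap {shown}")
```

A verdict of "injection" is a reason to block or quarantine the device before it finishes its script, not proof on its own; pairing it with a policy that only allowlisted keyboards are accepted (the “outside hardware” policy the post recommends) covers the slow, patient payloads this timing check would miss.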

 

3D Printing

A whole new dimension of rogue device threats has opened up with the increasing popularity, and decreasing price, of 3D printers. A sufficiently skilled attacker could use a 3D printer to create a passable facsimile of an existing fixture or appliance, thereby perfectly camouflaging a rogue device.

If it sounds far-fetched, think again. As far back as 2010, criminals were attempting to use 3D printers to create nearly undetectable ATM skimmers. Since then, desktop 3D printers have only become more capable and more available.

 

Staying Alert

With the increasing capability and commonality of well-hidden rogue devices, it’s never been more important to keep a close eye on your environment. Watch for hardware that looks like it’s been moved or tampered with, and don’t allow outside hardware to be brought in and installed without inspecting it first.

While it may seem like a daunting task, making it difficult for an attacker to install a rogue device is much easier than searching for one after the fact.

Leveraging InfoSec

High school physics is a lot of fun for many different reasons: experiments, math (or is that just me?), and falling things in the name of science. It’s good that I liked physics, because I’m reminded of it on a consistent basis. Though not immediately obvious, basic physics terms are used constantly in real life. One of these overused terms is leverage.

Leverage is defined as the usage of a fulcrum to amplify input force – essentially, that using a lever amplifies a person’s ability to do something. In classical physics, that something is movement of an object. In business, the term describes the “leverage” of a primary quantity of money to be used to make more. For example, the debt-to-equity ratio identifies just how leveraged a company is, generally by how much they have invested relative to their primary capital.

But physics and business aside, leverage is incredibly important to security. Most threats are really just the extended usage of one or two leveraged assets. Targeted threats are almost always based in calculated leverage – using smaller players in the quest to attack some larger target. In the case of the actual Target, that “in” was a small HVAC company. By leveraging a compromised computer, the attackers were able to access the backend of the Target system and infect the Point of Sale systems.

Another classic example of leverage in Information Security is the malware “leverage” seen in ‘bots. With one compromised computer, a single attacker can create an army.

Pwnie Express has been pointing out the importance of the remote site for a long time, as they can be extremely dangerous to the security of an overall organization by providing an “in” for the attacker. An attacker can use the credentials stolen from a remote site as leverage to access databases, headquarters, or other mission-critical sites. Rogue devices are another perfect example, though not nearly as well-known. An employee with a compromised smartphone gives attackers the perfect doorway into the enterprise.

So maybe the next time you realize that yet another security hole needs to be plugged, take a moment to thank Archimedes.

The 18 Funniest Startup Promo Videos of 2014

Inc.

November 26, 2014

By John Brandon

Want to get a laugh? These promo videos for startups this year may not compete with SNL, but they might make you chuckle.

Promotional videos can be duller than Al Gore at a government tax summit. Apparently, these companies did not get the memo about sticking to the facts. They made a funny viral video that is more about entertainment–and maybe remembering the company name.

1. Code 42
This data management company based in Minneapolis plays off the Minnesota Nice angle.

2. Poli Sippy Cup
I can relate to this dad trying to figure out how to put together a sippy cup.

3. Aromas
I am not sure if this one is laugh-out-loud funny, but it is well produced and has a heavy dose of sarcasm.

4. Pwnie Express
Mainly funny because of the setting and the side characters.

5. Poo~Pourri Toilet Deodorizers
This is one of the strangest holiday videos ever made.

6. Bedford Slims
Here’s one that is hilarious right from the start.

7. Get Final
The guy in this video looks strikingly similar to the actor in one of the other winners.

8. Heard app
This one is just bizarre enough to get your attention.

9. Signs N Bacon
It’s always fun to riff off someone who thinks he has the only good ideas.

10. Nucleus Wireless Video Intercom
I like the cut to the little girl playing electric guitar…

11. Nicer Foods
This is the worst Christopher Walken impression ever, which also makes it the best.

12. Ownzones
I mainly think this is funny because I hate pop-up ads so much.

13. Ticketleap
Make it short and play off an Internet meme.

14. Congrats
This promo video is just odd enough to keep you watching.

15. Goods of Record
This promo video for a company that curates products for men gets funny halfway through.

16. TheSquareFoot
The actor in this video just seems to have a funny expression.

17. Navdy
My favorite part is when his mom calls. Same guy in the Get Final video, right?

18. Rest
Do any of these kid “founders” remind you of you?

 

(Original Article)