Saddle Up for Derby?

That’s right – once again we’ll be hanging out at DerbyCon (as a gold sponsor, no less!)

We were going to put together another Louisville guide, but after last year we realized that the city is simply too cool – and too popular – for the likes of us to try and outdo a real guide. However, just a quick reminder (according to the DerbyCon official website) of a few of the things around the area:

  • 4th Street Live (seriously, you should check it out)
  • Muhammad Ali Center
  • Louisville Slugger Museum
  • Frazier History Museum
  • Louisville Waterfront Park
  • Kentucky Center for the Performing Arts

Obviously, plenty going on at the con itself – of particular interest is the Hackers screening… we’re (more than) a little obsessed with the movie here at Pwnie. Remember to check out the Schedule of talks and events – we’ve got a few favorites, but for the sake of fairness we’ll let you figure out which ones those are.

As usual, swag will be present and plentiful, and for the first time ever we have PWNIE PATCHES!

Most importantly, remember that we’ll have THREE different drawings, all for a year-long subscription to Pwn Pulse (including an R3 Pwn Plug!). This year we’re running things a little differently; instead of having a card dropbox, we’ll have three separate live drawings:

  • Friday at 6pm
  • Saturday at 6pm
  • Sunday at 2pm

Can’t wait to see y’all there!

#TBT To That Time We All Had a BlackBerry

I remember quite distinctly being asked a few years ago to “defend the BlackBerry.” While the devices are really quite good, the task is harder than it sounds in the era of iPhones and Androids. After grasping for an answer I finally stumbled upon “it’s professional! Do you ever see a businessman in the movies carry an iPhone?” While that may not have been the case a few years ago, today it is completely standard – and professional – to have whatever phone you’d like. BlackBerries are falling out of favor at faster rates than ever – according to The Guardian, BlackBerry users have fallen from 80 million to 50 million and the number is still dropping.

BlackBerry did hold a position of some importance in business technology for a long time, and it relied heavily on its reputation as secure, controlled, and uniform. The company even wrote on its blog about the challenges of cybersecurity in the enterprise and why a BlackBerry device is a good choice for cybersecurity. Their answer was really very simple: BlackBerries are easily controlled by IT, and if your employees can’t make choices about technology, then they can’t make bad choices about technology.

Neither this post nor this webinar will be about BlackBerries in particular, but about much larger issues – the reality of BYOD (Bring Your Own Device) in financial institutions, the problem of cybersecurity in financial institutions, and the fact that one is contributing to the other.

BYOD Is The New BlackBerry

While many people think of financial cybercrime as being the work of foreign criminals on a computer, those criminals are often aided by an unexpected (and unwitting) ally in your office – any one of the many employees walking around with a personal device that happens to be connected to your network, email server, or other sensitive information. More employees than ever are walking around with these kinds of devices. BYOD (Bring Your Own Device) isn’t going anywhere – IDC predicts that by 2016 there will be 480 million smartphones sold, 65% of which will be heading into a BYOD environment. According to a recent Cisco study, 69% of decision makers in the US feel that BYOD is a good thing for their organization.

Unfortunately, we haven’t shifted our mentality to reflect these changes. Though according to SecureEdge a whopping 80% of all BYOD is completely unmanaged, the security thought process is the same – lock everything down. A SANS Institute Research Survey found that “more than 50% of organizations rely on their users to protect personally owned devices.” Well, what could be done? It’s actually not as complicated (or costly) as one may think.

Our September 1 webinar on Wireless devices discussed the various ways that organizations are trying to lock down their security with hardened outer defenses while ignoring internal threats. While these statistics are disheartening, they are also for industry in general. The outlook in the financial industry is not quite as bleak – with security budgets for the financial industry topping $9.5 billion in 2015, one would hope so. But what does it look like on the ground?

We will continue this exact conversation with the Security Weekly crew on Wednesday, September 30 to hear a panel of experts discuss what it’s actually like to implement a secure, effective BYOD policy.

REGISTER HERE for the webinar

Can your network withstand the Internet of Evil Things?

Network World

September 18, 2015

By Linda Musthaler

The Internet of Things is here—tens of billions of devices that are Internet-connected for various business purposes. But some of those devices have a malicious purpose.

From cars to home electronics to medical machines and industrial sensors and controls, all types of devices are gaining the ability to communicate. Generally this is known as the Internet of Things (IoT), although Cisco refers to it as the Internet of Everything (IoE).

IoT is enabled by several factors, including: the ability to add inexpensive sensors and communication capabilities to all types of devices; the adoption of IPv6 as a standard communications protocol, thus enabling billions of devices to be uniquely identifiable; and the ubiquitous nature of communication channels such as WiFi, Bluetooth, cellular, satellite and wired networks.

IoT is sure to bring a lot of value to businesses. GE estimates that the “Industrial Internet” alone has the potential to add 10 to 15 trillion dollars to global GDP over the next 20 years. Cisco forecasts $19 trillion in global economic value created by IoE by the year 2020. In terms of the sheer numbers of Internet-connected devices, ABI Research forecasts that the number of devices will exceed 40 billion in the next five years.

That’s a lot of devices creating a lot of value, and while most of those devices will perform some type of beneficial activity, it isn’t all rainbows and sunshine.

Even as IoT grows exponentially, the ability to monitor and secure these devices lags far behind and, in many cases, is completely non-existent. Cyber spies and cyber criminals of every ilk will surely parlay this technology into a new threat vector, which network visibility company Pwnie Express calls “the Internet of Evil Things” (IoET). Malicious actors are already utilizing IoET to surreptitiously steal data and information, to spread malware, to create botnets, to launch denial of service attacks, to commit industrial sabotage, and to infiltrate public and private networks.

Pwnie Express recently published the industry report The Internet of Evil Things: The Rapidly Emerging Threat of High Risk Hardware, which outlines threats from all sorts of rogue devices, including:

  • Rogue/unauthorized/evil wireless access points
  • WiFi/Bluetooth hacking gear
  • Hacking/pentesting drop boxes
  • Mobile/cellular hacking gear
  • Wireless keylogger hardware
  • Covert micro-computing devices

(Original Article)

Interview With Pwnie Express

Pentest Magazine

September 4, 2015

By Pentest Magazine

Pwnie Express was founded in 2010 by Dave Porcello, who developed the original Pwn Plug to fulfill his own penetration testing needs while working as the IT Security Director at Vermont Mutual Insurance Group. Since its founding, Pwnie Express has become the world leader in remote security assessment, and the first company to empower organizations of all sizes with a full visibility and threat detection platform that discovers and alerts unknown or high-risk devices and their potential threats wherever they exist on the network.

Through its enterprise-class Pwn Pulse platform and its long-trusted Pwn Plug, Pwn Phone and Pwn Pad devices, Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad”, unauthorized, vulnerable, and suspicious devices. Pwn Pulse enables central management from a single cloud dashboard for scalable, continuous intelligence across the enterprise, as well as remote and branch locations.

Backed by the powerful security research of Pwnie Labs and regular feedback from customers and community partners, Pwnie Express helps its customers reduce the attack surface created by the explosion of devices introduced by Bring Your Own Device (BYOD) and the expansion of threat vectors brought on by the Internet of Things (IoT). It is headquartered in Boston, Massachusetts.

PenTest Mag: Can you speak to your experiences starting/developing a small company in a market as competitive as IT security?

Pwnie Express: Pwnie Express CEO Paul Paget joined founder (and current CTO) Dave Porcello because they shared a vision for how remote penetration testing tools could be used in a much more substantial way. Dave created the first Pwn Plug, which has since become the industry standard for remote penetration testing around the world. The success of the Pwn Plug led to the bigger idea of distributed pentesting, which caused Dave to seek venture funding and a CEO to help build the business. With more than 30 years’ experience bringing information security products to market, Paget had built the first company to establish penetration testing as a product, and had experience with highly secure hosted security systems. For the past 15 years, he has specialized in leading early stage companies and bringing new, innovative security products to market.

In all cases, Paul sees the primary challenge – and opportunity – as this: find a way to connect the technology to the right people who will help you with the initial phases of the product’s lifecycle. Together you shape the product into something that can be successful in the marketplace. You HAVE to be able to connect your idea to the market and find a seam where you can enter. In Pwnie Express’ case, the team leveraged the original Pwn Plug to create automated pentesting on a distributed basis. As the market shifted toward BYOD, the marketplace presented a larger problem for Pwnie to solve: the lack of visibility into devices within an organization.

PenTest Mag: Your products make heavy use of open source projects, would it be safe to say that you wouldn’t have been able to bring them to market if you had to develop all of this software in house, or pay licensing fees to include them?

Pwnie Express: No, we would not have been able to bring this rich of an offering to market without the use of open source technology. By leveraging the open source technology in the Pwn Pulse system we were able to make a collection of powerful products scalable, and at a price point that makes the solution readily available for customers. Ultimately, we have contributed to the further development of open source tools and shared them back with the community.

PenTest Mag: Could you tell us more about the Pwnie Express training, the skills and tools?

Pwnie Express: Pwnie Express offers live training for users of the mobile line of products, i.e. Pwn Pad and Pwn Phone and for users of the fixed sensor line of products, i.e. Pwn Plug R3 and Pwn Pro. The training session for the mobile and fixed line of products provides new or infrequent users of the Pwn Pad and Pwn Phone, or Pwn Plug R3 and Pwn Pro respectively, with an introduction to the hardware, the Kali-based Operating System, and product usage, configuration, updating, installation of additional software, remote access, and advanced functionality (such as NAC Bypass with the Pwn Plug R3).

The training session for the “fixed” line of products provides new or infrequent users with an introduction to the hardware, the Pwnix operating system, and product usage, including the subjects of the Pwnie UI, configuration, deployment, updating the device, installation of additional software, enabling remote access, enabling Stealth Mode and NAC Bypass (R3 only), hints & tips, troubleshooting, etc.

Both training classes are interactive, delivered online via WebEx, and attendees are encouraged to ask questions of the instructor. Training sessions usually last three hours. Afterwards attendees are provided with a recording of the session for later reference.

PenTest Mag: In terms of the OSI (Open Source Interconnection) 7 layer model, at which layers do your products and solutions operate?

Pwnie Express: Out of the box, Pwn Pulse primarily operates at Layers 2 and 3 due to our focus on device discovery. If the advanced features – such as a custom script to leverage Nmap’s Heartbleed checker – are utilized, Pwn Pulse is able to operate at layers 2 through 7.

PenTest Mag: For branch offices, are distributed servers an option? Or does each sensor communicate back to the Central Pwn Pulse system?

Pwnie Express: Each sensor is essentially a server that communicates back to the central Pwn Pulse system. The beauty of the system is that it can be shipped to remote locations, plugged in by any employee, and it will start collecting data without any special configuration.

PenTest Mag: Is the communication between remote sensors and the central Pwn Pulse system encrypted? What protocols are used?

Pwnie Express: The communication between the sensors and Pwn Pulse is encrypted. Specifically, we utilize an encrypted TLS tunnel to transmit Sensor data back to Pwn Pulse.

PenTest Mag: How is the Pwnie Express experience and intelligence translated down into the customer organization for those who do not specialize in Information Security; Risk Assessment and Security Planning?

Pwnie Express: Our solution does not require IT to put agents on employee-owned devices, the threat detection and added visibility preserves privacy and ownership so that IT does not have to interfere with the employee’s personal devices. At the same time the Pwn Pulse provides the enterprise with the ability to identify devices that do not belong in the workplace. The ability to track and know which devices are employee-owned enables them to say “these devices belong.” Pwn Pulse also provides a “safety net” for IT where they can track and monitor all employee-owned devices on an ongoing basis. For example, an employee could bring in a device that helps them do their job more effectively, i.e. a printer that connects to wifi. Employees may not realize that this printer in its default state provides a gateway into the network for an attacker. The Pwn Pulse would alert IT that the device has been added to the network and is a potential threat.

PenTest Mag: How is the pricing model structured?

Pwnie Express: Pwnie Express offers a subscription service based on the number of sensors required. Pricing starts at ~$180 per month per sensor and includes access to the Pwn Pulse system,

A la carte device prices are available at www.pwnieexpress.com or by contacting sales via phone at (855) 793-1337 or email sales@pwnieexpress.com.