Combatting the ‘evil Internet of Things’

A recent survey of over 400 global IT security pros revealed that fears over the security of connected devices have risen sharply since last year, writes Peter Reid, executive head of Intervate.

In all, 86% of respondents to security analysts Pwnie Express’ survey said they were worried about device threats – with 50% either ‘very’ or ‘extremely’ concerned. Many had even witnessed attacks first-hand.

Connected, smart devices are rapidly advancing into almost every area of our lives: our homes, our cars, our offices, and even our bodies. Most market commentators forecast tens of billions of connected devices by the end of the decade.

However, while we remain in a state of enchantment over the possibilities of the Internet of Things (IoT), too few consumers and businesses are stopping to think about the critical security concerns the IoT revolution brings.

A fundamental adage of security is that the more devices you have connected to a network, the more attack vectors are exposed.

Although one of the biggest drivers of IoT adoption is sharply falling costs, the repercussion of this is that many connected sensors and devices are stripped down to the bare minimum – with insufficient consideration for encrypting and protecting those devices.

Not just a ‘dumb sensor’

As consumers we forget that even the most basic sensor is actually a small computer, a fully-fledged von Neumann machine with its own processing and integration capabilities. Once we recognise this, we see that any connected object can potentially be hijacked and used for malicious purposes.

Vulnerabilities abound wherever these devices are connected to wireless networks: whether that’s Bluetooth, NFC, WiFi, 3G, or any other form of wireless protocol.

Many ask what the real risk would be if somebody were able, for example, to hack into their home thermostat or their connected toaster.

While it’s obviously unlikely that anyone would want to hack into your connected home infrastructure just to change the temperature of your living room or burn your toast, that wouldn’t necessarily be the attacker’s end goal.

Attacks often work in a progressive manner, where one small breach opens up opportunities to penetrate other areas of the network and cause more damage. Attackers might compromise a printer on a corporate network to sniff for passwords that would then let them configure their own admin access.

So, the printer, or the thermostat, might just be the first step in a long chain of progressive breaches.

Why Does the Community Like Mr. Robot?

Mr Robot is a good representation of real hacking

Surf channels most times of the day and you’ll see someone in scrubs, possibly in an operating room.

Most TV stations have at least one show where there’s a doctor doing doctor-like things, and we find that intriguing and interesting. These are shows dealing with severe matters of life and death, showing people (just like us!) doing very important things: operating on heart ventricles and finding bleeding and doing other things we can’t pronounce the medical terms for.

Do you know who probably dislikes these shows the most? Actual doctors. They groan at accuracy issues and at the fact that everyone looks well rested and collected. The rest of the public has this issue, too: everyone who watches a show about their own field sees an exaggeration and distortion of what actually occurs in it.

Every cop show that’s out there? Watch with real cops, and you’ll see the police officers thinking to themselves at certain points: no, that’s not how you do the process. Firefighters don’t have lives quite like that. Lawyers aren’t always that well dressed.

And hackers are the same, if not worse.

Hackers have been subject to the worst stereotypes in TV. Doctors can complain about the details, but they’re not always the bad guys or resident “nerd type.”

TV shows treat hackers like a magical mythical beast who allows the storyline to move along – the MacGuffin.

A simple “I can do this” at the computer and it’s working now. Or does the detective need a clue? Send the awkward guy in glasses to the computer for two seconds, rinse and repeat. Is a character socially awkward or devious or criminally intent? These are the stereotypes we’re usually forced to deal with.

It’s not all bad. To some degree, hackers in general have been OK with the status quo; the reality is that we don’t really care so much about how we’re portrayed. TV is fiction, but what we want is to at least be represented as intelligent and as doing our craft well. Most of these shows have failed in that department. Some of the better examples include the infamous NCIS scene with two people working on one keyboard, the numbers scene (now a meme) using Visual Basic, or really most of CSI: Cyber.

Mr. Robot is a refreshing and wonderful instance in history where we actually get to see an attacker – Elliot – and his crew doing technically sound and accurate hacking.

It’s as if you saw an ER show where the doctors talked about the procedures that needed to occur (in the way that they actually would) and prescribed the things that would show up in real life. Mr. Robot resonates not only because it’s a good TV show, well made with a thought-out storyline, but because it shows a hacker as more than a one-dimensional character – he’s the doctor operating on TV when the real doctors approve of how the scalpel is being used.

I and the Pwnie team are big fans of the show, and what we’d like to do is to help further the discourse – a lot of people talk about how well thought out the attacks are, and have walked through the technical details of how they were done. We want to acknowledge the elephant in the room: these are unauthorized attacks on systems.

Hackers work for good, but the show also needs to serve as a lesson to the good guys on how to protect ourselves. So because we’re Pwnie Express and defensive in nature, using the red team to protect the blue team, in the lead-up to Season 2 we will be doing an ongoing series of posts on what would have stopped some of these attacks, and what would have been more effective defenses against the attacks seen in Mr. Robot.

Stay tuned
Jayson E. Street

Congratulations (and some cool Pwn Pad ideas)

Bradley Reed - Winner of the Pwn Pad 4 Giveaway

Congratulations to Bradley F. Reed of the NASA IV&V team, the winner of our Pwn Pad 4!

It was pretty tough to choose, though. We had some great responses from InfoSec pros of all types. Don’t believe me? Check out their creativity for yourself:

Some people just wanna test:

  • “We would use this to detect rogue devices and vulnerabilities in our corporate space as well as branch offices and international offices. Due to the form factor of the Pwn Pad, we would be able to do this more discreetly than with a laptop loaded with external adapters. We would then take the information gathered to use in an employee awareness program that will help strengthen our overall security.”
  • “I would use the Pwn Pad for doing spot testing and risk assessments for our 45 field locations.  Generating awareness around these weak spots in our corporate edge is always a challenge, being able to spot check them when we visit the sites would give us a definite leg up!”
  • “Our organisation always has security concerns. Our franchises are allowed to adopt their own technology to use our systems. The Pwn Pad would be a great tool to help us audit our franchise partners.”
  • “I manage IT Security at a credit union with 30+ branches. We would use the Pwn Pad for spot audits at each branch as well as investigations when, e.g., one of the branches was breached overnight and we want to do a sweep of the space. Also, I think we could adapt/use the Pwn Pad.”

Others got creative:

  • “Emulate attacks to my company to enable the Blue team to understand malicious behaviour, so that a USE CASE can be created for the SIEM. An alert can be created from this which can be triaged with other alerts to understand from start to finish the process of a full-blown attack. So you start threat modeling to create, say, a top 20 of likely attacks or malicious behavior.”
  • “Blue Team mostly but some Red. We are very trusting and I work across several departments. It would be cool to see what is different between each department, position, etc. based on what they do. Some are super secret (or claim to be) and others are very public. It would be fun to see what is really revealed.”

It’s a validation tool:

  • “At work I would love to have a device I could use to validate the security of Bluetooth-enabled (medical) devices. Personally I would like to evaluate the Pwn Pad and bring it to the attention of our state government. I think we could look to include such a device in a jump bag when we are responding to an event.”
  • “Red team or Blue team? YES! But mostly red team operations, since we’re testing our standing tools for effectiveness. Let’s start that bad boy up and rip through the network like buttah! We have a lot of world-class tools in place, but the Pwn Pad could challenge the effectiveness of the integration between those tools. It’s perfect for finding those holes.”
  • “I would use it to regularly test network & wifi controls across our key offices, to enable us to identify the high-risk vulnerabilities to focus on.”

Want to scare management?

  • “I find the Pwn Pad to be a very valuable tool when trying to convince management there are aspects of our security that need to be addressed.”
  • “Purple Team. (Well, more bluish.) I’d use it as an aegis to show flaws inherent in BYOD policies and why standards are necessary. As well as why the expectations of ‘free wifi’ are risky, why always-on services are a bad idea, and why encryption/security are necessary in this always-on/connected economy. I fight for the users.”
  • “We are trying to convince our leadership team to invest in security. The Pwn Pad would go a long way towards demonstrating how easily our network can be breached. By a casual tablet user, no less!”
  • “Red Team – A Pwn Pad would be both useful and fun to help make the point that things need to change in an uncontrolled BYOD culture. Making a couple of high-visibility examples would drive the point home and get authorization for a central monitoring project.”

Pwnie Express and Norwich University Identify and Neutralize Cyber Threats at Super Bowl 50

Boston, MA – June 8, 2016 – Pwnie Express, the leader in connected device threat detection, today revealed its successful partnership with Norwich University to identify and neutralize connected device threats during Super Bowl 50.

As one of the most technologically capable stadiums in the world and home of Super Bowl 50, Levi’s Stadium has more than 1,200 Wireless Access Points specifically designed to provide consistent, secure, on-demand connectivity to each of the 77,000+ guests. Norwich University, in partnership with local, state and federal law enforcement, was tasked with providing direct cyber security and threat detection support at the venue during the international sporting event.

Norwich University selected Pulse, the Pwnie Express SaaS platform, to monitor and protect critical infrastructure and devices, as well as identify and alert on any malicious activity during the Super Bowl – including Denial of Service (DoS) attacks, Man in the Middle (MITM) attacks, card skimming, and rogue aerial drone activity. Designed to continuously and comprehensively discover wired, wireless, and Bluetooth devices in real time, Pwnie Express was chosen due to its ease of deployment, powerful real-time threat characterization engine and easy-to-use user interface.

“With five critical networks to monitor, it was crucial that we had a platform which could quickly show us what threats needed our attention immediately. With Pwnie we were able to see the full gamut of threats to the operational networks at Super Bowl 50 and focus our response activity accordingly,” said Phil Susmann, Norwich University’s Vice President of Strategic Partnerships.

Pwnie Express established a remote Security Operations Center (SOC) to monitor for any malicious device behavior, changes in encryption levels, connections to insecure access points, introduction of malicious or rogue devices and other risky behavior, leading up to and during the event.

Key Findings

As the crowd of over 71,000 fans filed into the stadium, the Pwnie Express team observed the number of total wireless clients attached to the SB50 networks surge to over 55,000.

  • Over 1,200 priority access points were detected – each of which provided wireless access via the free stadium Wi-Fi.
  • Over 9 TB of data was used by fans from pre-game start to the post-game closing.
  • Over 35,000 Bluetooth devices were present. Increasingly, this type of technology is used not only to guide users to specific locations within a geographic area, but also to conduct malicious activity. Being able to see these devices in real time made it possible to validate appropriate device behavior.
  • Several new open access points were detected during the game, a large number of which were high-definition cameras that could therefore both capture and broadcast live content.
  • An attempt to de-authorize a high-priority network being used by an event-critical organization was also detected.

“Ticket holders of major events like Super Bowl 50 pay a premium not just to see the game, but to enjoy a once-in-a-lifetime experience,” noted Paul Paget, CEO, Pwnie Express. “Increasingly, connected devices are part of that experience and can be instrumental to event success. Yet the challenges that major event IT staff have to address can be daunting. Providing a rich user experience which is adaptive, responsive and all inclusive – all while detecting and mitigating malicious behavior – may seem like an insurmountable task, but with full visibility at the forefront of the event’s cyber security strategy, achieving these objectives is well within the realm of the possible.”

This year, Super Bowl 50 was broadcast in more than 180 countries in 25 languages and was expected to reach over 115 million households in the US. In the process it also set records for attendance (71,088), data usage (>10 TB total), and both unique and concurrent WiFi users, making it both the most viewed event in history and one of the most connected and data-intensive. To learn more about Pwnie Express’ partnership with Norwich University, please download the full case study here http://store.pwnieexpress.com/super-bowl-50/.

About Pwnie Express

Pwnie Express provides the industry’s only solution for continuous detection, identification and classification of wireless, wired and Bluetooth devices putting organizations at risk. Connected devices in the enterprise represent one of the fastest growing threat landscapes, unaddressed by existing security solutions. Pwnie’s SaaS platform provides complete device coverage, including employee-owned (BYOx), rogue, and company-owned devices across the entire enterprise, including remote sites. Pwnie arms security teams with the visibility and control they need to address the risk from connected devices. To learn more about how Pwnie Express can help your organization find the devices putting you at risk, visit www.pwnieexpress.com.

About Norwich University

Norwich University is a diversified academic institution that educates traditional-age students and adults in a Corps of Cadets and as civilians. Norwich offers a broad selection of traditional and distance-learning programs culminating in Baccalaureate and Graduate Degrees. Norwich University was founded in 1819 by Captain Alden Partridge of the U.S. Army and is the oldest private military college in the United States of America. Norwich is one of our nation’s six senior military colleges and the birthplace of the Reserve Officers’ Training Corps (ROTC). www.norwich.edu

Getting the Customer Experience Right

Total customer experience isn’t just about GUIs. It’s about every single touch – and the ease with which a customer can access honest and reliable information, products, people, and support. Getting it right takes focus at every level of the company. Leadership, Sales, Development, QA, Finance, Operations, and Support all need to think about how their decisions and routines affect the human being on the other end of the email, phone call, web browser, shipment, invoice, etc.

If this isn’t part of your core ethos as a company, you won’t get it right. Even when it is part of your core ethos, you will occasionally leave a customer frustrated by a product or service issue. It is your performance during these times that defines a company – do you look for excuses, or for solutions? Do you lean on your policies, or do you make better ones?

Recently, a customer looking for support got frustrated when we failed to provide a timely response to his queries. When we did get in touch with him, we were able to quickly get him back on track.

But what could we have done better?

1. Be overly accessible. Tell the people how to find you.

So how do you get in touch with us for support? There are many ways:

  1. support@pwnieexpress.com – the best way to quickly get help with your Pwnie product
  2. Call our support line at (855) 793-1337 [Mon-Fri, 0900-1700 EST]
  3. Contact your Account Rep
  4. Email me personally at aaron@pwnieexpress.com
  5. Send snail mail, carrier pigeon, or (wait for it) Pony Express (cue rimshot)
  6. We do have an IRC channel, but we prefer customers use the above methods for support issues. You will get a faster and more personalized response.

2. Keep a long view on customer lifecycles.

Companies pay a lot of attention to the first 30 – 90 days after a purchase. What about year 2, 3, or 10? It is important to make deliberate decisions about how you will support your products and customers years after the purchase. Warranties do apply, and products eventually reach their End of Life, but it is critical to communicate the plan to customers and provide paths to upgrade and maintenance.

3. Be community minded.

The Security Community continues to be a key part of Pwnie Express’ success. Your interest, support, and contributions drive us and challenge us to contribute innovations in the security space. We will continue to support and connect to the community as a foundational portion of our strategy and philosophy. Update on new Community Edition Mobile Release coming soon!

So how are we doing? Let me know at aaron@pwnieexpress.com.

Summertime Security: 5 Tips to Stay Safe on Public Wi-Fi

By Sarah Park

MeriTalk

June 6, 2016

Forty-three percent of Americans would sacrifice their personal online security for faster Internet speed, according to a recent report.

The survey, conducted by SecureAuth and Wakefield Research, dives into Americans’ perceptions around Internet speed versus personal security over public Wi-Fi, and shows Americans as a whole will latch onto any Internet connection they can get even if it’s insecure.

Pwnie Express Announces Ultimate Pentesting and Threat Detection Tablet for Cyber Security Professionals

Combines Pentesting Tools, Industry-First Low Energy Bluetooth Detection Software and Integrates With SaaS Detection Platform

BOSTON, MA–(Marketwired – Jun 2, 2016) – Pwnie Express, the leading provider of device threat detection, today announced the Pwn Pad 4, a commercial-grade security tablet designed for remote security assessment of wired and wireless networks. The Pwn Pad 4 combines a portable security detection and pentesting tool with a powerful enterprise security platform. It is the only pentesting tablet that offers low energy and conventional Bluetooth detection and fingerprinting.

The Pwn Pad 4 features the following new capabilities:

  • Blue Hydra: The Pwn Pad 4 includes Blue Hydra, the first device detection software capable of detecting low power and classic Bluetooth devices.
  • Kali Linux Rolling Distribution: The tablet comes prepackaged with the latest Kali Rolling edition, which includes an arsenal of tools and scripts for the hands-on, on-the-go cyber security professional.
  • Streamlined Configuration and Setup: The Pwn Pad 4 introduces a consumer-like setup and configuration wizard that allows customers to rapidly perform configuration, upgrading and use of non-Pwnie Android apps. The tablet is completely integrated with the Pwnie Express Pulse platform for real-time wired and wireless, BYOD and IoT threat detection.

“As the number of connected devices continues to explode, Bluetooth is increasingly becoming an easy-to-exploit threat vector,” said Pwnie Express CEO Paul Paget. “The Pwn Pad 4 provides security teams with an integrated security tablet and distributed platform to perform security assessments and pentesting, with industry-first coverage for Bluetooth.”

The Pwn Pad 4 is available now for $1,395. For more information, please visit http://store.pwnieexpress.com/product/pwn-pad-4/, contact sales@pwnieexpress.com, or call (855) 793-1337.

About Pwnie Express

Pwnie Express provides the industry’s only solution for continuous detection, identification and classification of wireless, wired and Bluetooth devices putting organizations at risk. Connected devices in the enterprise represent one of the fastest growing threats, unaddressed by existing security solutions. The Pwnie Express SaaS platform, Pulse, provides complete device coverage, including employee-owned (BYOx), rogue and company-owned devices across the entire enterprise, including remote sites. To learn more about Pwnie Express, visit www.pwnieexpress.com or follow @PwnieExpress.