Why Does the Community Like Mr. Robot?

Mr Robot is a good representation of real hacking

Surf channels most times of the day and you’ll see someone in scrubs, possibly in an operating room.

Most TV stations have at least one show where there’s a doctor doing doctor-like things, and we find that intriguing and interesting. These are shows dealing with severe matters of life and death, showing people (just like us!) doing very important things: operating on heart ventricles and finding bleeding and doing other things we can’t pronounce the medical terms for.

Do you know who probably dislikes these shows the most? Actual doctors. They groan at accuracy issues and the fact that everyone looks well rested and collected. The rest of the public has this issue, too: everyone sees in every show about his field an exaggeration and distortion of what actually occurs in that field.

Every cop show that’s out there? Watch with real cops, and you’ll see the police officers thinking to themselves at certain points: no, that’s not how you do the process. Firefighters don’t have lives quite like that. Lawyers aren’t always that well dressed.

And hackers are the same, if not worse.

Hackers have been subject to the worst stereotypes in TV. Doctors can complain about the details, but they’re not always the bad guys or resident “nerd type.”

TV shows treat hackers like a magical mythical beast who allows the storyline to go along – the McGuffin.

A simple “I can do this” at the computer and it’s working now. Or does the detective need a clue? Send the awkward guy in glasses to the computer for two seconds, rinse and repeat. Is a character socially awkward or devious or criminally intent? These are the stereotypes we’re usually forced to deal with.

It’s not all bad. To some degree, hackers in general have been OK with the status quo; the reality is that we don’t really care so much about how we’re portrayed. TV is fiction, but what we want is to be at least represented as being intelligent and doing our craft well. And most of these shows have failed in that department. Some of the “better” examples include the infamous NCIS scene with two people working on one keyboard, the Numb3rs scene (now a meme) about using Visual Basic, or really most of CSI: Cyber.

Mr. Robot is a refreshing and wonderful instance in history where we actually get to see an attacker – Elliot – and his crew doing technically sound and accurate hacking.

It’s like if you saw an ER show and the doctors talked about the procedures that needed to occur (in the way that they actually would) and prescribed the things that would show up in real life. Mr. Robot resonates not only because it’s a good TV show, well made with a thought-out storyline. Mr. Robot shows a hacker as a more than one-dimensional character – he’s the doctor operating on TV when the real doctors approve of how the scalpel is being used.

I and the Pwnie team are big fans of the show, and what we’d like to do is to help further the discourse – a lot of people talk about how well thought out the attacks are, and have walked through the technical details of how they were done. We want to acknowledge the elephant in the room: these are unauthorized attacks on systems.

Hackers work for good, but the show also needs to serve as a lesson to the good guys for how to protect ourselves. So because we’re Pwnie Express and defensive in nature, using the red team to protect the blue team, in the leadup to Season 2 we will be doing an ongoing series of posts as to what would have stopped some of these attacks, and what would’ve worked to be more effective defenses against the attacks seen in Mr. Robot.

Stay tuned
Jayson E. Street

Congratulations (and some cool Pwn Pad ideas)

Bradley Reed - Winner of the Pwn Pad 4 Giveaway

Congratulations to Bradley F. Reed of the NASA IV&V team, the winner of our Pwn Pad 4!

It was pretty tough to choose, though. We had some great responses from InfoSec pros of all types. Don’t believe me? Check out their creativity for yourself:

Some people just wanna test:

  • “We would use this to detect rogue devices and vulnerabilities in our corporate space as well as branch offices and international office. Due to the form factor of the Pwn Pad, we would be able to do this more discreetly than with a laptop loaded with external adapters. We would then take the information gathered to use in an employee awareness program that will help strengthen our overall security.”
  • “I would use the Pwn Pad for doing spot testing and risk assessments for our 45 field locations. Generating awareness around these weak spots in our corporate edge is always a challenge; being able to spot check them when we visit the sites would give us a definite leg up!”
  • “Our organisation always has security concerns. Our franchises are allowed to adopt their own technology to use our systems. The Pwn Pad would be a great tool to help us audit our franchise partners.”
  • “I manage IT Security at a credit union with 30+ branches; we would use the Pwn Pad for spot audits at each branch as well as investigations when, e.g., one of the branches was breached overnight and we want to do a sweep of the space. Also, I think we could adapt/use the Pwn Pad.”


Others got creative:

  • “Emulate attacks to my company to enable the Blue team to understand malicious behaviour, so that a USE CASE can be created for the SIEM. An alert can be created from this which can be triaged with other alerts to understand from start to finish the process of a full blown attack. So you start threat modeling to create, say, a top 20 of likely attacks or malicious behavior.”
  • “Blue Team mostly but some Red. We are very trusting and I work across several departments. It would be cool to see what is different between each department, position, etc. based on what they do. Some are super secret (or claim to be) and others are very public. It would be fun to see what is really revealed.”


It’s a validation tool:

  • “At work I would love to have a device I could use to validate the security of bluetooth enabled (medical) devices. Personally I would like to evaluate the PWN Pad and bring it to the attention of our state government. I think we could look to include such a device in a jump bag when we are responding to an event.”
  • “Red team or Blue team? YES! But mostly red team operations, since we’re testing our standing tools for effectiveness. Let’s start that bad boy up and rip through the network like buttah! We have a lot of world class tools in place, but the Pwn Pad could challenge the effectiveness of the integration between those tools. It’s perfect for finding those holes.”
  • “I would use it to regularly test network & wifi controls across our key offices, to enable us to identify the high risk vulnerabilities to focus on.”


Want to scare management?

  • “I find the pwn pad to be a very valuable tool when trying to convince management there are aspects of our security that need to be addressed.”
  • “Purple Team. (Well, more bluish) I’d use it as an aegis to show flaws inherent in BYOD policies and why standards are necessary. As well as why the expectations of ‘free wifi’ are risky, why always on services are a bad idea, and why encryption/security are necessary in this always on/connected economy. I fight for the users.”
  • “We are trying to convince our leadership team to invest in security. The Pwn Pad would go a long way towards demonstrating how easily our network can be breached. By a casual tablet user no less!”
  • “Red Team – A Pwn Pad would be both useful and fun to help make the point that things need to change in an uncontrolled BYOD culture. Making a couple of high-visibility examples would drive the point home and get authorization for a central monitoring project.”


You can buy one of your own:


Buy Now




 

Getting the Customer Experience Right

Total customer experience isn’t just about GUIs. It’s about every single touch – and the ease with which a customer can access honest and reliable information, product, people, and support. To get it right takes focus at every level of the company. Leadership, Sales, Development, QA, Finance, Operations, and Support all need to think about how their decisions and routines affect the human being on the other end of the email, phone call, web browser, shipment, invoice, etc.

If this isn’t part of your core ethos as a company, you won’t get it right. Even when it is part of your core ethos, you will occasionally leave a customer frustrated by a product or service issue. It is your performance during these times that defines a company – do you look for excuses, or for solutions? Do you lean on your policies, or do you make better ones?

Recently, a customer looking for support got frustrated when we failed to provide a timely response to his queries. When we did get in touch with him, we were able to quickly get him back on track.

But what could we have done better?


1. Be overly accessible. Tell the people how to find you.

So how do you get in touch with us for support? There are many ways:

  1. support@pwnieexpress.com – the best way to quickly get help with your Pwnie product
  2. Call our support line at (855) 793-1337 [Mon-Fri, 0900-1700 EST]
  3. Contact your Account Rep
  4. Email me personally at aaron@pwnieexpress.com
  5. Send snail mail, carrier pigeon, or (wait for it) Pony Express (cue rimshot)
  6. We do have an IRC channel, but we prefer customers use the above methods for support issues. You will get a faster and more personalized response.

2. Keep a long view on customer lifecycles.

Companies pay a lot of attention to the first 30 – 90 days after a purchase. What about year 2, 3, or 10? It is important to make deliberate decisions about how you will support your products and customers years after the purchase. Warranties do apply, and products eventually meet their End of Life, but it is critical to communicate the plan with customers and provide paths to upgrade and maintenance.

3. Be community minded.

The Security Community continues to be a key part of Pwnie Express’ success. Your interest, support, and contributions drive us and challenge us to contribute innovations in the security space. We will continue to support and connect to the community as a foundational portion of our strategy and philosophy. Update on new Community Edition Mobile Release coming soon!

So how are we doing? Let me know at aaron@pwnieexpress.com.

Policies That Work (Making IT Real)

We talk a lot about IT, but we don’t talk nearly enough about making IT real.

In particular, I’ve found that there’s a disconnect between IT – security guys in particular – and the people they’re securing. While this applies across the board, it becomes a problem when policies are being created.

One of the keys to effective security is to stop trying to create policies or procedures that aren’t going to work. It’s great on paper to require users to have fourteen-character passwords that change every day, only use Internet access for work purposes, turn off their cellphones as they walk in the door, have IT install (and fix) all printer connections, and never connect their iPads to corporate wireless. Unfortunately, these requirements work best on paper, not necessarily in reality. Security policies that users don’t buy into weaken security across the board.

When it comes to wireless in particular, it’s hard to tell users to just give up their need for constant Internet access. So I say: give them a clean, safe avenue to feed their need for unlimited access to the Internet. WiFi is so cheap – Internet connections in general are so cheap – that I suggest having open third-party wireless. It goes out to the Internet and has no connection to the internal network. You get on the VPN as if you were in Starbucks – it’s just as hostile – and you back that up with policy that says you treat that network as if you were in Starbucks. If you find a user bridging the networks, you have appropriate policy enforcement, equivalent to what you would apply if you found out that someone was publishing sensitive docs from an open, public network.

The question, then, is “What does appropriate punishment look like?” Personally, I believe in having effective policies that actually result in real change, and for that I have always found that positive reinforcement works the best. Whether positive or negative, acknowledgement either way is effective and very important. When I do a security awareness engagement (pentest) and I’ve completely destroyed the place, I spend the third day going out of my way to get caught. One time, I walked out with the business processing computer from behind a teller machine. There was a guy who had let me do lots of bad stuff, but this time he caught me. As soon as he caught me, I said “Ooh, you caught me.” Basically, I gave him the win! It was a bad situation and we found all these flaws in their security. But these four people were able to find something, and that caught their attention.

We spend too much time in our industry showing people what they did wrong. You can’t find everything that everyone did wrong. But you can show them examples of what to do right. That’s what enforcement policies should be based off of – what it looks like to do things right. When I do enforce a punishment, I go to their desk and make that employee stand right behind me and watch while I “check” at their computer, even if I already know what was wrong. I make them watch the process. And then I say “you do understand our corporate policies, right?” Usually, if it’s the first time, I won’t necessarily even report it the first time, but I do publicly show him what the right way forward is. I don’t just educate this person – I’m also trying to educate everyone around that guy.

Unfortunately, not many IT departments have a guy like me.

But every IT guy can be a guy like me. Every quarter, a security professional or IT team doing security needs to physically walk through the company’s buildings. Pick a floor, campus, department. Walk through while people are there. Look under keyboards and monitors for passwords. Let them know what you’re doing, and let them know why you’re doing it. Security is everyone’s job: you’re just the one being obvious about it.

Introducing the Pwn Pad 4: the latest Pwnie mobile sensor for wired, wireless and Bluetooth device detection, classification, and penetration testing

We’re excited to announce pre-sale of the Pwn Pad 4, a commercial-grade security tablet designed for remote security assessment. The Pwn Pad 4 combines a portable security detection and pen-testing tool with a powerful enterprise security platform.  In addition, even the pentesting abilities have some exciting new features: with Kali Rolling and Blue Hydra (a Pwnie-developed capability), it’s the only pentesting tablet with Bluetooth capabilities that offers energy efficient and conventional Bluetooth detection and fingerprinting.

The Pwn Pad 4 features the following enhanced capabilities:

  • Blue Hydra: An industry first from Pwnie Express, the Pwn Pad 4 now includes Blue Hydra, the first device discovery software capable of detecting low power and classic Bluetooth devices.
  • Portable Pen-Testing Doubling as Threat Detection Sensors: The tablet is completely integrated with Pwnie Express’ Pwn Pulse SaaS platform for real-time wired and wireless, BYOD and IoT threat detection. This allows security professionals to combine the versatile pen testing capabilities of a portable pad with the centralized visibility and historical records of enterprise data.
  • Kali Linux Rolling Distribution: The tablet comes prepackaged with the latest Kali Rolling edition, which includes an arsenal of tools and scripts for the hands-on, on-the-go cyber security professional.
  • Enhanced Configuration and Setup: The Pwn Pad 4 is more user-friendly than its earlier counterparts, with a consumer-like setup and configuration wizard that allows customers to streamline the initial implementation, upgrading and use of non-Pwnie Android apps.

The Pwn Pad 4 is now available for pre-sale and will be generally available on June 1.  For more information, please visit  or contact sales@pwnieexpress.com or call (855) 793-1337.

Pwnie Express Named a Winner of the 2016 ISPG Global Excellence Awards

Pwnie Express has continued to ride the rails of success in 2016, picking up an honor from the 12th Annual 2016 Info Security Products Guide’s (ISPG) Global Excellence Awards. The Pwnie Express SaaS platform, which provides continuous threat detection and visibility, was named a Silver Winner in the New Products and Services category.

The ISPG 2016 Global Excellence Awards are the information security (InfoSec) industry’s premier global awards program, celebrating the best companies, products, people, and InfoSec contributions from all over the world. We are proud to see Pwnie included among some of the industry’s best security solutions and top InfoSec companies. This year’s award winners were selected by a panel of more than 50 judges from a broad spectrum of industry voices. Scores were averaged to determine the 2016 Global Excellence Awards Finalists and Winners. Winners were announced at a recent awards dinner and presentation in San Francisco.

This award comes on the heels of another industry recognition: SC Magazine UK named Pwnie Express a finalist in its Best Vulnerability Management Solution category. With the explosive growth of BYOx and the Internet of Things, Pwnie is enabling organizations to continuously detect and fingerprint every wireless and wired device in and around their networks – from smartphones to drones. This visibility enables enterprises to prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation to protect data privacy and critical business infrastructure. We thank our valued customers around the world, and our engineering team for their continual research and innovation to make Pwnie Express an industry leader.

Pwnie Express provides the industry’s first solution designed to continuously detect both wireless and wired devices putting an organization’s workplace at risk, including high-risk BYOx, shadow IT, and purpose-built malicious hardware. To learn more about how Pwnie Express can help your organizations find the devices putting you at risk, visit our website.

Pwn Pulse Named Finalist for SC Awards 2016 Europe

Awards season isn’t over yet – not when SC Magazine UK has yet to give out its annual European IT security awards. At Pwnie Express, we’ll be picking out our best formalwear and joining our fellow nominees for the June 2016 event.

As an industry-recognized 2015 SC Magazine Security Innovator, we were thrilled to learn that Pwn Pulse has also been named one of SC Magazine UK’s six finalists for the Best Vulnerability Management Solution, which “acknowledges superior products and services that help customers address the most pressing cyber security threats.” This recognition comes on the heels of the launch of Pwn Pulse into the European market, which provided EU workplaces new, full visibility into the connected devices posing threats to their networks.

Meanwhile, demand for wireless/wired detection continues to surge in the region. According to the ISACA European 2015 IT Risk/Reward Barometer, 70 percent of European business and IT professionals consider it a medium to high likelihood that a company will be hacked through a connected device. As bring your own device (BYOD) and Internet of Things (IoT) devices continue to proliferate in workplaces across the EU, 51 percent believe their IT department is not aware of all of the connected devices within the organization, and one in three do not have a policy in place to address BYOD at all — let alone discover and analyze the multitude of devices in and around their networks.

These devices can be inherently malicious or can be used as gateways into the networks of these organizations, including critical networks used by utilities, financial institutions, government organizations, and others.

At Pwnie, we work with our global customers to help them better understand the threat of connected devices in and around their organizations. With the Pwn Pulse enterprise-class SaaS platform, European organizations can continuously detect and fingerprint every wireless and wired device – from phone to printer – and hone in on the ones they actually care about. This helps them prioritize security response, reduce alert fatigue and provide situational intelligence to implement real-time remediation. This visibility from Pwn Pulse also enables companies to more comprehensively protect critical business infrastructure while preserving data privacy.

Being recognized by SC Magazine UK is a testament to our incredible team, and in particular, our top-notch engineering talent, as well as our amazing users around the globe who have deployed Pwn Pulse. The SC Magazine Awards Europe are one of the information security industry’s most prominent recognitions. Winners in the Threat Solution categories are decided by an expert panel of judges, hand-picked by SC Magazine UK’s editorial team for their breadth of knowledge and experience in the information security industry. The awards honor both the cyber security professionals working in the trenches, and the products and services that help protect today’s corporate world from a myriad of ever-changing threats.

Pwn Pulse: Patagonia Edition

As Product Manager, I have the great privilege of getting to sit in on a lot of demonstrations and on-boarding sessions. This past Tuesday was no different; I sat and watched my colleague provide a demo for a prospective customer. The material is quite familiar to me at this point, and so I wasn’t paying close attention until I saw a familiar name under the list of probes:

[Screenshot: my wi-fi probes]

Now, seeing my computer show up in a Pulse demonstration wasn’t especially shocking — this kind of visibility is what Pulse excels at. However, this particular probe stood out because that SSID is for a hotel in Patagonia, Chile, a place I had visited six months prior. With a different phone. And a different computer. None of the items I carry in my possession now have ever been with me to Patagonia.

So why was it showing up in the list of probes now?

Perhaps naively, I used my long-standing iCloud account to set up my new computer, and with it came my cloud-backed Keychain, which also happened to store a historical record of every Wi-Fi network I’ve connected to in the last 2 years. Parents. Friends. Former jobs… All of it.

Looking at the probes from other devices in Pwn Pulse, I can see that plenty of people do this, as the average person in the United States generally has 3 Internet-connected devices on them at any point in time. Furthermore, the concept of “the office” has evolved to include home, the airport, and the local coffee shop. Even more alarming is the fact that the pool of networks my i-devices “trust” grows with every new connection I make, whether it’s on my phone, my tablet, or my laptop. The idea behind it is noble: you can move seamlessly from device to device with nearly no break in service or user experience. However, with this information, I can take any one of my i-devices back to any one of those Wi-Fi networks and my device would automatically connect (assuming the password hasn’t changed).

Nice idea, but bad for privacy. Potentially bad for my company, too, but this is about me now. This information, combined with a little social engineering, could be exceptionally damaging in the wrong hands. Which begs the question: in a world of BYOD and CEOD (company/employer-owned devices), where do we draw the line between employee privacy and company-proprietary business? I don’t know the answer to that question, but I do know that I don’t want my whereabouts advertised to my company at all times just because my devices are thirsty. The crazy thing is, some of the probes on that list are for networks I’ve never connected to (sorry gogoinflight, I just don’t trust you), yet my phone attempted to connect to them while I had Wi-Fi turned on and there it goes… into the pool.

So what do I do about it, and what can you? Well, the first thing I did was to go back and remove all of those old networks from my keychain. Then I set my phone and computer to NOT remember networks, with the exception of one or two. Divorcing my computer from my iCloud account is the logical next step, but I’m not ready to go there yet. We’ll call it separation anxiety.

I only came to this epiphany when I happened to be sitting in the right Pwn Pulse demo at the right time. I shudder to think about how many other people are spewing data like this about themselves without even knowing it.

My trip to Patagonia was awesome, by the way – thanks for asking.

CVE-2016-0728, Practicality, and Going Crazy

A new and very serious Linux kernel vulnerability, CVE-2016-0728, affecting Linux kernels 3.8 and later, was announced today with surprisingly little fanfare.

Perception Point LTD, the company that disclosed the vulnerability, provided an amazing write up which I’ve already linked to. Without going into the questions of responsible disclosure, etc., the write up is one of the very rare ones: professional and succinct, while providing exactly the details needed to understand what is going on.

So why do I find myself surprised that this isn’t more prevalent in the news? This vulnerability, when exploited, effectively gives unrestricted root access, and there is no patch available for it yet. The best I can find is a crafty SystemTap patch attached to Red Hat’s bug report on the issue; PaX/grsecurity unsurprisingly protects against this; and a comment on the sample code indicates that a non-default sysctl value might provide limited protection, at the expense of being able to perform some performance analysis as a regular user. SELinux does provide some protection, but it can be bypassed, and Perception Point indicates that they’ll even provide write-ups of how they test in follow-up blog posts.

I personally don’t see any harm in recommending that users with an affected kernel set the following sysctl value, by running this command as root, at least until a proper patch is available. As always, please understand the changes you make to your systems and don’t trust every blog post.

sysctl -w kernel.kptr_restrict=1
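A defender’s audit for the two facts this post gives, the affected kernel range (3.8 and later) and the interim kernel.kptr_restrict setting, as an added example that is not from the original post. The version parsing, the treatment of kptr_restrict=2 (the stricter setting) as equivalent, and the fact that a vendor backport of the eventual fix cannot be seen from the version string are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a host for CVE-2016-0728 exposure
# using only the two facts the post states. Nothing here exploits anything.
# Assumption: kernels 3.8 and later are in scope (per the post); a distribution
# backport of the fix is invisible to a version check, so treat "affected" as a hint.

# kernel_affected VERSION -> 0 if VERSION >= 3.8, 1 if older, 2 if unparseable
kernel_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    # strip any "-rc1" or "-generic" suffix from the minor component
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 8 ] && return 0
    return 1
}

# mitigation_present VALUE -> 0 if kernel.kptr_restrict is 1 or 2 (assumption:
# 2 is stricter than the 1 the post recommends, so it counts as present)
mitigation_present() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit VERSION KPTR -> prints a verdict; returns 0 only when not in the affected range
audit() {
    ver="$1"; kptr="$2"
    rc=0; kernel_affected "$ver" || rc=$?
    case "$rc" in
        2) echo "kernel $ver: could not parse version, check manually"; return 2 ;;
        1) echo "kernel $ver: below 3.8, not in the affected range"; return 0 ;;
    esac
    if mitigation_present "$kptr"; then
        echo "kernel $ver: affected range, kernel.kptr_restrict=$kptr set (partial mitigation only; patch when available)"
    else
        echo "kernel $ver: affected range and kernel.kptr_restrict=$kptr; set it to 1 and patch when available"
    fi
    return 1
}

# Run against the live system when /proc is available; the verdict is the printed line.
if [ -r /proc/sys/kernel/kptr_restrict ]; then
    audit "$(uname -r)" "$(cat /proc/sys/kernel/kptr_restrict)" || :
fi
```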

There is one side of these kinds of vulnerabilities that I don’t see discussed very much in the security industry: practicality of using the attack. When I personally consider exploits like these, I like to think about a couple of different categories, which in my mind map to how they’ll be used. Is it a local or remote vulnerability? How reliable is it? How easy would it be to modify to execute any other arbitrary code? What privileges will my new code have? How likely is it to be patched on a system?

Some of these questions I’ve already answered: the exploit gives full root access, and there is a very small chance that a target is protected against it. As to reliability, the proof of concept code released with the write up works scarily well, though it takes time and resources (about half an hour when I tested it in a virtual machine) and I have yet to see it fail. There also doesn’t appear to be any restriction on the code you’re able to execute with those privileges.

The one redeeming feature of this exploit – and probably why people are not going as crazy over this as some other recent named vulnerabilities – is that it requires getting the code to run as an already legitimate user. In the parlance of our industry, it is exclusively a privilege escalation vulnerability.

There are a lot of applications out there now running on a matching kernel, and unless you really read that write up you may miss it. This exploit affects Android 4.4 and later. There doesn’t seem to be a working PoC for Android yet but people are already trying to test it and there is nothing special about the Android kernel that will prevent it.