Posts

Rethinking Biometric Security

For many, biometrics are considered the ultimate form of two-factor authentication, in which a user must provide something they have in addition to something they know. Most systems currently implement two-factor authentication with security tokens, which take the form of either a hardware device (such as the RSA SecurID fob) or software running on a smartphone (Google Authenticator), both of which have their logistical problems. Supplanting these tokens with something that is literally part of the user, such as a fingerprint or iris scan, would take a lot of the implementation headaches out of two-factor authentication.

But new attacks have shown that the most common form of biometric authentication, fingerprint scanning, is not nearly as secure as originally thought. The next generation of scanners aims to increase security, but is it too little, too late?


High Profile Vulnerabilities

Hacking fingerprint scanners by cloning fingerprints is hardly new, but it definitely got a lot of mainstream attention when it was shown that Apple’s iPhone 5S was susceptible to this type of attack just days after its release. Chaos Computer Club member Jan “Starbug” Krissler created a detailed guide on how a print could be “lifted” from a smooth surface (such as a drinking glass) and reproduced in a form that can be glued to an attacker’s own finger. A video was released that even showed how to recover a usable fingerprint from the iPhone’s screen using nothing more exotic than a desktop scanner.

These hacks were by no means simple: they required patience, skill, and even some volatile chemicals. But they were very much possible, and anyone with the drive to follow the widely available information could replicate them without much expense. If somebody wanted into your iPhone badly enough, it was clear they could get in.

Many hoped that the iPhone 6 would pack in a more sensitive fingerprint scanner that would be harder to trick, but upon its release, it was demonstrated that the same method worked on the newer device as well.

But to many, this didn’t come as a surprise. The fingerprint scanner on the iPhone is meant to be more convenient, but not necessarily more secure, than simply using a traditional PIN to unlock the device. For the average user, the iPhone’s fingerprint authentication would work fine, but it shouldn’t be relied on for high security applications.


Hands Free Hack

As if his attack against the iPhone wasn’t enough, Krissler has recently released information on how he was able to create a duplicate fingerprint using nothing more than high resolution images of the target’s hands.

In his demonstration at the 31st Chaos Communication Conference, Krissler showed how he was able to use images of German Defense Minister Ursula von der Leyen’s thumbs and the commercially available VeriFinger SDK to create a replica of her fingerprint without ever having access to a physical object she touched. Given the availability of high resolution images of public figures, this attack could conceivably have long reaching security implications.

During his presentation, Krissler quipped that “After this talk, politicians will presumably wear gloves when talking in public.” While the statement was in jest, it will be interesting to see if policy on photographing public officials is in any way affected by Krissler’s work.


Next Generation Hardware

With attacks like these already in the wild, it’s clear that fingerprint authentication needs to be rethought. New approaches to fingerprint scanning include what are known as “living biometrics”: it isn’t enough to simply present an image of a fingerprint; the scanner must also see evidence of living processes.

One such method is finger vein recognition, where the veins in the finger (which are as unique to each individual as the fingerprint itself) are photographed through the use of infrared light. Since the veins are under the skin, there’s no way to duplicate them using images of the hands or prints lifted off of glass, as these only give surface details.

While the technology and method are still being actively researched, the results so far are very promising. Britain’s Barclays bank has announced that this year they will be making vein recognition systems available to their commercial customers, with a full rollout to follow if it’s successful.

While it will be quite some time before we see vein recognition hardware on our smartphones, the technology will one day become common enough that a user’s finger may still end up being as worthwhile a security token as anything currently available.

20 Startups to Watch in 2015

Dark Reading

20 Startups to Watch in 2015

December 29, 2014

By Ericka Chickowski

 

Check our list of security startups sure to start (or continue) making waves in the coming year.


Pwnie Express

Founded: 2009

What it does: Pen testing products

Latest funding: $5.1 million in Series A, July 2013

Noteworthy player: Dave Porcello (founder & CEO)

Built around the grassroots success of its signature Pwn Plug device, Pwnie Express has been growing by leaps and bounds, offering penetration tester devices that make it easier to carry out the work.

(Original Article)

Corporate Sabotage Suspected in Steel Plant Hack

We often talk about the threat of a company hacking a competitor, either to gain some insider knowledge of the competitor’s operations, or to actively sabotage them. It’s easy to throw out hypothetical situations like this, and even easier to dismiss them as classic “Fear, Uncertainty, and Doubt” (FUD); which is too often the go-to tactic when talking about cutting edge technology that most people aren’t too sure how to get a handle on.

So when you see an article about it in the international news, it’s something of a special occasion. While unquestionably a disheartening event for the targeted company, it’s an invaluable case-study for those of us who aim to prevent this sort of thing in the future, and a stark reminder that this sort of attack isn’t just the kind of thing you see in the movies.


Privilege Escalation

In their 2014 report, Germany’s Federal Office for Information Security describes a sophisticated attack carried out against an unnamed German steel company.

The first phase of the attack consisted of social engineering and targeted email phishing (often referred to as spear phishing) to gain access to the company’s office network. From there, the attackers were able to access the network which controlled the actual production of steel, which is where things get interesting.

It appears that the goal of the attackers was to slow down or halt the production of steel by interfering with the system’s ability to control the machinery. But things may have gone a little farther than the attackers intended, because when the system lost control the operators were unable to properly shut down a blast furnace. With the furnace in an undefined state, physical damage was done, though to what extent and if it was permanent was not disclosed in the report.

While the report goes on to say that any determination at this point would be little more than an educated guess, “competitive sabotage” is mentioned as a possible intent, given the extremely specific nature of the attack.


Sophistication

There isn’t much in the way of details about the attack; it’s unknown what kind of software was used and how it was deployed. But one thing is very clear: the attackers knew what they were doing.

Being able to take control (or even take control away from the operators) of industrial hardware such as this is a bit out of reach for the bedroom hacker; it requires knowledge of the specific hardware being targeted and of the operating systems and software used to control it.

If this sounds familiar, it’s because this attack has similarities to the infamous Stuxnet, which targeted Iranian nuclear enrichment centrifuges. In both cases, the combination of software and hardware targeted was so specific that the attack had little widespread use; it was only damaging at the location it was intended to attack.

As increasingly advanced technology becomes available to attackers, sophisticated and targeted attacks like this may move from being interesting footnotes to common occurrences.

Pwnie Express on Good Morning America

Watch Video Here

Pwnie Express founder and CTO Dave Porcello was recently featured on Good Morning America to help raise awareness on the cyber attacks currently targeting hotel guests across the globe. In this segment, Dave demonstrates two of today’s most common attacks: malicious WiFi hotspots (aka “Dark Hotel” attacks or “Evil Access Point hotspots”) and keystroke logging devices (aka “keyloggers”).

As shown by our “Project Eavesdrop” experiment with NPR, these attacks can expose a tremendous amount of personal information to a cyber criminal, including:

  • All visited websites, URLs, & search keywords
  • Passwords to banking/financial accounts, email accounts, & social media sites
  • Emails, photos, documents, & software downloads
  • Internet phone calls & video chat sessions
  • Physical location / GPS coordinates

In the past, these attacks required specialized equipment and a high level of technical expertise. Over the years, the proliferation of plug-and-play “cyber espionage devices” has made these attacks easier than setting up a home router.

“Evil Access Point” (Evil AP) hotspot devices and keyloggers come in a variety of portable, stealthy form factors and can be purchased online for as little as $20:

[Images: Pineapple, Device 1, Device 2]

In the first demonstration, Dave simulates a “Dark Hotel” attack showing how an attacker can use an Evil AP to obtain personal information from hotel guests. Using a setup similar to the NPR Project Eavesdrop drop box, Dave was able to see all visited websites, URLs, images, and search keywords in real-time.

Next, Dave uses a combination of SSL-bypass and Fake Login Pages to simulate a password capture attack against several email and social media accounts, as well as a credit card number capture attack through a fake hotel guest portal page:

[Image: fake hotel guest portal page]

Unfortunately, these “Dark Hotel” attacks are nearly impossible for the average hotel-goer to detect. Once a hotel guest unknowingly connects to one of these Evil AP hotspots, all their Internet traffic can be monitored, recorded, intercepted, and tampered with by the attacker.

Dave then illustrates how wireless keylogger devices (now sold at Amazon and Sears) can capture everything typed into a hotel business center or kiosk computer, including passwords and credit card numbers. Your captured keystrokes can then be transmitted wirelessly over the Internet to an attacker residing anywhere in the world.

[Image: wireless keylogger devices]

Lastly, Dave shows how the Pwnie Express Pwn Pad can be used by a security professional to detect and track down Evil AP hotspots:

[Image: Pwn Pad tracking down an Evil AP]

Just like we expect hotels to keep us physically safe with modern door locks and secured windows, we need to begin expecting hotels to protect us online as well. Pwnie Express and other cyber security vendors offer technologies such as Pwn Pulse that are increasingly being deployed by hotels, banks, hospitals, and other organizations to detect and disable these types of attacks.


Evil APs defined:

Rogue/Evil Access Points — or unauthorized and unmanaged WiFi devices — can spell the end for even the most mature of Information Security programs. Rogue APs can take many forms: non-malicious employees plugging in their own Access Points for convenience, misconfigured or unconfigured wireless-enabled printers, or a $5 USB WiFi adapter that can be leveraged by criminals to stand up Fake Access Points from the parking lot. Whether set up unintentionally, with malicious intent, or as a genuine mistake, a Rogue Access Point not under your control can give criminals direct access into your internal networks.

Evil Access Points can defeat even the most stringent WIPS/WIDS deployments, as they play on the weakest portion of any Security Program – the “Human Element.” Gone are the days of criminals having to have specialized Wireless gear and intimate knowledge of *nix to do this. With minimal cost and effort, any criminal can set up an EvilAP to lure – or even force – unsuspecting employees into joining fake wireless networks masquerading as legitimate networks.
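The two sections above describe the rogue-AP problem from the attacker's side and mention that a security professional can detect and track down Evil APs. Below is an added example of the defender's side of that check, written for this page and not taken from Pwnie Express or any of its products. It classifies the access points seen in a wireless site survey against an inventory of managed APs: the survey records and the inventory are constructed sample data, and the signal threshold used to separate "probably inside the building" from "probably next door" is an assumed tuning value.

```python
"""Flag rogue and evil-twin access points in a wireless site survey.

Added example, not Pwnie Express code. The AUTHORIZED inventory and the
SURVEY records are constructed; a real deployment would export the
inventory from its WLAN controller and feed in live scan results.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str        # AP MAC address as seen over the air
    security: str     # "open", "wpa2", "wpa2-enterprise", ...
    signal_dbm: int   # received signal strength, closer to 0 is stronger


# Assumed inventory: the BSSIDs this organization actually manages, keyed by SSID,
# plus the security mode each managed SSID is configured to advertise.
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}
EXPECTED_SECURITY = {"CorpNet": "wpa2-enterprise", "CorpGuest": "wpa2"}


def _normalize(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Corp-Net' and 'corpnet' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def lookalike(ssid: str, known) -> bool:
    """True when an SSID imitates a managed one (e.g. 'CorpNet Free WiFi')."""
    norm = _normalize(ssid)
    return any(_normalize(k) in norm for k in known)


def classify(obs: ApObservation, authorized=AUTHORIZED,
             expected=EXPECTED_SECURITY, indoor_dbm=-65) -> str:
    """Return one verdict for a single observed AP.

    evil-twin          our SSID advertised from hardware we do not own
    security-downgrade our AP, but advertising weaker security than configured
    lookalike-ssid     an SSID crafted to resemble one of ours
    unknown-ap         unrecognized SSID with a signal strong enough to be on site
    neighbor           unrecognized SSID that is too weak to be inside the building
    authorized         everything matches the inventory
    """
    bssid = obs.bssid.lower()
    if obs.ssid in authorized:
        if bssid not in authorized[obs.ssid]:
            return "evil-twin"
        if obs.security != expected[obs.ssid]:
            return "security-downgrade"
        return "authorized"
    if lookalike(obs.ssid, authorized):
        return "lookalike-ssid"
    # Assumed threshold: anything weaker than indoor_dbm is treated as a
    # neighbor's network rather than a device on our premises.
    if obs.signal_dbm >= indoor_dbm:
        return "unknown-ap"
    return "neighbor"


def audit(survey, **kwargs) -> dict:
    """Group the BSSIDs that need attention by verdict; benign verdicts are dropped."""
    report = {}
    for obs in survey:
        verdict = classify(obs, **kwargs)
        if verdict in ("authorized", "neighbor"):
            continue
        report.setdefault(verdict, []).append(obs.bssid.lower())
    return report


# Constructed survey: one authorized AP, one evil twin of it, one managed guest
# AP that has been reconfigured to open, one lookalike SSID, one strong unknown
# AP (an employee's own router, perhaps) and one weak signal from next door.
SURVEY = [
    ApObservation("CorpNet", "00:11:22:33:44:01", "wpa2-enterprise", -48),
    ApObservation("CorpNet", "de:ad:be:ef:00:01", "open", -42),
    ApObservation("CorpGuest", "00:11:22:33:44:03", "open", -50),
    ApObservation("Corp-Net Free WiFi", "de:ad:be:ef:00:02", "open", -45),
    ApObservation("LINKSYS", "c0:ff:ee:00:00:01", "wpa2", -39),
    ApObservation("Cafe_Next_Door", "c0:ff:ee:00:00:02", "wpa2", -85),
]

if __name__ == "__main__":
    for verdict, bssids in audit(SURVEY).items():
        print(f"{verdict:20s} {', '.join(bssids)}")
```

The inventory match is done on BSSID rather than SSID because an SSID is free text that anyone can advertise, which is exactly what an evil twin does; the downgrade check catches the quieter case where a managed AP is still the right hardware but has been reconfigured to open. Unknown APs are only raised when the signal is strong enough to plausibly be on the premises, which keeps the report from filling up with every network in the neighbouring building.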


Wireless Keyloggers defined:

Wireless keyloggers are rapidly becoming a physical security attack tool of choice. Keyloggers – traditionally found in software – allow for the storing of all keystrokes entered by the victim on the compromised machine. Criminals are now leveraging micro-USB sticks (some of which are so small you wouldn’t notice them plugged in) to capture all keystrokes on the target computer. This inevitably leads to the disclosure of passwords and other sensitive information. Today’s keyloggers use remote connectivity methods (such as WiFi or Bluetooth) to offload or exfiltrate their captured information. Since they aren’t directly tied to your organization’s wireless infrastructure, wireless keyloggers can operate virtually undetected.

Additional resources:

Dow Jones: “Five top cyber espionage devices”
http://thetally.efinancialnews.com/2014/09/five-top-cyber-espionage-devices/

Pwnie Express & NPR: “Project Eavesdrop”
http://store.pwnieexpress.com/blog/pwnie-express-on-npr/

Project Eavesdrop Part 1: “The Drop Box”
http://store.pwnieexpress.com/npr-blog-series-part-1-the-drop-box/

Project Eavesdrop Part 2: “A Week in the Life”
http://store.pwnieexpress.com/npr-blog-series-part-2-a-week-in-the-life/

The Evolution of Rogue Devices
http://store.pwnieexpress.com/the-evolution-of-rogue-devices/

Evil AP: An Introduction
http://store.pwnieexpress.com/introduction-evilap/

Bypassing HSTS SSL with the Mana Toolkit
http://store.pwnieexpress.com/bypassing-hsts-ssl-with-the-mana-toolkit/

Stealing Credentials with Fake Login Pages
http://store.pwnieexpress.com/stealing-credentials-with-fake-login-pages/

Mapping WiFi Networks on the Pwn Pad 2014
http://store.pwnieexpress.com/mapping-wifi-networks-pwn-pad-2014/

_______________________________________________________
If you are a security professional or commercial organization interested in detecting rogue devices that may be present within your enterprise, please contact us at 1-855-793-1337 or at info@pwnieexpress.com, and our team of security experts will be in touch with you.
Leveraging InfoSec

High school physics is a lot of fun for many different reasons: experiments, math (or is that just me?), and falling things in the name of science. It’s good that I liked physics, because I’m reminded of it on a consistent basis. Though not immediately obvious, basic physics terms are used constantly in real life. One of these overused terms is leverage.

Leverage is defined as the usage of a fulcrum to amplify input force – essentially, that using a lever amplifies a person’s ability to do something. In classical physics, that something is movement of an object. In business, the term describes the “leverage” of a primary quantity of money to be used to make more. For example, the debt-to-equity ratio identifies just how leveraged a company is, generally by how much they have invested relative to their primary capital.

But physics and business aside, leverage is incredibly important to security. Most threats are really just the extended usage of one or two leveraged assets. Targeted threats are almost always based in calculated leverage – using smaller players in the quest to attack some larger target. In the case of the actual Target, that “in” was a small HVAC company. By leveraging a compromised computer, the attackers were able to access the backend of the Target system and infect the Point of Sale systems.

Another classic example of leverage in Information Security is the malware “leverage” seen in ‘bots. With one compromised computer, a single attacker can create an army.

Pwnie Express has been pointing out the importance of the remote site for a long time, as they can be extremely dangerous to the security of an overall organization by providing an “in” for the attacker. An attacker can use the credentials stolen from a remote site as leverage to access databases, headquarters, or other mission-critical sites. Rogue devices are another perfect example, though not nearly as well-known. An employee with a compromised smartphone gives attackers the perfect doorway into the enterprise.

So maybe the next time you realize that yet another security hole needs to be plugged, take a moment to thank Archimedes.

SINET 16 (Awards and Innovation)

We at Pwnie are beyond proud and excited to announce that we have been selected as one of this year’s SINET 16 Innovators. SINET, according to its site, selects these companies as the “best-of-class security companies that are addressing industry and government’s most pressing needs and requirements.”

SINET stands for “Security Innovation Network,” an incredible organization that promotes innovation, business development, and awareness of smaller companies. Their interest in smaller companies is fairly unique, but one that is more necessary in the security space than in many others. Though innovation is necessary in any industry, information security is reliant upon innovation to face new and increasingly sophisticated threats.

One of the most exciting things about InfoSec is that there is a constant push forward. In the words of SINET Chairman and Founder, “For those of us in the cybersecurity space this is an exciting but critical time.” It is certainly an intense time for cybersecurity: the U.S. Postal Office was breached, the State Department was targeted, and data breaches are becoming so common and so huge that Information is Beautiful was able to create this incredible infographic that clearly demonstrates that the breaches have gotten bigger… and more frequent.

Here at Pwnie the increasing urgency in the cybersecurity space has inspired us to move forward. Innovation has been one of the Pwnie Values since the beginning, and we are truly grateful to know that it has paid off.

Pwnie Express Selected as a SINET 16 Innovator

Remote Asset Discovery and Assessment Provider Lauded for Its Cutting-Edge Cybersecurity Defense Technology

BOSTON, Nov. 18, 2014 /PRNewswire/ – Pwnie Express, providing anywhere on-demand wired and wireless network security assessment, today announced that the Security Innovation Network (SINET) has named it a SINET 16 Innovator.

Pwnie Express was selected from a pool of 180 applicants worldwide by the SINET Showcase Steering Committee, which is made up of 60 security experts from government, academia and the private sector, for its ability to combat cybersecurity threats and vulnerabilities.

The SINET Showcase will feature Pwnie Express’s Pwn Pulse solution, which provides consolidated asset discovery, vulnerability scanning, and pentesting in a single unified offering. This delivers actionable risk information showing organizations where they are most vulnerable, allowing them to focus on high probability threats and threat vectors. The event will be held December 3-4 in Washington DC.

“We are honored by SINET’s recognition of our innovative solution whose integrated intelligence delivers continuous in-depth analysis to accurately identify attack paths, allowing organizations to level the playing field against the hackers,” said Paul Paget, Pwnie Express CEO. “Pwnie Express is the only solution to assess wired and wireless network security anywhere, on-demand. Leveraging the expertise of Pwnie Labs and using open source tools our SaaS solution allows organizations to easily protect themselves against attackers who are increasingly accessing confidential data and information through remote locations.”

The SINET Showcase provides a platform for the business of Cybersecurity to take place as emerging technology companies present their solutions and connect with a select audience of nearly 400 venture capitalists, investment bankers as well as industry and government buyers.

About SINET

SINET is a community builder and strategic advisor whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats. Its public-private partnership events are supported by the U.S. Department of Homeland Security, Science & Technology Directorate.

SINET also offers advisory services and a membership program that have helped build thousands of relationships and delivered value across a broad spectrum of the security community to include buyers, builders, researchers and investors. For more information, visit www.security-innovation.org. Connect with us on Twitter at @SINETconnection. Follow the conversation about SINET 16 at #SINET16 and this year’s SINET Showcase at #SINETDC.

About Pwnie Express

Pwnie Express provides an end-to-end security assessment solution that delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. It provides sensors for individual locations and an enterprise-class Pwn Pulse solution using its sensors combined with central management for scalable continuous intelligence across remote locations.

Thousands of organizations worldwide rely on its products to conduct drop-box pentesting and provide unprecedented insight into distributed network infrastructures. Pwn Pulse allows organizations to see all the things using open source tools and platforms. The products are backed by the expertise of Pwnie Express Labs. It is headquartered in Boston, Massachusetts.

Contact: Sara Kantor
Email
Phone: 617-267-1777

(Original Article)

Security Innovation Network (SINET) Announces Its 2014 Top 16 Emerging Cybersecurity Companies

The Security Innovation Network™ (SINET), an organization focused on advancing Cybersecurity innovation through public-private collaboration, announced today the winners of its annual SINET 16 competition. The companies, which were selected from a pool of 180 applicants from around the world, represent a range of Cybersecurity solution providers who are identifying cutting-edge technologies to address Cybersecurity threats and vulnerabilities. The selected companies will share their work with buyers, builders, investors and researchers during the SINET Showcase on Dec. 3 – 4, 2014 at the National Press Club in Washington, DC.

The competition requires that revenues be under $15 million and this year’s applicant pool of early stage and emerging technology companies was the most competitive since SINET began the initiative six years ago. The entries were vetted in a two-stage process by the SINET Showcase Steering Committee, which was comprised of 60 security experts drawn from government, academia and the private sector.

ABOUT THE 2014 SINET 16 INNOVATORS

The following companies were selected as the 2014 SINET 16 Innovators:

Click Security focuses on advanced threat detection, offering solutions that provide security visibility, automatically build rich context around otherwise independent and inconclusive product alerts, detect attack activity missed by traditional security products, and automate the hunt for the unknown.

Contrast Security brings continuous application security to the enterprise by identifying security vulnerabilities in real-time at portfolio scale.

CrowdStrike is a global provider of security technologies and services focused on identifying advanced threats and targeted attacks.

Cylance, Inc. is the first company to apply artificial intelligence, algorithmic science and machine learning to Cybersecurity that improves the way companies, governments and end users proactively solve the world’s most difficult security problems.

Cyphort, Inc. is an innovative provider of Advanced Threat Protection solutions that deliver a complete defense against current and emerging Advanced Persistent Threats, targeted attacks and zero day vulnerabilities.

GuruCul is a security risk intelligence provider, featuring GuruCul Risk Analytics (GRA), an Identity-Centric Behavioral Risk Intelligence platform that helps organizations efficiently prevent insider threat and fraud and protect intellectual property and regulated information.

Interset provides a highly intelligent and accurate insider and targeted outsider threat detection solution that unlocks the power of behavioral analytics, machine learning and big data to provide the fastest, most flexible and affordable way for IT teams of all sizes to operate a data protection program.

Norse Corporation focuses on live attack intelligence, delivering continuously updated Internet and Darknet intel that helps organizations detect and block attacks that other systems miss.

PFP Cybersecurity provides a unique, anomaly-based Cybersecurity threat detection technology that can find any cyber intrusion in any device, including active and dormant attacks.

PhishMe, Inc. provides threat management for organizations concerned about human susceptibility to advanced targeted attacks by enabling employees to identify, report, and mitigate spear phishing, malware, and drive-by threats.

Pwnie Express provides simple and scalable asset discovery, vulnerability scanning, and penetration testing solutions for remote sites and all wireless spectrums.

SecureRF Corporation provides cryptographic security solutions for wireless sensors, embedded systems and other devices where little or no security currently exists.

Shape Security has developed advanced technology that defends against attacks from malware, botnets and scripts by constantly re-shaping the web code.

Skyhigh Networks is a Cloud Visibility and Enablement Company that enables organizations to adopt cloud services with appropriate security, compliance, and governance.

vArmour is a data center security company designed to protect the data of enterprises and service providers from advanced attackers and lateral moving threats.

ZeroFOX is a social risk management company that enables organizations to identify, manage and mitigate information security risk introduced through social media.

“I am proud and excited to once again partner with the DHS S&T Directorate as we recognize this year’s SINET 16 Innovators,” says Robert Rodriguez, Chairman and Founder of SINET. “Only 16 companies were selected out of 180 applications by our esteemed committee so they might present their innovative solutions on stage in front of 400 investors builders, buyers and researchers. Of our four programs each year, Silicon Valley, New York City, Washington DC and London, the Showcase is my favorite as it has a clear deliverable in our mission to advance innovation in the Cybersecurity domain.”

“The continued robust investment and M&A activity are strong bellwethers that we are not only experiencing an exciting period in our lives but are a true testament to the dynamics of the Cybersecurity market, which highlights the continued need for innovative and hopeful solutions.”

ABOUT SINET SHOWCASE

SINET Showcase provides a platform for the business of Cybersecurity to take place as emerging technology companies are able to present their solutions and connect with a select audience of nearly 400 venture capitalists, investment bankers as well as industry and government buyers. The program, which is supported by the Department of Homeland Security, Science & Technology Directorate, also features commentary on the latest investment and Cybersecurity trends from the industry’s foremost experts. The program includes educational workshops, panel sessions, an interactive luncheon hour and a networking reception.

To register for SINET Showcase and to see a complete list of speakers and a program agenda, visit http://www.security-innovation.org/showcase_2014.htm.

ABOUT SINET

SINET is a community builder and strategic advisor whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats. Its public-private partnership events are supported by the U.S. Department of Homeland Security, Science & Technology Directorate. SINET also offers advisory services and a membership program that have helped build thousands of relationships and delivered value across a broad spectrum of the security community to include buyers, builders, researchers and investors. For more information, visit www.security-innovation.org. Connect with us on Twitter at @SINETconnection and follow all the news about this year’s SINET 16 and Showcase event with #SINET16 and #SINETDC.


(Original Article)

Shadow IT in Stores and Branches: How to Stay Compliant

InfoSecurity Magazine

Shadow IT in Stores and Branches: How to Stay Compliant

October 22, 2014

By Bob Tarzey

Branches are where the rubber still hits the road for many organisations; where retailers still do most of their selling, where much banking is still carried out and where health care is often dispensed. However, for IT managers, branches are outliers, where rogue activity is hard to curb; this means branches can become security and compliance black spots.

Branch employees may see fit to make their lives easier by informally adding to the local IT infrastructure, for example installing wireless access points purchased from the computer store next door. Whilst such activity could also happen at HQ, controls are likely to be more rigorous. What is needed is an ability to extend such controls to branches, monitoring network activity, scanning for security issues and detecting non-compliant activity before it has an impact.

A proposition from Boston, USA-based vendor Pwnie Express should improve branch network and security visibility. Founded in 2010, Pwnie Express has so far received $5.1 million Series-A venture capital financing from Fairhaven Capital and the Vermont Seed Capital Fund. The name is a play on both Pony Express, the 19th century US mail system and the Pwnie Awards, a competition run each year at the Black Hat conference to recognise the best discoverers of exploitable software bugs.


(Original Article)
