Hooyah! The Challenge of BYOD Policy Enforcement in the Navy and In Your Organization

I have been off the boat (former submariner) for a few years now, but every now and again I find myself browsing the U.S. Navy’s public website to see who got promoted and to check out the new policies heading to the fleet. Last week, I saw a NAVADMIN (a formal Navy Administration Memo, for those not in the service) with the subject USE OF UNCLASSIFIED NAVY AND MARINE CORPS INTRANET LAPTOPS WITH EMBEDDED WIRELESS (NAVADMIN 290/15). The message goes on to present a new formal policy for a problem facing many organizations – protecting critical data and systems from the ever-growing swarms of wireless devices.

With a tradition of tech heroes like Grace Hopper and Hyman Rickover, the U.S. Navy has a proud history of being an innovator and early adopter of technology (Hooyah!). From the early days of software, through nuclear propulsion reactors and advanced weapons systems and satellites, the Navy has tackled the most challenging of technical problems. This history makes it particularly interesting to see how such a large and structured organization is tackling the proliferation of web-enabled devices.

In short, the policy states that devices issued for use on UNCLASSIFIED systems, when used in areas with sensitive networks and operations, must have the WiFi turned off by the operator. The onus is on the device owner to remember that they must disable wireless capabilities prior to entering these areas (of which the Navy has many), and re-enable when they are in an appropriate area.

But here’s the thing: relying on humans to remember to turn off WiFi will be challenging. It’s a significant challenge even when you have well-trained and loyal sailors legally bound to follow your orders. So the question must be asked: how do you enforce this type of policy? The memo goes on to tease some additional measures for “detection/jamming” on the horizon so that the policy can be properly enforced, though specifics aren’t offered at this time.

Sound familiar? It should, because this is not just a problem for the military. Every organization has sensitive data and critical infrastructure that needs to be protected – and your “sailors” are not legally bound to follow orders. You might even have something similar in your enterprise: a BYOD or IoT policy that states WiFi should be disabled, or that certain devices are not allowed onto the WiFi network. Two stats are telling: while 74% of organizations permit or plan to permit BYOD, 30% of those with a BYOD policy in place have no way to enforce it or simply rely on the honor system.
Now, ask yourself, how will your organizations develop and enforce policies to mitigate risk and protect your important assets in 2016? Let us know below.

Pwnie Express on Good Morning America

Watch Video Here

Pwnie Express founder and CTO Dave Porcello was recently featured on Good Morning America to help raise awareness on the cyber attacks currently targeting hotel guests across the globe. In this segment, Dave demonstrates two of today’s most common attacks: malicious WiFi hotspots (aka “Dark Hotel” attacks or “Evil Access Point hotspots”) and keystroke logging devices (aka “keyloggers”).

As shown by our “Project Eavesdrop” experiment with NPR, these attacks can expose a tremendous amount of personal information to a cyber criminal, including:

  • All visited websites, URLs, & search keywords
  • Passwords to banking/financial accounts, email accounts, & social media sites
  • Emails, photos, documents, & software downloads
  • Internet phone calls & video chat sessions
  • Physical location / GPS coordinates

In the past, these attacks required specialized equipment and a high level of technical expertise. Over the years, the proliferation of plug-and-play “cyber espionage devices” has made these attacks easier than setting up a home router.

“Evil Access Point” (Evil AP) hotspot devices and keyloggers come in a variety of portable, stealthy form factors and can be purchased online for as little as $20:


In the first demonstration, Dave simulates a “Dark Hotel” attack showing how an attacker can use an Evil AP to obtain personal information from hotel guests. Using a setup similar to the NPR Project Eavesdrop drop box, Dave was able to see all visited websites, URLs, images, and search keywords in real-time.

Next, Dave uses a combination of SSL-bypass and Fake Login Pages to simulate a password capture attack against several email and social media accounts, as well as a credit card number capture attack through a fake hotel guest portal page:


Unfortunately, these “Dark Hotel” attacks are nearly impossible to detect by the average hotel-goer. Once a hotel guest unknowingly connects to one of these Evil AP hotspots, all their Internet traffic can be monitored, recorded, intercepted, and tampered with by the attacker.

Dave then illustrates how wireless keylogger devices (now sold at Amazon and Sears) can capture everything typed into a hotel business center or kiosk computer, including passwords and credit card numbers. The captured keystrokes can then be transmitted wirelessly over the Internet to an attacker residing anywhere in the world.


Lastly, Dave shows how the Pwnie Express Pwn Pad can be used by a security professional to detect and track down Evil AP hotspots:


Just like we expect hotels to keep us physically safe with modern door locks and secured windows, we need to begin expecting hotels to protect us online as well. Pwnie Express and other cyber security vendors offer technologies such as Pwn Pulse that are increasingly being deployed by hotels, banks, hospitals, and other organizations to detect and disable these types of attacks.


Evil APs defined:

Rogue/Evil Access Points — or unauthorized and unmanaged WiFi devices — can spell the end for even the most mature of Information Security programs. Rogue APs can take many forms: non-malicious employees plugging in their own Access Points for convenience, misconfigured or unconfigured wireless-enabled printers, or a $5 USB WiFi adapter that criminals can use to stand up Fake Access Points from the parking lot. Whether planted with malicious intent or installed by genuine mistake, a Rogue Access Point not under your control can give criminals direct access into your internal networks.

Evil Access Points can defeat even the most stringent WIPS/WIDS deployments, as they play on the weakest portion of any Security Program – the “Human Element.” Gone are the days of criminals having to have specialized Wireless gear and intimate knowledge of *nix to do this. With minimal cost and effort, any criminal can set up an EvilAP to lure – or even force – unsuspecting employees into joining fake wireless networks masquerading as legitimate networks.
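A defender-side check of the kind a wireless sensor automates, written here as an added example (not Pwnie Express code): compare a WiFi scan against an inventory of managed access points and flag evil twins that reuse or imitate a corporate SSID from an unknown BSSID, managed APs whose advertised security does not match the inventory, and the unmanaged printers and personal APs described above. The inventory and scan records are constructed sample data; in practice the scan would come from a monitor-mode capture.

```python
"""Rogue / evil-twin access point check against an authorized-AP inventory."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str      # AP MAC address as seen over the air
    channel: int
    security: str   # "WPA2-EAP", "WPA2-PSK" or "OPEN"


# Constructed inventory: BSSIDs the organisation actually manages and what
# each one is expected to advertise.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": ("CorpWiFi", "WPA2-EAP"),
    "00:11:22:aa:bb:02": ("CorpWiFi", "WPA2-EAP"),
    "00:11:22:aa:bb:10": ("CorpGuest", "OPEN"),
}


def _normalize(ssid: str) -> str:
    """Collapse case and separators so 'corp-wifi' matches 'CorpWiFi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify(obs: ApObservation, inventory=AUTHORIZED_APS) -> Optional[tuple]:
    """Return (severity, reason) for one observation, or None if it is a
    managed AP advertising exactly what the inventory says it should."""
    bssid = obs.bssid.lower()
    corporate_ssids = {_normalize(ssid) for ssid, _ in inventory.values()}

    if bssid in inventory:
        expected_ssid, expected_security = inventory[bssid]
        if obs.ssid != expected_ssid:
            # Our MAC, wrong name: either a spoofed BSSID or a misconfiguration.
            return ("high", "managed BSSID advertising unexpected SSID")
        if obs.security != expected_security:
            # e.g. WPA2-Enterprise silently replaced by PSK or open.
            return ("medium", "managed AP security does not match inventory")
        return None

    if _normalize(obs.ssid) in corporate_ssids:
        # Corporate (or look-alike) SSID from hardware we do not own.
        return ("high", "evil twin: corporate SSID from unknown BSSID")

    # Anything else in range: personal APs, printers, neighbours. Worth a look.
    return ("info", "unmanaged AP in range")


def report(observations, inventory=AUTHORIZED_APS):
    """Return findings as (bssid, ssid, channel, severity, reason) tuples."""
    findings = []
    for obs in observations:
        verdict = classify(obs, inventory)
        if verdict is not None:
            findings.append((obs.bssid, obs.ssid, obs.channel) + verdict)
    return findings


# Constructed scan: two legitimate APs, a parking-lot evil twin, a look-alike
# SSID, a misconfigured managed AP, and the office printer's own hotspot.
SAMPLE_SCAN = [
    ApObservation("CorpWiFi", "00:11:22:aa:bb:01", 36, "WPA2-EAP"),
    ApObservation("CorpWiFi", "de:ad:be:ef:00:01", 6, "OPEN"),
    ApObservation("corp-wifi", "de:ad:be:ef:00:02", 11, "WPA2-PSK"),
    ApObservation("CorpGuest", "00:11:22:aa:bb:10", 1, "OPEN"),
    ApObservation("HP-Print-77", "8c:dc:d4:12:34:56", 6, "OPEN"),
    ApObservation("CorpWiFi", "00:11:22:aa:bb:02", 44, "WPA2-PSK"),
]

if __name__ == "__main__":
    for finding in report(SAMPLE_SCAN):
        print(finding)
```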


Wireless Keyloggers defined:

Wireless keyloggers are rapidly becoming a physical security attack tool of choice. Keyloggers – traditionally found in software – store every keystroke the victim enters on the compromised machine. Criminals are now leveraging micro-USB sticks (some of which are so small you wouldn’t notice them plugged in) to capture all keystrokes on the target computer. This inevitably leads to the disclosure of passwords and other sensitive information. Today’s keyloggers use remote connectivity methods (such as WiFi or Bluetooth) to offload or exfiltrate their captured information. Since they aren’t directly tied to your organization’s wireless infrastructure, wireless keyloggers can operate virtually undetected.


Additional resources:

  • Dow Jones: “Five top cyber espionage devices”
  • Pwnie Express & NPR: “Project Eavesdrop”
  • Project Eavesdrop Part 1: “The Drop Box”
  • Project Eavesdrop Part 2: “A Week in the Life”
  • The Evolution of Rogue Devices
  • Evil AP: An Introduction
  • Bypassing HSTS SSL with the Mana Toolkit
  • Stealing Credentials with Fake Login Pages
  • Mapping WiFi Networks on the Pwn Pad 2014

If you are a security professional or commercial organization interested in detecting rogue devices that may be present within your enterprise, please contact us at 1-855-793-1337 or at, and our team of security experts will be in touch with you.

Pwnie Express Selected as a SINET 16 Innovator

Remote Asset Discovery and Assessment Provider Lauded for Its Cutting-Edge Cybersecurity Defense Technology

BOSTON, Nov. 18, 2014 /PRNewswire/ – Pwnie Express, providing anywhere on-demand wired and wireless network security assessment, today announced that the Security Innovation Network (SINET) has named it a SINET 16 Innovator.

Pwnie Express was selected from a pool of 180 applicants worldwide by the SINET Showcase Steering Committee, which is made up of 60 security experts from government, academia and the private sector, for its ability to combat cybersecurity threats and vulnerabilities.

The SINET Showcase will feature Pwnie Express’s Pwn Pulse solution, which provides consolidated asset discovery, vulnerability scanning, and pentesting in a single unified offering. This delivers actionable risk information showing organizations where they are most vulnerable, allowing them to focus on high probability threats and threat vectors. The event will be held December 3-4 in Washington DC.

“We are honored by SINET’s recognition of our innovative solution whose integrated intelligence delivers continuous in-depth analysis to accurately identify attack paths, allowing organizations to level the playing field against the hackers,” said Paul Paget, Pwnie Express CEO. “Pwnie Express is the only solution to assess wired and wireless network security anywhere, on-demand. Leveraging the expertise of Pwnie Labs and using open source tools our SaaS solution allows organizations to easily protect themselves against attackers who are increasingly accessing confidential data and information through remote locations.”

The SINET Showcase provides a platform for the business of Cybersecurity to take place as emerging technology companies present their solutions and connect with a select audience of nearly 400 venture capitalists, investment bankers as well as industry and government buyers.

SINET is a community builder and strategic advisor whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats. Its public-private partnership events are supported by the U.S. Department of Homeland Security, Science & Technology Directorate.

SINET also offers advisory services and a membership program that have helped build thousands of relationships and delivered value across a broad spectrum of the security community to include buyers, builders, researchers and investors.  For more information, visit  Connect with us on Twitter at @SINETconnection.  Follow the conversation about SINET 16 at #SINET16 and this year’s SINET Showcase at #SINETDC.

About Pwnie Express

Pwnie Express provides an end-to-end security assessment solution that delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. It provides sensors for individual locations and an enterprise-class Pwn Pulse solution using its sensors combined with central management for scalable continuous intelligence across remote locations.

Thousands of organizations worldwide rely on its products to conduct drop-box pentesting and provide unprecedented insight into distributed network infrastructures. Pwn Pulse allows organizations to see all the things using open source tools and platforms. The products are backed by the expertise of Pwnie Express Labs. It is headquartered in Boston, Massachusetts.

Contact: Sara Kantor
Phone: 617-267-1777

(Original Article)

10 Reasons Why Pwn Pulse Will Save You Time and Money

1. Real Time Wired, Wireless, and Bluetooth Asset Discovery

Pwn Pulse allows you to automatically discover both wired and wireless assets and helps security professionals locate rogue devices and create a comprehensive list of network devices and exceptions that may be noncompliant or harmful. Pulse detects wireless and Bluetooth devices, unlike software-agent-based solutions, so Pwn Pulse can let you actually “see all the things”.

2. Vulnerability Scanning and Validation

Runs a custom vulnerability scanner on a schedule determined by the user and visually displays aggregate data and trends while allowing technical users to drill down into the details. So you can know what’s out there to get you.

3. Penetration testing

Users can run custom scripts and assessments remotely through Pwn Pulse to further test and validate security gaps revealed by routine vulnerability scans. It’s the classic Pwnie pentesting experience.

4. Analysis of security information across a distributed network

Analytics allow users to visualize trends across the company and/or within a remote location, including a comprehensive view of assets and vulnerabilities discovered by specific sensors or groups of sensors. Results are graphically displayed on an intuitive dashboard. Because big data has taught us that more information is better… (but only when it’s organized well).

5. Frictionless Plug and play deployment

Easy to deploy without the need to install and manage agents, Pwnie Express sensors are plug-and-play, so employees in remote locations simply plug the sensors into the network. Pwn Pulse is the perfect solution for a company without technical resources at its remote sites – my grandmother could plug in a Pwnie sensor!

6. Centrally managed, easy-to-use graphic interface

Security professionals can both see its output and control its capabilities remotely. Pwn Pulse is designed to be integrated with Security Information and Event Management (SIEM) software, but even without SIEM software Pwn Pulse is the aesthetically pleasing way to assess security – anybody can see how beautifully secure your remote sites are.

7. Safe and Secure – even Dave Kennedy of TrustedSec thinks so!

Sensors are pre-configured to only communicate with their central management server, all communications and databases are encrypted, and all services are segmented to provide the highest level of defense. Because a security tool should be secure.

8. Customers love it!

You’re not the first one to use it, and people seem to like it so far:

  • It’s a “solution that allowed me to do these scans more frequently and without having to be onsite.”
  • “It allows us to have true policies in regards to our networks and computers and a true way to test that. It gives us the ability to not only have the policies on hardening our hardware but also a way to verify that it’s where it’s supposed to be.”
  • “It solves the pressing problem of continuous and comprehensive assessment of remote locations.”

9. Enterprise Capable

Pwn Pulse is designed to be a highly scalable solution capable of supporting thousands of sensors at remote locations. Each sensor reports back to its central console and users can remotely control individual sensors for penetration testing. This Pwnie grows with you.

10. It can find that *rogue* printer in your office

All jokes aside, wirelessly-connected printers are a problem.

*If you really want to read the dry stuff, Pwnie Express has also released a press release on Pwn Pulse.*



Stealing Credentials with Fake Login Pages

In previous entries, we’ve seen how client devices can be tricked into connecting to a rogue access point, giving the person running the AP full control over the client’s Internet access. The concept is fairly simple: present the client device with a WiFi network that looks like what it is expecting and the device will connect without a fuss.

As it turns out, humans can be tricked just as easily. As a general rule, people are trusting; as long as things look more or less as they expect them to, most users will continue on with their normal routine, blissfully unaware that they might be the victim of a sophisticated attack.

In this post, we’ll build on the EvilAP attack by presenting victims a cloned version of the Facebook login page in an effort to capture their login credentials. Facebook is used only as an example here, the same method can be used with any website that features a login dialog.

Note: The following assumes you’ve already configured an EvilAP and are ready for clients to connect. If you’d like to read up on how to launch an EvilAP, take a look at “EvilAP: A Practical Example”.

Social Engineering Toolkit

The Social Engineering Toolkit (SET) is a collection of tools designed to automate a wide array of exploits: everything from generating malicious QR codes to programming a microcontroller to act as an attack vector. In this particular example, we’ll be using the “Site Cloner” function, which will duplicate any website the operator chooses and capture information the victim sends to it.

To launch SET, tap its icon under the “Attack Tools” directory.


SET has its own menu system which you can navigate through by entering the numbers corresponding to the selection you wish to make.


First, select “Social-Engineering Attacks” by entering in the number 1, then number 2 for “Website Attack Vectors”.


Then enter 3 for “Credential Harvester Attack Method”, and finally, enter 2 for “Site Cloner”. You’ll then be asked for the IP address of the EvilAP, which is, followed by the URL of the site you want to clone.


All that’s left to do now is wait for the results to scroll across the screen. As victims connect to the EvilAP and try to login to Facebook (or whatever site you selected to clone), their login credentials will show up in red.




Crunching the Numbers: A Snapshot of Security

Here at Pwnie, we want to know just how we’re helping the industry. So we conducted a survey of you and your peers — hundreds of IT security professionals last month.

The survey found that 40.6 percent of you have no visibility into your wireless assets at remote sites. That’s right – zero. As wireless becomes omnipresent and businesses are increasingly distributed, often with hard-to-reach branch offices and remote sites, this could potentially spell disaster. TJX, anyone?

Additionally, the survey found that this may be because 43.9 percent of you are not even required to assess the wireless assets at your remote sites. On top of that, even when assessments are taking place, 53.6 percent of the time they are only happening quarterly or less. The survey also revealed that despite increasing compliance mandates, including the Payment Card Industry Data Security Standard (PCI DSS), 51.8 percent of you said you did not conduct penetration tests at remote locations.

Many of you have expressed to us that you would like to do more penetration testing and have full visibility into both the wired and wireless assets at all of your locations. The intentions are there, and so were many of the open-source tools, but by packaging these tools we at Pwnie Express are trying to make it easier for the security community to effectively use them across the organization.

Here is the official press release.

What’s Up, Doc?

Black Hat 2014 had a roundtable titled “Medical Devices Roundtable: Is There a Doctor in the House? Security and Privacy in the Medical World”. Rapid7’s Jay Radcliffe presented the major issues facing the healthcare industry as it moves in the direction of increasing automation of both information and devices, an expanding attack surface for all sorts of potential problems.

Though the roundtable was well-attended, Forbes’ Dan Munro pointed out that it was even more remarkable that the medical care industry itself was largely absent from the conference. Healthcare is becoming increasingly automated, and rightly so — bioanalytics and cloud-based monitoring are helping to save lives by giving doctors up-to-date information on patients and remote oversight of their health. As he pointed out, this is not a bad thing: lives are not only being saved by wirelessly controlled pacemakers and insulin pumps; the lives of sick patients are often being improved by the ability to monitor and control processes that were previously invisible to patients. In addition, medical research is infinitely easier when the information from thousands of people — all willing participants, of course — can instantly be aggregated.

Radcliffe was quick to point out the main issues: lack of regulatory oversight, lack of understanding even within regulatory organizations, and lack of knowledge within the industry. As things stand, he pointed out, security falls under no one’s domain. The FDA gives cybersecurity “guidance”, a tricky word that lacks the emphasis of retail’s PCI regulations and fines. They rightly point out that cybersecurity is a shared responsibility, which is simultaneously a problem and an opportunity, if the industry rises to the challenge.

Unfortunately, the industry is already behind. A DEF CON talk by Scott Ervin and Shawn Merdinger further explored just how lacking in security many medical devices currently are, with another Munro article noting that over 90% of cloud services used by healthcare could pose a major security risk. New devices being marketed as health monitors also have the potential to be extremely detrimental, as information gathered from the devices could be used to collect sensitive data.

Meanwhile, data breaches at hospitals and health centers are already occurring, as the recent CHS incident attests. Data breaches, surprisingly enough, are a portion of the healthcare industry that is regulated under HIPAA (the Health Insurance Portability and Accountability Act), a Health and Human Services Act that protects Personally Identifiable Information (PII). Even with HIPAA and the guidance of the FDA, more has to be done in this field.

And with the potential implications of a hack or breach being human life, the stakes could not be higher.

Pwnie Express Releases Next Generation Penetration Testing Device: The Pwn Plug R3

September 3, 2014

Pwnie Express today announced the release of the latest version of its cutting edge Pwn Plug, the R3, an inconspicuous pentesting device whose drop box form factor provides unprecedented ease of use at remote locations at a fraction of the cost of traditional penetration testing solutions.

Pwnie Express is the only company to assess wired and wireless network security anywhere, on demand. Its Pwn Plug R3 is a next-generation penetration testing device in a portable, shippable, “Plug-and-Pwn” form factor. With onboard 802.11a/b/g/n wireless, external high-gain Bluetooth, 4G/GSM cellular, ruggedized case design, and greatly improved performance and reliability over its much-lauded R2 predecessor, the Pwn Plug R3 is the enterprise penetration tester’s dream tool.

This easy-to-deploy sensor can be remotely controlled over a covert Internet channel or a cellular data connection. Preconfigured, once plugged in and turned on, the Pwn Plug R3 will look to find a way to establish a persistent SSH connection between the device and its operator’s server—including a GSM-based 4G cellular data connection.

The R3 rounds out the Pwnie Express line of comprehensive vulnerability assessment and penetration testing solutions. The solutions include Pwn Pad 2014 and Pwn Phone, mobile form factors for the on-the-go tester, Pwn Plug R3 and its more powerful medium to large enterprise Pwn Pro counterpart, drop-box sensors used for remote testing, and Pwn Pulse software as a service (SaaS) solution for those organizations with multiple hard-to-reach distributed sites that require continuous monitoring and assessment.

“Our customers are constantly looking for ways to keep cost down and quality high. With the products at Pwnie Express we can cut travel costs to zero and still provide outstanding internal assessments. They have changed our business model and hopefully the whole business model for pentesters everywhere for the better,” said John Strand, senior security analyst/principal of Black Hills Information Security.

Product benefits:
o    Provides a cost-effective lightweight, non-intrusive and easy-to-deploy solution for remote locations
o    Preconfigured, doesn’t require onsite management
o    Extends on demand penetration beyond the headquarters to remote sites
o    Allows for easy anywhere drop box deployment
o    Increases frequency and scope of remote site assessments
o    Expands awareness of wired, wireless, BYOD and rogue devices across all sites
o    Addresses PCI DSS and HIPAA compliance requirements at remote sites
o    Greatly reduces travel and operational overhead required to do security testing

Core features include:
o    Onboard dual-band 802.11a/b/g/n wireless supporting packet injection & monitor mode
o    Onboard Bluetooth supporting device scanning & monitor mode
o    External 6-band (worldwide) 4G/GSM cellular USB adapter
o    Intel-based hardware delivers professional-grade performance & reliability
o    External unlocked 4G/GSM cellular adapter (SIM not included)
o    Runs Pwnix, a custom Debian distro based on Kali Linux
o    Over 100 OSS-based pentesting tools including Metasploit, SET, Kismet, Aircrack-NG, SSLstrip, Nmap, Hydra, W3af, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, and more
o    Simple web-based administration and in-product updates with “Pwnie UI”
o    One-click Evil AP & Passive Recon services
o    Persistent reverse-SSH access to your target network
o    6 unique covert channels for remote access through application-aware firewalls and IPS
o    Supports HTTP proxies, SSH-VPN, & OpenVPN
o    Out-of-band SSH access over 4G/GSM cell networks
o    Wired NAC/802.1x/RADIUS bypass capability
o    Unpingable and no listening ports in stealth mode
o    Local console access via HDMI

“It’s challenging for today’s globally-distributed organizations and consultants to assess the security of remote sites and branch offices. Today’s cyber criminals know this and are increasingly concentrating their efforts on these often-overlooked entry points,” said Dave Porcello, Pwnie Express CTO and Founder. “The Pwn Plug R3 helps these organizations and consultants gain deep visibility into these remote locations without physically traveling to each site, providing a cost-effective means to mitigate these attacks.”

Availability And Pricing
Pwn Plug R3 is generally available, priced at $995.

About Pwnie Express
Pwnie Express provides simple and scalable asset discovery, vulnerability scanning, and penetration testing solutions for remote sites and all wireless spectrums. At its core are open source tools integrated on a smart platform available in a variety of form factors, which have helped thousands of enterprises worldwide get unprecedented real-time actionable insight into their distributed network infrastructure. The award-winning products are backed by the expertise of Pwnie Express Labs, the company’s security research arm. The company is headquartered in Boston, Massachusetts.

[Press Release]

Congratulations to the Winners of our Vegas Pwn Phone Drawings!

Congratulations to Eric Meyers of Corning, Inc. and Joe Burgos of Molina Healthcare, the winners of our Pwn Phone drawings at Black Hat and DEF CON! The Pwn Phone 2014 is a high-speed, lightweight LG Nexus 5 smart phone that is the ideal choice for on-the-road pentesting and onsite assessments. The Pwn Phone 2014 can evaluate wired, wireless, and Bluetooth networks and has over 100 open source pentesting tools.