Scaling the Firewall 

Many a lucrative industry is born from antiestablishment roots. Hip-hop music tapped the gritty lifestyle of inner-city gangs and turned it into solid gold. Surfers and skateboarders turned once-maligned and often-illegal recreational pastimes into family-friendly, multibillion-dollar industries.

Similarly, the cyber-security world has its share of entrepreneurs who wear the “hacker” label with pride. Hacker Jeff Moss, aka “The Dark Tangent,” founded two of the world’s largest hacker conventions, Black Hat Technical Security Conference and DEF CON Hacking Conference. In recent years, these annual events have morphed into recruitment grounds for cyber-security experts working at the FBI, CIA, NSA and Pentagon. Further evidence that the lines between the black hats and white hats can be blurry: In April, Moss was appointed chief security officer for the nonprofit Internet Corporation for Assigned Names and Numbers, the group charged with preserving the operational stability of the Internet.

Vermont’s own Pwnie Express, founded in 2010, also embraces the hacker aesthetic. The company sells products that allow its clients to test for vulnerabilities in their computer networks. The name comes from the hacker term “pwn” — it rhymes with “own” — which means to control another person’s computer, often surreptitiously and for unscrupulous purposes.

Despite the illicit-sounding moniker, company founder and sole employee Dave Porcello says Pwnie Express is one of the good guys. His clients are all “legitimate security professionals” who work to keep criminal hackers from breaching their firewalls and wreaking havoc on their organizations.

Pwnie Express helps its clients play defense by providing a good offense. Porcello admits that the company’s hottest product, the “Pwn Plug,” is a very powerful offensive tool that can be dangerous in the wrong hands. Little wonder that since its release, in August 2010, hundreds of Pwn Plugs have been sold to security experts at major corporations, universities, and U.S. military and intelligence agencies.

Porcello, 32, is a former IT security expert from Boston who spent five years at Vermont Mutual Insurance Group in Montpelier before leaving the company in June just as his business took off. He says the idea behind the Pwn Plug — a “drop box,” or tiny computer, that’s designed to give a user remote access to a computer network through covert channels — has been floating around for years. He was simply the first to commercialize it.

“It’s something that hackers are actively using, so security professionals have to be aware of it, too,” Porcello explains. “And some of them are realizing they have to be using them themselves.”

Mark Hughes, a former U.S. Army cryptographer who handles marketing for Pwnie Express, explains how the Pwn Plug fits into a previously unfilled niche of the information security world known as “vulnerability assessment,” an umbrella term for various technical analyses of computer networks.

Simply put, a vulnerability assessment looks for weaknesses or avenues that allow hackers to enter a network undetected. Once inside, a hacker may try to damage, disrupt or shut down an organization’s operations, as a hacker named “Codeine” did to the University of Vermont’s website in August. A hacker may plant malicious software, or “malware,” to harvest valuable data, such as credit card numbers and other personally identifiable information that can be used for fraud and identity theft. A hacker may also steal proprietary information for industrial espionage, state secrets for cyberterrorism, or classified information to shame or embarrass a government.

“A lot of times you can be losing data and not know you’re losing [them], and still be held responsible,” Hughes explains. “So, the question is, how can you get on to your own network and know whether data [are] leaking?”

Security experts protect against such leakage, sometimes called “data exfiltration,” by conducting penetration testing, or “pentesting” for short. In effect, pentesting identifies those vulnerabilities, then exploits them in the same way a hacker would.

Enter the Pwn Plug, a 1.2-gigahertz microcomputer that’s about the size of a battery charger and fits in the palm of your hand. It plugs into a wall outlet and connects to a network either wirelessly or via an ethernet cable. It runs a suite of open-source software familiar to all security professionals, but it’s the first device that lets a user operate it remotely.

The Pwn Plug is small, portable and relatively inexpensive — it sells for $380 — and part of its appeal is its stealthy profile. Since the device can easily be mistaken for an AC adaptor or power brick, the Pwn Plug can be placed in an office surreptitiously and never attract suspicion. In fact, it even comes with decals that can camouflage it as another gizmo, such as a plug-in air freshener.

Once connected, Hughes says, the Pwn Plug creates an “encrypted tunnel” through the firewall and out of the network. Essentially, this secure channel can then be used to control the device remotely. It’s at the discretion of the user to determine what software tools he or she decides to run — and for what purposes.

Who’s getting the Pwn Plug? Porcello and Hughes won’t disclose the names of specific customers, but of the more than 400 devices that Pwnie Express has sold — the majority in the last three months — some have gone to Fortune 50 companies, the U.S. Army, Air Force, Coast Guard and Department of Defense. In fact, Pwnie Express now has the authority to sell to any agency of the U.S. government and has secured export certification, though the company can’t sell to foreign governments. (Porcello claims an order even came in from Iran; it was denied.)

One Pwnie Express buyer is a security professional who was tasked by his employer, a major national bank, with infiltrating 14 of the company’s branches. According to Hughes, the security professional would enter each branch and pretend to be a maintenance worker who was monitoring the building’s climate-control system. Each time he was allowed inside, he’d connect the Pwn Plug to a computer via an ethernet cable. One bank manager even got up from her chair and allowed him to climb under her desk to install it. The exercise demonstrated to the bank just how easy it would be to pierce its defenses.

And just last week, Hughes was contacted by a state attorney general’s office, which ordered a “Pwn Phone” — a similar Pwnie Express product, which operates on cellphone and wireless networks — to track an ethnic gang that traffics in children. As Porcello puts it, “Apparently, this is something people have been waiting for.”

Although Pwnie Express was incorporated last year, Porcello says he sold fewer than a half-dozen Pwn Plugs in 2010 and did no marketing whatsoever on the product until recently. Porcello and several of his subcontractors (including Hughes) attended Black Hat in late July but didn’t even set up a booth.

Nevertheless, as they arrived at the convention site, Caesars Palace in Las Vegas, Porcello recalls riding up the escalator and being surprised by a giant Cisco Systems banner on the wall that read, “Take our security challenge and win a Pwnie Express Pwn Phone.” The following week, at the DEF CON conference in Vegas, Pwnie Express set up a booth and sold more than 200 Pwn Plugs in three days.

“It was extremely well received,” Porcello says.

The potential for abuse of these devices is obvious. Peter Stephenson is director of Norwich University’s Center for Advanced Computing and Digital Forensics, and also serves as Norwich’s chief information security officer. He says Norwich is hit by about 13,000 cyber attacks per day, so he fully appreciates the nature of the risks out there.

Stephenson, who is familiar with the Pwn Plug but hasn’t tested one himself, calls the device “a very dangerous tool, because it provides the ability to have a back door into the network.”

As he explains, most computer networks are what he calls “candy networks: They’re hard and crunchy on the outside and soft on the inside.” That is, in recent years firewalls have become sufficiently hardened to keep out most unwanted visitors. The far bigger threats these days are those that come from inside the firewall, where it’s far less common for data to be encrypted.

How do hackers get to the “soft inside”? Stephenson likens today’s most serious computer threats to vampires: They can’t bite you in your own home unless they’re invited inside. Hackers do this in a variety of ways, such as by sending seemingly innocuous and legitimate emails containing attachments with malware or other hidden programs. The Pwn Plug, he adds, could be used as a security tool, or “like the vampire.” Once allowed inside, it can suck your network dry.

Stephenson emphasizes that he’s not denigrating the product or its developer.

“I have all the respect in the world for those folks [at Pwnie Express],” he adds. “What these guys have done with this thing is clever. The technology is good technology.”

At the same time, Stephenson notes that when he mentioned the Pwn Plug to Norwich’s security engineer, “His immediate reaction was, ‘I’m glad that that won’t work on our network, because if it did, every student in here would have one.’”

When asked about that remark, Porcello’s smile could almost be heard over the phone line.

“I don’t know,” he says. “A lot of people think that. But in reality, I can pretty much guarantee that this would get through their network.”

Let the cyber games begin.

Pwnie Express will be exhibiting at the Vermont Tech Jam this Friday and Saturday, October 28 and 29, at the Borders building on Church Street.