Hackers, Security Pros Talk Penetration Testing, Social Engineering

CIO.com goes undercover (sort of) at GrrCon, the Midwest's premier conference on penetration testing and software security, to learn about cloud security, hacking, lock picking and more.

By Matthew Heusser
Wed, October 24, 2012

CIO — You might have heard of DefCon, the big, bad, Las Vegas penetration-testing and hacking conference where gray (and darker) hats show off their exploits.

It's less likely that you've heard of GrrCon, the Grand Rapids, Mich.-based hacking and penetration-testing conference. The event drew 850 attendees in this, its second year, charging as little as $85 per attendee—or $280 for the "VIP Pass" that gave attendees a front-row seat (and power cords) at the keynotes and access to Ping Pong, Foosball, video games and snacks in the speakers' lounge.

Best Defense Against Hackers: Good Offense

The conference brought together security professionals to talk about how to harden systems and detect intrusions, how to conduct penetration tests, and the attack techniques used to compromise and gain access to a system.


In a twist, the opening keynote speaker, Kevin Johnson of Secure Ideas (motto: "Professionally Evil"), is unable to attend, so a pseudonymous hacker known as "atlas of D00m" gives the talk in his place. By the end of the talk, I am honestly not sure if Johnson is atlas—and I am not about to try the local "free" wireless to find out.

Hacker "atlas of D00m" on stage at GrrCon.

His main point: penetration testing needs to happen, and it should be folded into an overall security policy. In other words, a pen test will find defects, and when the test is repeated six months later, those same defects should not show up again because they have been fixed. In addition, "atlas" points out that compromised users are embarrassed users, and will be the biggest advocates for security in the organization for the foreseeable future.

After the keynote, I check out the lockpicking demonstration. The conference set up a table with free lockpicking tools and held a competition the following day.

Attendees practice lockpicking with free tools—an artifact of the digital lifestyle.

In addition, there's a penetration testing "capture the flag" contest. Kurt Rhoades, a local IT technician, shows me how he is using BackTrack Linux and a tool called Nmap to discover live hosts on the contest's private network. After discovering the servers' IP addresses, he uses Nmap again to scan their ports and identify the services listening on them, then turns to Metasploit to find matching exploit modules and run them against those services.
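The discovery-then-exploit workflow Rhoades describes produces a lot of Nmap output, and the useful step in between is triaging it into a target list. The script below is an added example for this article, not code from GrrCon, Rhoades, Nmap or Metasploit: it parses Nmap's greppable (-oG) output, keeps only open ports, and turns each open service into an msfconsole search command. The scan output, hosts, and versions embedded in it are constructed for illustration, and the service-to-keyword mapping is a hypothetical heuristic, not part of either tool.

```python
"""Triage Nmap greppable (-oG) output into open services and Metasploit searches.

Added example (not from the article, GrrCon, Nmap or Metasploit). The
workflow it supports is the one in the text:

    nmap -sn 10.10.0.0/24 -oG hosts.gnmap          # host discovery
    nmap -sV -p- -iL live.txt -oG services.gnmap   # port + service scan
    msfconsole                                     # then: search type:exploit <keyword>
"""
import re
from collections import defaultdict

# Constructed sample of -oG output; hosts, ports and versions are made up.
# Nmap's greppable port field is port/state/proto/owner/service/rpc/version/
# and Nmap writes '|' instead of '/' inside fields, so splitting on '/' is safe.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated Sat Sep 29 10:02:11 2012 as: nmap -sV -p- -iL live.txt -oG services.gnmap
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian 3ubuntu7/, 80/open/tcp//http//Apache httpd 2.2.14 ((Ubuntu))/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (65532)
Host: 10.10.0.9 ()\tStatus: Up
Host: 10.10.0.9 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 3389/open/tcp//ms-wbt-server///
# Nmap done at Sat Sep 29 10:31:40 2012 -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical alias table: Nmap service names that are better searched in
# Metasploit under a different keyword. Extend as needed.
SERVICE_ALIASES = {"microsoft-ds": "smb", "netbios-ssn": "smb", "ms-wbt-server": "rdp"}

HOST_RE = re.compile(r"Host:\s+(\S+)")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Hosts that are up but have no 'Ports:' line still appear with an empty list,
    so the caller can see discovery results even before the service scan.
    """
    services = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        host = HOST_RE.match(line).group(1)
        services.setdefault(host, [])
        fields = line.split("\t")
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # 'Status: Up' line from host discovery
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            if state != "open":
                continue  # filtered/closed ports are not targets
            services[host].append((int(port), proto, service, version))
    return dict(services)


def msf_search_commands(services):
    """Map each open service to an msfconsole 'search' command.

    Returns [(host, port, command), ...]. Keyword choice is a heuristic:
    alias table first, then the product name from the version banner,
    else the Nmap service name.
    """
    commands = []
    for host, entries in sorted(services.items()):
        for port, _proto, service, version in sorted(entries):
            if service in SERVICE_ALIASES:
                keyword = SERVICE_ALIASES[service]
            elif version:
                keyword = version.split()[0].lower()  # e.g. "openssh", "apache"
            else:
                keyword = service
            commands.append((host, port, f"search type:exploit {keyword}"))
    return commands


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for host, entries in sorted(found.items()):
        print(host)
        for port, proto, service, version in entries:
            print(f"  {port}/{proto}  {service:<14} {version}")
    print("\nSuggested msfconsole searches:")
    for host, port, cmd in msf_search_commands(found):
        print(f"  {cmd:<32} # {host}:{port}")
```

Feed it a real file with `parse_gnmap(open("services.gnmap").read())`; the point of the alias table is that Nmap's service names (`microsoft-ds`) and Metasploit's module names (`smb`) do not always agree, so a naive search on the raw service name misses modules.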

