Hackers, Security Pros Talk Penetration Testing, Social Engineering
CIO.com goes undercover (sort of) at GrrCon, the Midwest's premier conference on penetration testing and software security, to learn about cloud security, hacking, lock picking and more.
By Matthew Heusser
You might have heard of DefCon, the big, bad, Las Vegas penetration and hacking conference where gray (and darker) hats show off their exploits.
It’s less likely that you’ve heard of GrrCon, the Grand Rapids, Mich.-based hacking and penetration conference. The event drew 850 attendees in this, its second year, charging as little as $85 per attendee—or $280 for the “VIP Pass” that provided attendees a front-row seat (and power cords) at the keynotes and access to Ping Pong, Foosball, video games and snacks in the speakers’ lounge.
The conference brought together security professionals to talk about how to harden systems and detect intrusions, how to conduct penetration testing, and the attack techniques used to compromise and gain access to a system.
In a twist, the opening keynote speaker, Kevin Johnson of Secure Ideas (motto: “Professionally Evil”), is unable to attend, so a pseudonymous hacker known as “atlas of D00m” gives the talk in his place. By the end of the talk, I am honestly not sure if Johnson is atlas—and I am not about to try the local “free” wireless to find out.
His main point: penetration testing needs to happen, and it should be folded into an overall security policy. In other words, pen testing will find defects, and, when testing occurs again in six months, those defects should not show up again because they have been fixed. In addition, “atlas” points out that compromised users are embarrassed users and will be the biggest advocates for security in the organization for the foreseeable future.
After the keynote, I check out the lockpicking demonstration. The conference set up a table with free lockpicking tools and held a competition the following day.
In addition, there’s a penetration testing “capture the flag” contest. Kurt Rhoades, a local IT technician, shows me how he is using BackTrack Linux and a tool called nmap to discover servers on the private network. After discovering the servers’ IP addresses, he uses nmap again to scan their ports and find open services, then Metasploit to find and run attacks.
Lary Holland, president of NEM Technology, leads off a talk whose title says it all: “You have your firewall, but the hacker threat is already in your office—[or], the killer is already in your house.”
Thanks to the bring-your-own-device (BYOD) trend, Holland says, infected computers can now bypass the firewall entirely and attack from the inside. He suggests expanded intrusion detection that not only inspects packets for signatures but also watches where they go and, in effect, creates virtual private networks to enforce role-based security. In other words, if an engineer logs into the network with any device, that device will not be able to ping, route to or view any of the systems in, say, accounting. Holland also suggests user profile monitoring software to evaluate the threat posed by an employee who may be “checking out” another department’s information on the shared folder system.
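The “user profile monitoring” idea in Holland’s talk comes down to comparing who touched which share against who is supposed to. The following is an added illustration written for this article, not software from NEM Technology, GrrCon or any vendor named here. The audit-log layout, the share names, the HR roster and the alert threshold are all constructed assumptions; a real deployment would read Windows file-share audit events or a file server’s access log instead.

```python
"""Flag employees who read other departments' file shares.

Added example, not code from the original article or from NEM Technology.
Log format, share names, roster and threshold are all constructed.
"""
from collections import defaultdict
import re

# Constructed HR roster: which department each account belongs to (assumption).
ROSTER = {
    "alice": "engineering",
    "bob": "engineering",
    "carol": "accounting",
}

# Constructed policy: which department owns each share prefix.
# None means the share is open to everyone; unlisted prefixes are treated
# as someone else's data and therefore flagged.
SHARE_OWNER = {
    r"\\files\eng": "engineering",
    r"\\files\acct": "accounting",
    r"\\files\public": None,
}

# Constructed audit lines in a simple "timestamp user action path" layout.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<path>.+)$")

SAMPLE_LOG = r"""
2012-09-28T09:01:02 alice READ \\files\eng\specs\router.docx
2012-09-28T09:03:10 alice READ \\files\public\holidays.pdf
2012-09-28T09:05:44 bob READ \\files\acct\payroll\2012-q3.xlsx
2012-09-28T09:06:01 bob LIST \\files\acct\payroll
2012-09-28T09:07:15 bob READ \\files\acct\vendors\contracts.xlsx
2012-09-28T09:09:30 carol READ \\files\acct\payroll\2012-q3.xlsx
2012-09-28T09:10:00 mallory READ \\files\eng\specs\router.docx
"""


def owner_of(path):
    """Department that owns a path: a name, None for public, or 'unknown'."""
    p = path.lower()
    for prefix, dept in SHARE_OWNER.items():
        pre = prefix.lower()
        # Match the share root itself or anything strictly beneath it, so
        # \\files\engineering does not accidentally count as \\files\eng.
        if p == pre or p.startswith(pre + "\\"):
            return dept
    return "unknown"


def parse(log_text):
    """Yield one dict per well-formed audit line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def out_of_department_access(log_text, roster=ROSTER):
    """Map user -> [(path, owning department), ...] for accesses outside
    the user's own department. Unknown users are flagged on every access."""
    hits = defaultdict(list)
    for ev in parse(log_text):
        dept = owner_of(ev["path"])
        if dept is None:
            continue  # public share, nothing to flag
        home = roster.get(ev["user"])
        if home is None or dept != home:
            hits[ev["user"]].append((ev["path"], dept))
    return dict(hits)


def alerts(log_text, threshold=2, roster=ROSTER):
    """Return (user, count, reason) tuples worth a human look: any account
    missing from the roster, or any employee with >= threshold foreign reads.
    The threshold absorbs the occasional stray click on a wrong share."""
    out = []
    for user, events in sorted(out_of_department_access(log_text, roster).items()):
        if user not in roster:
            out.append((user, len(events), "user not in roster"))
        elif len(events) >= threshold:
            depts = sorted({d for _, d in events})
            out.append((user, len(events),
                        "read " + ", ".join(depts) + " shares from " + roster[user]))
    return out


if __name__ == "__main__":
    for user, count, reason in alerts(SAMPLE_LOG):
        print(f"{user}: {count} event(s), {reason}")
```

On the constructed log this reports bob (an engineer reading accounting’s payroll and vendor files three times) and mallory (an account that is not on the roster at all); alice and carol stay quiet because they only touched their own or public shares. The same roster-versus-owner comparison is what the role-based segmentation Holland describes enforces at the network layer; this version instead detects it after the fact from access records.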
Highlights: Chance Encounters, Hearing From a 30-Year Hacker
For me, the real value of attending a conference is meeting people in the hallway. One was Drew Looyenga, an account representative for Grand Rapids-based ISI.
Looyenga is here to hire, as ISI has grown from 17 to 50 employees in just two years. GrrCon is a great place to recruit, he says, because it draws enthusiasts—people who don’t just do IT but also care about it passionately.
To that end, Looyenga was handing out USB keys containing data in electronic file formats so rare that they were essentially encoded; one, for example, was an executable compiled for a rare UNIX distribution. Opening the file and showing Looyenga the output is the first step in the job interview process, he says.
I also had a chance meeting with Josh Soehnlein, a security hobbyist who built a Raspberry Pi device that senses attempts by personal equipment to join a wireless network. (He’s looking for a programmer to help him extend and document the framework.) The device, which Soehnlein documents at hilt.co, sends signals back confirming that it is in fact the “home wireless network,” creates connections and monitors the traffic. To the hobbyist, this is a parlor trick; to the enterprise, this is a nice way to identify and correct possible vulnerabilities from users who bring their own devices into the network.
The real highlight of the show, though, was the talk by Kevin Mitnick, one of the first documented hackers.
He began with an example of a simple hack—a picture of the front of someone’s American Express card, complete with the security code, which he had snapped at dinner the night before.
Next, Mitnick explains how his career as a hacker unfolded.
At 12, he discovered how the Los Angeles bus system’s ticket-punching scheme worked, went Dumpster diving for blank transfer paper, rode the bus for free and gave free rides to people waiting at bus stops.
In his teens, Mitnick was cracking phone systems—making free calls, looking up unlisted numbers and so on. (Steve Jobs, the founder of Apple, started out the same way.)
In computer class, Mitnick’s first assignment was to write a program to find the first 100 Fibonacci numbers. He instead wrote a program to simulate the login prompt at a teletype, capture the password and log into the system.
Mitnick ultimately became best known for, and most successful at, using social engineering techniques to steal, among other things, the source code for VAX/VMS, for which he eventually went to prison. (He was released in 2000 and forbidden from profiting from books or films based on his criminal activity for seven years.)
Social engineering is an alternative to “hard” cracking, which attacks open ports and weaknesses in software. Instead, Mitnick simply convinced people that he deserved to have key information: user IDs, passwords and, after his first arrest in 1988, when he was on the run from an outstanding warrant, the birth and death certificates needed to create a new identity.
Security Professionals: Trust No One
Mitnick’s success with social engineering was one recurring theme of GrrCon. Any hardened, secure asset can be compromised by a single bad judgment about whom to trust.
The other theme? Trust no one.
At one point, I hear that a company, Southfield, Mich.-based 24×7 Security, is hiring. I ask for a picture and quick interview with the company’s representative at GrrCon, reckoning that a mention on CIO.com could help lead to new hires. He assumes I am doing some sort of social engineering attack and won’t tell me his name or let me take his picture.
This “anonymous” culture was prevalent; several of the speakers, as noted, used pseudonyms or false names. Most professionals attending the conference took time off to do so, meaning they paid out of pocket. With a low registration fee of $85, attendees came from a variety of backgrounds, which may allow for the kind of recruiting Looyenga wants to do.
Of course, the joke was on them. I got a free conference pass to the event with a social engineering attack.