Hackers, Security Pros Talk Penetration Testing, Social Engineering

You might have heard of DefCon, the big, bad, Las Vegas penetration and hacking conference where gray (and darker) hats show off their exploits.

It's less likely that you've heard of GrrCon, the Grand Rapids, Mich.-based hacking and penetration conference. The event drew 850 attendees in this, its second year, charging as little as $85 per attendee, or $280 for the "VIP Pass" that gave attendees a front-row seat (and power cords) at the keynotes and access to Ping Pong, Foosball, video games and snacks in the speakers' lounge.

Best Defense Against Hackers: Good Offense

The conference brought together security professionals to talk about how to harden systems and detect intrusions, how to conduct penetration tests, and the attack techniques used to compromise and gain access to a system.


In a twist, the opening keynote speaker, Kevin Johnson of Secure Ideas (motto: "Professionally Evil"), is unable to attend, so a pseudonymous hacker known as "atlas of D00m" gives the talk in his place. By the end of the talk, I am honestly not sure whether Johnson is atlas, and I am not about to try the local "free" wireless to find out.

Hacker "atlas of D00m" on stage at GrrCon.

His main point: penetration testing needs to happen, and it should be folded into an overall security policy. In other words, pen testing will find defects, and, when testing occurs again in six months, those defects should not show up again because they have been fixed. In addition, "atlas" points out that compromised users are embarrassed users and will be the biggest advocates for security in the organization for the foreseeable future.

After the keynote, I check out the lockpicking demonstration. The conference set up a table with free lockpicking tools and held a competition the following day.

Attendees practice lockpicking with free tools, an artifact of the digital lifestyle.

In addition, there is a penetration-testing "capture the flag" contest. Kurt Rhoades, a local IT technician, shows me how he is using BackTrack Linux and the nmap scanner to discover servers on the private contest network. After discovering the servers' IP addresses, he uses nmap again to scan their ports and find open services, then turns to Metasploit to find and run attacks against them.
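The two-stage recon sequence Rhoades walked through (host discovery first, then a port and service scan of the live hosts), as an added example that is not code from the conference, from BackTrack or from the nmap project. It builds the nmap command lines and parses nmap's greppable (`-oG`) output into a host-to-open-services map, which is the list a tester then matches against Metasploit modules. The two sample outputs are constructed so the block runs offline; the 10.0.0.0/24 range, hostnames and service banners are placeholders.

```python
"""Two-stage nmap reconnaissance: a ping sweep, then a service scan of the
live hosts, with the greppable (-oG) output parsed into host -> open services.

Added example.  SAMPLE_DISCOVERY and SAMPLE_PORTSCAN are CONSTRUCTED nmap
output (no network access needed); addresses and banners are placeholders.
"""
import re
import subprocess
from typing import Dict, List, Tuple

Service = Tuple[int, str, str, str]  # (port, protocol, service name, version)

# nmap -oG writes one "Host:" line per address.  A -sn run carries
# "Status: Up|Down"; a port scan carries a tab-separated "Ports:" field whose
# entries are  port/state/protocol/owner/service/rpc_info/version/
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

SAMPLE_DISCOVERY = (
    "# Nmap 6.01 scan initiated Sat Sep 29 10:00:00 2012 as: nmap -sn -oG - 10.0.0.0/24\n"
    "Host: 10.0.0.1 (gw.lab)\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tStatus: Down\n"
    "Host: 10.0.0.7 ()\tStatus: Up\n"
    "# Nmap done at Sat Sep 29 10:00:04 2012 -- 256 IP addresses (3 hosts up) scanned\n"
)

SAMPLE_PORTSCAN = (
    "Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/"
    "\tIgnored State: closed (999)\n"
    "Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.0.0.7 ()\tPorts: 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (999)\n"
)


def discovery_cmd(cidr: str) -> List[str]:
    """Stage 1: host discovery only (-sn), greppable output on stdout (-oG -)."""
    return ["nmap", "-sn", "-oG", "-", cidr]


def portscan_cmd(hosts: List[str]) -> List[str]:
    """Stage 2: TCP port scan with service/version detection (-sV) of the live hosts."""
    return ["nmap", "-sV", "-oG", "-", *hosts]


def parse_live_hosts(greppable: str) -> List[str]:
    """Addresses that a -sn greppable run reported as Up, in scan order."""
    return [m.group(1) for m in map(HOST_RE.match, greppable.splitlines())
            if m and m.group(3) == "Up"]


def parse_open_services(greppable: str) -> Dict[str, List[Service]]:
    """Map each host to its open services; closed/filtered ports are dropped and
    hosts with nothing open are omitted."""
    services: Dict[str, List[Service]] = {}
    for line in greppable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            if state == "open":
                services.setdefault(host, []).append((int(port), proto, name, version.strip()))
    return services


def targets_for(services: Dict[str, List[Service]], name: str) -> List[Tuple[str, int]]:
    """(host, port) pairs running a named service, e.g. to fill RHOSTS/RPORT
    of a Metasploit module chosen for that service."""
    return [(host, port) for host, svcs in services.items()
            for port, _proto, svc, _ver in svcs if svc == name]


def run(cmd: List[str]) -> str:
    """Execute nmap and return its stdout (only used in the live __main__ path)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    live = parse_live_hosts(run(discovery_cmd("10.0.0.0/24")))
    found = parse_open_services(run(portscan_cmd(live)))
    for host, svcs in sorted(found.items()):
        for port, proto, name, version in svcs:
            print(f"{host}:{port}/{proto:<4} {name:<14} {version}")
```

Run as a script against a range you are authorized to scan; the parsers work on saved `-oG` files just as well, which is handy when the scan and the analysis happen on different machines.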

Lary Holland, president of NEM Technology, leads off a talk whose title says it all: "You have your firewall, but the hacker threat is already in your office-[or], the killer is already in your house."


Thanks to the bring-your-own-device (BYOD) trend, Holland says, infected computers can now bypass the firewall entirely and attack from the inside. He suggests intrusion detection that not only matches packets against signatures but also watches where they go and, in effect, builds virtual private networks to enforce role-based segmentation. In other words, if an engineer logs into the network with any device, that device will not be able to ping, route to or view any of the systems in, say, accounting. Holland also suggests user-profile monitoring software to evaluate the threat from an employee who may be "checking out" another department's information on the shared file system.

Highlights: Chance Encounters, Hearing From a 30-Year Hacker

For me, the real value of attending a conference is meeting people in the hallway. One was Drew Looyenga, an account representative for Grand Rapids-based ISI.

Drew Looyenga throws real software reverse engineering puzzles and challenges at would-be employees as the first step in the hiring process.

Looyenga is here to hire, as ISI has grown from 17 to 50 employees in just two years. GrrCon is a great place to recruit, he says, because it draws enthusiasts, people who don't just do IT but also care about it passionately.

To that end, Looyenga was handing out USB keys containing data in electronic file formats so rare that they were essentially encoded; one, for example, was an executable compiled for a rare UNIX distribution. Opening the file and showing Looyenga the output is the first step in the job interview process, he says.


I also had a chance meeting with Josh Soehnlein, a security hobbyist who built a Raspberry Pi device that senses attempts by personal equipment to join a wireless network. (He's looking for a programmer to help him extend and document the framework.) The device, which Soehnlein documents at hilt.co, sends signals back confirming that it is in fact the "home wireless network," creates connections and monitors the traffic. To the hobbyist, this is a parlor trick; to the enterprise, this is a nice way to identify and correct possible vulnerabilities from users who bring their own devices into the network.
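The enterprise use Soehnlein's device points at is the part worth automating: a client that broadcasts the names of networks it will auto-join will associate with anything that answers "yes, I am that network". The following is an added example, not code from the hilt.co device, that triages monitor-mode capture lines to find such clients. The capture lines are constructed in a tcpdump-like format; the MAC addresses and SSIDs (including the "trusted" corporate SSID) are placeholders.

```python
"""Triage of 802.11 probe requests: which client devices leak the names of
networks they will auto-join, and so would associate with a rogue access
point that simply answers their probes.

Added example.  SAMPLE_CAPTURE is CONSTRUCTED in a tcpdump-like monitor-mode
format; MACs and SSIDs are placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Directed probe: "SA:<client mac> Probe Request (<ssid>)".  A wildcard probe
# has an empty SSID and reveals no network name.
PROBE_RE = re.compile(r"SA:([0-9a-f:]{17}) Probe Request \((.*?)\)", re.I)

SAMPLE_CAPTURE = """\
10:15:02.118 BSSID:Broadcast DA:Broadcast SA:a4:5e:60:10:20:30 Probe Request (HomeNet) [1.0 2.0 5.5 11.0 Mbit]
10:15:02.250 BSSID:Broadcast DA:Broadcast SA:a4:5e:60:10:20:30 Probe Request (attwifi) [1.0 2.0 5.5 11.0 Mbit]
10:15:03.004 BSSID:Broadcast DA:Broadcast SA:a4:5e:60:10:20:30 Probe Request (CorpWiFi) [1.0 2.0 5.5 11.0 Mbit]
10:15:03.910 BSSID:Broadcast DA:Broadcast SA:08:00:27:aa:bb:cc Probe Request () [1.0 2.0 5.5 11.0 Mbit]
10:15:04.377 BSSID:Broadcast DA:Broadcast SA:3c:07:54:de:ad:01 Probe Request (CorpWiFi) [1.0 2.0 5.5 11.0 Mbit]
10:15:05.002 BSSID:Broadcast DA:Broadcast SA:a4:5e:60:10:20:30 Probe Request (HomeNet) [1.0 2.0 5.5 11.0 Mbit]
10:15:05.771 BSSID:00:1d:7e:11:22:33 DA:Broadcast SA:00:1d:7e:11:22:33 Beacon (CorpWiFi) [1.0 2.0 5.5 11.0 Mbit]
"""


def parse_probes(capture: str) -> Dict[str, Set[str]]:
    """Map each client MAC to the set of SSIDs it probed for by name.
    Beacons and other frames are ignored; wildcard probes are dropped."""
    probes: Dict[str, Set[str]] = defaultdict(set)
    for line in capture.splitlines():
        m = PROBE_RE.search(line)
        if m and m.group(2):
            probes[m.group(1).lower()].add(m.group(2))
    return dict(probes)


def impostor_targets(probes: Dict[str, Set[str]],
                     trusted_ssids: Iterable[str]) -> Dict[str, List[str]]:
    """Clients probing for networks the organisation does not run.  Each such
    SSID is one a rogue AP could claim to be to get the device to associate;
    the report is what a BYOD policy owner would chase down."""
    trusted = set(trusted_ssids)
    report: Dict[str, List[str]] = {}
    for mac, ssids in probes.items():
        leaked = sorted(s for s in ssids if s not in trusted)
        if leaked:
            report[mac] = leaked
    return report


if __name__ == "__main__":
    for mac, leaked in impostor_targets(parse_probes(SAMPLE_CAPTURE), {"CorpWiFi"}).items():
        print(f"{mac} would join an impostor for: {', '.join(leaked)}")
```

Feed it real lines from `tcpdump -i <monitor interface> -e type mgt subtype probe-req` and the only thing to adjust is the trusted-SSID set; the wildcard-probe filter matters because modern clients mostly send those, and only the named probes identify a network worth impersonating.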

The real highlight of the show, though, was the talk by Kevin Mitnick, one of the first documented hackers.

He began with an example of a simple hack: a picture of the front of someone's American Express card, complete with the security code, which he had snapped at dinner the night before.

Next, Mitnick explains how his career as a hacker unfolded.

  • At 12, he discovered how the Los Angeles bus system ticket-punching system worked, went Dumpster diving for blank transfer paper, rode the bus for free and gave free rides to people waiting at bus stops.
  • In his teens, Mitnick was cracking phone systems-making free calls, looking up unlisted numbers and so on. (Steve Jobs, the founder of Apple, started out the same way.)
  • In computer class, Mitnick's first assignment was to write a program to find the first 100 Fibonacci numbers. He instead wrote a program to simulate the login prompt at a teletype, capture the password and log into the system.
  • Mitnick ultimately became best known for, and most successful at, using social engineering techniques to steal, among other things, the source code for VAX/VMS, for which he eventually went to prison. (He was released in 2000 and forbidden from profiting from books or films based on his criminal activity for seven years.)

Kevin Mitnick tells the story of his exploits (and prison time) in his memoir, Ghost in the Wires, published in 2011.


Social engineering is an alternative to "hard" cracking, which exploits open ports and weaknesses in software. Instead, Mitnick simply convinced people that he deserved to have key information: user IDs, passwords and, after his 1988 arrest and later while he was on the run from an outstanding warrant, birth and death certificates in order to create a new identity.

Security Professionals: Trust No One

Mitnick's success with social engineering was one recurring theme of GrrCon: any hardened, secure asset can be compromised by a single bad judgment about whom to trust.

The other theme? Trust no one.

At one point, I hear that a company, Southfield, Mich.-based 24x7 Security, is hiring. I ask for a picture and quick interview with the company's representative at GrrCon, reckoning that a mention on CIO.com could help lead to new hires. He assumes I am doing some sort of social engineering attack and won't tell me his name or let me take his picture.

This "anonymous" culture was prevalent; several of the speakers, as noted, used pseudonyms or false names. Most professionals attending the conference took time off to do so, meaning they paid out of pocket. With a low registration fee of $85, attendees came from a variety of backgrounds, which may allow for the kind of recruiting Looyenga wants to do.

Of course, the joke was on them. I got a free conference pass to the event with a social engineering attack.

I made up some story about being a reporter.

Matthew Heusser is a consultant and writer based in West Michigan. You can follow Matt on Twitter @mheusser, contact him by email or visit the website of his company, Excelon Development.
