October 24, 2012, 9:39 PM — You might have heard of DefCon, the big, bad, Las Vegas penetration and hacking conference where gray (and darker) hats show off their exploits.
It's less likely that you've heard of GrrCon, the Grand Rapids, Mich.-based hacking and penetration conference. The event drew 850 attendees in this, its second year, charging as little as $85 per attendee, or $280 for the "VIP Pass" that provided attendees a front-row seat (and power cords) at the keynotes and access to ping-pong, foosball, video games and snacks in the speakers' lounge.
Best Defense Against Hackers: Good Offense
The conference brought together security professionals to talk about how to harden systems and detect intrusions, how to conduct penetration testing, and how to teach the attack techniques used to compromise and gain access to a system.
In a twist, the opening keynote speaker, Kevin Johnson of Secure Ideas (motto: "Professionally Evil"), is unable to attend, so a pseudo-anonymous hacker known as "atlas of D00m" gives the talk in his place. By the end of the talk, I am honestly not sure if Johnson is atlas, and I am not about to try the local "free" wireless to find out.
Hacker "atlas of D00m" on stage at GrrCon.
His main point: penetration testing needs to happen, and it should be folded into an overall security policy. In other words, pen testing will find defects, and, when testing occurs again in six months, those defects should not show up again because they have been fixed. In addition, "atlas" points out that compromised users are embarrassed users and will be the biggest advocates for security in the organization for the foreseeable future.
After the keynote, I check out the lockpicking demonstration. The conference set up a table with free lockpicking tools and held a competition the following day.
Attendees practice lockpicking with free tools, an artifact of the digital lifestyle.
In addition, there's a penetration testing "capture the flag" contest. Kurt Rhoades, a local IT technician, shows me how he is using BackTrack Linux and a tool called Nmap to discover servers on the private network. After discovering the servers' IP addresses, he uses Nmap again to scan their ports and find open services, then Metasploit to find and run attacks against them.