CarolinaCon 6 will run from March 19 through March 21, 2010.
Friday: (Talks from 7pm-10pm):
6:00pm - Setup and registration
7:00pm - Cybercrime and the Law Enforcement Response - Thomas Holt
8:00pm - The Search for the Ultimate Handcuff Key - Deviant Ollam and TOOOL
9:00pm - Microcontrollers 101 - Nick Fury
10:00pm - conference room closed for evening
Saturday: (Talks from 10am-10pm with breaks for lunch and dinner):
10:00am - Hacking with the iPhone - snide
11:00am - We Don't Need No Stinking Badges - Shawn Merdinger
12:00pm - Lunch Break
1:00pm - It's A Feature, Not A Vulnerability - Deral Heiland
2:00pm - Smart People, Stupid Emails - Margaret McDonald
3:00pm - Mitigating Attacks with Existing Network Infrastructure - Omar Santos
4:00pm - OMG, The World Has Come To An End!!! - FeloniousFish
5:00pm - dinner break (conference room closed during)
7:00pm - You Spent All That Money and You Still Got Owned - Joe McCray
8:00pm - Locks: Past, Picking, and Future - squ33k
9:00pm - Hacker Trivia
10:00pm - conference room closed for evening
Sunday: (Talks from 10am-5pm with a break for lunch):
10:00am - The Art of Software Destruction - Joshua Morin and Terron Williams
11:00am - wxs - Why Linux Is Bad For Business
12:00pm - Lunch Break
1:00pm - The Evolution of Social Engineering - Chris Silvers and Dawn Perry
2:00pm - Metasploit - Ryan Linn
3:00pm - How the Droid Was Rooted - Michael Goffin
4:00pm - Protecting Systems through Log Mgmt and System Integrity - David Burt
5:00pm - CarolinaCon-VI/2010 ends - pack it up and pack it out
Chris Silvers and Dawn Perry | Something Smells Phishy: The Evolution of Social Engineering
This presentation is on the evolution of social engineering and some tips on what organizations can do to determine how vulnerable their employees are to social engineering. We will cover the main types of social engineering, including physical, telephone, email and media based attack vectors as well as some newer techniques employed by hackers such as utilizing social networks to increase their chances of success. Examples of these methods employed by hackers and penetration testers will be illustrated.
David Burt | Protecting systems through log management and system integrity
This talk was born out of a request for a presentation on how an attacker can maintain access on a system once it has been compromised. This is not that talk. The techniques that will be covered will help you to protect your systems through the proper use of log management and system integrity. Recommended auditing and configuration settings will be covered along with network design to ensure the integrity of logging from remote systems. Common attacks against logs and logging systems along with mitigation techniques will be reviewed. Simple solutions for monitoring and alerting on log messages will be discussed in addition to advanced correlation techniques using SIEM (Security Information and Event Management) solutions. File integrity solutions will also be covered as well as monitoring the integrity of network device configurations. Solutions that have been used to meet regulatory compliance needs will also be recommended.
Deral Heiland | It's not a vulnerability it's a feature!
During the past several years while working as a pen tester and security researcher, I have stumbled over a number of products and solutions that suffer from the "it's a feature syndrome'. This is typically caused by the unattended consequences of leveraging available functionality within an application to do evil things. Often when dealing with vendors and customers that have deployed their products. I have heard responses ranging from vendors saying "that's the way its suppose to work" to customers replying "OH !@#$, you can do that". During this presentation we will explore several of these applications and their features, covering vulnerabilities ranging from information disclosure, network reconnaissance to full system
TOOOL | The Search for the Ultimate Handcuff Key
For all of their varied brands and styles, did you know that most handcuffs consist of the same internal mechanisms and that all models almost always operate in the same way? Because of this, it's quite simple to understand how handcuffs work, how they can be exploited, and how to get out of them quickly.
One thing that this universal design similarity has NOT made easy, however, is any one, simple, unified design for a key that can operate all handcuff models. Many keys from various manufacturers are similar, but none is perfect in all situations.
Until now, that is. The members of TOOOL pooled their resources (and brought together all of their handcuff collections) and have been able to produce a single key that will operate over a DOZEN different brands of handcuffs... more than any one person is likely to ever see in their whole life, unless their name is Henry Earl.
Come and learn how we did it, and how to make your own universal handcuff key!
FeloniousFish | OMG The World has come to end!!!
Disaster “X” just occurred and you have been too busy playing the latest first-person shooter to hear the end of the world coming, and now you are @#$# out of luck… or are you? This presentation will show you how to utilize your hacker mentality and everyday products like a used cigarette to save your life.
Joe McCray | You Spent All That Money And You Still Got Owned
This talk will focus on practical methods of identifying and bypassing modern enterprise class security solutions such as Load Balancers, both Network and Host-based Intrusion Prevention Systems (IPSs), Web Application Firewalls (WAFs), and Network Access Control Solutions (NAC). The goal of this talk is to show IT Personnel the common weaknesses in popular security products and how those products should be configured.
The key areas are:
* IPS Identification and Evasion
* WAF Identification and Bypass
* Anti-Virus Bypass
* Privilege Escalation
* Becoming Domain Admin
Joshua Morin and Terron Williams | The Art Of Software Destruction
Fuzzing is a common tool for discovering zero-day flaws. Fuzzing is used in the SDLC/SDL, primarily in the verification phase when deploying communication software. The system under test can be open source software, enterprise solution, finance system, or it can be a consumer product such as a mobile phone or a set-top box for IPTV. The presentation covers model-based testing where tests are generated and executed automatically in order to find critical crash-level defects. Fuzzing is a proactive, pre-emptive method unlike traditional security measures are that fail because they are focused on known attacks and vulnerabilities.
Margaret McDonald | Smart People, Stupid E-Mails
Most of our communication these days is done through e-mail, but a look at the average inbox shows that most of us have very little idea of how to e-mail well. Smart People, Stupid E-Mails points out that we all need to know how to communicate well, and it shows professionals how to get more done in e-mail instead of wasting their own and each other's time. Attendees will learn how to make sense quickly, get the information they need, check their outgoing missives for fatal flaws, and boost their reputation for intelligent communication and efficient, productive work. They’ll also learn when to avoid e-mail altogether and choose a different method or technology for sharing information, and how to avoid the faux pas that can tragically - and for all the wrong reasons - catapult corporations and other organizations into the news.
Michael Goffin | How The Droid Was Rooted
The Droid was the most advertised and talked about Android phone to date. Verizon spent millions of dollars banking on this phone as their answer to the iPhone. As much as Android brought to the table most of the features that the iPhone lacked, people still wanted more. This is the story of how we got it. From theories before the phone was released, to the first rooting, to where we are today, I'll expose the process of getting more out of what was said to do it all.
Nick Fury | Physical Manifestation of Software: Microcontrollers 101
This talk will cover the basics of microcontollers and how to put them to practical use in projects. The talk will involve many demonstrations of various simple microcontroller projects. Audience participation in the form of questions and suggestions will be encouraged. The talk will feature many different types of microcontrollers but because this talk is designed as an introduction to the subject it will primarily be focused on the Arduino series of microcontrollers.
Omar Santos | Mitigating Attacks with Existing Network Infrastructure
Botnets, worms, and denial of service attacks threaten the availability of every network, yet few network engineers recognize or understand the inherent security benefits their infrastructures provide in handling these attacks. During this session we will discuss how to build a more secure infrastructure, and how to leverage inherent network features -- such as routing protocols and NetFlow - to provide a full range of attack mitigation mechanisms. Following a brief review of the state of core security and attack trends, the session will cover infrastructure protection techniques and best practices necessary to enable active attack responses using core infrastructure devices such as routers and switches. Moreover, the deployment of tools and techniques that rely on the network architecture will be discussed in detail. With proper configuration and the right tools in place, the network is a critical security component, which enables attack detection, analysis, and mitigation.
Professor Farnsworth/Thomas Holt | Cybercrime and the Law Enforcement Response
Attend any hacker conference and you will see some brief discussion about law enforcement and hacking. Generally speaking, we know the feds understand the complexity of serious hacks and international cybercriminals. We do not, however, know much about state and local law enforcement agencies' capacities to deal with multiple forms of cybercrime, from child porn to piracy to carding. There are few cases reported in national crime statistics like the Uniform Crime Report. Little is known about the capacity of these agencies to investigate various forms of cybercrime.This study attempts to address this gap in our knowledge using data from state and local police agencies from across the country. The findings consider the prevalence of cybercrime cases, the number of officers assigned to investigate these crimes, and their attitudes toward cybercrime and offenders. The policy implications of this research for hackers and law enforcement will also be considered in some detail.
Ryan Linn | Getting Up and Running With Metasploit
This presentation will be a demonstration based introduction to the basics of Metasploit. Once the basics have been covered, some tips and tricks will be discussed that will be relevant to both beginners and advanced users. Exploitation, Information Gathering, and Enumeration will all be covered. This presentation will be fast paced, however I will be available after the presentation for questions, additional demonstrations and assistance with problems.
Shawn Merdinger | We Don’t Need No Stinkin' Badges...
In the security world, attacker physical access often means game over -- so what happens if you can't trust your building's electronic door system?
This presentation and paper explore attack surfaces and exploitation vectors in a major vendor of electronic door access controllers (EDAC). The main focus is on time-constrained rapid analysis and bug-hunting methodologies, while covering research techniques that assist in locating and targeting EDAC systems. In addition, a review of practical countermeasures and potential research activities in the EDAC space are covered. Attendees can expect an eye-opening experience regarding insecurities of critical systems controlling physical access to hospitals, schools, fire stations, businesses and other facilities.
Snide | iBoning - Hacking with the iPhone
Buckle your seat belt and brace yourself for a journey into the amazing world of mobile hacks. Zooming past the risks and capabilities of mobile devices we'll catapult on to explore the techniques and tactics used for reconnaissance, exploitation and information retrieval.
squ33k | Locks: Past, Picking and Future
This talk will deal with locks in 3 capacities. The first one being the history of locks. When were the first locks created? And by who? I will cover the main locksmiths such as Robert Barron, Joseph Bramah, Harry Soref and Linus Yale along with the locks that they invented. The second portion will deal with lock picking. This will be the smallest portion of the presentation and just review the basics of how to pick a lock, what picks look like, etc. (I hope to have some sort of table with locks and picks on it for people to experiment with.) I will talk breifly about laws surrounding lock picking. I will definitely express the opinion that lock picking should only be done in sport, not for criminal means. The last part will deal with the future of locks. I will talk about fingerprint sensors on doors, retina scanners, etc. and what this change means for locks as we know them.
wxs | Why Linux is Bad For Business
In this talk I will spend no more than an hour bashing Linux and telling people why it's a bad choice for business. You can expect some profanity and pooh flinging from me. I will cover topics involving the GPL and it's inherent flaws for commercial use, the development cycle and it's shortcomings and the general insanity that is the Linux kernel community and then compare it to other offerings, both closed and open source. One hour is probably a bit long for the talk but I can fill it in if people want to debate such things with me