CarolinaCon 9

presented by North Carolina 2600

March 15-17, 2013

  7pm to 11pm on Friday

  10am to 9pm on Saturday

  10am to 5pm on Sunday

Hotel Reservations

DISCOUNT HOTEL RESERVATIONS: If you would like to take advantage of our special group rate on hotel rooms (good till February 12th 2013), go to this Hilton.com link for direct booking:

Reserve a room!

http://www.hilton.com/en/hi/groups/personalized/R/RDUNHHF-CAR-20130315/index.jhtml

ATTENTION! The special room rate will be available until February 12th or until the group block is sold out, whichever comes first. Also, if we don't meet our quota of rooms with the Hilton, the hotel will jack up our rate on the conference rooms we reserved for the weekend, which may impact our ability to break even on the event. So if you plan on staying in a hotel that weekend, we hope it will be the Hilton and that you will book under the discount group rate prior to February 12th 2013.

CALL FOR PAPERS

The Call for Papers has ended. We received too many great abstracts to fit them all into the schedule, and we regret that we didn't have room for them all. Thanks to everyone who submitted something.

Location

CarolinaCon 9 will be held at 35.830122,-78.620365.

Hilton North Raleigh/Midtown
3415 Wake Forest Road,
Raleigh, NC

Want to attend CarolinaCon?

Admission to the conference is $20 at the door. There is no pre-registration. For your $20 you will receive admission to the conference and a cool CarolinaCon badge. In past years we've also given away magazines, bumper stickers, shot glasses, and free food with the cost of admission. There's no telling what we'll be giving away this year so you'll have to attend to find out.

We will also be selling t-shirts at the conference, but a price for those shirts has not been determined yet. You can expect to pay prices similar to what other conferences charge for their shirts ($10 to $20).

Topics & Speakers


Exploit Development for Mere Mortals - Joe McCray

Pwning the Pedophile - Joe Seanor

Intro to Lock Picking - smrk3r

Terminal Cornucopia - treefort

msfpayload isn't dead yet: AV Avoidance in Payload Delivery - melvin2001

The Evolution of Network Security: How Networks Are Still Getting Hacked - Omar Santos

Search Engine Hacking: Finding Credit Cards, Social Security Numbers, and Frighteningly More - Stephen Chapman

iPhone Data Reconnaissance without Physical Access to the Device - Jarrick

Getting Shells When Metasploit Fails - Ryan Linn (sussurro)

Jargon Jitsu: The Tao of Buzzwords - Craig Searle (kezef)

Burp Suite: Comprehensive Web Pen Testing - JoshInGeneral

Dancing With Dalvik - Thomas Richards

Digital Energy BPT - Paul Coggin

RAWR (Rapid Assessment of Web Resources) - @al14s and @c0ncealed

The Low Hanging Fruit of Penetration Testing - Bryan Miller

The Maru Architecture Design: A proposed BYOD architecture for an evolving threat landscape - Michael Smith

How the West was Pwned - G. Mark Hardy


---------------------------------------------------------------------------------

Name:

Thomas Richards

Title:

Dancin' With Dalvik

Abstract:

So you've reversed your first Android APK; now what? Java pseudocode is nice, but how do we modify the app? This is a crash course in reading and understanding Dalvik opcodes. It will go through some basics, then we will jump into a couple of case studies to demonstrate some of the concepts. This talk should help testers who are interested in or do Android application assessments to better understand how to mess with the underlying code.

Bio:

Thomas Richards is a Security Consultant with Cigital, Inc. where he specializes in mobile and web security assessments. He is the author of both Pwnberry Pi and Goofile. He is also active in his local 2600 and TOOOL groups.
---------------------------------------------------------------------------------

Name:

Paul Coggin

Title:

Digital Energy – BPT

Abstract:

There are a great deal of conversations today regarding APT and critical infrastructure networks for ICS/SCADA, smart grid networks and service providers. The basic persistent threat (BPT) issues are being ignored in many cases. How can the APT be mitigated when the BPT issues have not been resolved? Typically, the technical features and capabilities required to mitigate BPT issues are present in existing hardware and software on the network. Proper attention to information flows, trust relationships, integration and interdependencies are often not secured during a network architecture design and implementation. When the BPT issues are addressed an APT threat will find it more difficult to spread horizontally and vertically throughout a network. In this presentation common network BPT issues that are often discovered during security consulting engagements will be discussed. BPT network architecture mitigations including separation of services for control, management and data traffic as well as securing and monitoring trust relationships and interdependencies will be covered.

Bio:

Paul Coggin is an Internetwork Consulting Solutions Architect with Dynetics in Huntsville, Alabama. Paul is responsible for designing and building broadband multi-service networks supporting Smart Grid, MPLS, VoIP, and IPTV for service providers, leading cyber security research efforts, in addition to performing network security architecture assessments and penetration tests for enterprises, utilities and service providers. Paul is a Cisco Systems Certified Instructor # 32230 and a Certified EC-Council Instructor. He has a BS in Mathematics and an MS in Computer Information Systems. In addition he holds a wide array of certifications, including CEH, ECSA, CPTS, CISSP, CCNA SPOPS, CCNP, CCDP, CCIP, CCSP, and CCNP-Voice.
---------------------------------------------------------------------------------

Name:

Joe McCray

Title:

Exploit Development for Mere Mortals

Abstract:

Joe will walk through the basics of exploitation, starting from the basics of stack overflows, then SEH overwrites, egg hunters, heap spray, and ROP. For people interested in the subject of exploitation, here is a chance to finally get an introduction to it from a guy who won’t put you to sleep.

Bio:

Joe McCray is an Air Force Veteran and has been in security for over 10 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style, have led Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe is the founder and CEO of http://strategicsec.com, an IT Security consulting firm that provides in-depth technical security assessments of your network, web application, and regulatory compliance gap analysis.
---------------------------------------------------------------------------------

Name:

Craig Searle (kezef)

Title:

Jargon Jitsu: The Tao of Buzzwords

Abstract:

Moore’s law states that IT systems will double in processing power every 18 months. However, security has not progressed at the same rate…seriously, it is 2012 and enterprise organisations are still arguing over whether or not 7 or 8 character passwords are stronger. ORLY? As a security industry what have we done about it? We’ve introduced standards like PCI DSS that further exacerbate the problem. Why? Because they prescribe the security controls required in order to meet some arbitrary compliance requirement. This is totally arse-about from how any well run enterprise project would be executed; define the objectives and then develop the controls/outcomes from there. Security is not unlike a tesseract; we cannot see what ‘secure’ looks like, but we can describe what the end results of security will look like. This presentation is a look at how buzzwords and poorly-constructed standards have actually hindered security in enterprise and what we as a security community can do about it.

Bio:

Craig is currently the Chief Operating Officer for BAE Systems Stratsec, the largest pure play security consultancy in the Asia-Pac region. He has extensive experience in the development, management & execution of IT security advice and assurance activities within large organisations, including banking and finance, critical infrastructure, ASX200 organisations and government (both state and federal).
---------------------------------------------------------------------------------

Name:

smrk3r

Title:

Intro to Lockpicking

Abstract:

You have locks on your network closet. Great. What if I can open them in 30 seconds or less? This talk will explore the basic-level concepts of various types of locks and how/why they can be picked. This information should be common knowledge by now, but given the need for free and open information sharing, it really can never be reviewed too often. Plus you're sure to get some seriously inappropriate humor alongside all of it.

Bio:

smrk3r is a penetration tester and co-founder of the FALE Association of Locksport Enthusiasts. He enjoys staying in his basement and not leaving the house before 9pm.
---------------------------------------------------------------------------------

Name:

treefort

Title:

Terminal Cornucopia

Abstract:

In this talk, I explore a seldom-discussed facet of airport security: what happens after the backscatter/millimeter wave scan or the friendly pat-down? A marginally resourceful and MacGyver-esque individual can breeze through terminal gift shops, restaurants, magazine stands and duty-free shops to find everything they need to wage war on an airplane. We'll take weapons — melee, projectile, and beyond — from concept to prototype in this serious (yet often humorous) talk, replete with photos and video.

Bio:

treefort is an interactive developer with roots in advertising. His company, Recursive Squirrel Interactive, has serviced clients such as HP, 20th Century Fox, AARP, and Hess. treefort is also a founding member of the FALE Association of Locksport Enthusiasts (www.lockfale.com), where he regularly gets to teach fellow problem-solvers and generally attractive people the fundamentals of lock picking and physical security.
---------------------------------------------------------------------------------

Name:

Ryan Linn (sussurro)

Title:

Getting Shells When Metasploit Fails

Abstract:

Penetration Tests aren't new, and most companies have figured out how to eliminate the low hanging fruit. Some have even gone above and beyond and deployed technologies like Network AV, IPS, and egress filtering. In 50 minutes, this talk is going to go through different ways of getting access to systems on the network without exploits and working around common hardening. Leveraging configuration weaknesses, common hardening oversights, and more, we'll go through ways to get around difficult AV systems and network AV, using open source and commonly available tools to get access to boxes where the standard stuff fails. Join us for an adventure with few slides and lots of shells; just make sure to keep your hands and feet inside the ride at all times.

Bio:

Ryan Linn is a Senior Consultant with Trustwave’s SpiderLabs – the advanced security team focused on penetration testing, incident response, and application security. Ryan is a penetration tester, an author, a developer, and an educator. He comes from a systems administration and Web application development background, with many years of IT security experience. Ryan currently works as a full-time penetration tester and is a regular contributor to open source projects including Metasploit and BeEF, the Browser Exploitation Framework.
---------------------------------------------------------------------------------

Name:

JoshinGeneral

Title:

Burp Suite: Comprehensive Web Pen Testing

Abstract:

I plan on showing some of the features of the Burp Suite and how it can be used to run Pen Tests on devices that have web authentication. I will walk through setup and use of the target window to store proxy requests, and then combine that with the repeater, intruder and sequencer to attack the site. My talk will explain how we can use each view to analyze and view responses as we modify packets on the fly. I plan to show how Burp helps you bypass site XSS and SQL injection checking, directory traversal, client side login checks, and find non-random session keys.
In the last part of the demo I will show how I successfully used this in order to bypass the web authentication on an Iomega drive Network Access System. Without knowing the details of the CVE, I upload a backdoor to the NAS and gain root so that I can use it as a pivot point and mount other attacks into the victim's network... all using Burp. All of this will be presented live; however, instructions and PowerPoint will be provided so anyone can repeat this demo on their own.

Bio:

Josh currently works as a Linux Administrator in the Washington DC Area. He has a Master's degree from UNC Charlotte in Security and Privacy, where he was also the founder of the 49th Security Division and a two-time winner of the South East Collegiate Cyber Defense Competition. He has done work for the Military and Private Sector in the areas of web penetration testing, network security and defense R&D, as well as running his own business doing web development and network setups. His other activities include playing FPSs, Swimming, Traveling, and Scripting.
---------------------------------------------------------------------------------

Name:

Stephen Chapman

Title:

Search Engine Hacking: Finding Credit Cards, Social Security Numbers, and Frighteningly More

Abstract:

This presentation is for anyone interested in learning the true power of search. While the vast majority of people think of search engines as gateways to movie times, shopping deals, and a little fact-checking, the reality is that advanced search queries are being used via the most popular search engines every day to find unbelievable types of information. Search has proven time and again that even the most paranoid and cautious individuals can find themselves on the business end of identity theft, and they'd never know how it happened. If you don't know how to use a search engine to find credit card scans, Social Security numbers, usernames and passwords, VPN credentials, back-up images, virtual machine installs, software licenses, confidential documents, private image/video dumps, or similarly fascinating/frightening data, then I'm offering you the chance to take the red pill and see just how deep the search engine rabbit hole really goes...

Bio:

Stephen is a freelance writer and investigative researcher who is head-over-heels in love with search. Whether it's tirelessly refining advanced search queries, unearthing awesome niche search engines, Internet marketing (SEO, social media, etc.), or just about anything Web-related, Stephen is passionate about it. Such passion allows him to touch on various facets of competitive research, Web security, search-related "fun and profit," and much more. Currently, Stephen writes for CBS Interactive / ZDNet on topics related to search, security, hardware, software, gaming, and other tech-related subjects. He speaks at conferences regarding search engine hacking and is also in the process of writing a book regarding advanced search querying with Google. Connect with Stephen via his Web site, LinkedIn, Twitter, or Facebook!
---------------------------------------------------------------------------------

Name:

Jarrick

Title:

iPhone Data Reconnaissance without Physical Access to the Device

Abstract:

I'll explore methodologies for iOS data reconnaissance without physical access to the device. Using a non-jailbroken iPhone, I'll show how to use a local network and common device settings to remotely back up the device to its paired instance of iTunes (assuming network or physical access to the computer), find the backup on disk, and extract things like the TXT/iMessage raw sqlite database and the recent calls list.
These tactics can be used to automate backups of your own device for safekeeping of data, or for more nefarious things like recovering text message logs from a spouse's phone to see what they've been up to behind your back. I'll show example SQL queries to adjust date/timestamps and account for an Apple bug that made it into production with iMessage database records, which will make it easier to work with the data. I'll also show a simple way to protect against this sort of data reconnaissance by others.

Bio:

Jarrick is a software engineer by trade and manages the engineering department of a small custom web application development company. He also has a successful side business developing iOS apps for the masses. Jarrick is a member of the FALE Association of Locksport Enthusiasts.
---------------------------------------------------------------------------------

Name:

Omar Santos

Title:

The Evolution of Network Security: How Networks Are Still Getting Hacked

Abstract:

This presentation will cover how network and internet security is evolving. No matter how big your organization is, the possibility of having your network hacked is now higher than ever. This presentation will discuss how the attack landscape is changing and how large scale cyber-espionage campaigns have been pwning networks for years. People always think of nation-state hacks against large defense contractors, big government offices, and profile financial institutions, but anyone can be a victim. This presentation will also cover how organizations mature in their security strategy to try to maintain a good security posture, but in a lot of cases are unsuccessful.

Bio:

Omar Santos is an Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government. Omar has delivered numerous technical presentations at several venues, as well as executive presentations to CEOs, CIOs, and CSOs of many organizations. He is also the author of 4 Cisco Press books and has two more in the works.
---------------------------------------------------------------------------------

Name:

melvin2001

Title:

msfpayload isn't dead yet: AV avoidance in payload delivery

Abstract:

Most, if not all, executables generated by msfpayload/msfencode/msfvenom get destroyed by every antivirus available. Msfpayload is still fantastic, but it's inevitable that something this fantastic will get a lot of attention from AV providers. It is crucial for security professionals to have reliable payloads to provide quality deliverables to their clients. Rather than having a theoretical discussion regarding various avoidance techniques, this talk will demonstrate methods that these chaps use on a regular basis with ridiculous success rates. Of particular focus will be ghost-writing ASM, use of binary-level encryption for payloads, and remote command execution for shell generation.

Bio:

melvin2001 is a penetration tester that loves cinnabon, and is a founding member of the FALE Association of Locksport Enthusiasts.
---------------------------------------------------------------------------------

Name:

Joe Seanor

Title:

Pwning the Pedophile

Abstract:

This presentation will discuss the methods for pwning the pedophile. The methods for collecting the evidence properly, tools that are available, tools that I have developed for this, and how to provide the information to LE so that the pedophile spends the rest of their life in jail.

Bio:

CISSP, CEH, Developer of Pedophile report tools, plugins, author, speaker, etc. I have been running internetpredatortracker.com since 2005, developing software for the public and LE. I have been assisting investigators and parents on how to investigate these issues and protect their children. ALL of my software is FREE; I have applied as a GA non-profit company since I do not charge for these tools or the classes I teach on this.
---------------------------------------------------------------------------------

Name:

Adam Byers (@al14s) and Tom Moore (@c0ncealed)

Title:

RAWR - Rapid Assessment of Web Resources

Abstract:

One of the highest threats to organizations today is also one of their most prevalent services available in most cases, web interfaces. The landscape has changed from simple static websites, to fully functional web-based applications that provide access to internal information gold mines. If you're not testing those of your client organization, expect that someone else is! Our belief is that most organizations have little to no knowledge as to how many internal web resources they have within their environments that could lead to network compromise. By taking an approach to ensure the security of your client's web interfaces through offensive security, you will find that there is a lot involved - and usually not a lot of time to get from initial scan to report. In this presentation, we'll introduce RAWR (Rapid Assessment of Web Resources). We'll cover its inception, hurdles faced, and give some practical advice on how to get the most out of 'the little dinosaur'. There's a lot packed in this tool that will help you get a better grasp of the threat landscape that is your client's web resources. It has been tested from extremely large network environments, down to 5 node networks. It has been fine-tuned to promote fast, accurate, and applicable results in formats that you can use! RAWR will make the mapping phase of your next web assessment efficient and get you producing positive results faster!

Bio:

Adam (@al14s) is a Blue Team member for a Fortune 50 organization, reverse-engineer, and an ardent coder and open source fanatic with development roles on projects such as smbexec and easy-creds. He's into data forensics, lock picking, and building little robots -- and has been voiding warranties since 1985. He loves Psalm 34:6.

Tom (@c0ncealed) is a Penetration Tester and Red Team member for a Fortune 50 organization. He has an extensive background in network administration and web development. He is a graduate of Marshall University, member of 304Geeks, and the Security Awareness Training Framework project. He is an unremitting g33k, husband, father, and christian. He enjoys his 2nd amendment, outdoor primitive recreation, photography, gaming, lock picking, and inserting random single quotes where they don't belong.
---------------------------------------------------------------------------------

Name:

Bryan Miller

Title:

The Low Hanging Fruit of Penetration Testing

Abstract:

As a professional penetration tester and a business owner I am often asked, “Why should I pay you to break into my network?” There are many reasons for doing so and they have been discussed in many different places over the years. In fact, there are probably as many reasons for performing a penetration test as there are for NOT performing a penetration test.
This presentation will explain the concepts of penetration testing and give some reasons for and against performing such tests. Penetration testing will be compared with vulnerability assessments, and the decision criteria to choose which one is best for a given situation are discussed. The presentation will also describe some of the issues involved in deciding whether to perform penetration testing using internal staff or whether you should outsource the testing to a security vendor. The concept of Low Hanging Fruit (LHF) is then defined and the benefits of performing penetration tests to discover LHF are described. Specific cases of LHF are shown through screen captures of real-world testing.

Bio:

Bryan Miller has over 25 years of Information Technology experience. His education includes a B.S. in Information Systems and an M.S. in Computer Science from Virginia Commonwealth University (VCU) in Richmond, VA. He holds the ISC2 CISSP and is a former Cisco CCIE in Routing/Switching. He has been a guest lecturer at the VCU FTEMS program, VA SCAN, ISSA, ISACA and IALR. He was an adjunct faculty member in Information Systems and Computer Science at VCU. He has a published article on penetration testing in the Cutter IT Journal. In August 2007 he founded Syrinx Technologies, specializing in penetration testing of computer systems, networks and applications. Bryan is a member of the local ISSA and InfraGard chapters.
---------------------------------------------------------------------------------

Name:

Michael Smith (@drbearsec)

Title:

The Maru Architecture Design: A proposed BYOD architecture for an evolving threat landscape

Abstract:

BYOD has been a strong growing trend in information technology over the last few years. Proponents cite the benefits of cost savings, employee productivity, and worker satisfaction when pushing for adoption. As organizations explore accepting this paradigm shift, IT faces a future reality where devices are no longer under their complete control. This loss of control, along with a rapidly evolving security landscape focused on data breaches through attacking the user, is enough to keep IT staff and management awake at night with the fear that a breach of their network will soon make headlines.
Despite these fears and objections, the growing thought among industry experts is that BYOD acceptance is inevitable for most organizations. A shift in strategic thinking towards accepting BYOD in the enterprise and mitigating its potential risks is needed. This talk focuses on a proposed architecture blueprint for BYOD enterprises. The goal of this design, when part of a proper BYOD program, will be to help reduce many of the risks associated with BYOD, while allowing users and organizations to enjoy the many benefits.

Bio:

Michael Smith is a consultant for ePlus Security. A ten-year veteran of the industry, he has a diverse IT background, although his true passion remains security. Michael is currently a Doctoral candidate at Capital College, researching attack prediction and discovery using predictive analytics. He holds several certifications including his CISSP, OSCP, and GPEN. When not testing or securing the enterprise, Michael enjoys spending time with his family, pursuing his many geeky interests, and traveling… especially to see the Mouse.
---------------------------------------------------------------------------------

Name:

G. Mark Hardy

Title:

How the West was Pwned

Abstract:

Can you hear it? The giant sucking sound to the East? With it are going more than just manufacturing jobs -- it's our manufacturing know-how, intellectual property, military secrets, and just about anything you can think of. If we're the most advanced technological nation on Earth, how are the People's Republic of China (PRC) and others able to continue to pull this off? Why do we keep getting pwned at our own game? Last year I talked about "Hacking as an Act of War." This year we'll look at some specifics, including (published) documents that outline the plan of attack against America, (unclassified) details about what operations have been run against us, and efforts to create an international legal framework for cyberwar before the bits really start flying.

Bio:

G. Mark Hardy, CISSP, CISM, GSLC, is a retired U.S. Navy captain, and president and founder of National Security Corporation. He writes crypto contests for hacker conferences, and now that he's sort-of retired he can break 100 on the front 9.

About CarolinaCon 9

CarolinaCon is an annual conference in North Carolina that is dedicated to sharing knowledge about technology, security and information rights. CarolinaCon also serves to enhance the local and international awareness of current technology related issues and developments. CarolinaCon also strives to mix in enough entertainment and side contests/challenges to make for a truly fun event.

CarolinaCon was started in 2005 and has been held every year since. With each passing year the conference continues to grow and attract more attendees and speakers. As has always been the case, CarolinaCon is put together and run by an all-volunteer staff. CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights.

The CarolinaCon Group is also closely associated with various 2600 chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

Frequently Asked Questions

Who develops and delivers CarolinaCon?

CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various "2600" chapters across NC, SC, TN, VA, LA, DC, and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

What events will be at CarolinaCon?

CarolinaCon is mainly about the educational talks, presentations, and demos. Alongside those we will have several other technology-related contests and challenges. Details on other events will be announced on our website as they are planned out.

Can my company sponsor CarolinaCon?

We don't accept any, so don't bother asking. Capitalism and philanthropic knowledge-sharing don't mix in our opinion. We keep our admission price to the bare minimum to cover our venue and equipment expenses. All of our staff are volunteers who generously donate their time and energy. All of our presenters generously donate their time and talent. The only items sold at CarolinaCon are a limited quantity of single-design CarolinaCon t-shirts....and we only make and sell those because attendees and staff want them.

What about donating to CarolinaCon?

Well, that's a different story. We will gladly accept donations from anyone who wants to contribute. At CarolinaCon, we pride ourselves on not charging a lot for admission, so we don't have a lot to spend on giveaways (we manage though). We can always use prizes for Hacker Trivia and various other contests that we run, so if you want to donate an actual prize, rather than cash, just let us know by sending an email to [email protected]. We'll also take cash. :-)