This is a static archive of the CarolinaCon 2009 website. Some features may not work. Visit for the current website.
CarolinaCon | Schedule

CarolinaCon 2009

Friday March 13th
06:15pm - Social interaction and on-site registration
07:00pm - The Day Spam Stopped (The Srizbi Botnet Takedown) | Alex Lanstein
08:00pm - detecting the matrix: hiding virtual machines from malware | redspot
09:00pm - Leveraging Metasploit through Nmap | Ryan Linn

Saturday March 14th
09:00am - Registration
10:00am - The Security Assessment Methodology | Kellep Charles (KC)
10:30am - What does Mickey Mouse have to do with a viral outbreak in India? | Nick Fury
11:30pm - Lunch
12:30pm - The Ten Finger Discount: Philosophy and Ethics of Modern Piracy | mjg
01:30pm - professor farnsworth
02:30pm - Software Reverse Engineering with the Leaf Framework | Chris
03:30pm - Running Snort and ClamAV on your wireless router | ciscostu
04:30pm - Web-enabled - Smart Solution or Security Blunder. | Deral Heiland
05:30pm - Dinner
07:00pm - Anti-debugging - A developers perspective | txs
08:00pm - Packing & The Friendly Skies | Deviant Ollam
09:00pm - Hacker Trivia

CarolinaCon 2009
March 13th - 14th 2009

Name/Alias:  professor farnsworth

Dr. Thomas J. Holt is an Assistant Professor in the Department of Criminal
Justice at the University of North Carolina at Charlotte specializing
in computer crime, cybercrime, and technology. His research focuses on
computer hacking, malware, and the role that technology and the
Internet play in facilitating all manner of crime and deviance. He
works with computer and information systems scientists, law
enforcement, businesses, and technologists to understand and link the
technological and social elements of computer crime. Dr. Holt has been
published in academic journals, and has presented his work at various
computer security and criminology conferences. He is also a member of
the editorial board of the International Journal of Cyber Criminology.

Presentation Abstract
The global nature of the Internet and continuous industrialization has
greatly expanded the hacker population in countries that previously had
little role in the computer underground. Central America, the Middle
East, and Southeast Asia have emerging hacker populations, while
Turkey, China, and other countries have skilled hackers and crackers.
As a consequence, there are myriad questions as to the nature of
hacking in various parts of the world, and how they compare to
longstanding hacker communities, such as in the U.S. and eastern
Europe. This talk will explore the hacker community in the U.S.,
Turkey, and China using interviews and survey data. The findings will
provide some context for the perceptions and beliefs of hackers, the
boundaries of hacker subculture, and some of the methods of hacking
used in each country. This talk should be of interest to anyone who
wants to better understand the global contours of hackers and hacking.


Name/Alias: Chris
Title of Presentation:
Software Reverse Engineering with the Leaf Framework

I started my security career 6 years ago as a civilian contractor to
the US Army doing vulnerability research. Since then I have worked as a
developer and security engineer at various places. I am presently a
Senior Security Consultant at Matasano Security.

Presentation Abstract:
My presentation will briefly cover the basics of static analysis in
software reverse engineering. I will cover why its hard as well as what
your tools need to be capable of in order to be effective at it. The
second half of the presentation is dedicated to introducing the Leaf
framework, a static analysis framework written by me to make reversing
ELF objects on Unix platforms easier. I will conclude with a demo of
various Leaf plugins I have released with the framework.


Name/Alias: - txs
Title of Presentation: 
Anti-debugging - A developers perspective

txs is a 1-year-old baby who is driven by his goal to become the sole ruler
of the entire world. In fact, if it were not for his lack of muscle
strength, toilet training and his need for parental sustenance, txs
would have become leader over most of the third world, including
Canada. txs has the voice and manner of an evil Rex Harrison, but he’s
only recently celebrated the one-year anniversary of his escape from
his mother’s “cursed ovarian Bastille”, in which he was incarcerated
for nine grueling months. Another goal for txs is to murder his
brother, wxs. Just because wxs has narrowly escaped several attempts on
his life thus far doesn’t mean that he is off the hook.

Presentation Abstract
Anti-debugging is the implementation of one or more techniques within computer code
that hinders attempts at reverse engineering or debugging of a target
binary. Anti-debugging techniques can be seen in use as commercial
software protection, binary packing protection, and even in a nefarious
way in today’s While no single layer of security is a silver
bullet, an understanding of the latest anti-debugging techniques and their use
in common code can help developers to implement an additional layer of
security into their applications. Adding anti-debugging routines into
the development process can make the analysis and subsequent breakdown
of the application a significantly more difficult and time consuming

The bulk of research conducted in the area of
anti-debugging is positioned from the point of view of a security
researcher or reverse engineer. Advanced debugging is traditionally the
realm of high expertise QA efforts, exploit development, reverse
engineering, malware analysis experts, and software pirates. Because of
this, much of the researched data is presented using assembly language
constructs and requires a reasonably deep working knowledge of machine
level programming. Limited output has been produced that allows
developers straight forward access to the high level code and methods
used in anti-debugging. The problem this presents is a lack of
education and awareness of anti-debugging methods by software engineers
and a low adoption rate of even the most trivial anti-debugging

During this presentation I will cover a number of the
known methods of anti-debugging in a fashion that should be easy to
implement for a developer of moderate expertise. Specific classes of
anti-debugging to be covered include API based anti-debugging,
exception based anti-debugging, direct process and thread block
detections, modified code detection, hardware and register based
anti-debugging, and timing checks. Upon completion of the presentation
the audience should leave with a reasonable awareness of anti-debugging
techniques in use today and an understanding of the basic methods with
which they can implement them in their own development projects.

A brief background will be given on the history of anti-debugging and a
clear definition of the problem and terms. Next, the positive role
anti-debugging can play in making reverse engineering a difficult
process will be discussed. I will conclude with a walkthrough of a
number of anti-debugging methods. The presentation will contain
demonstration source code, whenever possible, and a line by line
explanation of how each anti-debugging technique operates. The goal of
the presentation is to educate software engineers with regard to
anti-debugging methods and to ease the burden of implementation.


Name/Alias redspot
Title of Presentation
detecting the matrix: hiding virtual machines from malware

I have a degree in computer science from Louisiana tech. This is where I
got into hacking, unix and trouble. after college, I spend 3 years as a
unix engineer. Then, I made my move into security by earning the CISSP
certification. I’m currently working at the Computer Security Incident
Response Center (CSIRC) for the Department of Health and Human Services
which includes the FDA, Medicare, National Institutes of Health and CDC
headquarters here in Atlanta.

Presentation Abstract
Analyzing malware can be tricky. many malware analysts use virtual machine
software, like VMware, to shield their real system from infection. the
problem is that malware can detect vm’s from telltale signs. my talk
involves how to hide a vm from malware, to make the matrix seem like
the real world. as a bonus, I might have to time to demonstrate how you
can do a ‘virus scan’ from outside a virtual machine.


Name/Alias: Chris Gates (CG), Vince Marvelli (g0ne)
Title of Presentation: Attacking Layer 8: Client Side Penetration Testing

Chris Gates (CG). Founder Full Scope Security performing full scope
penetration testing and security engineering. Previous jobs includes full scope
penetration tester for one of the DoD Red Teams and Army Signal Officer spending
gobs of time in layer 2 and layer 3 land. columnist and security blogger

Vince Marvelli (g0ne). Founder Full Scope Security performing full scope penetration testing and security engineering. Previous jobs includes
full scope penetration tester for one of the DoD Red Teams, SOC architect and
principal engineer, IDS architect and analyst, general IT security analyst and
security blogger

Presentation Abstract:
Do you have good perimeter security keeping bad guys from coming in the
front door? Unfortunately for you, there are other ways of gaining access.
Specifically, having your untrained users browse to places they shouldn’t, open
emails they shouldn’t, and downloading and executing things they shouldn’t.
This presentation will address some of those issues and and describe why and
how to go about testing your environment for this very likely vulnerability.
Client Sides are the new remote exploit. If you aren’t allowing client
side attacks during your vulnerability assessments or penetration tests your are
ignoring a huge attack vector and the current attack method. You are also failing
to exercise your internal and host based exploitation countermeasures (HIDS/HIPS),
your ability to test and respond to client side attacks and internal
attackers and missing a valuable opportunity for user awareness training.

This talk will focus on justifying why you should be allowing client
side penetration testing, giving penetration testers a basic methodology to
conduct client side attacks during their penetration test, and give (mostly
real-world) examples we used during client side penetration tests to go with our


Name/Alias: Kellep Charles (KC)
Title of Presentation: The Security Assessment Methodology

Presentation Abstract:
Conducting regular security assessments on the organizational network and computer
systems has become a vital part of protecting information-computing
assets. Security assessments are a proactive and offensive posture
towards information security as compared to the traditional reactive
and defensive stance normally implemented with the use of Access
Control-Lists (ACLs) and firewalls. Too effectively conduct a security
assessment so it is beneficial to an organization, a proven methodology
must be followed so the assessors and assesses are on the same page.
Using a proven security assessment methodology supplies a blueprint of
events from start-to-finish that can be examined, tracked and
replicated. In addition, reports that are constructed from the security
assessments are used to provide a snap shot view of information system
deficiencies for short-term analysis as well as trending data for
long-term evaluation, thus allowing the organization to understand
their vulnerabilities so they can better protect themselves from
current and future threats.


Name/Alias ciscostu
Title of Presentation Running Snort and ClamAV on your wireless router

Charlie Vedaa, CCIE #7502, is a network architect for the FBI’s CJIS
He is the founder of, an OpenWrt-based security
distribution for wireless routers.

Presentation Abstract
Bringing the power of Snort and ClamAV to embedded Linux!
We’ll start with a sub $100 ASUS WL-500g premium wireless router and turn
into a security gateway providing IPS (Snort Inline) and web AV
(DansGuardian and ClamAV) functionality.
Along the way we’ll introduce the hardware, liberate the firmware, and show you how to
unleash the power of your wireless router.
Topics covered include:

* Using the OpenWRT SDK (cross compilation environment)
* Installing and enabling snort in inline mode
* Installing DansGuardian and ClamAV
* Transparently redirecting HTTP traffic
* Snort tuning in a low bandwidth environment
* Automating rule and signature update


Name/Alias Ryan Linn
Title of Presentation Leveraging Metasploit through Nmap

Ryan Linn is a corporate security engineer by day and enjoys playing around
with security tools in his off time. Ryan’s background includes web
application development, *nix systems programming, as well as windows
and network security.

Presentation Abstract
This presentation will discuss how to leverage Metasploit through Nmap in order to
fast-track some aspects of penetration testing. Traditionally
vulnerabilities are assessed after a scan has completed, which could
take a significant amount of time if a large number of hosts are being
scanned. Through the integration of these two tools, testers or admins
have the ability to target specific tests at ranges of hosts and
automatically assess vulnerabilities as the hosts are being scanned.

Whether you are a pen tester,a system administrator, or a hobbyist, this
presentation will show you how to leverage a new framework to create
triggers for execution, understand the limits of the framework, and
better understand some of the integration features of both Nmap and


Name/Alias Alex Lanstein
Title of Presentation
The Day Spam Stopped (The Srizbi Botnet Takedown)

At FireEye, Alex handles a broad set of responsibilities including product
engineering, sales engineering, and security research. Most recently,
his security research was published by The Washington Post, PC World,
The Register, and Cisco Systems, where he uncovered botnet and Web
malware sites associated with McColo Corp. His work was key in taking
McColo off the Internet as well as significantly reducing worldwide
spam. Prior to FireEye, Alex was founder, owner, and network
administrator of an Internet hosting company. His areas of expertise
include botnets, malware, network security, and functional binary
analysis. Alex has a B.S. in Computer Science from Connecticut College.

Presentation Abstract
The Srizbi botnet was responsible for about 75% of all of the spam on
Earth. All of Srizbi’s command and control servers were hosted in
downtown San Jose, CA. Once this was pointed out to McColo’s peers,
they stopped routing that AS. As a backup, the botnet was designed to
connect to deterministically generated DNS names, which at the time
were not registered. FireEye registered them, blocking the spammers
from regaining control of the botnet, and getting a list of every
bot-infected source IP. In this presentation, attendees will learn
about the take down and shut down of the Srizbi botnet and the
subsequent botnet activity in a technical, case study format.


Name/Alias:: mjg
Title of Presentation:
The Ten Finger Discount: Philosophy and Ethics of Modern Piracy

Presentation Abstract
The premise of this talk is to discuss the side of piracy barely represented in the media sector.
When it comes to piracy, who is driven to pirate (software, music, movies, books), and who is driven to acquire?
What is going on in their head that makes them want/need to do it? What are the beliefs these people hold that makes their actions proper…right…heroic?
Is it their rebellious nature? Is it their way to “stick it to the man?“ Is it for the glory and fame in the pirating community? Or is it just because they can’t afford it?

This isn’t meant to be a discussion on why pirating is bad. This isn’t meant to be a discussion on why pirating is good.
This is meant to tease out WHY we pirate, WHY we provide others with the means to pirate, and WHY we feel the need to acquire the things we want without spending money on them.

I don’t have the answers. I don’t know every angle on the situation. But by asking these questions and having this type of discussion we can better shape some thoughts around modern piracy from an involved group that is barely listened to.


Name/Alias:  Deviant Ollam
Title of Presentation: “Packing & The Friendly Skies”

Presentation Abstract
Do you know that transporting firearms may be the best way to safeguard your tech when you fly?

Many of us attend cons and other events which involve the transportation of computers, photography equipment, or other expensive tech in our bags.
If our destination if far-flung, often air travel is involved… this almost always means being separated from our luggage for extended periods of time and entrusting its care to a litany of individuals with questionable ethics and training.

After a particularly horrible episode of baggage pilferage and tool theft, I made the decision to never again fly with an unlocked bag.
However, all “TSA compliant” locks tend to be rather awful and provide little to no real security. It was for this reason that I now choose to fly with firearms at all times. Federal law allows me (in fact, it REQUIRES me) to lock my luggage with proper padlocks and does not permit any airport staffer to open my bags once they have left my possession.

In this talk, I will summarize the relevant laws and policies concerning travel with weapons. It’s easier than you think, often adds little to no extra time to your schedule (indeed, it can EXPEDITE the check-in process sometimes), and is in my opinion the best way to prevent tampering and theft of bags during air travel.


Name/Alias: Deral Heiland
Title of Presentation
Web-enabled - Smart Solution or Security Blunder.

Deral Heiland CISSP Serves as a Security Assessment Engineer. In addition
Deral is the founder of Layered Defense Research and co-founded of Ohio
Information Security Forum a non-profit organization focused on
information security training and education. Deral has also presented
at numerous conferences including CarolinaCon 2008, ShmooCon 2008,
Defcon (2004, 2005), Interzone 5, Information Security Summit and AFCEA
InfoTech 2007. With over 15 years of work in the Information Technology
field, Deral has held several security positions included serving as a
senior security analyst for a global fortune 500 manufacturer where he
was responsible for delivering security guidance and leadership in the
area of risk and vulnerability management.

Presentation Abstract
With the constant proliferation of security issues within web technology, we
need to stop and take a closer look at our deployment and use of
web-enabled appliances within our environment. In this presentation we
do just that. We will discuss the webonizing of network and security
appliances and the risk this can potentially pose to us. I will also
demonstrate several examples of how this technology has failed and led
to system compromise. In conclusion we will be examining steps that can
be taken to reduce the risk and still leverage web-enabled solutions in
a secure manner.


Name/Alias: Nick Fury
Title of Presentation
What does Mickey Mouse have to do with a viral outbreak in India?

Nick Fury is what he is and that is all that he is.

Presentation Abstract
This talk will start with the basics of intellectual property and provide
the audience with a brief historical overview along with the current
state of intellectual property laws. This talk will focus primarily on
copyrights and patents.

The main purpose of this talk will be to enlighten the audience about how current intellectual property legislation is having a negative impact on the world according to the point of view of the presenter. This talk is not just another hacker con anti-IP talk designed to make fun of the RIAA for their litigious nature, instead this talk will cover many areas that are not
often addressed by other IP talks, including genetic engineering and commodity reproduction.

Further, this talk will serve to get the audience interested in the subject and hopefully encourage them to think about how the topic of intellectual property effects them more than they probably realize.

Lastly, a portion of this talk will be devoted to Q/A with the audience and audience participation will be encouraged throughout the talk.

(0) CommentsPermalink