CarolinaCon Hacksat

CarolinaCon Online 2 (2022)

Welcome to the CarolinaCon schedule page. The top half of the page has the events. Click the talk title to jump down to the talk abstract. All times are EST. The CTF will run from 7:30 Friday, to noon Sunday.

@7aSecurity's star-bound workshops "Hacking JavaScript Desktop apps with XSS and RCE" and "Practical Mobile App Attacks By Example" are Friday morning, make sure to signup here.

Friday (April 29th)

Time Talk Speaker
9:00am - 11:00 Workshop: Hacking JavaScript Desktop apps with XSS and RCE 7aSecurity
11:30am - 12:30 Workshop: Practical Mobile App Attacks By Example 7aSecurity
7pm CCOnline 2 kick-off CC Crew
7:05pm Hacker Trivia! CC Crew

Saturday April 30th

Time Talk Speaker
10:00am Moonwalking Through the Cloud - Continuous Integration / Continuous Disaster 0x57696c6c
11:00am Vulnerability Management for Containers Scott Wilson
12:00pm - Space Walk - -
1:00pm Tales from the Usenet Jason Evans
2:00pm Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices Brian Contos
3:00pm Security is an Awesome Product Feature Mark Hahn
4:00pm Stryng Theory: Disregard Becomes a Dumpster Fire Stryngs

Sunday (May 1st)

Time Talk Speaker
10:00am Trifecta of Email Authentication Denice
11:00am Beyond Purple - Fostering Cross-Team Collaboration Andrew Clinton
12:00pm Q&A Radio, End of CTF CC Crew and Friends

Workshop info

Abraham Aranguren of 7asecurity has been kind enough to host two workshops this year. Make sure you signup via this typeform if you would like to attend either of their talks. An email is required for workshop materials. signup here.

Zero-day .NET and Nvidia GFE Vulnerabilities Explained

Long are the days since web servers were run by perl scripts and desktop apps written in Delphi. What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.
This workshop covers the following topics:

  • Essential techniques to audit Electron applications
  • What XSS means in a desktop application
  • How to turn XSS into RCE in JavaScript apps
  • Attacking preload scripts
  • RCE via IPC
All action, no fluff JavaScript Desktop apps share traditional attack vectors and also introduce new opportunities to threat actors. This workshop will teach you how to review JavaScript desktop apps, showcasing Node.js and Electron but using techniques that will also work against any other desktop app platform. Ideal for Penetration Testers, Desktop app Developers as well as everybody interested in JavaScript/Node.js/Electron app security. Attendants will be provided with lifetime access to practice.

Practical Mobile App Attacks By Example

If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff :)

Get lifetime access to practice some attack vectors, including multiple mobile app attack attacks, deeplinks, mobile app data exfiltration with XSS. Vulnerable apps to practice, guided exercise PDFs and video recording included: A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This workshop aims to solve this problem by providing a broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for to avoid.

Talk info

Moonwalking Through the Cloud - Continuous Integration / Continuous Disaster


As supply-chain attacks are becoming more common, it's apparent that CI/CD pipelines are ripe for abuse. In a recent offensive engagement, my team set out to identify the breadth of compromise from three assume breach scenarios. In this talk I'd like to discuss some of the pitfalls and findings that we came across while we moonwalked through the cloud environment of a major cyber security company.

Vulnerability Management for Containers

Scott Wilson

With the advent of cloud computing, securing Containers is becoming ever more critical to organizations adopting a nimbler approach to delivering services and applications. In this presentation, Scott will share some of the basic paradigms of Container security, specifically detailing how Vulnerability Scanning is best designed. Understand the pros and cons of different models and strategies for ensuring code is deployed and maintained in a secure fashion. I have a unique view and a strong opinion about the best strategies to scan these systems for vulnerabilities, building on my experience analyzing thousands of vulnerabilities over two decades.

Tales from the Usenet

Jason Evans

Usenet is the original long-form discussion platform that predates the Internet. This session will be an introduction to Usenet as well as some stories from its past. This session will begin with a brief history of Usenet and where it is now. Some historical anecdotes will then be given, some will historically interesting and others will be humorous to give the audience a taste of what it was like to use the Usenet in decades past.

Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices

Brian Contos

Working globally with Fortune 500 enterprises and government agencies we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.

Security is an Awesome Product Feature

Mark Hahn

As a security practitioner, do you feel like your developers don’t want to talk to you? How can we convince developers that security is important? This talk explains how to frame security issues as opportunities for product differentiation. This approach starts a conversation with the developers that will yield a better relationship with the security team. I’ll show how to stop treating developers as the problem and include them as active partners in the solution.
Product Teams balance the competing interests for new features based on business value, but oftentimes there are no voices for security. Security teams need to make the point that the business value of a system cannot be realized if the system is un-trustworthy. Development teams must add security to their full lifecycle view of product development.
This work is based on rolling out security processes in my consulting organization of nearly 4,000 resources.
In many organizations security features are added as requirements in a category called “non-functional requirements”. This phrase may mean they are explicit features of the product. But this category also devalues these features. Product owners and development teams must value security aspects of the product as first class features. If a client, or user, cannot trust the system to prevent their data from being exposed, then they will likely find a different product to use. Conversely, if a product demonstrates strong security features, then clients and users will choose that system over others that are less secure.

Stryng Theory: Disregard Becomes a Dumpster Fire


The story of my approach to white-hatting for over a decade and some Do'S and Don'ts I have learned along the way. Even that one time I...

Trifecta of Email Authentication


This talk would be about how to prevent or avoid email spoofing. How the three email authentication mechanisms and techniques work together to avoid or atleast eliminate frauds and cybercriminals from spoofing a domain or sender information.

Beyond Purple - Fostering Cross-Team Collaboration

Andrew Clinton

Many companies find themselves with teams that become siloed. This often leads to strained communications, filtered communications, or even loss of communication between these teams. In this talk, we will use real-world examples where collaboration and purple team concepts were used to break down communication barriers, share knowledge, and foster ongoing cooperation between a mix of technical and non-technical teams.

Callin Info

This year we are going to end the conference with a livestream where we will be answering questions about the CTF, CarolinaCon itself, general hacking info, and whatever else comes up! At the end of the session, the CTF winners will be announced.