CarolinaCon Online 2 (2022)
Welcome to the CarolinaCon schedule page. The top half of the page lists the events. Click a talk title to jump down to its abstract. All times are EST. The CTF will run from 7:30 Friday to noon Sunday.
Friday (April 29th)
| Time | Event | Presenter |
|---|---|---|
| 11:30am - 12:30 | Workshop: Practical Mobile App Attacks By Example | 7aSecurity |
| 7pm | CCOnline 2 kick-off | CC Crew |
| 7:05pm | Hacker Trivia! | CC Crew |
Saturday April 30th
| Time | Event | Presenter |
|---|---|---|
| 10:00am | Moonwalking Through the Cloud - Continuous Integration / Continuous Disaster | 0x57696c6c |
| 11:00am | Vulnerability Management for Containers | Scott Wilson |
| 12:00pm | - Space Walk - | - |
| 1:00pm | Tales from the Usenet | Jason Evans |
| 2:00pm | Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices | Brian Contos |
| 3:00pm | Security is an Awesome Product Feature | Mark Hahn |
| 4:00pm | Stryng Theory: Disregard Becomes a Dumpster Fire | Stryngs |
Sunday (May 1st)
| Time | Event | Presenter |
|---|---|---|
| 10:00am | Trifecta of Email Authentication | Denice |
| 11:00am | Beyond Purple - Fostering Cross-Team Collaboration | Andrew Clinton |
| 12:00pm | Q&A Radio, End of CTF | CC Crew and Friends |
Abraham Aranguren of 7asecurity has been kind enough to host two workshops this year. Make sure you sign up via this typeform if you would like to attend either workshop. An email address is required to receive the workshop materials. Sign up here.
Zero-day .NET and Nvidia GFE Vulnerabilities Explained
This workshop covers the following topics:
- Essential techniques to audit Electron applications
- What XSS means in a desktop application
- Attacking preload scripts
- RCE via IPC
Practical Mobile App Attacks By Example
If you are the kind of person who enjoys workshops with practical information that you can immediately apply when you go back to work, this workshop is for you, all action, no fluff :)
Get lifetime access to practice some attack vectors, including multiple mobile app attacks, deeplinks, and mobile app data exfiltration with XSS. Vulnerable apps to practice on, guided exercise PDFs and video recording included: https://7asecurity.com/free-workshop-mobile-practical

A significant amount of confusion exists about what kind of damage is possible when vulnerabilities are found in mobile apps. This workshop aims to solve this problem by providing broad coverage of Android and iOS app vulnerabilities identified over multiple years of penetration testing. The purpose is to provide a comprehensive repertoire of security anti-patterns that penetration testers can look for and mobile app developers can watch out for and avoid.
Moonwalking Through the Cloud - Continuous Integration / Continuous Disaster
As supply-chain attacks are becoming more common, it's apparent that CI/CD pipelines are ripe for abuse. In a recent offensive engagement, my team set out to identify the breadth of compromise from three assume breach scenarios. In this talk I'd like to discuss some of the pitfalls and findings that we came across while we moonwalked through the cloud environment of a major cyber security company.
Vulnerability Management for Containers
With the advent of cloud computing, securing Containers is becoming ever more critical to organizations adopting a nimbler approach to delivering services and applications. In this presentation, Scott will share some of the basic paradigms of Container security, specifically detailing how Vulnerability Scanning is best designed. Understand the pros and cons of different models and strategies for ensuring code is deployed and maintained in a secure fashion. I have a unique view and a strong opinion about the best strategies to scan these systems for vulnerabilities, building on my experience analyzing thousands of vulnerabilities over two decades.
Tales from the Usenet
Usenet is the original long-form discussion platform that predates the Internet. This session will be an introduction to Usenet as well as some stories from its past. It will begin with a brief history of Usenet and where it is now. Some historical anecdotes will then be given; some will be historically interesting and others humorous, to give the audience a taste of what it was like to use Usenet in decades past.
Cameras, CACs & Clocks: Enterprise IoT Security Sucks - A Story of Two Million Interrogated Devices
Working globally with Fortune 500 enterprises and government agencies we’ve interrogated over two million production IoT devices. Across these two million devices we’ve identified threats and trends, compiled statistics, summarized compelling cases, and evaluated common offenders. We’ve also assembled tactics that organizations can employ to recognize value from their IoT devices while minimizing risk and ensuring that devices that are secure today will stay secure tomorrow.
Security is an Awesome Product Feature
As a security practitioner, do you feel like your developers don’t want to talk to you? How can we convince developers that security is important? This talk explains how to frame security issues as opportunities for product differentiation. This approach starts a conversation with the developers that will yield a better relationship with the security team. I’ll show how to stop treating developers as the problem and include them as active partners in the solution.
Product Teams balance the competing interests for new features based on business value, but oftentimes there are no voices for security. Security teams need to make the point that the business value of a system cannot be realized if the system is un-trustworthy. Development teams must add security to their full lifecycle view of product development.
This work is based on rolling out security processes in my consulting organization of nearly 4,000 resources.
In many organizations security features are added as requirements in a category called “non-functional requirements”. This phrase may mean they are explicit features of the product, but the category also devalues these features. Product owners and development teams must value security aspects of the product as first-class features. If a client or user cannot trust the system to prevent their data from being exposed, then they will likely find a different product to use. Conversely, if a product demonstrates strong security features, then clients and users will choose that system over others that are less secure.
Stryng Theory: Disregard Becomes a Dumpster Fire
The story of my approach to white-hatting for over a decade and some Do's and Don'ts I have learned along the way. Even that one time I...
Trifecta of Email Authentication
This talk is about how to prevent or avoid email spoofing: how the three email authentication mechanisms and techniques work together to avoid, or at least reduce, fraud and cybercriminals spoofing a domain or sender information.
Beyond Purple - Fostering Cross-Team Collaboration
Many companies find themselves with teams that become siloed. This often leads to strained communications, filtered communications, or even loss of communication between these teams. In this talk, we will use real-world examples where collaboration and purple team concepts were used to break down communication barriers, share knowledge, and foster ongoing cooperation between a mix of technical and non-technical teams.