CarolinaCon 7

For the fourth year in a row, I treated myself to a weekend of security training and adolescent tom-foolery called “CarolinaCon”. The event was sponsored by the local chapter of 2600. While the presentations covered a range of topics that would interest any security professional, the tone was that of a college party. It’s fun.

The tagline for this year’s event was “A weekend of brainstorming (and by brainstorming, we mean drinking)”.

The Con started on Friday after work, and it continued until supper time on Sunday. While the speakers were giving their presentations in the main room, there were side events going on, too: a “lock pick village”, a weekend-long game of capture-the-flag, and a crypto challenge. It was hard to decide what to do, but I stuck with the presentations.

Here’s my thoughts on the various presentations.


  • 7pm – Tales from the Crypto (G. Mark Hardy)
    Security conferences are known for having puzzle challenges in their admission badges, and Gmark is the twisted mind behind several of them. He gave us an overview of classical (pen-and-paper) cryptography techniques, and showed how these tricks were incorporated into past Con badges. Finally, he issued a challenge to crack the code buried in the CarolinaCon 7 badge.
  • 8pm – How to Own and Protect Your Office Space (Dr. Tran)
    Dr Tran, from the ToooL team (of lock-pickers) showed common weaknesses in office physical security.
  • 9pm – Serial Killers: USB as an Attack Vector (Nick Fury)
    Nick likes to build stuff, and this time he built a small USB device that claims to be a keyboard, or a mouse, or both.  And it can type stuff and click on stuff, just like a real mouse.
  • 10pm – Hacker Trivia (wxs, Vic Vandal, AlStrowger)
    Hacker Trivia is CarolinaCon’s version of Jeopardy, where the questions are about hacker topics, and the answers will win you prizes (or crap).  I won a lock pick set and a “vintage” (1990) T-shirt that says “Cray Ada 3.0”.


  • 10am – Music and Audio Production with FOSS (Adam Drew)
    Some of the audience members partied a little hard last night, so Adam woke them up with some noise/music that he produced using 100% free and open source software.  This was my favorite talk of the Con… but it had nothing to do with security.
  • 11am – PIG: Finding Truffles Without Leaving A Trace (Ryan Linn)
    Ryan has given talks before about using metasploit to find vulnerabilities in a network.  This time, he showed a plug-in that he calls “PIG”, which does Passive Information Gathering… just listening to what everyone else is willfully broadcasting.
  • 1pm – If You Own a Multi-Function Printer than I Own You (Deral Heiland)
    Every year, Deral brings some new way to crack an egg. This time, it was office printers with shoddy security. It’s as if the printer companies got their embedded software guys to do the web interfaces, too! [This, of course, describes MY day job pretty well – I should take notes.]
  • 2pm – Yara and Python: The Malware Detection Dynamic Duo (mjg = Michael Goffin)
    Yara is a tool that can generate a “signature” to help classify malware. I sort of faded out during this one. Hey, it was just after lunch.
  • 3pm – There’s An App For That: Pentesting Moble (Joe McCray)
    We always enjoy seeing Joe Mac, and so we were happy to learn that he could fill a last-minute vacancy with his talk on installing your favorite hacking tools on a mobile phone platform.
  • 4pm – Fun with SSH Honeypotting (Chris Teodorski)
    Best security talk of the Con, starting with a simple tool that looks like a vulnerable SSH shell account, but is really just a frustrating maze that records an intruder’s every move.  But not stopping there, Chris went on to profile his intruders by analyzing the rootkit they used, and then by chatting them up in their IRC forum.
  • 7pm – Why Your Password Policy Sucks (purehate = Martin Bos)
    Using statistics from databases of passwords that have previously been compromised, Martin narrows down the search space significantly, speeding up the time to guess new passwords. For example, a large percentage of passwords are in the form “(some word) + (one number digit)”.  Password policies that force you to use a digit only encourage users to choose one that follows this same template.
  • 8pm – Mackerel: A Progressive School of Cryptographic Thought (Justin Troutman)
    There’s a dud at every Con, and this one was it. At first, it looked as though Justin had promise, with his good-ole-boy charm and his trippy slides (done with prezi). But in the end, it was an hour of techno-babble with over-animated slide transitions and no practical substance, a rehash of an academic paper, and a marketing pitch for his consulting business. Boo! [1]
  • 9pm – TTL of a Penetration (Branson Matheson)
    Branson argues that it is more important to react quickly to the inevitable attack than to try to thwart attacks in the first place. Spoken like a real Windows user.
  • 10pm – Hacker Trivia (Vic Vandal, wxs, AlStrowger)
    The Saturday night episode of Hacker Trivia was a little harder-edged than Friday night’s game. The staff spent much more of their time enforcing (and changing) the rules, and generally arguing with each other. Al (the MC) commented that this was like a game of “CalvinBall”. The cheezy prizes were replaced by unique “CarolinaCon 7” shot glasses, awarded (full) to the correct answerers.


  • 10am – logstash: Open Source Log and Event Management (Jordan Sissel)
    Most of us just print logs to a file. Jordan Sissel manages logs like Sorcerer Mickey manages his broom minions. His open source tools consolidate, format and distribute log messages in a very flexible way. And he even has stickers with cartoon logs and beavers to boot!
  • 11am – Dissecting the Hack: Malware Analysis 101 (Gerry Brunelle)
    When a machine is hacked, many people want to just wipe it clean and reinstall the OS. Gerry tells us not to… save that image and study what the malware is doing. He showed several techniques for learning what a piece of malware is doing. This was primarily a Windows-based talk, and much of the work was done using debuggers that disassembled the object code.
  • 1pm – Security Lessons from Cracking Enigma (Lisa Lorenzin)
    Lisa walked us through the history of the German Enigma machine, and the extraordinary tale of how the code was broken by the British and the Allies.
  • 2pm – Hack from a Library with Katana (JP “ronin” Dunning)
    A pretty straightforward talk about a toolkit that can be installed on a USB flash drive, and about the many places where one might find an unattended PC (McDonald’s drive-thru??).
  • 3pm – The Art of (Cyber) War (wxs = Wes Shields)
    It’s time to put on our tin foil hats… Wes is about to tell us about the next generation of bad guys. While the media warns us of APT’s (Advanced Persistent Threats), Wes prefers to call them DHA’s (Determined Human Adversaries). They are organized, focused, funded, and take a long-term view of their attack. So determine what their motivation is, and how to counter them. Apologies for numerous Sun Tsu quotes.
  • 4pm – Pwning Capture the Flag: Step by Step (David Burt)
    David Burt set up the playing field for the weekend-long capture-the-flag game, and so as the Con came to a close, he spilled the beans.  Five machines were set up on a private network, two Linux machines and three Windows. Each had vulnerabilities and “flag files” hidden on them. Find the files, and cut-and-paste their contents into the scoreboard web page, and you pwn this game.

All in all, it was a very fun, but exhausting, weekend.  I learned a lot… some of it security-related, and some… well… Thanks to the organizers for another fun weekend.  I am glad that they only hold this thing once per year.

[1] I am also willing to accept an alternative explanation – that I am too dumb to understand what Justin was talking about.