My Submissions for the 2013 HI-TEC Conference

Conference Information

It'll be July 21-24 in Austin. More info here:

I just submitted this 45-min. talk:

Two Scary Denial-of-Service Attacks

I will explain and demonstrate two attacks that can kill machines.

A new, stronger IPv6 Router Advertisement flood attack was released in October, 2012. It can freeze or crash Windows 8, Mac OS X, BSD Unix, and Android.

Sockstress was developed in 2008, but was never thoroughly patched. It works remotely and can damage Web servers so badly that they cannot be rebooted. It abuses an intrinsic feature of TCP; so almost any device that uses TCP is vulnerable.

I will also discuss countermeasures for these attacks--the easiest is to filter them out with firewalls.

I also submitted this 3-hour hands-on workshop:

Hands-on SQL Injection Attack and Defense

The vast majority of all stolen data was taken with SQL injection. Every security professional needs to understand it well. Unfortunately, many websites remain vulnerable, and the techniques needed to prevent it are not widely enough known.

After a brief explanation of the vulnerabilities, attacks, and defenses, students will set up a vulnerable SQL website using SQLol, exploit it with Havij (the tool Anonymous used to exploit PBS), and protect it with input validation.

Additional projects are available for you to use in your classes, demonstrating other attacks and a better defense--parameterized queries.

All the powerpoint slides, lecture notes, and hands-on projects will be `freely available for you to incorporate into your own classes.

Hands-on component

Students will set up a SQL server and a vulnerable application, exploit it, and patch it to make it more secure. Computers will be provided for students to use, or they can use their own laptops. An internet connection would be nice but if it doesn't work, the workshop can proceed without it.

This workshop will use Backtrack Linux and SQLol.

Posted 10:37 PM, Jan. 27, 2013 by Sam Bowne