10 YEARS, HOW TIME FLYING!

10 years! A lot of things happened, a lot of things past.

Thank you very much, WordPress and WordPress.com!

My new blog at sbin.cn

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

• New site URL: Http://sbin.cn/blog
• New site RSS: Http://feeds.feedburner.com/sbindotcn

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.

Security 2.0, Security 1.0 SP2 … Web 3.0 …

Feld expressed his dislike to those fashion words in his famous blog:

 I’m personally going to boycott the phrase “Web 3.0” since “Web 2.0” makes me tired enough.  There have been some great quips going around the system about this, including Gordon Weakliem’s “I haven’t even gotten around to upgrading to Web 1.0 Service Pack 2”, Michael Parekh’s “Web 2007 versions”, Peter Rip’s “Web 2.0 + 1”, and Nick Bradbury’s “Web 3.0 Does Not Validate.”  While I recognize the inevitability of the newest increment of the Web x.0 label, I don’t have to like it.

My points is that they are interesting stuff. Some guys like to use fashion words to attract eyeballs. As long as they can illustrate the essential points, just let it be.

I use Security 2.0 to describe the new trends in network security area, e.g. internal control, identity and access management, and etc. That differentiate themselves from the original anti-virus plus firewall plus IDS. No matter what you call them, they just exist there. right?

SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

China Mobile say no to 802.11i

China has adopted WAPI as its national wireless access standard in 2003, instead of  802.11i, which lead to furious debate at that time.  3 years passed. According to a report by Xinhua agency, the largest mobile operator in China – China Mobile has conducted a security testing to 802.11i and found security vulnerabilities in it.

Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.

The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.

At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.

Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.

Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.

Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.

See the original report…

A whitepaper on audit of SSH and RDP

A startup at China, BMST, is exploring a new field in security audit by rolling out their ground-breaking product – Session-Auditor.  That’s good pitch in the hot compliance trends. Compared against those tradional host based audit systems and SPAN-sniffer like audit systems, SA can audit those encrypted protocols transparently, without necessity to install expensive agents at hosts. Another plus of this product is its built-in access control capability. That means you don’t need intranet firewalls to protect your mission critical servers from operation and administration terminals. Just use Session-Auditor.

More technical information are available at the new whitepaper at their website. Click here to download.

It’s Cool. Go to Yahoo Mail Beta

I have a Yahoo Mail account to receive some mailing lists. For a long time I didnot login to check those messages. Today I found it changed outlook greatly, giving me a big surprise. Yahoo Mail Beta, very cool interface. See the below screenshot.

I had very different experience with Live Mail beta from Microsoft, slow response, bad interaction, … I felt very upset with it and changed back to the previous hotmail interface. Now go to Yahoo Mail beta. It’s cool.

The pain of patch management

There are always more and more vulnerabilities and patches in our IT life. It has become one part of our job. Isn’t it? What’s the biggest pain in your mind?

If you said “why patch management? just go ‘windows update'”, then you must be a individual computer user, not an administrator. 😉

The hardest is to balance the risk of hacking due to not to patch and system unstability or even crash due to new patch. According to common practice, security manager should have a process in place to test patches, with the help from system and application managers. The balance point is decided together. [My comment in Chinese]. See the below report by Roger… Read the rest of this entry »