November 17, 2006
Feld expressed his dislike of these fashionable buzzwords on his well-known blog:
I’m personally going to boycott the phrase “Web 3.0” since “Web 2.0” makes me tired enough. There have been some great quips going around the system about this, including Gordon Weakliem’s “I haven’t even gotten around to upgrading to Web 1.0 Service Pack 2”, Michael Parekh’s “Web 2007 versions”, Peter Rip’s “Web 2.0 + 1”, and Nick Bradbury’s “Web 3.0 Does Not Validate.” While I recognize the inevitability of the newest increment of the Web x.0 label, I don’t have to like it.
My point is that these are interesting things. Some people like to use buzzwords to attract eyeballs. As long as they can illustrate the essential points, just let it be.
I use "Security 2.0" to describe the new trends in the network security area, e.g. internal control, identity and access management, and so on. These differentiate themselves from the original anti-virus plus firewall plus IDS. No matter what you call them, they exist anyway, right?
November 16, 2006
Today SANS announced the 2006 version of its annual "Top-20 Internet Security Attack Targets", and for the first time VoIP is included as one of the threats. It was listed as N1:
VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager, Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.
Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).
See more comments and the report at the VoIPsa blog.
November 16, 2006
China adopted WAPI as its national wireless access standard in 2003, instead of 802.11i, which led to a furious debate at that time. Three years have passed. According to a report by the Xinhua agency, the largest mobile operator in China, China Mobile, has conducted security testing of 802.11i and found security vulnerabilities in it.
Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.
The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.
At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.
Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.
Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.
Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.
See the original report…
November 14, 2006
A startup in China, BMST, is exploring a new field in security audit by rolling out its ground-breaking product, Session-Auditor. That is a good pitch in the hot compliance trend. Compared with traditional host-based audit systems and SPAN-sniffer-style audit systems, SA can audit encrypted protocols transparently, without the need to install expensive agents on hosts. Another plus of this product is its built-in access control capability. That means you don't need intranet firewalls to protect your mission-critical servers from operation and administration terminals; just use Session-Auditor.
More technical information is available in the new whitepaper on their website. Click here to download.
November 13, 2006
I have a Yahoo Mail account to receive some mailing lists. For a long time I did not log in to check those messages. Today I found its look had changed greatly, which gave me a big surprise: Yahoo Mail Beta, a very cool interface. See the screenshot below.
I had a very different experience with Live Mail beta from Microsoft: slow response, bad interaction, … I felt very upset with it and changed back to the previous Hotmail interface. Now on to Yahoo Mail beta. It's cool.
November 8, 2006
There are always more and more vulnerabilities and patches in our IT life. Dealing with them has become one part of our job, hasn't it? What's the biggest pain in your mind?
If you said "why patch management? just go 'Windows Update'", then you must be an individual computer user, not an administrator. 😉
The hardest part is to balance the risk of being hacked because a patch was not applied against the risk of system instability or even a crash caused by a new patch. According to common practice, the security manager should have a process in place to test patches, with help from the system and application managers. The balance point is decided together. [My comment in Chinese]. See the report below by Roger…