My new blog at sbin.cn

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

• New site URL: Http://sbin.cn/blog
• New site RSS: Http://feeds.feedburner.com/sbindotcn

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.

China Mobile say no to 802.11i

China has adopted WAPI as its national wireless access standard in 2003, instead of  802.11i, which lead to furious debate at that time.  3 years passed. According to a report by Xinhua agency, the largest mobile operator in China – China Mobile has conducted a security testing to 802.11i and found security vulnerabilities in it.

Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.

The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.

At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.

Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.

Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.

Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.

See the original report…

A whitepaper on audit of SSH and RDP

A startup at China, BMST, is exploring a new field in security audit by rolling out their ground-breaking product – Session-Auditor.  That’s good pitch in the hot compliance trends. Compared against those tradional host based audit systems and SPAN-sniffer like audit systems, SA can audit those encrypted protocols transparently, without necessity to install expensive agents at hosts. Another plus of this product is its built-in access control capability. That means you don’t need intranet firewalls to protect your mission critical servers from operation and administration terminals. Just use Session-Auditor.

More technical information are available at the new whitepaper at their website. Click here to download.

China telecom operators and Sarbanes Oxley Act Compliance

In recent 2 years in China, the main rhythm in telecom industry is the compliance journey of Sarbanes Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom, China Unicom, all have public-list at USA stock market. In a similar time schedule, each of them has spent a lot of man power and money on SOX compliance, to organize, to plan, to build up internal control oriented processes, to buy consulting services and tools, to collect operation records.

• Plan and Organize

Typically, inside an operator, a 404 team, headed by a vice general manager level executives, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. Management Information System Department, Billing Department, Network Department, were assigned to be responsible for the implementation and follow-ups. A series of education has been conducted to improve the awareness of compliance.
All provincial operators are required by their HQ to complete the self-assessment and corresponding remediation in the first half year of 2006, so that they can collect enough records for external auditors to testify the effectiveness of internal control measures. Three of the BIG FOUR accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PWC for China Unicom.

• Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects are being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization and etc. Large amount of KPI (Key Performance Indicator) are setup and monitored to reflect the compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and effectiveness has got unprecedented upgrade inside the four major telecom operators. There is no denying that SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has had many of enterprises to re-think their IPO plan to Nasdaq.

This page was also published at sbin.cn.

del.etio.us digg it

In 2006, China has issued 15 national security standards

In China, network and information security have been getting rising attention in these years, not only from the government and those large enterprises, but also from whole society. More and more relevant standards are issued, and internal control manuals are made and executed in FSI (Financing, Securities and Insurance) and telecom enterprises as well to strengthen their compliance management.

Since the beginning of 2006, 15 standards have been published in security domain by the technical committee TC260 (http://www.tc260.org.cn), which is responsible for the information security related standards under the government standardization organization (http://www.sac.gov.cn/), the counterpart of NIST, USA. Some of them cover the detailed management and technical requirements for classify security protection, while some of them are updates of the previous GB/T18336, which is the localized version of ISO15408 (CC). Additionally, ISO17799:2000 has been adopted as GB/T19716-2005 in 2005.

For the original publish page, check: http://www.tc260.org.cn/sy/xwzt/htmls/20060720000002.html

Click here to see my chinese comment.

Ground-breaking audit tool for SSH and Windows Remote Desktop Protocol (RDP)

A startup company in China, BMST Co. Ltd., is bringing security managers and auditors a ground-breaking product which can audit SSH and Windows Remote Desktop Protocol (RDP) as a network bridge transparent to the upper layer applications. The product is named Session Auditor. It can record, replay, query, correlate those session data from most of popular protocols used in the daily network and system maintenance and operations, such as SSH, RemoteDesktop(RDP), Telnet, FTP, HTTP, Rlogin, VNC, and even those SQL query in Oracle, Sybase, MS SQL and etc. The most brilliant point is its unprecedented audit capability to the two most popular encrypted protocols, ie. SSH and RDP, making it unique in the competition against common sniffer products as well as forensics tools.

The founders of BMST have put their product at much larger background – the wave of compliance.

In the wake of Enron and WorldCom the role of internal auditors in corporate governance has taken on whole new meaning. Compliance is a long journey that enterprise excutives and IT managers have to take. Although there have been too much in your work breakdown structure task list, however, “Audit” is the right one that you can never overlook for seconds. Audit systems help executives assure everything runing as expected and defined.

Generally speaking, “audit system” for information systems are seperated into two kinds, one is management layer auditing, another one is technical layer auditing. The former is mapped to those auditing tools, particularly based on best practices and standards, such as ISO27001(BS7799), Cobit. But as to the technical layer auditing, there are too many tools and approaches in IT managers’ table. Typically it’s implemented by those log collection and analysis tools in the IDC’s security product category of SIEM(Security Information and Event Management). Those logs are designed to record only the event results, without the details of the activities and operations. In other words, if security managers and auditors want to do in depth investigation and forensics, those logs can’t help any more.

BMST’s Session Auditor can help. It’s an outstanding in-depth investigation and forensics tool. With its huge built-in storage (up to 2T Bytes), SA can record up to 5 months of network traffic in a wire speed fast ethernet (100Mb/s) environment without missing any packet.

This post was also published at sbin.cn.

Go Security 2.0

When I try to dig "Security 2.0" via Google, only one noticeable hit was found from CSOonline by Sarah. Sarah summarized the convergence at security area, and regarded "Security 2.0" as integration, convergence, holistic security and so on. Sarah reported a case study from Constellation Energy Group on convergence of physical security and IT security, where they assigned a new role named Chief Risk Officer, directly under CEO, who is responsible for control of what ever risks which might hurt the enterprise to an acceptable level. That's very interesting and with deep insight. However, my vision of "Security 2.0" is somewhat different.

At least in China, based on the about ten years of security practice, I would like to define the following two stages of security management and technology we are living with so far.

• Security 0.1: security came from anti-virus capability
• Security 1.0: security is PDR (Protection -> Detection -> Response), where in most cases at China, PDR was explained as firewall (protection), IDS (detection) and security emergency response services (Response)

But I begin to feel the emerging of a new pulse and inspiration at the industry, which I didn't hasitate to call it "Security 2.0", where I hope to borrow some concepts and feelings from Web2.0. The representative and definitive features of "Security 2.0" include:

• Security 2.0.1: focus changed to internal control and security protection of applications and data, rather than simple virus/intrusion detection and attacks.
• Security 2.0.2: "holistic security" synergizing the AAAA(Account, Authentication, Authorization, and Audit), from just stack/heap of firewalls, IDSs and other single point stuff.
• Security 2.0.3: emphasizing the perception and experience of those security managers and administrators, ie. the real effectiveness and efficiency. along with the implementation of technologies of data mining and correlation.

The key difference between Security 2.0 and previous stages lies at that the later focuses on the security information production and corresponding accuracy from those single point security elements, while the former turns to effective and efficient usage of those information to direct the real operations. Security 2.0 just develops itself on the shoulder of Security 1.0, instead of replacing them.

BTW, I am sorry I don't have time to translate other parts of this post from Chinese to English. If you are interested, please check the full version in Chinese.