My new blog at

January 30, 2007

Due to the publicly known reasons, this blog at has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.


SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

November 16, 2006

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

China Mobile say no to 802.11i

November 16, 2006

China has adopted WAPI as its national wireless access standard in 2003, instead of  802.11i, which lead to furious debate at that time.  3 years passed. According to a report by Xinhua agency, the largest mobile operator in China – China Mobile has conducted a security testing to 802.11i and found security vulnerabilities in it.

Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.

The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.

At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.

Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.

Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.

Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.

See the original report…

The pain of patch management

November 8, 2006

There are always more and more vulnerabilities and patches in our IT life. It has become one part of our job. Isn’t it? What’s the biggest pain in your mind?

If you said “why patch management? just go ‘windows update'”, then you must be a individual computer user, not an administrator. 😉

The hardest is to balance the risk of hacking due to not to patch and system unstability or even crash due to new patch. According to common practice, security manager should have a process in place to test patches, with the help from system and application managers. The balance point is decided together. [My comment in Chinese]. See the below report by Roger… Read the rest of this entry »

What Hamachi brings?

July 28, 2006

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see, has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

“Common Weakness Enumeration” Added to CVE Web Site

March 16, 2006

March 15, 2006, according to the official news from, a new effort leveraging CVE entitled the "Common Weakness Enumeration (CWE)" has been added to the GET CVE page on the CVE Web site.

GetCVECWE is a community-developed formal list of common software
weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.

Technorati Tags: , , ,,

OSVDB’s fight for VM against Mitre

March 13, 2006

How about the status of current vulnerability management market? A common question leads to drastic argument. Is CVE enough? Do you agree that Mitre help you master the vulnerability management? See comment from, which is from OSVDB(Open Source Vulnerability Data Base):

Vulnerability research is straight forward. There isn't a lot of black magic and secret arts when it comes to finding vulnerabilities. For the most part, 99% of vulnerabilites are very well documented (even if the 'researcher' doesn't document it), easy to understand by others in the field, and leave little to imagination. It has been years since we've seen a truly new class of vulnerability surface. If I post details of an overflow of *any kind* to this list, there are a hundred folks that can digest what I post in seconds, then go to town on me for not going into details, not looking at VectorX, FunctionY or Z.c =)

The other side of vulnerability disclosure is the human element. The sociology and mindset behind what we do, and why we do it. This is the angle that has interested me for years, and the type of book I will grab before any 'technical' (generous term usually) security/hacking book. Not only are there dozens of questions that can be asked of the researcher about his mindset and ethical views, there are countless other people involved in the process. Does the researcher have partners? Is he an employee of a security company? What vendor is he dealing with? Which vendor is it? How many people is he dealing with on the vendor side?