My new blog at sbin.cn

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

• New site URL: Http://sbin.cn/blog
• New site RSS: Http://feeds.feedburner.com/sbindotcn

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.

SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

China Mobile say no to 802.11i

China has adopted WAPI as its national wireless access standard in 2003, instead of  802.11i, which lead to furious debate at that time.  3 years passed. According to a report by Xinhua agency, the largest mobile operator in China – China Mobile has conducted a security testing to 802.11i and found security vulnerabilities in it.

Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.

The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.

At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.

Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.

Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.

Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.

See the original report…

China telecom operators and Sarbanes Oxley Act Compliance

In recent 2 years in China, the main rhythm in telecom industry is the compliance journey of Sarbanes Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom, China Unicom, all have public-list at USA stock market. In a similar time schedule, each of them has spent a lot of man power and money on SOX compliance, to organize, to plan, to build up internal control oriented processes, to buy consulting services and tools, to collect operation records.

• Plan and Organize

Typically, inside an operator, a 404 team, headed by a vice general manager level executives, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. Management Information System Department, Billing Department, Network Department, were assigned to be responsible for the implementation and follow-ups. A series of education has been conducted to improve the awareness of compliance.
All provincial operators are required by their HQ to complete the self-assessment and corresponding remediation in the first half year of 2006, so that they can collect enough records for external auditors to testify the effectiveness of internal control measures. Three of the BIG FOUR accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PWC for China Unicom.

• Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects are being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization and etc. Large amount of KPI (Key Performance Indicator) are setup and monitored to reflect the compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and effectiveness has got unprecedented upgrade inside the four major telecom operators. There is no denying that SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has had many of enterprises to re-think their IPO plan to Nasdaq.

This page was also published at sbin.cn.

del.etio.us digg it

12345678! Pyramid Framework

Yesterday afternoon, WHY and I worked out a holistic enterprise internal control framework. We named it as 12345678! Pyramid Framework. It help integrate the enterprise execution, IT control and security control methodologies and countermeasures.

1. One Priority: Execution
2. Two Hands: Technology and Management
3. Three Layers: Decision Makers, Managers, and Execution
4. Four Phases: Plan, Do, Check, Act
5. Five Layer Controls: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring
6. Six Risk Elements: Assets, Threats, Vulnerabilities, Safeguards, Risks and Opportunities
7. Seven Information Criteria: Confidentiality, Integrity, Availability, Efficiency, Effectiveness, Compliance, Reliability
8. Eight IT Processes: Planning and Organization, Acquisition & Implementation, Delivery and Support, Monitoring and Evaluation

Do you like it? We know there has been much space left for it to be perfect. But it help guide your thinking ways when you prepare proposals or do planning. Its original form is in Chinese. Click here for more.

If you think it helpful or have any suggestions, just leave me a comment.

VoIPsa Blog

Here is coming an eye-catching blog at VoIP security at VoIPsa Blog.

Will Net Neutrality come again?

See comment at Register, named "Net Neutrality bid gone for good" by Andrew.  A bunch of Internet giants expressed their discontent to Net Neutrality, for its mistiness and injustice. Andrew is hoping a "more coherent and professional fashion", and even "with better branding". The key point in my brain, for its possible recoming, is the benefit balance between transmission network (typically those tradional telcos) operators and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster".  

See the story by Andrew…. Read the rest of this entry »

SMA, VoIP and Identity

There was an interesting description on SMA (Secure Mobile Architecture) by another Richard from Boeing :). SMA is expected to address security issues in VoIP and identity for those enterprise networks with some sample implementation inside Boeing

---

There have to be some fundamental changes in the way the Internet operates. One way is through a framework and architecture called the Secure Mobile Architecture (SMA). This architecture is published by The Open Group and is available at the following URL:
http://www.opengroup.org/bookstore/catalog/select.tpl?text=secure+mobile+arch The architecture addresses many of the issues you have been talking about. Until we actually address the issues of basing security on the MAC and IP addresses, all of your approaches will not address the basic problem.

I have an example of the issues hiding our heads in the sand can lead to. I have been a member of IEEE 802.11 since about 1995. Boeing got involved in 802.11 because of the potential solutions 802.11 provided for both Internet access onboard airplanes and for the mobile enterprise communications. So I got involved early in the security provided for the Wireless LANs. The initial group of 802.11 standards developers felt, as I did, that the WEP was sufficient (good enough) to get the standard rolling. It wasn't! The work around was VPNs for any wireless connections, but it definitely slowed and inhibited the growth of WLANs. It took six years to provide a WEP replacement that was cryptographically secure.

If IEEE 802.11i is any example, the VOIP growth and viability is inexorably tied to how secure our telephone calls are. I have always been incredulous that we never cared very much how vulnerable our telephone conversations are. The wire makes us seem less vulnerable, but in fact, backbone communications links are sometimes over major microwave links. Many of the Fortune 500 contractually stipulate that none of their business communications are sent over microwave links. In addition to the microwave links, we have wholly trusted our telephony companies to protect us and they have done quite a good job in that most of the connections are in central offices that have not been broken into. This is all changing now and this mailing list is at the forefront of the discussion. What do we do about voice security now that our telephone conversations are riding over the Internet and have all the Internet vulnerabilities of viruses, MAC address spoofing, IP address spoofing, replay, spamming, etc?

In the big picture, end-to-end secure sessions with cryptographically based mechanisms to identify people and machines are the only way to assure secure VOIP communications. In our work with the Secure Mobile Architecture (SMA), we have been exposed to all the regulatory requirements for privacy and legality. These requirements include Sorbannes-Oxley, HIPPA, and many others. They are quite extensive and demanding, especially of privacy and protection from exposure on the Internet. Without addressing the requirement of an end-to-end cryptographically secure infrastructure, we are not addressing the problem and those of us responsible for unleashing VOIP on the world have a responsibility to address this problem in a big picture way.

The core of the problem comes from the relationship of security and identity. When I first heard and participated in discussions on identity management, I was very skeptical that this was a required discipline at all. In fact, I still think that identity management is not the right term for what we need to address in Internet VOIP and WLAN infrastructure contexts. We do not need to manage the identities. In reality, the people, organizations, and enterprises need to be assured that their identities are protected when they use the Internet. So, the identity of a person or machine must be protected in a business context or in an individual context. By the way, this identity of a machine is an imperative one to address. We are still not doing a good job of identifying a computer or intelligent machine's identity. In fact, as VOIP gets more integrated into the business processes and telephony becomes more versatile and VOIP applications are used for event notification, the validity of such processes is dependent on getting the cryptographically validated sources of the VOIP information you get.

The architecture The Open Group developed called the Secure Mobile Architecture (SMA) deals with these issues through the use of four elements (Boeing deployment); 1. Public Key Infrastructure (PKI) access, 2. use of the Host Identity Protocol (HIP), 3. a Network Directory Service (NDS), and 4. use of a Location Enabled Network Service (LENS). I will treat each of these and their relationship to VOIP and VOIP security in the following four paragraphs. Read the rest of this entry »