My new blog at sbin.cn

January 30, 2007

Due to the publicly known reasons, this blog at wordpress.com has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.


SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

November 16, 2006

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.


China Mobile say no to 802.11i

November 16, 2006

China has adopted WAPI as its national wireless access standard in 2003, instead of  802.11i, which lead to furious debate at that time.  3 years passed. According to a report by Xinhua agency, the largest mobile operator in China – China Mobile has conducted a security testing to 802.11i and found security vulnerabilities in it.

Test results to date show that the current WLAN technology 802.11i has big security loopholes and is easy to attack, said Ma Benteng, senior engineer with China Mobile.

The Beijing Olympics will be the first to use WLAN in the Games’ history. Journalists would be major users of the networks.

At a meeting held by China Mobile recently, media users were skeptical about the safety of the current WLAN technology.

Results from more than a month of tests carried out by the national safety research center on information project show that 802.11i has serious technological defects and safety risks, said Ma, who is in charge of mobile planning for the 2008 Olympics.

Researchers said that articles on the technological defects of 802.11i were freely available on the internet, as well as tools for exploiting the defects. The internet also provides methods for decoding the technology.

Anybody who can connect to the Internet could download the software and steal private information from others, said Ma.

See the original report…


China telecom operators and Sarbanes Oxley Act Compliance

August 10, 2006

In recent 2 years in China, the main rhythm in telecom industry is the compliance journey of Sarbanes Oxley Act (SOX). The four major telecom operators – China Mobile, China Telecom, China Netcom, China Unicom, all have public-list at USA stock market. In a similar time schedule, each of them has spent a lot of man power and money on SOX compliance, to organize, to plan, to build up internal control oriented processes, to buy consulting services and tools, to collect operation records.

  • Plan and Organize

Typically, inside an operator, a 404 team, headed by a vice general manager level executives, was assigned to lead the compliance activities. Specialists in each of the main IT departments, e.g. Management Information System Department, Billing Department, Network Department, were assigned to be responsible for the implementation and follow-ups. A series of education has been conducted to improve the awareness of compliance.
All provincial operators are required by their HQ to complete the self-assessment and corresponding remediation in the first half year of 2006, so that they can collect enough records for external auditors to testify the effectiveness of internal control measures. Three of the BIG FOUR accounting firms are external auditors of the four operators – KPMG for China Mobile and China Telecom, Deloitte for China Netcom, and PWC for China Unicom.

  • Acquire and Implement

In order to improve the effectiveness and efficiency of compliance controls, a series of nationwide security and governance projects are being undertaken, covering IAM (Identity and Access Management), auditing, ITSM (Information Technology Service Management) optimization and etc. Large amount of KPI (Key Performance Indicator) are setup and monitored to reflect the compliance status. Complete auditing systems are under continuous construction and improvement, while periodic and formal auditing processes for the compliance controls are designed and implemented.
We are glad to say that the enterprise governance structure and effectiveness has got unprecedented upgrade inside the four major telecom operators. There is no denying that SOX compliance journey is too expensive for mainland enterprises. The high cost of SOX has had many of enterprises to re-think their IPO plan to Nasdaq.

This page was also published at sbin.cn.

Deliciousdel.etio.us Diggdigg it


12345678! Pyramid Framework

June 14, 2006

Yesterday afternoon, WHY and I worked out a holistic enterprise internal control framework. We named it as 12345678! Pyramid Framework. It help integrate the enterprise execution, IT control and security control methodologies and countermeasures.

  1. One Priority: Execution
  2. Two Hands: Technology and Management
  3. Three Layers: Decision Makers, Managers, and Execution
  4. Four Phases: Plan, Do, Check, Act
  5. Five Layer Controls: Control Environment, Risk Assessment, Control Activities, Information and Communications, Monitoring
  6. Six Risk Elements: Assets, Threats, Vulnerabilities, Safeguards, Risks and Opportunities
  7. Seven Information Criteria: Confidentiality, Integrity, Availability, Efficiency, Effectiveness, Compliance, Reliability
  8. Eight IT Processes: Planning and Organization, Acquisition & Implementation, Delivery and Support, Monitoring and Evaluation

Do you like it? We know there has been much space left for it to be perfect. But it help guide your thinking ways when you prepare proposals or do planning. Its original form is in Chinese. Click here for more.

If you think it helpful or have any suggestions, just leave me a comment.


VoIPsa Blog

June 1, 2006

Here is coming an eye-catching blog at VoIP security at VoIPsa Blog.


Will Net Neutrality come again?

April 29, 2006

See comment at Register, named "Net Neutrality bid gone for good" by Andrew.  A bunch of Internet giants expressed their discontent to Net Neutrality, for its mistiness and injustice. Andrew is hoping a "more coherent and professional fashion", and even "with better branding". The key point in my brain, for its possible recoming, is the benefit balance between transmission network (typically those tradional telcos) operators and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster".  

See the story by Andrew…. Read the rest of this entry »