My new blog at

January 30, 2007

Due to the publicly known reasons, this blog at has been not accessible at China for a long time till last Spring festival (Feb.2006). It’s very difficult for me to update and manage this blog, while most of my readers from mainland can not read it since then. So I decide move it to a new site with good performance.

Hope you guys can change your bookmark and RSS feeds. I am sorry for the unconvenience for this move. Thanks for the great pleasure WP community gave me.


SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

November 16, 2006

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

 N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and report at VoIPsa blog.

What Hamachi brings?

July 28, 2006

Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

It’s a wonderful software application, which provides us a virtual LAN over Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to tranverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

Obviously, founders of Hamachi have learned the lesson from Skype. They has done a lot of effort to open their protocols and algorithm in the identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installation get enough base. According to their website, Hamachi has over 3,000,000 users at June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

At the other hand, the overspreading of such kind of softwares (for others, see, has been eroding and further eliminating the enterprises’ network perimeter, leading the compomise of security policy. It requires that firewalls and networking devices should support more and more layer-7 applications, in particular P2P overlay networking traffic. Morever, Traditional IDS and UTM won’t work in face of virtual LANs.

Let’s keep an eye on them together. See my comment in chinese.

VoIPsa Blog

June 1, 2006

Here is coming an eye-catching blog at VoIP security at VoIPsa Blog.

Will Net Neutrality come again?

April 29, 2006

See comment at Register, named "Net Neutrality bid gone for good" by Andrew.  A bunch of Internet giants expressed their discontent to Net Neutrality, for its mistiness and injustice. Andrew is hoping a "more coherent and professional fashion", and even "with better branding". The key point in my brain, for its possible recoming, is the benefit balance between transmission network (typically those tradional telcos) operators and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster".  

See the story by Andrew…. Read the rest of this entry »

SMA, VoIP and Identity

April 25, 2006

There was an interesting description on SMA (Secure Mobile Architecture) by another Richard from Boeing :). SMA is expected to address security issues in VoIP and identity for those enterprise networks with some sample implementation inside Boeing

There have to be some fundamental changes in the way the Internet operates. One way is through a framework and architecture called the Secure Mobile Architecture (SMA). This architecture is published by The Open Group and is available at the following URL: The architecture addresses many of the issues you have been talking about. Until we actually address the issues of basing security on the MAC and IP addresses, all of your approaches will not address the basic problem.

I have an example of the issues hiding our heads in the sand can lead to. I have been a member of IEEE 802.11 since about 1995. Boeing got involved in 802.11 because of the potential solutions 802.11 provided for both Internet access onboard airplanes and for the mobile enterprise communications. So I got involved early in the security provided for the Wireless LANs. The initial group of 802.11 standards developers felt, as I did, that the WEP was sufficient (good enough) to get the standard rolling. It wasn't! The work around was VPNs for any wireless connections, but it definitely slowed and inhibited the growth of WLANs. It took six years to provide a WEP replacement that was cryptographically secure.

If IEEE 802.11i is any example, the VOIP growth and viability is inexorably tied to how secure our telephone calls are. I have always been incredulous that we never cared very much how vulnerable our telephone conversations are. The wire makes us seem less vulnerable, but in fact, backbone communications links are sometimes over major microwave links. Many of the Fortune 500 contractually stipulate that none of their business communications are sent over microwave links. In addition to the microwave links, we have wholly trusted our telephony companies to protect us and they have done quite a good job in that most of the connections are in central offices that have not been broken into. This is all changing now and this mailing list is at the forefront of the discussion. What do we do about voice security now that our telephone conversations are riding over the Internet and have all the Internet vulnerabilities of viruses, MAC address spoofing, IP address spoofing, replay, spamming, etc?

In the big picture, end-to-end secure sessions with cryptographically based mechanisms to identify people and machines are the only way to assure secure VOIP communications. In our work with the Secure Mobile Architecture (SMA), we have been exposed to all the regulatory requirements for privacy and legality. These requirements include Sorbannes-Oxley, HIPPA, and many others. They are quite extensive and demanding, especially of privacy and protection from exposure on the Internet. Without addressing the requirement of an end-to-end cryptographically secure infrastructure, we are not addressing the problem and those of us responsible for unleashing VOIP on the world have a responsibility to address this problem in a big picture way.

The core of the problem comes from the relationship of security and identity. When I first heard and participated in discussions on identity management, I was very skeptical that this was a required discipline at all. In fact, I still think that identity management is not the right term for what we need to address in Internet VOIP and WLAN infrastructure contexts. We do not need to manage the identities. In reality, the people, organizations, and enterprises need to be assured that their identities are protected when they use the Internet. So, the identity of a person or machine must be protected in a business context or in an individual context. By the way, this identity of a machine is an imperative one to address. We are still not doing a good job of identifying a computer or intelligent machine's identity. In fact, as VOIP gets more integrated into the business processes and telephony becomes more versatile and VOIP applications are used for event notification, the validity of such processes is dependent on getting the cryptographically validated sources of the VOIP information you get.

The architecture The Open Group developed called the Secure Mobile Architecture (SMA) deals with these issues through the use of four elements (Boeing deployment); 1. Public Key Infrastructure (PKI) access, 2. use of the Host Identity Protocol (HIP), 3. a Network Directory Service (NDS), and 4. use of a Location Enabled Network Service (LENS). I will treat each of these and their relationship to VOIP and VOIP security in the following four paragraphs. Read the rest of this entry »

More on SOX – VoIP

April 18, 2006

Gary Audin wrote a good post on VoIP and SOX, very unique view point and insight. Gary reviewed the goal and criticized the maturity and operationality of SOX and even predicted the modification in the near future.

The SOX goal is to insure the reliability of publicly reported financial information. Corporate boards, enterprise executives and directors, attorneys, auditors, small business owners, rank and file employees and security analysts have expanded duties as well as penalties as result of the SOX act. The legislation was not thoroughly debated. The result is being questioned, delayed and will probably be modified. It is a moving target where auditors may develop new policies and requirements in the future. My initial comments on SOX will found in the previous Blog, “Putting up with SOX”.

Further, Gary discussed what IP telephony (IPT) / VoIP systems might bring to SOX compliance.

IP Telephony systems will have IP phones that may access the Internet and softphones that are compromised. These could be the man-in-the-middle for attacks or malicious behavior. The call server could be hijacked to create denial of service for the VoIP service. Trojan break-ins could access financial information from an IPT device. Even when there are security personnel and procedures in place, if they are handled poorly and the CEO and CFO falsely report that they are diligent in their control, penalties may occur.


Do not wait for the audit. The results can be costly. Be proactive as you move to VoIP/IPT.

IMHO, because SOX is a financial oriented act, so if VoIP/IPT is not your business, ie. revenue generator, you might not cover VoIP auditing in your SOX compliancy audit, because in general they are not used to process and control those financial numbers. However, it's different to those VoIP operators, where security control of VoIP billing directly impact the final financial results and morever the shareholders' benefit.