Archive for October, 2005

On Line Bookmark Community

October 28th, 2005 No comments

Everyone shares and exchanges their bookmarks and favourites, and manages the shared tags together. Such a community forms a very novel way of sharing knowledge and making friends online. This place is a good one:

http://del.icio.us

Technorati Tags: Blog, Tools, News, sharing, online bookmarks, making friends

Categories: Security

Collections of my publications in chinese

October 28th, 2005 No comments

Most of my Chinese publications from 2000-2005 are now collected at cn.zhaol.cn, which currently redirects to zhaol.i170.cn. Comments are welcome.

Technorati Tags: Telecom, security, P2P

Categories: Security, Telecom

Day Zero Defense System by Facetime.com

October 28th, 2005 1 comment

FaceTime has unveiled its next-generation technology, named Day Zero Defense System, built into its IMAuditor 6.5.1 product.

  • IM Anomaly Detection – intelligently monitors IM communications and performs behavioral analysis across multiple attributes, including message frequency, content and message sender, to determine anomalies against normal thresholds set by the organization.
  • Zero-Day Policy Management – provides administrators complete flexibility in defining the actions to be taken on IM communications when an anomaly is detected, including block, allow, log, send alert, challenge and more. The system provides comprehensive reporting on all activity.
  • Patent-pending Challenge/Response Technology – allows administrators to quarantine suspicious IM conversations and initiate a challenge to the sender that requires a human to respond successfully. This stops malicious threats created by computer bots while allowing uninterrupted delivery of legitimate communications sent by humans.
  • Integration with FaceTime Security Labs – new threats are automatically reported to researchers for further analysis and evaluation by the largest security team dedicated to IM, P2P and spyware threats.
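The anomaly-detection and challenge/response behaviour described in the four points above, as an added Python example that is not FaceTime's IMAuditor code: each message is scored on sender frequency, fan-out to distinct recipients and URL content against organisation-set thresholds, the result is mapped to the listed policy actions (allow, log, alert, challenge, block), and a challenged sender's traffic is quarantined until a human answers the challenge. The log format, the thresholds, the sender and recipient names and the example.invalid URLs are all constructed for this example.

```python
# Added example, not FaceTime's IMAuditor code: a minimal IM anomaly detector
# in the shape the press release describes. It tracks three attributes per
# sender (message frequency, fan-out to distinct recipients, URL content)
# against organisation-set thresholds, maps anomalies to the listed policy
# actions and holds a challenged sender's messages until a human answers.
# Thresholds, log format, senders, recipients and URLs are all constructed.
import re
from collections import defaultdict, deque, namedtuple

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
Message = namedtuple("Message", "ts sender recipient text")


class Thresholds:
    """Hypothetical limits an organisation might set (constructed values)."""
    window_seconds = 10             # sliding window per sender
    max_msgs_per_window = 3         # more than this -> frequency anomaly
    max_recipients_per_window = 2   # more than this -> fan-out anomaly
    max_urls_per_msg = 1            # more than this -> content anomaly


def parse_line(line):
    """Parse one constructed log line of the form 'ts|sender|recipient|text'."""
    ts, sender, recipient, text = line.split("|", 3)
    return Message(float(ts), sender, recipient, text)


class IMAnomalyDetector:
    def __init__(self, known_senders, thresholds=Thresholds):
        self.t = thresholds
        self.known = set(known_senders)
        self.history = defaultdict(deque)    # sender -> deque of (ts, recipient)
        self.challenged = set()              # senders awaiting a human response
        self.quarantine = defaultdict(list)  # sender -> held messages

    def anomalies(self, msg):
        """Return the anomaly reasons for msg; an empty list means normal."""
        hist = self.history[msg.sender]
        while hist and msg.ts - hist[0][0] > self.t.window_seconds:
            hist.popleft()                   # expire events outside the window
        hist.append((msg.ts, msg.recipient))
        reasons = []
        if len(hist) > self.t.max_msgs_per_window:
            reasons.append("frequency")
        if len({r for _, r in hist}) > self.t.max_recipients_per_window:
            reasons.append("fan-out")
        if len(URL_RE.findall(msg.text)) > self.t.max_urls_per_msg:
            reasons.append("content:urls")
        if msg.sender not in self.known:
            reasons.append("sender:unknown")
        return reasons

    def decide(self, msg):
        """Apply the zero-day policy to one message; returns (action, reasons)."""
        if msg.sender in self.challenged:
            self.quarantine[msg.sender].append(msg)   # hold until a human answers
            return "quarantine", ["challenge-pending"]
        reasons = self.anomalies(msg)
        if not reasons:
            return "allow", reasons
        if "frequency" in reasons and "content:urls" in reasons:
            return "block", reasons                    # burst of link-laden messages
        if "frequency" in reasons or "fan-out" in reasons:
            self.challenged.add(msg.sender)            # bot-like pattern: ask for a human
            self.quarantine[msg.sender].append(msg)
            return "challenge", reasons
        if "content:urls" in reasons:
            return "alert", reasons
        return "log", reasons                          # e.g. unknown but otherwise normal sender

    def challenge_response(self, sender, human_answered):
        """Release held messages if a human answered the challenge, otherwise drop them."""
        held = self.quarantine.pop(sender, [])
        self.challenged.discard(sender)
        return ("release" if human_answered else "drop"), held


# Constructed sample traffic: normal chat, one link-heavy message, an unknown
# sender fanning out to many recipients, and a legitimate but chatty user.
SAMPLE_LOG = """\
0|alice|bob|hi bob
1|alice|bob|see http://example.invalid/a and http://example.invalid/b
2|spimbot|u1|free stuff http://example.invalid/x
3|spimbot|u2|free stuff http://example.invalid/x
4|spimbot|u3|free stuff http://example.invalid/x
5|spimbot|u4|free stuff http://example.invalid/x
10|carol|bob|one
11|carol|bob|two
12|carol|bob|three
13|carol|bob|four
"""


def run_sample(log=SAMPLE_LOG, known=("alice", "bob", "carol")):
    """Feed the log through one detector; returns (detector, [(sender, action, reasons)])."""
    det = IMAnomalyDetector(known)
    results = []
    for line in log.splitlines():
        msg = parse_line(line)
        action, reasons = det.decide(msg)
        results.append((msg.sender, action, reasons))
    return det, results
```

Running `run_sample()` lets alice's first message through, alerts on her two-URL message, logs the unknown sender until its fan-out crosses the threshold and then challenges it (holding everything after that), and challenges the legitimate but chatty carol on her fourth message; `challenge_response("carol", True)` releases her held message while an unanswered challenge for the bot drops its quarantined traffic. The point the design makes is the one in the press release: the frequency and fan-out signals trigger a challenge rather than an outright block, so a human sender who merely talks a lot is delayed, not silenced.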

Several products currently address IM threats, such as FaceTime (IM Guardian RTG500), IMlogic (IM Manager), SurfControl (Instant Message Filter), Websense, Blue Coat (ProxySG 400) and Akonix (L7 Enterprise). SC Magazine tested a group of these products on Aug. 27, 2004; see the following test summary:

The ease of use combined with the vast array of functionality offered by Websense Enterprise 5.2 wins it the Best Buy award. The product’s rich enterprise functionality incorporating excellent IM security was very impressive. For large enterprises looking for a dedicated solution to IM security, the FaceTime FTG500 Guardian is a very strong contender. It offers a high-end solution and is highly configurable to the needs of even the largest environments, and so wins the Recommended award.

Technorati Tags: IM, P2P, EIM, GreyNet, Security

Categories: P2P, Security

Skype keynote address covers the whole gambit

October 28th, 2005 No comments

TMCnet reported on a keynote by Niklas Zennström, the founder of Skype, in which “Skype Groups” was regarded as an important step for Skype toward enterprise solutions; see the excerpt below.

“…Another area he focused on was Skype Groups, which is designed for enterprises looking to deploy Skype as a business solution. He mentioned that it features the ability for administrators to centrally administer SkypeOut credits, as well as administer SkypeIn numbers. Skype Groups is a step in the right direction in making Skype part of the solution and not part of the problem, considering Skype has often been a disruptive “uninvited guest” within the enterprise….”

Technorati Tags: Skype, P2P, eBay, EIM

Categories: P2P

Fast Growing IM/P2P Applications (Chinese)

October 27th, 2005 1 comment

This post is the first part of a two-part review of IM/P2P applications and their security management (see the second part: IM/P2P Security Management at Telecom Networks (Chinese)). It is easy to find a polished client with millions of fans, but difficult to evaluate and predict which one will win the competition.

Lou Latham, a well-known IM expert at Gartner, speaking on Gartner's audio magazine “Talking Technology”, divided IM into two kinds: consumer-oriented and enterprise-oriented. Most popular IM/P2P applications are consumer-oriented, while he regarded Microsoft, SAP, Novell, IBM and others as providing the solutions that enterprise IT managers might consider adopting to improve internal communication. He further emphasized that Jabber is an open and flexible platform worthy of attention.

I uploaded the whole article as a PDF to my Chinese-language blog at i170.com. Click to download.

Security Management of Instant Messaging and P2P (Part 1)

1 Fast-growing IM/P2P applications

Instant messaging
Instant messaging (IM) has become an almost indispensable application on today's networks. IM is an online communication method similar to e-mail, but it differs from e-mail in its “immediacy”. According to Yankee Group's forecast, from 2003 to 2005 IM use in enterprises would grow at a compound annual growth rate of 150%, reaching 350 million enterprise users worldwide by the end of 2005.

Gartner Group likewise believes that by 2006 IM will clearly improve enterprise productivity and responsiveness, overtaking e-mail as the preferred form of text communication in enterprises. Gartner also estimates that enterprises using IM can reduce internal e-mail volume by 30%-40% and voice-mail volume by 10%-15%.

Hundreds of instant messaging clients of every kind can be found at the following address:
http://fileforum.betanews.com/browse/InstantMessaging/IMClients

It is worth noting that IM clients supporting multiple protocols are gaining popularity, such as Gaim, Trillian, Myim and IM2; they can simultaneously support ICQ, AIM, Yahoo IM, MSN, Jabber and other protocols, and can even act as message routers or bridges between them. Today's mainstream IM clients usually also carry voice, video, games, file sharing and other enhanced functions. In addition, firewall traversal (including NAT traversal), built-in encryption and a simple, easy-to-use interface have become the trend for the new generation of IM software.

Peer-to-peer (P2P)

Peer-to-peer (P2P) is a way of organizing a network. P2P applications escape the server-side bandwidth bottleneck of the traditional client/server model, make full use of the Internet's bandwidth resources, exploit the ubiquity of the Internet, and represent the future demand for personalized communication. More and more applications are being developed on P2P technology, such as file sharing, groupware and collaboration, and digital media distribution. IM is also one of the important applications of P2P technology. Although many IM systems are implemented on the traditional client/server (C/S) architecture, IM built on P2P technology poses unique challenges for security management.

The table below lists some of the main current IM and P2P software and platform networks with a brief description of their functions (v = supported, x = not supported).

  Name      P2P  Chat  File sharing  Voice  Video  Notes
  ICQ       x    v     v             v      x      The earliest online chat tool
  YIM       x    v     v             v      v      Yahoo's excellent chat tool
  MSN       x    v     v             v      v      Very large user base in China
  AIM       x    v     v             v      v      Backed by AOL; very influential in the US
  Skype     v    v     v             v      x-v    Video via an add-on; voice quality, firewall traversal and encryption are its distinguishing features
  QQ        x    v     v             v      v      The largest chat tool in China; supports many games; advantage in domestic SMS interworking
  BT        v    x     v             x      x      The most influential network file-sharing platform
  eDonkey   v    x     v             x      x
  eMule     v    x     v             x      x
  Kazaa     v    x     v             x      x      An upgrade of Napster
  Napster   v    x     v             x      x
  Gnutella  v    v     v             v      v      An excellent P2P platform on which many applications are built
  Jabber    v    v     v             v      v      An excellent P2P platform network on which many applications are built; Google Talk is based on the Jabber platform

2 The double-edged sword of P2P/IM

While IM and P2P technologies bring convenience and efficiency, they also bring multiple negative effects. First, from the ordinary user's perspective, communicating via instant messaging carries privacy and security risks similar to those of e-mail; for example, just as there is junk e-mail (SPAM), the Internet now also suffers from junk instant messages (SPIM). Second, heavy use of IM and P2P brings many security troubles to enterprise IT departments and further blurs the enterprise network perimeter. Without effective, targeted security management measures, it is no exaggeration to say that the enterprise intranet becomes equivalent to the Internet: in the era of popular IM/P2P, the heavily fortified enterprise perimeter gradually becomes nominal or even disappears, adding to the burden of enterprise security management. Third, for telecom operators, IM may mean that, while providing integrated information platform services, they must also pay attention to controlling the junk short messages and undesirable content (subversive or pornographic material) they carry; while P2P means low-value bandwidth consumption, intellectual property protection, and even the security of their own metropolitan area networks, among many other concerns.

Regarding the privacy and security threats faced by individual users of IM/P2P applications, there are already many discussions and guides online; for example, the following link is Microsoft's advice to IM users on safe use:
http://www.microsoft.com/china/athome/security/online/imsafety.mspx

Cisco, on its Chinese website, has also described the dilemma that telecom networks face with P2P, namely “traffic growth without revenue growth”:
http://www.cisco.com/global/CN/about/news_info/press_release/leadship/2005_06_1.shtml

Technorati Tags: IM, P2P, Skype, GTalk, SPAM, SPIM, Jabber

Categories: P2P

TOP 5 Security Risks for Instant Messaging

October 26th, 2005 2 comments

IMlogic has published a Top 5 Security Risks for Instant Messaging list for each of 2004 and 2005. The 2005 top 5 is:

  1. Blended Threats Include Instant Messaging
  2. Identity Theft, Spoofing, and Phishing over IM
  3. Advanced Spyware and SPAM over IM
  4. Information Security Leaks over IM
  5. Targeted Attacks on Enterprise Domains

while the 2004 top 5 was:

  1. Viruses and Worms over IM
  2. Identity Theft and Authentication Spoofing
  3. Tunneling Through Firewalls
  4. Information Security Leaks
  5. SPIM or Spam over Instant Messaging

What differs in 2005 compared with 2004 is the priority of SPAM/SPIM, which rose from 5th to 3rd. The openness and interoperability of IM services and clients will worsen the SPAM/SPIM threat in the near future.

Virus infections are most often sent via file transfers that bypass traditional gateway anti-virus security. IM and P2P attacks also push URLs to malicious code hosted on the Internet, which can be downloaded and executed on local machines.

Technorati Tags: IM, SPAM, SPIM, Security

Categories: P2P, Security

First post via Flock

October 26th, 2005 No comments

Have you downloaded and installed Flock? It’s quite easy and straightforward. Go to www.flock.com to find out more.

Once I began to add accounts, I found one “maybe by design” bug:

if you have two blog accounts with the same title, when you try to add the second one, the first one will be replaced rather than just added.


Categories: Security

9 Common Mistakes in Building A Security Operations Center (Chinese)

October 25th, 2005 1 comment

This post was published at cww.com.cn in 2004, where I summarized nine common mistakes in Security Operations Center (SOC) projects, which were becoming a hotter and hotter topic in China. In brief, they are:

  1. unbalanced resource investment between security elements and management
  2. unmatched organization structure
  3. misunderstanding the SOC as a pure product; it is a management project
  4. not considering the IT infrastructure accordingly
  5. wrong project goals
  6. not enough support from the software vendors and/or system integrators
  7. lack of thorough understanding of the SOC products under implementation
  8. lack of corresponding management processes, such as monitoring and incident management
  9. regarding the completion of the product implementation as the end of the SOC construction.


Skype published a security whitepaper

October 23rd, 2005 2 comments

As everybody knows, security is the main concern when choosing an IM/P2P application. As noted in my post Top Ten Concerns about Skype, many uncertainties make a number of enterprise IT managers and professionals hesitate to use Skype. Two days ago, Skype published a security whitepaper addressing these security concerns; for the full version, click here.

The designers of Skype did not hesitate to employ cryptography widely and well in order to establish a foundation of trust, authenticity, and confidentiality for their peer-to-peer services. The implementers of Skype implemented the cryptographic functions correctly and efficiently. As a result, the confidentiality of a Skype session is far greater than that offered by a wired or wireless telephone call or by email and email attachments.

Beyond errors in the cryptosystem, I have also looked for back doors, Trojans, overreaching “debugging” facilities, etc. I did not find any hints of malware in the portions of the Skype code I reviewed.

The whitepaper does not seem to be an official publication; rather, it is written from an independent investigator/researcher's perspective. It covers mainly which cryptographic algorithms Skype uses, how public/private keys are exchanged between communicating parties, and how cryptographic attacks are defended against, while it does not address other concerns of telecom operators and enterprise IT managers, for instance how to identify, control and audit Skype clients and their usage. I am afraid it will only help reassure individual professionals to trust Skype.

Other important papers on Skype security include:

  • “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol”, by Salman A. Baset and Henning Schulzrinne, click to download.
  • “VoIP and Skype Security”, by Simson L. Garfinkel, click to download.

Categories: P2P, Security, Telecom

“Import” disappears

October 23rd, 2005 No comments

Today it seems the “import” link has disappeared! I don’t know why the admin removed it.

After I imported my posts and comments from my blog at blogger.com, I found that the blog’s template had been changed to flat text with a link to “wordpress.org”. :-( Maybe there were some hints during the import process, but I overlooked them. Anyway, I hope that blog works too, so I re-configured the template. See: http://telecomsecurity.blogspot.com.

Categories: Security

SOX Compliance Oriented Architecture (COA)

October 21st, 2005 2 comments

“SOX compliance” and “Section 404” have recently become buzzwords, not only in the USA but also in China, for companies listed on Nasdaq. They set up special teams to build compliance controls for the enterprise, commonly named “Team 404”. For instance, China Mobile, the largest mobile carrier in China, has assigned a 404 team to take responsibility for and drive its compliance affairs. At the same time, the CMCC group designated four trial provincial sites: Fujian, Tianjin, Shanxi and Hubei.

China Telecom, the largest fixed-line operator in China, has been working on COTS (Commercial Off-The-Shelf) ERP and CRM systems for around two years to advance its compliance journey. Kunming (by IBM) and Suzhou (by BearingPoint and BEA) are two trial sites for BPR (Business Process Re-engineering) approaches.

China Netcom (CNC) has invested a lot of resources to get its ERP online as early as possible in order to achieve compliance.

SOX compliance, while generating a gold mine for the “big four”, will make the disclosed financial information of publicly listed companies more trustworthy and stabilize the financial and securities market.

During recent study of SOX compliance methodology and architecture, I found many good documents on the Internet. For now, here is a good paper by Redmonk.com; click to download it.

At the risk of reading like a cliché, compliance is a journey not a destination. Rarely is anything completed. Rather, compliance calls for constant attention, tweaking and vigilance combined with a balancing of cost, risk and transparency. Sarbanes Oxley, for example, is very much a living regulation. Upfront costs can be conceived of as similar to corporate year 2000 (Y2K) projects for some organizations, but unlike Y2K, Sarbanes requires ongoing improvements in process controls and reporting.

What is Compliance?
Simply put, compliance is the process of adhering to a set of established guidelines or rules established by external bodies such as government agencies or by internal corporate policies.

Categories: Security, Telecom

Hi2005 Google PageRank=3!

October 21st, 2005 2 comments

This is an exciting milestone for my blog. This morning the Google toolbar showed the PageRank had jumped from 0 to 3!

Categories: Security

Import your blogger posts and comments now. Great!

October 19th, 2005 1 comment

It’s great news to find that wordpress.com has provided an “import” function so that you can import your posts and comments from blogspot.com into wordpress.com. It will be a great move to lock in wordpress.com users. It does work! Really.

Categories: Security

BS7799, ISO17799, ISO27000 Series

October 19th, 2005 3 comments

Referring to the post by Calvin on the 17799.com forum, the following information about BS7799 and related standards is summarized “as is”:

  • ISO27001 is to be the replacement for BS7799-2 by the end of year 2005
  • ISO 17799:2005 will be renamed in year 2006 or 2007 as ISO/IEC 27002

A new standard in the BS7799 series:

  • “BS 7799-3:2005 – Information security management systems – Guidelines for information security risk management” is a new British Standard due for release in December 2005

The new ISO27000 series will have five parts:

  • ISO 27000 will formally define the specific technical vocabulary used in these standards;
  • ISO 27001 will be the ISO version of BS 7799-2, the certification standard (due for full release in November 2005, already available as a final draft);
  • ISO 27002 will be the renamed and updated version of ISO 17799:2005 (to be released in 2006 or 2007);
  • ISO 27003 will contain guidance for those implementing the ISO 27000-series standards;
  • ISO 27004 will be a new Information Security Management Metrics and Measurement standard to help measure the effectiveness of information security management system implementations (currently in draft);
  • ISO 27005 will be the ISO version of BS 7799-3


ISO 27001 Published Today

October 19th, 2005 No comments

From “comp.security.misc”, by Sue Thomas:

ISO 27001 has, after months in final draft, finally been published as an official ISO standard.

This particular standard defines an ‘Information Security Management System’ (commonly known as an ISMS), and complements the existing ISO 17799 standard. It basically specifies a best practice framework for the design and maintenance of information security processes within an organization.

The two standards are closely aligned and interlinked, but have very distinct roles:

ISO 17799
This lists many hundreds of individual and detailed security controls, which may be selected as part of the security management system.

ISO 27001
This specifies the overall requirements for the security management system itself. It is this document, as opposed to 17799, against which a certification route is offered. ISO 27001, which was built upon an earlier version of BS7799, has also been made more compatible with other management standards.

THE GLOBAL IMPACT
The publication of the new standard is likely to herald a rapid increase in interest in both information security generally and certification specifically. Organizations already certified via BS7799-2 will take a transitional route, whereas the international status of the new standard is certain to have an impact on the numbers following the certification or compliance route.

This has already started to manifest itself in terms of the record number of pre-orders for the new standard, and the recent membership increases of the Online ISO 17799 User Group (located at http://www.17799.com).

OFFICIAL SOURCES
The new standard can be obtained via: StandardsDirect (BSI): http://17799.standardsdirect.org

It will also be available via SNV shortly from the following page: Standards Online:
http://www.standards-online.net/InformationSecurityStandard.htm

Finally, the support kit for the standard has also been updated to reflect today's changes: http://www.17799-toolkit.com

FURTHER INFORMATION
Additional information on both these standards can be obtained from the ISO 17799 News website at:
http://17799-news.the-hamster.com