Archive for May, 2007

Survey on P2P Traffic Identification

May 31st, 2007 6 comments

We have talked about VOIP lawful monitoring and source location. In H.323, softswitch or IMS VOIP networks, it can possibly be done through signaling analysis. But as to P2P VOIP, especially encrypted P2P VOIP such as SKYPE, it is very difficult to identify the P2P voice traffic.

Traffic classification and traffic identification can be useful in both ISP and enterprise environment, as well as in various occasions:

  • Network planning and design
  • Security policy such as legal monitoring, blocking
  • QOS policy such as rate limitation, prioritization
  • Pricing

Now there are two kinds of P2P traffic identification algorithms: transport-layer based or payload based. Read more…
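To make the two families concrete, here is a toy classifier that applies both: payload signatures for protocols with plaintext handshakes, and two transport-layer heuristics that still work when the payload is encrypted, as with Skype. This is an added example, not code from the original post; the flow records are constructed, and the heuristics (a host pair using both TCP and UDP, and a destination port whose distinct peer count roughly equals its distinct source-port count) are simplified versions of well-known published ones, not a production classifier.

```python
"""Toy P2P traffic identifier showing the two approaches named in the post:
transport-layer heuristics (no payload inspection) and payload signatures.
Added example, not code from the original post; the flow records are
constructed and the two heuristics are simplified versions of well-known
published ones, not a production classifier."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # first bytes seen; empty when encrypted or not captured


# Payload-based identification: plaintext handshakes of well-known protocols.
# Encrypted P2P traffic (the Skype case in the post) never matches here.
PAYLOAD_SIGNATURES: Dict[bytes, str] = {
    b"\x13BitTorrent protocol": "bittorrent",
    b"GNUTELLA CONNECT": "gnutella",
}


def classify_by_payload(flow: Flow) -> Optional[str]:
    for sig, label in PAYLOAD_SIGNATURES.items():
        if flow.payload.startswith(sig):
            return label
    return None


def host_pairs_using_tcp_and_udp(flows: List[Flow]) -> Set[frozenset]:
    """Transport heuristic 1: a host pair that talks over both TCP and UDP.
    Few client/server applications do this (DNS and some streaming do, and a
    real classifier would exempt those ports), but P2P clients commonly do."""
    protos: Dict[frozenset, Set[str]] = defaultdict(set)
    for f in flows:
        protos[frozenset((f.src, f.dst))].add(f.proto)
    return {pair for pair, seen in protos.items() if {"tcp", "udp"} <= seen}


def p2p_looking_ports(flows: List[Flow], min_peers: int = 3,
                      max_ratio: float = 1.2) -> Set[Tuple[str, int]]:
    """Transport heuristic 2: for each (dst host, dst port), compare the number
    of distinct peer IPs with the number of distinct peer source ports. A P2P
    listening port sees about one connection per peer (ports ~= IPs); a web
    server sees several parallel connections per client (ports >> IPs)."""
    ips: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    ports: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for f in flows:
        ips[(f.dst, f.dport)].add(f.src)
        ports[(f.dst, f.dport)].add(f.sport)
    return {key for key, peers in ips.items()
            if len(peers) >= min_peers
            and len(ports[key]) / len(peers) <= max_ratio}


def classify(flows: List[Flow]) -> List[str]:
    """Label each flow: cheap payload match first, then the two transport-layer
    heuristics, which work even when the payload is encrypted."""
    tcp_udp = host_pairs_using_tcp_and_udp(flows)
    p2p_ports = p2p_looking_ports(flows)
    labels = []
    for f in flows:
        label = classify_by_payload(f)
        if label is None and frozenset((f.src, f.dst)) in tcp_udp:
            label = "p2p (tcp+udp heuristic)"
        if label is None and (f.dst, f.dport) in p2p_ports:
            label = "p2p (ip/port ratio heuristic)"
        labels.append(label or "unknown")
    return labels


# Constructed flow records (documentation address ranges only).
SAMPLE_FLOWS: List[Flow] = [
    # Encrypted P2P voice-like session: no readable payload, but the same
    # peer pair is used over both TCP and UDP.
    Flow("10.0.0.5", 51000, "203.0.113.7", 40021, "tcp"),
    Flow("10.0.0.5", 51001, "203.0.113.7", 40022, "udp"),
    # BitTorrent handshake in the clear.
    Flow("10.0.0.6", 51002, "198.51.100.20", 6881, "tcp",
         b"\x13BitTorrent protocol" + b"\x00" * 8),
    # Web server: 3 clients, each opening 3 parallel connections.
    *[Flow(f"192.0.2.{c}", 50000 + c * 10 + i, "198.51.100.10", 80, "tcp",
           b"GET / HTTP/1.1\r\n") for c in range(1, 4) for i in range(3)],
    # P2P listening port: 4 peers, one encrypted connection each.
    *[Flow(f"203.0.113.{p}", 60000 + p, "10.0.0.9", 51413, "tcp")
      for p in range(1, 5)],
]

if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify(SAMPLE_FLOWS)):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}: {label}")
```

Running it labels the two encrypted flows and the four connections to port 51413 as P2P without looking at a single payload byte, while the BitTorrent flow is caught by its signature and the nine web connections stay "unknown"; in practice the transport heuristics need port exemptions and tuning, which is exactly why both families are used together.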

Categories: -English-, P2P, Telecom

Lessons from Symantec's "virus-gate" incident

May 31st, 2007 No comments

The morning of 5/18 left a deep impression on us. Because of an error in Symantec's virus definition library 2007.5.17 rev 18, SAV misidentified two critical system files of the Simplified Chinese version of Windows XP, netapi32.dll and lsasrv.dll under c:\windows\system32, as the backdoor.haxdoor virus and recommended that users delete them. Users of course obeyed the order, so the system quarantined the two files on restart, which made a normal restart impossible and produced a blue screen.

This seemingly simple false positive has posed a hard problem for security managers, and has even put them in an awkward position. Normally we work hard to guide users to raise their security awareness, to make sure anti-virus software is installed and its definition library updated promptly, and to follow security instructions. But this incident left the most policy-compliant, most security-aware employees at a loss, and the more efficiently an enterprise's desktop systems carried out instructions, the greater the loss they suffered.

To placate domestic users, Symantec is said to be building an SRC in China to improve its response speed and detection rate for domestic virus samples. It is also said that, because of this incident, Symantec has revised its internal process, changing the previously fully automated virus definition release process back to the earlier one that included a manual confirmation step.

Zero-day attacks push us to keep accelerating patch release and installation and to implement real-time virus definition updates. "As a leading European enterprise security software provider, we offer the world's strongest anti-virus engine, a signature database of three hundred thousand entries, and automatic database updates every hour." This is fairly typical marketing material; the huge signature database and the fast automatic updates are clearly its two most eye-catching advertising phrases.

Does such speed and automation bring security, or does it bring more risk? We would rather believe that this was a one-off accident at Symantec, because right now we have no choice: we can only entrust the security of our enterprise networks to the credibility of these few vendors and to the maturity of their internal processes, hoping that their internal controls remain lasting and effective and that no vengeful employee maliciously plants a backdoor or logic bomb… For an enterprise this is done out of necessity, but it is acceptable. At the level of national security, however, diversity of species appears to be a necessary environment for the evolution of security.

China VoIP Conf & Expo at Beijing

May 25th, 2007 2 comments

As an annual meeting, the China VOIP Conference & EXPO, China FMC/IMS Summit and China Enterprise IP Communication Solutions Conference were held on 23~24 May in Beijing. Check here for the official website. I'd like to share some highlights of this meeting.

1. Three kinds of VOIP tech in China
Following the steps of VOIP standard development, there are three kinds of VOIP networks in China.

# H.323
H.323 is the ITU-T standard framework for multimedia services over networks without QoS guarantees. The main service providers in China all have their own H.323 networks. China Unicom has the biggest H.323 network in the world, providing both audio and video services. It covers almost the whole of China, has more than 1800K gateways and carries one billion minutes of calls every month. This may be owing to its original multi-layer GK network structure, which greatly improves the scalability of H.323.

# Softswitch
Softswitch is a next generation network infrastructure based on SIP, H.248 and other protocols proposed by the IEEE and ITU-T. Now all 17951 calls of China Mobile and more than one third of the long distance calls of China Telecom are carried by softswitch. China Netcom has been using softswitch to replace its Class 4 switches since 2005. CRC (China Railway Communication Co., Ltd.) and China Satcom (China Satellite Communication Corporation) also have their own softswitch networks.

# IMS
First proposed in 3GPP Release 5, IMS (IP Multimedia Subsystem) has the advantage in providing mobile and multimedia services. It is also the most promising framework for fixed and mobile convergence. ETSI TISPAN and ITU-T began work on the IMS infrastructure at the end of 2005. Thus the main service providers in China are paying attention to IMS and are deploying IMS trial networks now. Read more…

Categories: -English-, P2P, Telecom

APWG is making its message exchange format standard go-alive

May 22nd, 2007 No comments

Generally speaking, it's good news. No doubt it will help data sharing and interoperability among different vendors, so that effectiveness and response time might be improved. The key point is the promotion. A similar case is that of IDMEF (Intrusion Detection Message Exchange Format) and CVSS (Common Vulnerability Scoring System). It took a long time for IDMEF to be adopted by the major vendors of IDS/IPS and scanners.

If the data is true, every month 13,500 URLs will be added to the library. If one URL has an average length close to 100 bytes, that means roughly a 1.3MB increase to this library per month. So it's predicted this library might be flooded in the near future if no better algorithm is in place. Below is the full story. Read more…

Categories: -English-, Security, Telecom

Symantec Anti-Virus software damages system files

May 18th, 2007 28 comments


This morning, Symantec’s worldwide customers found their computers failed to reboot, in the mean time the helpdesk was plunged into a hot pot. The rough root course is that Norton released wrong virus code definition by identifing a few system files(.exe and .dll) as virus and removing them. This will cause system reboot failure.

It's a very severe incident from a global security perspective. One wrong operation might cause corruption of tens of millions of computers worldwide. In addition, security managers are put into a very embarrassing situation: whether or not to push users to install anti-virus software and keep the virus definitions updated. It seems that both sides will hurt you and the authority of the security policy.

Till now, only the Simplified Chinese version of Windows XP SP2 is reported to be impacted. Two system files under C:\windows\system32, netapi32.dll and lsasrv.exe, are identified wrongly as a virus.

Users are prompted that these two files are infected by virus and need to be quarantined. If users follow the prompt, after reboot, the system corrupts…

At this moment, Symantec hasn't officially released any news, notification, analysis, solution or workaround on it.

Tags: Security, Symantec, Anti-Virus

WordPress release version 2.2

May 16th, 2007 1 comment


Wordpress.org just released its newest version 2.2 with a bunch of important bug fixes and interesting features, including:

  • WordPress Widgets allow you to easily rearrange and customize areas of your weblog (usually sidebars) with drag-and-drop simplicity. This functionality was originally available as a plugin; Widgets are now included by default in the core code, significantly cleaned up, and enabled for the default themes.
  • Full Atom support, including updating our Atom feeds to use the 1.0 standard spec and including an implementation of the Atom Publishing API to complement our XML-RPC interface.
  • A new Blogger importer that is able to handle the latest version of Google’s Blogger product and seamlessly import posts and comments without any user interaction beyond entering your login.
  • Infinite comment stream, meaning that on your Edit Comments page when you delete or spam a comment using the AJAX links under each comment it will bring in another comment in the background so you always have 20 items on the page. (I know it sounds geeky, but try it!)
  • We now protect you from activating a plugin or editing a file that will break your blog.
  • Core plugin and filter speed optimizations should make everything feel a bit more snappy and lighter on your server.
  • We’ve added a hook for WYSIWYG support in a future version of Safari.

The most interesting to me is the Widgets bundled into the core. So it doesn't bother you any more to manually install this essential plugin. Check the official release notes …

Tags: Wordpress, Blog, Web2.0

Categories: -English-

Skype phishing from skype@security.co.uk

May 15th, 2007 9 comments


This morning, when I checked my gmajl account, I found the below email from skype@security.co.uk. It notified me to update my Skype account by following the embeded link, otherwise my account might be suspended temporarily:

Dear valued skype® member:

It has come to our attention that your skype® account informations needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before May 15, 2007.

you are requested to update your account informations at the following link.

https://secure.skype.com/login_update_done=1115487

*Important*
We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.

Note the embedded link. What it shows is a link to skype.com, but actually it's a link to:

http://interflightstudio.com/store/images/screenname/index-ie_files/okhc3QwlKBNmvFLueSMJ-jrk7rKBryuYQVUSNUiV33wyG-sD5ar6ikWPdvonrkiYMq1Cdfh2TO1cNTi&shva/login.html

That's a typical phishing trick. Please take note.
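The tell in this message is mechanical: the visible link text names one site while the href leads to another, and that can be checked automatically before anyone clicks. Below is an added example, not code from the original post, that scans an HTML mail body for such mismatches; the mail snippet is constructed around the phishing link shown above, with the long path shortened, and the "last two labels" hostname comparison is a deliberate simplification (a real check would use the public suffix list).

```python
"""Find links whose visible text names one site while the href points
somewhere else, the mismatch described in the post. Added example, not code
from the original post; the mail body is constructed around the post's
phishing link with the long path shortened."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# Visible text that reads as a URL or a bare domain name.
URL_LIKE_RE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


def host_of(url: str) -> Optional[str]:
    """Hostname of an absolute URL or bare domain, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def registrable(host: str) -> str:
    """Last two labels of the hostname. Fine for .com/.org style names; a
    real check would use the public suffix list (co.uk and friends)."""
    return ".".join(host.split(".")[-2:])


def link_is_deceptive(text: str, href: str) -> bool:
    """True when the anchor text looks like a URL for a different site than
    the one the href actually leads to."""
    text = text.strip()
    if not URL_LIKE_RE.match(text):
        return False  # plain words like "click here" cannot mislead this way
    shown, actual = host_of(text), host_of(href)
    if not shown or not actual:
        return False
    return registrable(shown) != registrable(actual)


def find_deceptive_links(html: str) -> List[Dict[str, str]]:
    """Return every anchor in the HTML whose text and href disagree."""
    found = []
    for m in ANCHOR_RE.finditer(html):
        href, inner = m.group(1), m.group(2)
        text = TAG_RE.sub("", inner).strip()
        if link_is_deceptive(text, href):
            found.append({"text": text, "href": href,
                          "actual_host": host_of(href) or ""})
    return found


# Constructed mail body modelled on the post's phishing message.
SAMPLE_MAIL = """
<p>you are requested to update your account informations at the following link.</p>
<a href="http://interflightstudio.com/store/images/screenname/index-ie_files/login.html">
https://secure.skype.com/login_update_done=1115487</a>
<p>Regards, <a href="https://www.skype.com/">www.skype.com</a></p>
"""

if __name__ == "__main__":
    for hit in find_deceptive_links(SAMPLE_MAIL):
        print(f"shows {hit['text']} but actually goes to {hit['actual_host']}")
```

On the sample body it reports the one deceptive anchor (shown as secure.skype.com, going to interflightstudio.com) and leaves the genuine www.skype.com link alone. Mail gateways and browser extensions apply the same idea; the regex-based anchor extraction here is enough for a demonstration but a real scanner should use an HTML parser.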

Tags: Skype, Phishing, Security

Categories: -English-, Security

Choose the right menu from MSSP

May 14th, 2007 1 comment

This article is a good summary of recent offerings in the warming-up managed security services (MSS) market. Within the larger picture of IT outsourcing, security has become one of the topics to be managed by an MSS provider (MSSP). What are those MSSPs offering? How can I choose from their various service portfolios? Joel gave us a good summary in his Managed security services: What's right for you? Read more…

Categories: -English-, Security

China software revenue reached 62 billion in 2006

May 14th, 2007 1 comment

According to a Xinhuanet report, China's software industry revenue reached 480 billion RMB in 2006, approximately 62 billion USD, of which software license revenue reached 273.6 billion RMB. In addition, according to another report on software piracy, the piracy rate across the whole industry dropped to 24% in 2006 from 26% in 2005. That's an obvious improvement and a signal that China has been doing a great job in IP and copyright protection.

Categories: -English-, Telecom

What does “sbin” mean?

May 14th, 2007 No comments

“sbin” is a special directory name in the Unix and Linux world. Typically it's located at “/sbin” and “/usr/sbin”. It means binary files for super users, e.g. fsck, mount, etc., as opposed to binary files for average users at “/bin” and “/usr/bin”. So “sbin” means the power and the tools to control the system. That's why executing the programs in it is the major goal of most hackers.

I wish everybody can find their own “sbin” toolkit in such a fast growing time, avoiding distraction, rocking and getting lost in the web2.0 ocean.

Categories: -English-, Security

SEOmoz published its Web2.0 Award 2007

May 11th, 2007 1 comment

Recently, SEOmoz.org published the winners of its Web2.0 Award 2007. It's a long list, where you can find a lot of websites you are very familiar with, and maybe some unfamiliar faces. According to the site, over 200 Web 2.0 sites in 41 categories were rated, ranked and awarded. Meanwhile, they assembled a team of 25 of the most knowledgeable, well-respected experts in the field to vote on the winners. The Web 2.0 Awards were first created by SEOmoz in 2006.

Check out the list…

Categories: -English-

Patch Management System Dynamics

May 10th, 2007 3 comments

In the Internet age, new software vulnerabilities are found every day, and the corresponding patches and temporary workarounds come with them. The software vulnerabilities may cause system breakdowns or be exploited at any time. Mass installation of patches costs a lot of system resources, may require the system to restart, and decreases performance. On the other hand, rushing to patch might not be secure either, or might bring potential dangers to the stability and functionality of a system. How can these problems be solved? Patch and vulnerability management is not only the business of the security administrators but also a focus of the entire IT operations sector. We would like to share our knowledge and best practices on managing patches and vulnerabilities with the industry.

Figures and problems

Let's read some figures first. As reported by Meta Group, a total of 4192 vulnerabilities were found in 2002. At the same time, according to real statistics, system administrators spent a total of 1920 work hours applying 4 patches to 120 servers. This means that it takes about 4 hours to patch a server, including backup, installation and debugging. Suppose the system administrators are skilled and can completely learn a vulnerability and its patch solution within 20 minutes; that still needs 172 person-days to work through the 4192 vulnerabilities. If only 10% of them (413 vulnerabilities) apply to our own network environment and each corresponding patch goes onto 10 servers (assuming about 10 servers share the same configuration), it needs 2065 person-days. From these figures we learn that, adding up the two person-day figures, almost 10 full-time administrators are needed, and that doesn't include testing and validating the issued patches or the secondary resource consumption caused by failed patching. Thus we can see that patch and vulnerability management has become a huge resource sink that wastes a lot of system management resources. Read more…

Optical Nets Easier to Hack than Copper

May 8th, 2007 No comments


According to the report of PCWorld, optical fiber is easier to hack or tap than copper wires, opposite to ordinary sense. From personal perspective, I believe it’s safe to use FIBER communication as untappable. But for nation level and even critical commercial level, it’s not safe to rely on only fiber itself, but also the application encryption. Read more…

Categories: -English-, Security, Telecom

VoIP Threats

May 1st, 2007 No comments

VoIP security is an interesting topic in the circle. VoIPsa is a very good community where you can find many valuable discussions and much knowledge sharing. It's highly recommended to register for their mailing list if you are interested in keeping in touch with the latest research on VoIP security.

I recommend a very good article to you. It's from DataStronghold, by Mr. Michael Talbert, where you can find a very comprehensive summary of the security threats to VoIP systems. Below are some of the points of the article.

  • SPIT: The new Spam for VoIP
  • Eavesdropping
  • Phishing the Waters of Voice over IP
  • SIP Registration Hijacking
  • Spoofing

Read more…

Categories: -English-, Security, Telecom