This morning Twitter seems to be having performance issues. Actually, this is not the first time I have gotten the screen below:
WordPress released version 2.8.5 today. In this release, WordPress was enhanced by:
- A fix for the Trackback Denial-of-Service attack that is currently being seen.
- Removal of areas within the code where php code in variables was evaluated.
- Switched the file upload functionality to be whitelisted for all users including Admins.
- Retiring of the two importers of Tag data from old plugins.
At the same time, WordPress 2.9 is in the development and beta testing process.
The CNCERT/CC 2009 Conference will be held on Oct. 21 in Changsha, Hunan Province, China. This is the 6th consecutive conference since 2004. Here is the English agenda.
This annual event has a growing influence not only on China's information security community, society and industry, but also on related parties in Asia Pacific and even worldwide. You can find a number of famous regional CERT organizations and reps from carriers, large enterprises and vendors, say, SingCert, ThaiCert, VNCert, China Telecom, China Mobile, China Unicom, ICBC, CCB, etc.
On Oct. 18, 2009 (Beijing time), China's CCTV news reported the release of the national vulnerability database of China.
Along with the surge in Internet applications, the number of vulnerabilities is also growing sharply. So the updating and automation of vulnerability information is becoming more and more critical for information systems as a whole. A vulnerability database is used to research, collect, release and automate the lifecycle of vulnerability management, and is regarded as the core of the related activities. Although there have been a series of open source vulnerability databases (e.g. OSVDB, etc.) and commercially maintained vulnerability databases (e.g. CERT CVE, Bugtraq, NSFocus VDB, etc.), it’s still regarded as essential to set up one authoritative database for the industry, particularly for government and research organizations.
The diagram is the tag cloud from this morning.
It helps reflect how closely Twitter has penetrated daily life in the USA.
After Google released its new Sidewiki service yesterday, it’s very interesting to imagine what Google’s next step would be. You know, it’s not a new service to let users share comments on specific web pages. Digg, Slashdot, Reddit, delicious, and other peers have been providing this for a few years. From the release note, the key point of Sidewiki is “direct”, i.e. users don’t need to submit to somewhere else to share their comments. Sidewiki allows users to share comments “directly”. Doesn’t “directly” mean a shortcut to other page sharing providers?
On Sept. 16, 2009, NSFocus, a leading information security company from China, got an EAL3 certificate from the authority organization – ITSEC. This is the only NIPS product that has gotten an EAL 3 certificate issued by ITSEC so far. The certificate, in conjunction with other certificates that NSFocus has gotten and is working on, is helping the company enhance its leadership in the NIPS/NIDS market in China, and even in the Asia-Pacific area. Click here to see the news report in Chinese.
It’s reported that the U.S. Department of Homeland Security was looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. It’s an inspiring finding from a unique viewpoint. A slight bite by injection into the grid might lead to an overwhelming avalanche. Isn’t it horrible?
However, what I am thinking is that Internet cloud services have many similarities to power grids, i.e. these threats and potential attacks are very possibly valid for Internet clouds. What do Internet clouds do, and how do they respond and react, when faced with potential attacks similar to those against the power grid? Yes, those dominant cloud service providers have very robust and strong infrastructure all over the world: how large the bandwidth, how many the servers, how many square feet the data centers, blah blah. Further, there are automatic load balancing and distribution systems among those distributed data centers. Once one set of servers and/or circuits fails, the services would be transferred to other servers and circuits automatically. Your services WILL be there, keeping the same, or NOT?
Nowadays, many companies spend a lot of resources to build and improve their brand image on the Internet. The Internet has transferred control from traditional media and PR companies to bloggers and users. Jeff Jarvis told an interesting story in his book “What Would Google Do?” which introduced how Dell succeeded in recovering its customer satisfaction and image through a new strategy tuned for the Internet – from overlooking Internet voices to listening to bloggers, fully leveraging the Internet and turning complainers into advocates.
Inspired by Jeff’s book, I started to do some simple research on this topic of Internet branding and complainers, i.e. “sucks” speakers, trying to find something interesting. Don’t you want to know how many customers were saying your company sucks?
Information is the new currency of business – a critical corporate asset whose value rises and falls at different times, and in different ways, depending on when, how, where and by whom it is placed into circulation as a medium of exchange.
Therein lie the risks. And the opportunities.
“Safeguarding the new currency of business”, Findings from the 2008 Global State of Information Security Study®, PWC
Today, I changed my theme to inove. Inove is created by mg12. It’s very stylish.
I made some changes for a better sidebar. I removed the “south” and “center” sidebars, because I cannot find any place to configure them, even though there seems to be “options”. mg12 might still be working on it.
Again, I like “views”. So I added “views” after “author”.
If you like it, please go to his homepage.
The newest greatest version of WordPress, version 2.8 “Baker,” is immediately available for download. V2.8 represents a nice fit and finish release for WordPress with improvements to themes, widgets, taxonomies, and overall speed. Over 790 bugs are fixed in this release.
I just cannot wait to upgrade my blog.
Many business units are being drawn into using cloud services by the attractive economics, bypassing IT departments to host their applications and data in the cloud directly. This creates several problems for the IT organizations with reduced internal and external control.
- From RSA Whitepaper “The Role of Security in Trustworthy Cloud Computing”.
Even though they were not directly for cloud services, there were cases where BUs signed contracts with third-party providers to host their applications directly, bypassing the IT department. Obviously, it’s not good practice from a governance perspective. It might be a heads-up for CIOs in the cloud era.
If security experts do not fully understand the business, organizational roles, and people in general, they will not make the security sale. Security experts must be educators, which means they must understand human beings outside of their world, because all parties influenced and affected by security (and that’s everybody) need to understand, in a balanced fashion and in terms they understand, what security means to them.
- “Mission-Critical Security Planner”, by Eric Greenberg
In a service economy, knowledge is a critical asset, and Google has more knowledge than anyone in history. In our opinion, anyone who is not taking advantage of Google’s offerings soon will be fighting an inherent disability.
- What Does Google Know? Gartner