Thursday, December 18, 2008

Critical Security Update for Internet Explorer

This alert provides you with an overview of the new security bulletin released (out of band) on Wednesday, December 17, 2008. Microsoft released security update MS08-078 to address a new vulnerability allowing remote code execution in Internet Explorer. MS08-078 has a maximum severity rating of Critical for all versions of Internet Explorer. This security update was released outside of the usual monthly security bulletin release cycle in an effort to protect customers.

We request that you take action immediately by first assessing and preparing your own systems and networks and applying the security update, then reaching out to your customers to assist them in securing their systems and networks by applying the update.

For details, please read the full bulletin for MS08-078 on the Microsoft TechNet Security TechCenter. On Thursday, December 18 at 11am Pacific Time, Microsoft is hosting a webcast to address questions about this bulletin.

Kenneth Hamer-Hodges

Wednesday, October 1, 2008

Authority Based Access Control: Open Social Networking and Computer Security in the 21st Century

Some of the issues covered include: Desktop Security and Identity Based Access Control, Understanding Ambient Authority, Networked Security and Authority Oriented Architectures, Forms of Authority Based Access Control, Using Authority Based Access Control in Federated Networks, Authority Backed Identities and Mandatory Access Control. Books by Ken Hamer-Hodges

Tuesday, August 26, 2008

What makes a security consultant an expert?

Good security experts are different characters from those in other engineering or Information Architecture roles. The qualities that matter for security set them apart from others rather than making them indistinguishable.

Security experts are always interested in security across a broad spectrum that goes well beyond IT; professional information security, at every level, demands “thinking outside the box”.

A security expert always takes the initiative to find the answers to security problems without guidance and sets the agenda based on threat priorities. 

Information security falls outside defined policy, because the job revolves around preventing, investigating, and responding to incidents where policy has failed.

A security expert’s work involves investigation, assessment, troubleshooting, abstract thinking, problem analysis, and understanding the security principles underlying particular events.

Security works best when it is part of the architectural design of a system, when it is the very basis for policy, and when it limits the errors of everyday work. 

The best security experts have an unconventional mindset and perspective rather than memorized standards of “industry best practices”. In fact, the most important lessons to be learned about such practices are their flaws.

Read Chad Perrin's thoughts on hiring security experts at

Sunday, August 10, 2008

Vista security defeated; IOS rootkit; DNS flaw 'worse than thought'

  1. Researchers say they have found a way to bypass Vista's memory protection features
  2. It may be possible to pwn a Cisco router with a rootkit
  3. The DNS cache mess could be far, far messier than first thought, with more than a dozen attacks possible.



Saturday, July 12, 2008

What's inside the Apple iPhone 3G?

Cracking Open the Apple iPhone 3G
Apple's iPhone 3G arrived on Friday with a bevy of new enterprise-ready features, including Exchange support, business-grade security, and third-party applications powered by an SDK. As with the first iPhone, we [TechRepublic] waited in line, bought our phone, signed an AT&T contract, and promptly began to crack open the case. Come along as we disassemble the Apple iPhone 3G. -- TechRepublic

Thursday, June 26, 2008

The Ten Most Important Security Trends of the Coming Year

Experts Predict the Future

  1. Mobile Devices,
  2. Government Action,
  3. Attack Targets,
  4. Attack Techniques,
  5. Defensive Strategies.

Top Ten Cyber Security Menaces for 2008

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.  Here's their consensus list.


Thursday, June 5, 2008

Renaming the Administrator Account?

Renaming the Administrator account is a measure that can add to a security defense. It certainly enhances security by preventing scripted attacks that assume the admin or root account names. Jesper Johansson and Roger Grimes discuss this in their TechNet posting “The Great Debate: Security by Obscurity”.

Read the full posting at

Kenneth Hamer-Hodges


ACL Security in Windows Vista

A posting on TechNet (by Jesper Johansson) discusses Vista Security changes. Jesper points out a few Vista changes that try to deal with ACL problems:

  • Accounts created during setup become administrators; programs execute with Ambient Authority (administrative privileges, with free access to the file system).
  • Default ACLs include entries for Everyone, Power Users, etc.; this includes the default ACL for C:\, which gave Read and Create access to Everyone.
  • Limitations exist on using ACLs to assign permissions to an object that changes owner: permissions were not transferred.
  • Owners have implicit rights to an object, no matter what permissions they need.

Read the full posting  

Kenneth Hamer-Hodges


Wednesday, April 16, 2008

Vista Security Is Annoying by Design

Neil McAllister, Saturday, April 12, 2008
If you're running Windows Vista, you're familiar with User Access Control (UAC). It's the security subsystem that pops up those irritating dialog boxes asking whether you really want to install software, or modify system files, or write to the Registry.
UAC may be Vista's most-hated feature, but as it turns out, it may also be its best-designed [KJHH comment - This is just stupid!]. As reported by Ars Technica, UAC was created with a very specific purpose in mind: to annoy you. [KJHH comment: Should read about POLP or POLA and how security improves usability...]
Ars picked up this tidbit at the recent RSA 2008 security conference in San Francisco, where David Cross, Microsoft's product unit manager for Windows security, discussed the company's security directions post-Vista. "The reason we put UAC into the platform was to annoy users. I'm serious," Cross is quoted as saying.
More cynical observers will note that this is a longstanding Microsoft business strategy. But in this case, believe it or not, it actually makes some sense.
Before Vista, most Windows users did their day-to-day computing with full Administrator access to their PCs. This gave them -- and by extension, the software they used -- total control over the system, including the ability to modify critical system files.
That degree of freedom grants a lot of power, but it leads to unpleasant side effects. Most importantly, when you're logged in as an Administrator, any Trojan horses, viruses, or other malware you unwittingly download will have free rein to attack your system with impunity.
Vista attempts to correct this legacy of bad behavior by only granting Administrator privileges to applications in situations where it's absolutely necessary. Unfortunately, developers have been spoiled by the old-style security model. Too often, they write their software in such a way that it actually requires Administrator privileges, even if there might be another (albeit more complicated) way to do the same work.
That's where UAC comes in. When a program tries to gain Administrator privilege, UAC pops up a dialog box, forcing the user to click a button. As Cross pointed out, that's annoying, and intentionally so. The idea is that users will shy away from programs that cause too many UAC dialogs to pop up, out of sheer irritation. If developers don't want to scare users away from their software, they're forced to rewrite it so that it plays nice under the new security rules.
Microsoft is onto a whole new paradigm here: modifying user behavior via reverse psychology. By making users click "OK" in a bunch of security dialogs, Microsoft is actually discouraging them from continuing.
Of course, so far this strategy has only met with limited success. Many users have preferred to disable UAC, rather than participate in Microsoft's social-engineering experiment. But isn't it nice to know that the good folks in Redmond are thinking outside the box?

'Pro-Tibet' Rootkit Attacks Windows PCs

Wednesday, April 16, 2008 8:25 AM PDT

A cartoon that ridicules the efforts of a Chinese gymnast at the Olympic games is the latest ploy used by cyber-criminals to infect Windows PCs, according to McAfee Avert labs.

While the movie files, which show the cartoon followed by images supporting a free Tibet, are playing, a keystroke logging tool, hidden by a rootkit, is installed onto the user's PC.

McAfee Researcher, Patrick Comiotto, said: "This is a pro-Tibet Rootkit. What looks like a simple Flash movie actually silently drops a number of files onto your PC and then hides those files."

This is the second Olympics-related virus in seven days. The 'Fribet' Trojan horse was placed on hacked websites and subsequently loaded onto the PCs through a Windows vulnerability.

Dave Marcus, security research and communications manager at McAfee Avert Labs, said: "Cybercrooks are increasingly taking advantage of the high general interest in the Olympic Games to trick people into giving up personal information or to load malware onto their PCs. If you want to watch the Olympic Games it is better not to do it by opening a file that appears to be a movie that comes in e-mail."

Wednesday, April 9, 2008

Virtualization's Dark Side

With the security industry's big annual confab, the RSA Conference, going on this week in San Francisco, it will be interesting to see how the virtualization issue turns out. RSA will no doubt offer more of the same as a solution: add more IT staff.

The decision to switch to virtualization is easy enough: As companies discover that the process can consolidate hardware and save space, energy and money, virtualization is sweeping through the world's desktops and data centers. Now comes the hard part: keeping a new and largely untested IT world safe from hackers and data breaches. -- Andy Greenberg, 04.09.08, 6:15 AM ET, San Francisco

Sunday, March 23, 2008

State Department IT requirements

Is anyone else struck by the serious need for a State Department capability box for users?

"State Department officials say the three people involved were contract workers who misused their ability to access confidential computer files containing passport details."

In my experience a capability system would always be able to prevent this type of poor security administration.

Sunday, February 3, 2008

Microsoft Speech Server SDK Installation

Hard to find but to install OCS 2007 speech server SDK you must go to:
Uninstall any early versions of MSS SDK 1.1 and any OCS 2007 beta or later OCS releases.
Download SpeechServer.exe (427.8 MB; takes 20 min on a high-speed link).
Expand it into, say, C:\OCS2007SpeechServer and open the Prerequisites folder. Install all four items if not already installed. Also install the Hotfix and the Business Intelligence Tools from their folders.
Then install Visual Studio 2005 extensions for .NET Framework 3.0 (Windows Workflow Foundation) from make sure that you do not load any beta software first since uninstall does not clean things up and speech server will not install with any OCS 2007 beta software!


Wednesday, January 30, 2008

Object Capabilities

This is my own notes page with observations on using the combination of techniques related to Capability Architectures for reliable software with Object Oriented designs for modular software.
