Adobe issues emergency Flash update for attacks on Windows, Mac users

Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple's Macintosh platform.

While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday's unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible.

The Mac exploits target users of the Safari browser included in Apple's OS X, as well as those using Mozilla's Firefox. That vulnerability, cataloged as CVE-2013-0634, is also being used in exploits that trick Windows users into opening booby-trapped Microsoft Word documents that contain malicious Flash content, Adobe said in an advisory. Adobe credited members of the Shadowserver Foundation, Lockheed Martin's Computer Incident Response Team, and MITRE with discovery of the critical bug.

Read 4 remaining paragraphs | Comments

TOGAF Demystification Series: TOGAF Sucks, Incomplete and Overly Complex

True or false

Do I have your attention now?

Given this is the first post of the series about the myths, misconceptions, fiction and even some facts  behind TOGAF I want to be open and honest about my affiliation with the Open Group. I do have personal affiliations with the Open Group. Like many others, I am certified as an Open CA Distinguished Chief Architect, I have participated in the Architecture Forum building out TOGAF v-Next and I speak at their conferences. However, I am not financially or otherwise compensated by The Open Group. My interest is my own and to evolve the EA discipline. 

Now let's get into it.

So just to set the record straight, I don't believe that TOGAF sucks. Quite the opposite. Does it need work, yes. Are there areas in which I would do something different, yes. But like anything else I think it's a work in progress but thats no different than anything in the EA space. 

This generalization of TOGAF not living up to the right level on the quality bar can be found all over the place (e.g., Linkedin, Twitter, blogs and even in competing training organizations) . To be perfectly honest it seems like people either love or hate TOGAF. But why is this the case? Surely with such a pervasive complaint there is merit behind it, right? Well with this one, yes and no. But we need to decompose this into three areas to first.

  1. TOGAF You Suck
  2. TOGAF is incomplete
  3. TOGAF is Overly Complex 


TOGAF You Suck

Wow, what a generalization. Many things might come to your head when referring to something "sucking' (and yes that's the technical term). Here are the common complaints:

  • Missing core elements
  • Hard to understand
  • It's so long
  • Too Academic

I'm not going to address these items specifically as I will talk about them in later posts or refer back to them directly and indirectly. I would much rather take a step back and look at the macro point here. I'll do so by telling a story about my own experiences and a negative perception that I had on TOGAF. 

So this story dates back to the mid 2000's when I was still very skeptical of TOGAF and the industry was even more disjointed than now. I had used elements of TOGAF and had done a deep analysis of the framework. I looks at what a good framework and methodology should have along with the practicalities of applying to my company at that time. 

I went to the Open Group Architecture Practitioners Conference and sat through the TOGAF 101 pre-conference seminar (for the second time) and jotted down notes with all the gaps I had identified. I was thinking, "I can't believe they didn't think about that", "what about [xxxx]?", "that would never work…"

I wasn't the only one with similar thoughts. At that time TOGAF was on version 8 and was still very IT focused. So that added fuel to the fire as well. 

Being the not so shy guy that I am I confronted a very senior member of the Open Group staff and had a very passionate conversation with them about my thoughts. This turned into a multiple hour conversation over drinks (thankfully for him) in which I proceeded to tell him my thoughts: "Let me tell you about this…", "don't you know you have a gap here?", "I could never apply this…"

As the conversation progressed, most of my feedback was received quite well, even a great deal of agreement on what my view was. But at the end of what might of seemed like the Spanish Inquisition  for him, he simply replied back to me:

Those are all great ideas, why aren't you participating to apply those changes?

He then proceeded with the statement that the Open Group itself doesn't write a single line in TOGAF, it's member companies do.

That was the ah-ha moment for me… A whole new perspective arose. It' an important distention to keep in mind. It also reenforces an open source feel for EA once you understand that. I have personally been able to influence the standard, just in one meeting. If what you have is really compelling for the practice then donate it to the greater good. I see a lot of folks trying to monetize this and that causes further disruption in the practice. 

The Open Group provides a forum / platform / stage (or whatever you want to call it) for collecting industry consensus on what an Enterprise Architecture Framework should be. This isn't to say that the current participants in the Architecture Forum  "suck", but maybe there isn't enough people participating or enough challenging of the status quo.

So I'll leave this final thought on the topic…

If TOGAF sucks, aren't we to blame? 


TOGAF is Incomplete

This is one I hear quite a bit as well. For me, this is a push (both true and false). 

Let's start with the true piece. I think it's fair to say that there are components that are missing from TOGAF. I will also say that there are elements of the method that could be enhanced. A great example of this is the Business Architecture phase. 

However, this is misleading. This gets us to the false aspect of this. TOGAF was built to be a general purpose platform that is extended. The intent of TOGAF is not to create all those modules (necessarily). At the beginning of most phases the first step is to establish what methods, models and tools you will use in that phase. There is a general "happy path" provided in the method along with some diagrams, matrices and catalogs. However, it is expected for the EA to know what to plug into the method, even if it is not TOGAF (which is recommended by the method). 

For many aspects TOGAF links out to other frameworks. This is a very good thing. If something works, don't break, change, reinvent it. This happens so much in our industry. There is a level of humbleness about the approach that wants to create unity in the EA space. 

With all of this said, I think TOGAF provides a solid foundation. I would like to see more in the "Core" framework to fill those holes that are there, and there are many. That's ok, in my honest opinion, TOGAF is the best universal general purpose EA framework out there that has the strength of the top 5 high-tech companies with a ton of passionate people behind it. It is a defacto standard for our practice with a ground swell of certified practitioners. 


TOGAF is Overly Complex

My first response to this is… What part of enterprise architecture isn't complex. Of course EA is complex. If it was easy we would't need it. There is a great deal of rigor and skill need to architect for enterprises. So let's separate out two issues:

  1. Is the practice of enterprise architecture complex?
  2. Should the customers / consumers of an enterprise architecture framework be complex?

In the case is the EA practice complex, as I stated above, of course it is. Given that's the case expect to see complexities in the framework. I think that is OK.

 However, to the second point with the consumption of framework I tend to agree that it is difficult (for some people) to consume TOGAF without formal training. I do think there are things that can be done to make TOGAF more consumable. But I don't think that it has unnecessary components to it. I think TOGAF is more at the optimization stage rather than re-engineer stage.

For example, I have a dozen or so of my staff reading TOGAF as a study group. I find myself clarifying aspects of the standard quite a bit. Some of this is purely structural of the content, conflicts in terminology (for example the fully loaded term"capability")  and the nuances in the intent of TOGAF. 

The second area in the complexity area is less about complexity and more about the sheer volume of pages in the standard. This comes to the degree where people refer to the book or online version as  the TOGAF Bible or the 900 page gorilla. This is where I get conflicted in my response because this statement is usually from the same folks that say that there isn't enough in TOGAF. 

Is this a deal breaker for the usage of TOGAF? No.

The good news is that the members the Architecture Forum (where the TOGAF standard is created) already know this. We see evidence of simplification of TOGAF with 9.1. TOGAF 9.1 was a point release to address inconsistencies, duplications and other areas that these very issues. In TOGAF v-Next I would expect you to see a major update that would keep this in mind too. 


So what is the conclusion here? Does TOGAF "Suck"? Simply put, I don't think so. 

I walked us through some of the common things I hear when people say TOGAF is no good or "Sucks". Just like with anything I there is certainly work that needs to be done with the standard. However, it is clear that TOGAF has all the essential elements that you would want from an EA framework:

  • Open (Source) Standard Enterprise Architecture Framework that is driven by practitioners
  • TOGAF is MEMBER driven based in industry consensus
  • Industry standards setters on proven practices NOT to foster trends or fads
  • TOGAF is a general purpose framework that is built to apply to all companies of all sizes, in different industries,  supporting any organizational model and maturity of EA.
  • It has a method and a framework
  • Continually evolves and adds to the standard. A great example of this is architecture modeling with ArchiMate. 
  • Serves to partner rather than duplicate other standards. We see this with the better together materials on Zachman, TMFourm and SABSA to name a few.

It's not perfect but I will go back to what are you doing to make it better. This is your call to action!

For the creators of "-AF" frameworks

  • Stop creating duplicate methods that are essentially or close to the same as TOGAF
  • Take the methods that would complement TOGAF and give back to the community. If you're a consulting firm, take a page out of the IBM playbook. They donate a great deal methods and models that are common for everyone and the thing that differnates them (special sauce). That shows the industry that they are the leader and setting the standard. 
  • Before commenting on how bad TOGAF is, get trained in it (ideally certified). To protect the guilty I'll omit names. I have sat in on training courses on other frameworks and I hear comments made about TOGAF that are just plain wrong. I have a problem with that as a practitioner. This send false information to EA's which ultimately hurt our profession. STOP IT!

For the practitioners 

  • Ask yourself what are you doing to advance the profession and what you can do if you're not.
  • Join an Open Group forum or workgroup
  • Take a step back and look at the broader industry. Take a look at another area such as Service Management with ITIL or Program Management with PMI and contrast it with the TOGAF approach. 
  • Get your colleges involved.

Phishing: The Easy Way to Compromise Twitter Accounts

Last week, Twitter announced that the details of around 250,000 of its users may have been compromised before it discovered and stopped an attack on their network. There is not much you can do when attackers go straight to the service provider to try to steal your data; however, it is also common for attackers to approach the end-user in order to obtain account details. Phishing is a popular tactic used to steal account details this way. When thinking of phishing attacks, people usually think of bank account or credit card details as the type of information that is stolen but social network account details are also a popular commodity for attackers.

Attackers see phishing on social network sites as an easy way to trick users into giving their credentials away. So let me take this opportunity to go over one particular attack that has been taking place on Twitter over the last few months and show you how this type of scam works.

It starts out with spam in the form of a direct message (DM) or a tweet that asks the user to click on a link in order to view a picture of them.

Figure 1. Spam message

If the link is clicked, the browser is directed to a page that informs the user that they need to sign-in to their account to proceed. The page looks like it belongs to Twitter but it is actually a phishing page hosted on a server prepared by the attacker.

No matter what is entered into the login fields, correct or incorrect credentials, the user will appear back in their session.

Figure 2. Fake Twitter login page used in phishing attack

However, another fake page informs the user that the page they were attempting to visit does not exist.  The page then redirects back to the legitimate Twitter page and the user is unaware of anything malicious having taken place.

Figure 3. Fake page purporting that the  page the user was looking for does not exist

Looking at the network data captured during one of these phishing attacks, you will see that the stolen account details were posted to the attacker’s server hosting the fake Twitter login page.

Figure 4. Network data showing location stolen data is sent to

Later, the account will be hijacked and used to distribute spam that leads to sites such as the one shown in Figure 6 advertising diet supplements.

Figure 5. Spam message

Figure 6. Advertisement that some spam messages link to

Many of you may be watching out for phishing attacks when it comes to entering your bank account or credit card details online, but you may not be as cautious when entering account details related to social networking sites. The attackers are aware of this and use it to their advantage.  The end result in the example discussed in this blog is not incredibly severe, but much more damage can potentially be inflicted depending on the machinations of the attackers.

As mentioned earlier, there is not much you can do when it comes to hackers attacking the service provider to steal your data, but you can definitely protect yourself from scams such as phishing.

Always be suspicious of links sent from unknown users. Also, accounts are hacked all the time so even if a link is sent from someone you know it does not mean it is safe. It is also recommended that users install security software that protects against phishing attacks such as Norton Internet Security.

You can also make sure your online accounts are more secure by using passwords or passphrases that are difficult to guess and are not in the dictionary. Ideally a combination of upper and lower case letters, numbers, and special characters should be used. It is also recommended that different passwords be used for each account; that way, even if one account is compromised, the others will stay safe.

Microsoft Releases February 2013 Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer, Server Software, Office, and .NET Framework as part of the Microsoft Security Bulletin summary for February 2013. These vulnerabilities could allow remote code execution, allow elevation of privilege, or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which update should be applied.

This product is provided subject to this Notification and this Privacy & Use policy.