Author Archive

You were a subscriber but aren’t any more?

November 24th, 2010

If you had been a subscriber on this site but are not any more, please feel free to re-register.  However, this time, please at least fill out part of the user info beyond just email.  I regularly delete all registered users that I think are spam registrations (grouchy that way).  If the registration seems questionable, it goes.

Sorry.  I just have little patience for annoyances…

Categories: General, IT Security

If you have Adobe Acrobat or Reader

December 29th, 2009

Update it to the newest version, then turn off JavaScript in the reader (most malicious PDFs depend on it):

1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
5. Click OK.

Categories: General

If You Google (and we all do), Remember This…

December 4th, 2009

“Hey, did you hear there’s a new voice mail from Tiger Woods?”

“What was that recipe for coconut cake?”

“My video isn’t playing properly, do I need new codecs?”

Simple, innocent questions like these can lead to not so innocent results. Why? Search engine optimization, or SEO for those with lazy fingers, is the process of improving the volume or quality of traffic to a web site from “natural” or unpaid (“organic” or “algorithmic”) search results, the kind Google orders with ranking algorithms such as PageRank. The same techniques work just as well for criminals.

For a detailed breakdown of how PageRank works:
http://en.wikipedia.org/wiki/PageRank

But I digress… how does all this turn into a user getting infected?

In recent years, black-hat SEO, also called spamdexing, has used tactics that violate the search engines’ terms of service to push a target page into the results for queries it has no business ranking for. Some of the tactics include keyword stuffing, hidden text and links, doorway and cloaked pages, link farming and blog comment spam.

Criminals use tools such as Google Trends to identify the most popular current search terms. They then create new blogs on free hosting sites, such as Windows Live Spaces, Blogspot and AOL Journals, stuffed with those same terms. When a user searches for one of the popular terms, several links to these hosted blogs show up in the results.

If the user clicks one of the links, thinking it is relevant to their search, they land on a blog page with what looks like an embedded video player. Clicking the player prompts them to install a ‘codec’, which in fact installs malware, including fake anti-virus software that promises to clean non-existent viruses from the computer in return for their credit card details.

Our advice is not to blindly trust Google results, and to be wary of links like these to hosted blog sites. One simple aid in spotting bad sites is the Firefox add-on Web of Trust (WOT). Its primary source of knowledge is ratings from other users, supplemented by nearly a hundred carefully chosen trusted sources, such as listings of phishing sites, which gives it a fast, automated way to flag new, rapidly spreading threats. Keep in mind that any reputation tool lags behind freshly created sites: a spam blog set up yesterday may carry no rating at all, so a green rating is not a guarantee and a missing one is a reason for caution.

You can find it here:
http://www.mywot.com/en/download/ff

And as always, if you find yourself the victim of such nefarious techniques, please call IT Security at x44200

Categories: General

Watch this CNN video about the Conficker.C worm

March 28th, 2009

Categories: General

More something new

February 2nd, 2009

For the few of you who visit the site, you’ll notice the change in design and software. I removed the Drupal site tonight and changed it over to this WordPress design.

The Drupal site was nice, but really had far more pieces than I needed for here. This should be easier to maintain and read.

Hopefully Janie can figure out how to register and start posting…

Categories: General

Trying new things…

February 1st, 2009

I have been trying out a couple of free programs for blog writing so I can do it offline and upload when I am ready.

I tried Microsoft Live Writer first, but had some issues with my WordPress blog not recognizing all the tags. At first I thought maybe I needed to try HTML instead of XHTML, but that only changed the tags and did not fix the issue.

Now I am trying Zoundry Raven. We’ll see how this uploads. No sense using some extra application to write and upload posts if I have to follow up by logging in and editing every post to fix the source code…

UPDATE: Raven handled some things better, like spaces.  But the paragraph tags still showed up, so I am going to have to spend some time with both of these programs and see if I can figure out how to configure them to work with this blog.

Categories: General

Crossed to the dark side, for now…

February 1st, 2009

Since I had been wanting a new computer to run Linux on, and Circuit City is going out of business, I decided it would be ok to buy a computer from them.  Now, buying an HP desktop from a brick and mortar instead of buying parts and building my own machine has never been my favorite thing.  But, I decided for $700 I’d be lazy and buy an OEM machine this time.

So far, the new machine is doing fine.  Why is this a surprise?  Because it has Vista on it.  I’m thinking of keeping this system with Vista and converting the XP system to Linux.  The older machine still has lots of life left in it, especially if I put Linux on it.

We’ll see how the Vista does over the next couple of weeks before I make a final decision.  I don’t really like having this much Microsoft in the house…

Categories: General

As so many other sites have called it, the news you don’t want…

August 15th, 2008

Those who work in IT already know (or at least should already know) about the waves of spam pretending to be from legitimate news sites such as CNN, BBC or MSNBC. These messages look real, and the news in them might even sound real (although some of them have bad grammar), but they are malicious.

The current iteration has a subject line starting with “msnbc.com – BREAKING NEWS”. If you get these messages, just delete them. Don’t click on anything in the messages, just get rid of them. Hopefully your spam filters are catching them, but if not, DELETE!

The ones pretending to be from CNN had subject lines that were similar or said Top10 ______. Again, delete these.

Some of these messages would open a pop-up if you viewed the message claiming that you needed to install something to view the news. DO NOT INSTALL. In fact, don’t click on the pop-up at all. Instead, immediately delete the message. The pop-up will go away.

If you click Cancel on the pop-up, you’re stuck. Once you have activated that pop-up by clicking on it, you are in a loop: clicking the X to close it or clicking Cancel just brings it back. At that point, kill the browser process (or reboot). NEVER CLICK OK.

For those in IT, you may want to consider an IDS signature that watches for downloads of adobe_flash.exe. If your organization has a SIEM product, I’d also recommend going a step further and configuring it to alert any time that IDS signature triggers, and to e-mail your security team.

For instance, create a Snort signature that looks for HTTP GET requests for adobe_flash.exe. Number your signature 10000001 (local rules should use SIDs of 1,000,000 or above so they don’t collide with the official rule set). From there I’d go to the SIEM, say Intellitactics Security Manager, and configure alerting for this signature.

I would create a correlation for this that simply watches for my new Snort signature ID number and creates an alert for each one of them it sees. I would have that correlation give the alert a priority of 99 (I want to make sure they get attention quickly). Also, have the correlation set a unique alert id. Let’s use 99000001.

From there, I would configure Alert Notifications and set up an e-mail notification. I would make the notification look for the unique alert id 99000001 and generate an e-mail for every one of the alerts (the hope is there won’t be a lot of these).

Now you’re logging what’s happening with your IDS, passing those logs to the SIEM for long term storage, near real-time correlation, and investigation.
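As an added example (not code from the original post, and not Snort’s or Intellitactics’ own code), here is the whole chain emulated in Python: an assumed Snort 2.x rule text for the GET-of-adobe_flash.exe signature, the match logic that rule implies, a correlation step that turns every hit on sid 10000001 into alert id 99000001 at priority 99, and a notification step that builds one e-mail per alert. The request lines, timestamps, addresses, rule message and the security-team@example.com address are all constructed for illustration.

```python
"""Emulation of the IDS -> SIEM -> e-mail chain described above.

Added example, not code from the original post, Snort or Intellitactics.
An assumed Snort 2.x rule fires on HTTP GET requests for adobe_flash.exe; a
SIEM 'correlation' promotes every hit on that sid to alert id 99000001 with
priority 99; a notification step builds one e-mail per alert.  Every log
line below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIG_SID = 10000001      # local sid chosen in the post (local rules use sid >= 1000000)
ALERT_ID = 99000001     # SIEM alert id chosen in the post
ALERT_PRIORITY = 99
RULE_MSG = "LOCAL fake-news spam payload adobe_flash.exe download"  # made-up message text

# Assumed Snort 2.x rule text; $HOME_NET etc. are the usual snort.conf variables.
# 'http_uri' restricts the second content match to the request URI.
SNORT_RULE = (
    "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
    f'(msg:"{RULE_MSG}"; flow:to_server,established; '
    'content:"GET "; depth:4; content:"adobe_flash.exe"; nocase; http_uri; '
    f"classtype:trojan-activity; sid:{SIG_SID}; rev:1;)"
)


def rule_matches(request_line: str) -> bool:
    """Apply the rule's two content checks to one raw HTTP request line."""
    # content:"GET "; depth:4  -> the payload must begin with "GET "
    if request_line[:4] != "GET ":
        return False
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    # content:"adobe_flash.exe"; nocase; http_uri -> case-insensitive, URI only
    return "adobe_flash.exe" in parts[1].lower()


def snort_fast_alert(ts: str, src: str, dst: str, request_line: str) -> Optional[str]:
    """Return a line in Snort's 'fast' alert format if the rule fires, else None."""
    if not rule_matches(request_line):
        return None
    return (f"{ts}  [**] [1:{SIG_SID}:1] {RULE_MSG} [**] "
            f"[Classification: A Network Trojan was detected] [Priority: 1] "
            f"{{TCP}} {src} -> {dst}")


# gid:sid:rev, message, protocol, source and destination of a fast-alert line
FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} (\S+) -> (\S+)")


@dataclass
class SiemAlert:
    alert_id: int
    priority: int
    sid: int
    src: str
    dst: str
    msg: str


def correlate(ids_log: List[str]) -> List[SiemAlert]:
    """Correlation rule: each IDS event with gid 1 / sid 10000001 becomes one SIEM alert."""
    alerts = []
    for line in ids_log:
        m = FAST_ALERT_RE.search(line)
        if not m:
            continue  # not a Snort alert line; the SIEM ignores it here
        gid, sid, _rev, msg, _proto, src, dst = m.groups()
        if int(gid) == 1 and int(sid) == SIG_SID:
            alerts.append(SiemAlert(ALERT_ID, ALERT_PRIORITY, int(sid), src, dst, msg))
    return alerts


def notification_emails(alerts: List[SiemAlert], to: str = "security-team@example.com") -> List[dict]:
    """Alert notification: one e-mail per alert 99000001 (the post expects these to be rare)."""
    return [
        {"to": to,
         "subject": f"[SIEM {a.alert_id} P{a.priority}] {a.msg}",
         "body": f"{a.src} requested adobe_flash.exe from {a.dst} (Snort sid {a.sid}). Pull the host."}
        for a in alerts if a.alert_id == ALERT_ID
    ]


# Constructed request lines as a sensor on the client segment would see them (not real traffic).
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("08/15-09:12:01.000001", "10.1.2.3:51234", "203.0.113.10:80", "GET /news/adobe_flash.exe HTTP/1.1"),
    ("08/15-09:12:05.000002", "10.1.2.4:49152", "203.0.113.11:80", "GET /Top10/ADOBE_FLASH.EXE HTTP/1.1"),
    ("08/15-09:13:10.000003", "10.1.2.5:50000", "198.51.100.5:80", "GET /index.html HTTP/1.1"),
    ("08/15-09:14:00.000004", "10.1.2.6:50001", "203.0.113.12:80", "POST /up/adobe_flash.exe HTTP/1.1"),
]


def run_pipeline(requests=SAMPLE_REQUESTS):
    """IDS -> SIEM correlation -> notification; returns all three stages."""
    ids_log = [a for a in (snort_fast_alert(*r) for r in requests) if a]
    alerts = correlate(ids_log)
    return ids_log, alerts, notification_emails(alerts)


if __name__ == "__main__":
    log, alerts, mails = run_pipeline()
    print(SNORT_RULE)
    for line in log:
        print(line)
    for mail in mails:
        print(mail["subject"])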

Last Day at Intellitactics

July 31st, 2008

Well, tomorrow is my last day at Intellitactics.  I have enjoyed my time with the company, though I have to admit, it has been much shorter than I originally thought it would be.

With this job I have had the opportunity to travel to new places, meet lots of new people, and learn a lot about how other companies and government organizations deal with IT Security.  In the last 17 months I have traveled to Albany, NY; Philadelphia, PA; the Pentagon (what a place!); Fort Walton Beach, FL (vacation here); Fayetteville, NC (July here is miserably hot); San Diego/Coronado, CA; Calgary, Alberta; Palo Alto/San Francisco/San Jose, CA; Washington, DC; Raleigh/Durham, NC; Ottawa, Ontario (my first time to the Canadian Capital city); Richland, WA (I enjoyed this trip so much and the beauty of this area that I am disappointed I won’t be going back to follow up on the sale I helped with out there); and Toronto (NOT the Canadian Capital!)/Cambridge, Ontario.

Along the way I learned a lot about business travel.  For instance, if you’re flying US Air, NEVER CHECK A BAG!  And, if you’re flying US Air, never expect to get anywhere on time.  Really, what I learned is Airtran and Southwest are the best two airlines to fly to and from the Hampton Roads, VA area.  Try to avoid US Air and United at all costs!

Thanks to some of the people I have met along the way I have found great ways to spend time in some of these cities along the way.

For instance, it was Paul at Hurlburt that told me about the Sheraton on Okaloosa Island I stayed in for two weeks while I was there on business and the family was down on vacation.  Right on the beach facing the Gulf of Mexico.  That was a wonderful time.

Or Mike H. in Coronado taking me to the Coronado Brewing Company (I hope that’s right) for lunch.  I’m a picky eater as most know, but the Pepperoni Calzone is amazing!!

And also there is Hank in DC.  He introduced me to the Virginia Railway Express (OK, Tyler had mentioned it once, too).  It is so much nicer to work in DC when you can ride the train in from Fredericksburg instead of trying to drive in and out everyday!  Not to mention the hotels and food are a heck of a lot cheaper in Fredericksburg.  Though you have to be careful parking at the VRE lots, they like to tow (I speak from experience).

And especially to all of the Intellitactics employees I have had the privilege to work with.  It has been a very interesting place to work (you know what I mean).

I’ve definitely had a good time traveling overall, despite US Air losing my suitcase the second week in Ottawa.  And I have really enjoyed the work and the people.

If you ever find yourself needing a full SIEM solution, or maybe just an appliance for log monitoring and compliance reporting, I would strongly recommend Intellitactics and its people.  I hope to be able to continue work with them as I return to the IT Security team at LaRC where I was first introduced to the company.

Busy busy busy; changes changes changes

July 29th, 2008

In the last month, we have bought a new house, painted the bedrooms in it, and moved into it.  I have also accepted a position back at NASA.

Yep, all in one month we’ve moved and I am changing jobs.  My last day at Intellitactics is this Friday.

I’ve also learned this month that you can fit more into a townhouse than you might expect!  I can’t believe how much we’ve moved into this new house.  We’re going to be cleaning and tossing for months to come from the look of it.

Categories: Family, General