Archive for the ‘it security’ Category

As so many other sites have called it, the news you don’t want…

August 15th, 2008

Those who work in IT already know (or at least they should already know) about the waves of spam pretending to be from legitimate news sites such as CNN, BBC, or MSNBC. These messages look real, the news in them might even sound real (although some of them have bad grammar), but they are malicious.

The current iteration has a subject line starting with “msnbc.com – BREAKING NEWS”. If you get these messages, just delete them. Don’t click on anything in the messages, just get rid of them. Hopefully your spam filters are catching them, but if not, DELETE!

The ones pretending to be from CNN had subject lines that were similar or said Top10 ______. Again, delete these.

Some of these messages would open a pop-up if you viewed the message claiming that you needed to install something to view the news. DO NOT INSTALL. In fact, don’t click on the pop-up at all. Instead, immediately delete the message. The pop-up will go away.

If you click cancel on the pop-up, you’re stuck. Once you activate that pop-up by clicking, you are stuck in a loop of clicking the X button to close it or clicking cancel, neither of which works. At this point, you need to reboot. NEVER CLICK THE OK.

For those in IT, you may want to consider an IDS signature that watches for downloads of adobe_flash.exe. If your organization has a SIEM product, I’d also recommend going a step further and configuring it to alert any time that IDS signature triggers, and have it also email your security team.

For instance, create a Snort signature to look for HTTP GET requests for adobe_flash.exe. Number your signature 10000001. Now, from here I’d go to the SIEM, say Intellitactics Security Manager, and configure alerting for this signature.

I would create a correlation for this that simply watches for my new Snort signature ID number and creates an alert for each one of them it sees. I would have that correlation give the alert a priority of 99 (I want to make sure they get attention quickly). Also, have the correlation set a unique alert id. Let’s use 99000001.

From there, I would configure Alert Notifications and set up an email notification. I would make the notification look for the unique alert id 99000001 and generate an email for every one of the alerts (the hope is there won’t be a lot of these).

Now you’re logging what’s happening with your IDS, passing those logs to the SIEM for long term storage, near real-time correlation, and investigation.
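The three steps above (an IDS signature for the adobe_flash.exe download, a SIEM correlation that turns every hit on that signature into a priority-99 alert with id 99000001, and an email notification keyed on that alert id) can be sketched end to end in a few lines. The following is an added example, not code from the original post and not Intellitactics or Snort product configuration: the Snort rule text uses Snort 2 syntax (the message string, classtype and rev are assumptions), the HTTP request lines are constructed sample data, the email address is a placeholder, and the correlation and notification functions are a plain-Python stand-in for what the SIEM does.

```python
"""
Added example: IDS signature -> SIEM correlation -> email notification,
mirroring the procedure in the post. Sample request lines, the rule's
msg text and the security-team address are all constructed/assumed.
"""
import re
from dataclasses import dataclass

SID = 10000001             # Snort signature id from the post
ALERT_ID = 99000001        # unique SIEM alert id from the post
ALERT_PRIORITY = 99        # priority the correlation assigns
SECURITY_TEAM = "security-team@example.com"   # placeholder address

# Snort 2 rule (assumed wording): fire on an HTTP GET whose URI names
# adobe_flash.exe. Only the SID comes from the post.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"LOCAL fake-news spam adobe_flash.exe download"; '
    'flow:to_server,established; content:"GET"; http_method; '
    'content:"adobe_flash.exe"; nocase; http_uri; '
    'classtype:trojan-activity; sid:10000001; rev:1;)'
)

# Constructed log shape: "<client-ip> <METHOD> <uri> HTTP/1.x"
REQUEST_LINE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$'
)


@dataclass
class IdsEvent:
    src: str
    uri: str
    sid: int = SID


def ids_match(line):
    """Emulate the rule: GET requests whose URI contains adobe_flash.exe
    (case-insensitive, like `nocase`). Returns an IdsEvent or None."""
    m = REQUEST_LINE.match(line.strip())
    if not m or m.group('method') != 'GET':
        return None
    if 'adobe_flash.exe' not in m.group('uri').lower():
        return None
    return IdsEvent(src=m.group('src'), uri=m.group('uri'))


def correlate(events):
    """SIEM-style correlation: one priority-99 alert per hit on SID 10000001."""
    return [
        {'alert_id': ALERT_ID, 'priority': ALERT_PRIORITY,
         'src': ev.src, 'uri': ev.uri}
        for ev in events if ev.sid == SID
    ]


def notifications(alerts):
    """Alert Notification step: one email per alert carrying id 99000001."""
    return [
        {'to': SECURITY_TEAM,
         'subject': f'[P{a["priority"]}] alert {a["alert_id"]}: '
                    f'adobe_flash.exe download from {a["src"]}'}
        for a in alerts if a['alert_id'] == ALERT_ID
    ]


# Constructed sample traffic: two hits, one unrelated GET, one POST that
# names the file but is not a GET and so must not fire.
SAMPLE_LOG = [
    '10.1.2.3 GET /msnbc/news/adobe_flash.exe HTTP/1.1',
    '10.1.2.4 GET /index.html HTTP/1.1',
    '10.1.2.5 POST /upload/adobe_flash.exe HTTP/1.1',
    '10.1.2.6 GET /cnn/top10/ADOBE_FLASH.EXE HTTP/1.0',
]


def run_pipeline(lines=SAMPLE_LOG):
    """Run IDS matching, correlation and notification; return (alerts, mails)."""
    events = [e for e in (ids_match(l) for l in lines) if e is not None]
    alerts = correlate(events)
    return alerts, notifications(alerts)


if __name__ == '__main__':
    print(SNORT_RULE)
    for mail in run_pipeline()[1]:
        print(mail['to'], '<-', mail['subject'])
```

Running the block prints the rule and two notification subjects, one per matching GET; the POST line that names the same file is ignored because the rule is restricted to the GET method, which is the same restriction `http_method` imposes in the Snort rule.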

Last Day at Intellitactics

July 31st, 2008

Well, tomorrow is my last day at Intellitactics.  I have enjoyed my time with the company, though I have to admit, it has been much shorter than I originally thought it would be.

With this job I have had the opportunity to travel to new places, meet lots of new people, and learn a lot about how other companies and government organizations deal with IT Security.  In the last 17 months I have traveled to Albany, NY; Philadelphia, PA; the Pentagon (what a place!); Fort Walton Beach, FL (vacation here); Fayetteville, NC (July here is miserably hot); San Diego/Coronado, CA; Calgary, Alberta; Palo Alto/San Francisco/San Jose, CA; Washington, DC; Raleigh/Durham, NC; Ottawa, Ontario (my first time to the Canadian Capital city); Richland, WA (I enjoyed this trip so much and the beauty of this area that I am disappointed I won’t be going back to follow up on the sale I helped with out there); and Toronto (NOT the Canadian Capital!)/Cambridge, Ontario.

Along the way I learned a lot about business travel.  For instance, if you’re flying US Air, NEVER CHECK A BAG!  And, if you’re flying US Air, never expect to get anywhere on time.  Really, what I learned is Airtran and Southwest are the best two airlines to fly to and from the Hampton Roads, VA area.  Try to avoid US Air and United at all costs!

Thanks to some of the people I have met along the way, I have found great ways to spend time in some of these cities.

For instance, it was Paul at Hurlburt that told me about the Sheraton on Okaloosa Island I stayed in for two weeks while I was there on business and the family was down on vacation.  Right on the beach facing the Gulf of Mexico.  That was a wonderful time.

Or Mike H. in Coronado taking me to the Coronado Brewing Company (I hope that’s right) for lunch.  I’m a picky eater as most know, but the Pepperoni Calzone is amazing!!

And also there is Hank in DC.  He introduced me to the Virginia Railway Express (OK, Tyler had mentioned it once, too).  It is so much nicer to work in DC when you can ride the train in from Fredericksburg instead of trying to drive in and out everyday!  Not to mention the hotels and food are a heck of a lot cheaper in Fredericksburg.  Though you have to be careful parking at the VRE lots, they like to tow (I speak from experience).

And especially to all of the Intellitactics employees I have had the privilege to work with.  It has been a very interesting place to work (you know what I mean).

I’ve definitely had a good time traveling overall, despite US Air losing my suitcase the second week in Ottawa.  And I have really enjoyed the work and the people.

If you ever find yourself needing a full SIEM solution, or maybe just an appliance for log monitoring and compliance reporting, I would strongly recommend Intellitactics and its people.  I hope to be able to continue work with them as I return to the IT Security team at LaRC where I was first introduced to the company.