Educause Security Discussion mailing list archives

Re: Abuse of web proxy access to library databases


From: Jeremy Mooney <j-mooney () BETHEL EDU>
Date: Fri, 22 Feb 2008 15:22:06 -0600

Jeff Giacobbe wrote on 2008/02/22 7:25:
> Colleagues-
>
> Just wanted to alert you to potential exposure of usernames/passwords
> for access to various online database services.  We were alerted
> anonymously yesterday that one of our student account credentials had
> been posted to a "clearing house" site - in Iran, of all places. We have
> locked that account after verifying that the credentials were real.
>
> We uncovered the following site in a Google search that appears to offer
> dozens of usernames/passwords for logging into various databases with
> university credentials (including ours)
>
> http://nejoom.persianblog.ir/1386_3_nejoom_archive.html
>
> Might want to check it out in case there are compromised accounts from
> your institution listed.

We've seen this a handful of times in the past, and twice in the last
month (those being the same account).  Unfortunately the users haven't
been able to give us any idea of how it was compromised (or won't admit
anything), and the most recent one at least was a decent password.  In
any case, we haven't noticed any pattern of failed attempts on the
accounts (so it's likely it was sniffed or phished).  At least it's a
chance to educate people about using the same password for everything,
and they may even listen due to it having caused them inconvenience.

Apparently these sites are somewhat common, as I've occasionally been
forwarded discussions from the proxy software users lists of pages where
someone found accounts.  It may be good to ask/remind anyone in the
library watching those lists to watch for and immediately forward
anything they see regarding accounts at the school to the appropriate
people in IT.

Our library hasn't been thrilled about losing access to resources
temporarily after mass-download attempts, so we started looking at
detection options.  As our proxy is behind our web authentication
system, we've decided to move the checks to watch for suspicious
activity across the entire web space.  In the cases of these postings a
simple high-rate limit would probably catch them, but I started looking
a bit closer to catch other oddities.  On login I now check a general
rate, a rough comparison based on the usage over the last week, and a
closer comparison if their usage levels are similar over multiple weeks.
It probably should have been done here long ago, as manually auditing
logs just isn't quick enough to prevent bigger problems anymore.

--
Jeremy Mooney
ITS - Bethel University
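The login-time checks described in the message above (a general rate limit, a rough comparison against last week's usage, and a tighter comparison when usage has been similar over several weeks), as an added Python example that is not Jeremy's or Bethel's code. The log line format, the thresholds and the three user histories are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev
HARD_LIMIT = 500     # hypothetical: requests in the last hour that always trip the check
ROUGH_FACTOR = 5.0   # hypothetical: allowed multiple of last week's daily average
TIGHT_FACTOR = 2.5   # hypothetical: tighter multiple when weekly usage has been stable
STABLE_CV = 0.25     # weekly totals within this coefficient of variation are "similar"
NOW = datetime(2008, 2, 22, 15, 0)   # constructed login time used by the sample data

def parse_log(lines):
    """Map user -> [request times] from constructed 'ISO-time user path' log lines."""
    hits = {}
    for line in lines:
        ts, user, _path = line.split(" ", 2)
        hits.setdefault(user, []).append(datetime.fromisoformat(ts))
    return hits

def check_login(user, hits, now):
    """Return the flags raised for `user` at login time; [] means nothing looked odd."""
    times = hits.get(user, [])
    count = lambda lo, hi: sum(1 for t in times if lo <= t < hi)
    flags = ["rate"] if count(now - timedelta(hours=1), now) > HARD_LIMIT else []  # 1. rate
    last_day = count(now - timedelta(days=1), now)
    baseline = count(now - timedelta(days=8), now - timedelta(days=1)) / 7   # last week's avg day
    weekly = [count(now - timedelta(weeks=w + 1), now - timedelta(weeks=w)) for w in range(1, 5)]
    stable = all(weekly) and pstdev(weekly) / mean(weekly) < STABLE_CV       # 3. similar weeks?
    factor = TIGHT_FACTOR if stable else ROUGH_FACTOR                          # 2. rough comparison
    if baseline > 0 and last_day > factor * baseline:
        flags.append("history" if stable else "rough")
    return flags

def build_sample_log(now):
    """Constructed history: alice is steady, bob is erratic, carol mass-downloads today."""
    lines = []
    def add(user, offset, n):          # n hits one second apart, starting at now - offset
        for i in range(n):
            lines.append(f"{(now - offset + timedelta(seconds=i)).isoformat()} {user} /db/article")
    day = lambda d: timedelta(days=d, hours=-1)          # lands just inside "d days ago"
    for d in range(1, 36):
        add("alice", day(d), 20)                          # 20/day for five weeks
    add("alice", timedelta(minutes=30), 40)               # 60 today vs steady 20: flagged
    for d in range(2, 36):                                # erratic weeks, 20/day last week
        add("bob", day(d), 20 if d <= 8 else (1, 10, 2, 20)[(d - 8) // 7])
    add("bob", day(1), 60)                                # 60 today vs rough 5x20: not flagged
    for d in range(2, 9):
        add("carol", day(d), 5)                           # light use, then a burst today
    add("carol", timedelta(minutes=30), 600)
    return lines
if __name__ == "__main__":
    hits = parse_log(build_sample_log(NOW))
    for user in ("alice", "bob", "carol"):
        print(user, check_login(user, hits, NOW))
```

Running it flags alice only through the tighter history check, leaves bob's erratic but within-limits day alone, and flags carol on both the hourly rate and the rough comparison.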
