Educause Security Discussion mailing list archives
Re: Abuse of web proxy access to library databases
From: Jeremy Mooney <j-mooney () BETHEL EDU>
Date: Fri, 22 Feb 2008 15:22:06 -0600
Jeff Giacobbe wrote on 2008/02/22 7:25:
Colleagues- Just wanted to alert you to potential exposure of usernames/passwords for access to various online database services. We were alerted anonymously yesterday that one of our student account credentials had been posted to a "clearing house" site - in Iran, of all places. We have locked that account after verifying that the credentials were real. We uncovered the following site in a Google search that appears to offer dozens of usernames/passwords for logging into various databases with university credentials (including ours) http://nejoom.persianblog.ir/1386_3_nejoom_archive.html Might want to check it out in case there are compromised accounts from your institution listed.
We've seen this a handful of times in the past, and twice in the last month (those being the same account). Unfortunately the users haven't been able to give us any idea of how it was compromised (or won't admit anything), and the most recent one at least was a decent password. In any case, we haven't noticed any pattern of failed attempts on the accounts (so it's likely it was sniffed or phished). At least it's a chance to educate people about using the same password for everything, and they may even listen due to it having caused them inconvenience.

Apparently these sites are somewhat common, as I've occasionally been forwarded discussions from the proxy software users lists of pages where someone found accounts. It may be good to ask/remind anyone in the library watching those lists to watch for and immediately forward anything they see regarding accounts at the school to the appropriate people in IT.

Our library hasn't been thrilled about losing access to resources temporarily after mass-download attempts, so we started looking at detection options. As our proxy is behind our web authentication system, we've decided to move the checks to watch for suspicious activity across the entire web space. In the cases of these postings a simple high-rate limit would probably catch them, but I started looking a bit closer to catch other oddities. On login I now check a general rate, a rough comparison based on the usage over the last week, and a closer comparison if their usage levels are similar over multiple weeks. It probably should have been done here long ago, as manually auditing logs just isn't quick enough to prevent bigger problems anymore.

--
Jeremy Mooney
ITS - Bethel University
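The login-time check described in the reply above (a general rate, a rough comparison against the previous week, and a tighter comparison only when a user's weeks look alike), worked through as an added Python example. This is not Bethel's code nor any proxy product's: the log line format, the threshold values, the `check_login`/`weekly_counts` helpers and the three sample users are all constructed for the illustration.

```python
"""Login-time usage anomaly check for an authenticated proxy.

Illustration of the approach sketched in the post above. The log format,
thresholds and sample users are constructed for this example; none of it is
Bethel's or any proxy vendor's code.
"""
import statistics
from datetime import datetime, timedelta

# Threshold values are assumptions chosen for the example, not taken from the post.
MAX_PER_HOUR = 200    # general rate: more than this in the last hour is flagged
SPIKE_RATIO = 3.0     # rough check: this week more than 3x last week
TIGHT_RATIO = 1.75    # closer check, used only when the user's weeks look alike
STABLE_CV = 0.30      # coefficient of variation below this counts as "stable usage"
MIN_FLAG_COUNT = 100  # never flag a week with fewer requests than this (tiny baselines are noise)


def parse_log(lines):
    """Parse constructed 'ISO-timestamp user url' lines into (datetime, user) pairs."""
    events = []
    for line in lines:
        ts, user, _url = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), user))
    return events


def weekly_counts(events, user, now, weeks):
    """Requests by `user` in each 7-day window ending at `now`, oldest week first."""
    counts = [0] * weeks
    for ts, u in events:
        if u != user or ts > now:
            continue
        idx = (now - ts).days // 7          # 0 = current week, 1 = last week, ...
        if idx < weeks:
            counts[weeks - 1 - idx] += 1
    return counts


def check_login(events, user, now, history_weeks=4):
    """Return the usage figures for `user` and the list of flags raised at login."""
    flags = []

    # 1. General rate: requests in the last hour. A posted/shared account being
    #    mass-downloaded through trips this on its own.
    last_hour = sum(1 for ts, u in events
                    if u == user and timedelta(0) <= now - ts < timedelta(hours=1))
    if last_hour > MAX_PER_HOUR:
        flags.append("rate")

    # 2. Weekly history: current week plus `history_weeks` earlier weeks.
    counts = weekly_counts(events, user, now, history_weeks + 1)
    this_week, baseline = counts[-1], counts[:-1]

    # 3. If usage is similar over multiple weeks, compare tightly against the
    #    multi-week mean; otherwise compare roughly against last week only.
    stable = False
    if len(baseline) >= 3 and all(c > 0 for c in baseline):
        cv = statistics.pstdev(baseline) / statistics.mean(baseline)
        stable = cv < STABLE_CV
    if stable:
        ratio, reference = TIGHT_RATIO, statistics.mean(baseline)
    else:
        ratio, reference = SPIKE_RATIO, baseline[-1]
    if this_week > max(ratio * reference, MIN_FLAG_COUNT):
        flags.append("weekly")

    return {"user": user, "last_hour": last_hour, "weekly": counts,
            "stable": stable, "reference": reference, "flags": flags}


# --- Constructed sample data (not real log data) -----------------------------
NOW = datetime(2008, 2, 22, 15, 0, 0)

# Per-user weekly totals (oldest first, last entry = current week) plus a burst
# of requests in the last hour. alice is steady, bob is naturally bursty,
# mallory's credentials have leaked and a script is pulling articles through them.
PLAN = {
    "alice":   ([60, 60, 60, 60, 60], 0),
    "bob":     ([20, 150, 40, 110, 250], 0),
    "mallory": ([60, 60, 60, 60, 60], 400),
}


def make_sample_log(now, plan):
    """Generate constructed proxy log lines that realise `plan`."""
    lines = []
    for user, (weeks, burst) in plan.items():
        n = len(weeks)
        for pos, total in enumerate(weeks):
            age_weeks = n - 1 - pos
            for i in range(total):     # spread inside the week, always over an hour old
                ts = now - timedelta(days=7 * age_weeks + i % 6, hours=1 + i % 20, minutes=i % 60)
                lines.append(f"{ts.isoformat()} {user} http://db.example.edu/search?q={i}")
        for i in range(1, burst + 1):  # scripted downloader, a few seconds apart
            ts = now - timedelta(seconds=5 * i)
            lines.append(f"{ts.isoformat()} {user} http://db.example.edu/article/{i}.pdf")
    return lines


EVENTS = parse_log(make_sample_log(NOW, PLAN))

if __name__ == "__main__":
    for user in PLAN:
        print(check_login(EVENTS, user, NOW))
```

Run stand-alone it prints one result per user: alice and bob raise no flags, while mallory trips both the hourly rate and the weekly comparison. The point of the "stable" branch is visible in bob: his week-to-week swings mean only the loose 3x test applies, so a 250-request week after a 110-request week is left alone, whereas the same jump from a user with four near-identical weeks would be flagged. The thresholds here are placeholders; in practice they should be derived from an institution's own proxy logs.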
Current thread:
- Abuse of web proxy access to library databases Jeff Giacobbe (Feb 22)
- <Possible follow-ups>
- Re: Abuse of web proxy access to library databases Mark Wilson (Feb 22)
- Re: Abuse of web proxy access to library databases Mike Iglesias (Feb 22)
- Re: Abuse of web proxy access to library databases Jeremy Mooney (Feb 22)