Educause Security Discussion mailing list archives
<SPAM> RE: user account compromise?
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 24 Apr 2008 18:02:18 -0400
We had this happen here a couple months ago. You can check the list archives. We disabled the student's account overnight until we had time to perform a thorough investigation the next morning. We then changed the student's password, and told them to reset it, and not change it back to the same thing. We simply warned them that if they did, we would not turn their account back on if it happened again. I was primarily concerned about someone accessing the student's social security number or other personal information using our other services (i.e. payment services) with his account. I was informed by our application folks they had eliminated SSN and other confidential information from those systems a while back. Kudos to them. Why would a student ever need to see their own SSN or DOB anyway? Either way it did not matter, as we checked logs on those systems and verified the attacker's IP addresses did not access the systems within about a month's period. The student was unaware of how their password was compromised. I believe it was either phishing or an external database on some site they frequented was compromised (i.e. a sports site that they used their campus e-mail address for verification and used the same password as they did on campus). Honestly it wasn't worth the time pursuing 'legal' action. The attack originated from two IP addresses in the Netherlands (I believe, check the archives). We checked log files on other servers and saw no trace of the IP address. It was an attack solely to send spam from our mail servers. Our students have no remote access other than web services such as webmail, online courses, registration information, and ftp, which we have access logs on each, so this was easily verified. The student obviously was not responsible for the attack and I wasn't flying overseas to wring someone's neck. Maybe it would be different if we had an attorney on staff?
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Barros, Jacob
Sent: Thursday, April 24, 2008 4:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Ken and all. That was it. He did reply to one of those phishing scams. No more than 12 hours before the SPAM was launched. Any non-internal legal advice would be appreciated.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Thursday, April 24, 2008 4:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] user account compromise?

Jake - There have been numerous phishing attempts aimed at .edu students (and faculty/staff) over the past couple of months. I'm sure the archives of this list have examples. Webmail accounts (in particular) of those who fall for the phishing attempt and provide their credentials are used for exactly the things you have seen. The student should change his password if that hasn't already happened. He should also check things like his signature file and any auto-responder messages to ascertain that additional spam is not included there.

- ken

Barros, Jacob wrote:

Beginning around 5:30pm yesterday, SPAM messages were sent from a student's user account. The student claims to not know what is happening, and I think I believe him. He actually sent an email about the problem to our helpdesk at 1 am because he was getting so many delayed delivery and NDR messages. We are still examining his laptop.

So far my assumption is that his account was compromised as copies of the message are actually in his sent items and drafts folders. Anyone disagree with that assumption? Sounds like a ludicrous question but is there any way I can track who was using his account?

Also, I am unsure how to respond to the situation and no applicable policies are in place. Should campus departments or otherwise be notified of the compromise? Any non-internal legal ramifications here, i.e. I am getting many responses from users who received the message. Should I reply to them? Does that imply that we claim responsibility? Should I mention that it actually was our fault when I try to get off the blacklists we are already on?

Is this topic better suited for the email admin discussion group? Any advice or shared experience would be appreciated.

Jake Barros
Grace College

--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
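The log check Matt describes (which source IPs authenticated as the student during the spam run, and whether any of those IPs touched other services such as payment systems within roughly the preceding month) is also the practical answer to Jake's question of tracking who was using the account. The Python below is an added example, not code from anyone in this thread; the log line format, service names, usernames and addresses are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (not from the thread). Hypothetical layout:
# "date time service user client_ip action", one event per line.
LOGS = """\
2008-04-23 17:25:10 webmail jdoe 192.0.2.10 login
2008-04-23 17:31:42 webmail jdoe 198.51.100.7 login
2008-04-23 17:32:05 webmail jdoe 198.51.100.7 send
2008-04-23 18:04:51 webmail jdoe 203.0.113.9 login
2008-04-23 18:05:30 webmail jdoe 203.0.113.9 send
2008-04-24 01:02:11 webmail jdoe 192.0.2.10 login
2008-04-10 09:12:00 payments asmith 198.51.100.7 login
2008-04-22 14:40:00 ftp jdoe 192.0.2.10 login
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_logs(text):
    """Parse the constructed log format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts, service, user, ip, action = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "service": service, "user": user,
                       "ip": ip, "action": action})
    return events

def suspect_ips(events, user, known_ips, start, end):
    """Source IPs that logged in as `user` inside the incident window and are
    not on the user's expected list (campus ranges, their usual home address)."""
    return sorted({e["ip"] for e in events
                   if e["user"] == user and e["action"] == "login"
                   and start <= e["ts"] <= end and e["ip"] not in known_ips})

def other_service_hits(events, ips, before, lookback_days=30):
    """Events from the suspect IPs on any non-webmail service in the lookback
    window: empty means no sign they reached payment/registration systems."""
    since = before - timedelta(days=lookback_days)
    return [e for e in events
            if e["ip"] in ips and e["service"] != "webmail"
            and since <= e["ts"] <= before]

if __name__ == "__main__":
    ev = parse_logs(LOGS)
    window = (datetime(2008, 4, 23, 17, 0), datetime(2008, 4, 24, 2, 0))
    ips = suspect_ips(ev, "jdoe", {"192.0.2.10"}, *window)
    print("suspect IPs:", ips)
    for hit in other_service_hits(ev, set(ips), window[1]):
        print("check this:", hit["service"], hit["user"], hit["ip"], hit["ts"])
```

In the constructed data one of the two suspect addresses also appears against the payments service earlier in the month, which is exactly the kind of hit that would turn an "it was only spam" incident into a data-exposure investigation.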