Educause Security Discussion mailing list archives
Re: Compromised Accounts Procedures
From: Steven Tardy <sjt5 () ITS MSSTATE EDU>
Date: Thu, 24 May 2012 11:21:20 -0500
some of this was mentioned by others in the thread... the list of "what to do" is in our internal wiki, abbreviated here:

immediate cleanup:
* scramble password
* remove sessions in webmail
* clean email queues
* remove sessions in vpn
* any other successful logins from the same ip?
** did account login from other suspect ips? (we use a homegrown system similar to Columbia's GULP)

post threat cleanup:
* clean identity in webmail
* add ip addresses to watch list
** 2000+ ip addresses in our watch list
* add email addresses to watch list
* report phishing page via firefox
* submit web form with fake credentials, aka phish the phishers (:
* follow up with abuse@ emails or 'report abuse' links on web pages
* log report

follow up with individual:
* how did this happen?
** did you "share your password" with anyone?
** did you "upgrade your quota"?
** did you "verify your account"?
* reset password
** make sure it's different and not a simple "add digit" variation.
** was this compromised password used elsewhere? (bank, etc)

to quote Dr. Gregory House: "Everybody lies."

we've had hundreds of phished accounts since 2008. we estimate 90+% users were phished. we watch for anomalies in behaviour.
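The "same ip / other suspect ips / watch list" steps of the checklist above, as an added example that is not part of the original post or of the GULP-style system it mentions: it parses a constructed sample of successful-login records, and for a known-phished account reports the source IPs it used, which other accounts logged in from those IPs, which accounts appear from already watch-listed IPs, and which new IPs should be added to the watch list. The log line format, field names and addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of login records in an assumed auth-log style
# (service, result, user, source ip); not real users or addresses.
SAMPLE_LOG = """\
2012-05-24T09:01:12 webmail LOGIN OK user=alice ip=203.0.113.7
2012-05-24T09:03:40 vpn LOGIN OK user=bob ip=198.51.100.21
2012-05-24T09:05:02 webmail LOGIN OK user=carol ip=203.0.113.7
2012-05-24T09:07:55 webmail LOGIN FAIL user=dave ip=203.0.113.7
2012-05-24T09:10:30 webmail LOGIN OK user=alice ip=192.0.2.44
2012-05-24T09:12:01 webmail LOGIN OK user=erin ip=192.0.2.99
"""

# Hypothetical watch list of source addresses seen in earlier incidents.
WATCH_LIST = {"192.0.2.99"}

LINE_RE = re.compile(
    r"^\S+ (?P<svc>\S+) LOGIN (?P<res>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_logins(text):
    """Return (service, user, ip) tuples for successful logins only."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("res") == "OK":
            out.append((m.group("svc"), m.group("user"), m.group("ip")))
    return out


def triage(compromised_user, logins, watch_list):
    """Answer the checklist questions for one known-phished account."""
    # Every source IP the compromised account logged in from.
    ips_of_user = {ip for _, u, ip in logins if u == compromised_user}
    # Other accounts that also logged in from those IPs (possible cohort).
    cohort = defaultdict(set)
    for _, u, ip in logins:
        if ip in ips_of_user and u != compromised_user:
            cohort[ip].add(u)
    # Any account seen from an IP already on the watch list.
    watch_hits = {(u, ip) for _, u, ip in logins if ip in watch_list}
    return {
        "suspect_ips": ips_of_user,
        "cohort": {ip: sorted(users) for ip, users in cohort.items()},
        "watch_hits": watch_hits,
        "add_to_watch_list": ips_of_user - watch_list,
    }
```

Failed logins are deliberately excluded so that a single password-guess from a shared address does not pull an unrelated account into the cohort.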