Educause Security Discussion mailing list archives
Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)
From: "Garmon, Joel" <JSG () PITT EDU>
Date: Fri, 22 Mar 2019 13:57:06 +0000
Hi, We use Exchange and turned off the legacy email protocols. We have seen a dramatic drop in compromised accounts sending out spam. Thank you, Joel Garmon Chief Information Security Officer Computer Services and Systems Development (CSSD) University of Pittsburgh 412-624-5595 -----Original Message----- From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SECURITY automatic digest system Sent: Friday, March 22, 2019 12:00 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) There are 11 messages totalling 2409 lines in this issue. Topics of the day: 1. Turning off IMAP (11) ---------------------------------------------------------------------- Date: Thu, 21 Mar 2019 14:09:01 -0400 From: Emily Harris <emharris () VASSAR EDU> Subject: Turning off IMAP I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains. We are looking to do this by the beginning of May and we are wondering if those-who-have-gone-before-us have any words of advice or caution. Ideally, we'd like to turn it off domain-wide and then allow it for certain users - is that even possible for Google? We just started looking at those options and how to manage our exceptional cases (of which we know of a few). TIA! ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 ------------------------------ Date: Thu, 21 Mar 2019 14:51:46 -0400 From: Valdis Klētnieks <valdis.kletnieks () VT EDU> Subject: Re: Turning off IMAP On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer? ------------------------------ Date: Thu, 21 Mar 2019 14:59:46 -0400 From: Emily Harris <emharris () VASSAR EDU> Subject: Re: Turning off IMAP YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:
On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
------------------------------ Date: Thu, 21 Mar 2019 15:05:49 -0400 From: Kevin Wilcox <wilcoxkm () APPSTATE EDU> Subject: Re: Turning off IMAP On Thu, 21 Mar 2019 at 14:51, Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
The biggies for us are that so few clients do proper MFA and application-specific passwords are essentially $DEITY_MODE. By "so few clients" I mean "I really love mutt but it isn't Duo-friendly". We don't turn them off but I advocate it regularly, even if it's meant I had to leave my beloved mutt. kmw ------------------------------ Date: Thu, 21 Mar 2019 15:08:46 -0400 From: Gael Frouin <gfrouin () BERKLEE EDU> Subject: Re: Turning off IMAP I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=%2FfB5kp5%2FOr7GE9BPYUp8X8QYBl2%2BuCmYBB298Eduqw4%3D&reserved=0 for Less secure apps management) Gaël Frouin *Information Security Officer* *Berklee* On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:
YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
------------------------------ Date: Thu, 21 Mar 2019 16:02:47 -0400 From: Emily Harris <emharris () VASSAR EDU> Subject: Re: Turning off IMAP We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu> wrote:
I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupp ort.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cjsg %40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3 a526112fd0d%7C1%7C0%7C636888240059842140&sdata=%2FfB5kp5%2FOr7GE9B PYUp8X8QYBl2%2BuCmYBB298Eduqw4%3D&reserved=0 for Less secure apps management) Gaël Frouin *Information Security Officer* *Berklee* On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
------------------------------ Date: Thu, 21 Mar 2019 20:16:43 +0000 From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU> Subject: Re: Turning off IMAP +1 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emily Harris Sent: Thursday, March 21, 2019 3:03 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Turning off IMAP **** EXTERNAL EMAIL **** We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu>> wrote: I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=%2FfB5kp5%2FOr7GE9BPYUp8X8QYBl2%2BuCmYBB298Eduqw4%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__support.google.com_a_answer_6260879-3Fhl-3Den%26d%3DDwMFaQ%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DEmvQfnwoek_8TAwETFZ5rc_5-1J10g6jKng3cAzm-14%26s%3DmiWuR0GURwAknQKgEsdgi7uTMp0WAy_ljzAI8Ei8jTY%26e&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=HHvQVkUI0ERj2vjjT6LgNbBs96Ghl9SepSDbwoN5uJQ%3D&reserved=0=> for Less secure apps management) Gaël Frouin Information Security Officer Berklee On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu<mailto:emharris () vassar edu>> wrote: YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu<mailto:valdis.kletnieks () vt edu>> wrote: On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer? ------------------------------ Date: Thu, 21 Mar 2019 16:18:39 -0400 From: Gael Frouin <gfrouin () BERKLEE EDU> Subject: Re: Turning off IMAP You can create one or multiple sub OUs in google and change the setting just for that OU while inheriting the other from the parent OU E.g. staff - STALessSecure Student - STULessSecure Etc. There will definitely be exceptions (e.g. genetic accounts used in various random systems not supported oauth2 for authentication) On Thu, Mar 21, 2019 at 16:03 Emily Harris <emharris () vassar edu> wrote:
We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu> wrote:I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsup port.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cj sg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87 cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=%2FfB5kp5%2FOr7 GE9BPYUp8X8QYBl2%2BuCmYBB298Eduqw4%3D&reserved=0 for Less secure apps management) Gaël Frouin *Information Security Officer* *Berklee* On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks < valdis.kletnieks () vt edu> wrote:On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
------------------------------ Date: Thu, 21 Mar 2019 20:22:10 +0000 From: "Telfer, Will" <Will_Telfer () BAYLOR EDU> Subject: Re: Turning off IMAP With the caveat that we are not a Google campus as we use MS/Office 365, we disabled IMAP access to email for all but a handful of faculty/staff that had been using it for years…with the understanding that if their accounts were ever compromised via phishing, etc. that there would be no discussion & it would be disabled permanently after that (this was communicated to all users who remained on IMAP). Our reasoning was that IMAP allowed accounts that were compromised to continue sending phishing/junk without enforcing our 2-factor authentication via Duo. Once we disabled it, our compromised accounts went from hundreds per week (at the peak times) to zero (to be fair the 2-factor enforcement on Office 365 was the bigger factor in this quick decrease). Thank You, Will Telfer, M.S. Information Security Analyst Information Technology Services [sig] Twitter: @BearAware Facebook: https://nam05.safelinks.protection.outlook.com/?url=www.facebook.com%2FBearAware&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=wbgSLTVZiytEen9n3UVihV8h3DsxdKIYTgsXlZcj8xM%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.facebook.com%2FBearAware&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=wDf6KHdx7V0npYdCJ5OKpr%2F3LqShhES7CQt94pbJs9E%3D&reserved=0> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B Sent: Thursday, March 21, 2019 3:17 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Turning off IMAP +1 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Emily Harris Sent: Thursday, March 21, 2019 3:03 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Turning off IMAP **** EXTERNAL EMAIL **** We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu>> wrote: I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=%2FfB5kp5%2FOr7GE9BPYUp8X8QYBl2%2BuCmYBB298Eduqw4%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__support.google.com_a_answer_6260879-3Fhl-3Den%26d%3DDwMFaQ%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DEmvQfnwoek_8TAwETFZ5rc_5-1J10g6jKng3cAzm-14%26s%3DmiWuR0GURwAknQKgEsdgi7uTMp0WAy_ljzAI8Ei8jTY%26e%3D&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059842140&sdata=qXyxyOwsmhOoyNSe7wzgLL8JmxSFvEKLrmw%2Fcfthk%2Bo%3D&reserved=0> for Less secure apps management) Gaël Frouin Information Security Officer Berklee On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu<mailto:emharris () vassar edu>> wrote: YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu<mailto:valdis.kletnieks () vt edu>> wrote: On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer? ------------------------------ Date: Thu, 21 Mar 2019 20:25:48 +0000 From: John Jennings <jjennings () ALLIANT EDU> Subject: Re: Turning off IMAP We blocked IMAP/POP/SMTP at the edge after monitoring usage for a couple of weeks and notifying users. As a result, we have seen hits against our O365 domain drop by over 10K per month. We still have some internal app service accounts communicating using these protocols and are working with the vendors to modify them. In the interim we have ensured they have very complex, lengthy, and rotating passwords. John Jennings, CISSP Vice President/Acting CIO 10455 Pomerado Road, M-13 San Diego, CA 92131 Direct: (720)480-5913 Email: jjennings () alliant edu<mailto:jjennings () alliant edu> [cid:5f299f2b-3483-4b48-bd7a-2a71e249c505] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B Sent: Thursday, March 21, 2019 2:17 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Turning off IMAP +1 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Emily Harris Sent: Thursday, March 21, 2019 3:03 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Turning off IMAP **** EXTERNAL EMAIL **** We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu>> wrote: I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059852149&sdata=nnVQlRtruVjPeZLMPNPilCGsesAu%2FbyVQ8X1k6omJZg%3D&reserved=0<https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__support.google.com_a_answer_6260879-3Fhl-3Den%26d%3DDwMFaQ%26c%3DbKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw%26r%3DLgw4Sh6g47kM5A_tpEcLZDyPGvmOKdeDlyp60PwA78c%26m%3DEmvQfnwoek_8TAwETFZ5rc_5-1J10g6jKng3cAzm-14%26s%3DmiWuR0GURwAknQKgEsdgi7uTMp0WAy_ljzAI8Ei8jTY%26e&data=02%7C01%7Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04eeb87cc3a526112fd0d%7C1%7C0%7C636888240059852149&sdata=U%2FrKmqCVwnZEKEsBjl45xqmcICn7XBne%2Boo0kizUMN8%3D&reserved=0=> for Less secure apps management) Gaël Frouin Information Security Officer Berklee On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu<mailto:emharris () vassar edu>> wrote: YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu<mailto:valdis.kletnieks () vt edu>> wrote: On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer? NOTICE - This email was sent from outside of the University - do NOT open any attachments or click on links if you are unsure of the sender’s identity. NOTICE - This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited. ------------------------------ Date: Thu, 21 Mar 2019 16:38:11 -0400 From: Emily Harris <emharris () VASSAR EDU> Subject: Re: Turning off IMAP It definitely surfaces the fact that we have too many Sub OUs in the first place. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 4:18 PM Gael Frouin <gfrouin () berklee edu> wrote:
You can create one or multiple sub OUs in google and change the setting just for that OU while inheriting the other from the parent OU E.g. staff - STALessSecure Student - STULessSecure Etc. There will definitely be exceptions (e.g. genetic accounts used in various random systems not supported oauth2 for authentication) On Thu, Mar 21, 2019 at 16:03 Emily Harris <emharris () vassar edu> wrote:We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu> wrote:I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the user of email clients (see https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsu pport.google.com%2Fa%2Fanswer%2F6260879%3Fhl%3Den&data=02%7C01%7 Cjsg%40PITT.EDU%7Cba712e77c88b4eabb9b408d6ae7adc6f%7C9ef9f489e0a04ee b87cc3a526112fd0d%7C1%7C0%7C636888240059852149&sdata=nnVQlRtruVj PeZLMPNPilCGsesAu%2FbyVQ8X1k6omJZg%3D&reserved=0 for Less secure apps management) Gaël Frouin *Information Security Officer* *Berklee* On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:YES. We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel. Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off. ---- Emily Harris, CISSP Information Security Officer, CIS Vassar College 845-437-7221 On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks < valdis.kletnieks () vt edu> wrote:On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:I am wondering if anyone on this list has turned off IMAP and POP3fortheir Google domains.Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?
------------------------------ End of SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) **************************************************************
Current thread:
- Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) Garmon, Joel (Mar 22)
- Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) Tanner, Andrea (Mar 25)