Re: Releasing details

[Joel Rosenblatt <joel () COLUMBIA EDU>]

We use our GULP (Grand Unified Logging Program) to track all authenticated logins to any system, including email.  
Since we know all of the usual IP addresses
that a user logs in from, it is usually fairly easy to spot a login from an unusual address - we can find out from the 
complainant if they were at the location
of the login in question and then we can also trace all logins from the IP in questions to see what other ID's logged in - 
then it's up to our Public Safety
people to interview the list of suspects - we have very successfully caught hackers using this, and it works whether or 
not the IP was on our campus.

The information you need is in your logs .. you just have to have some organized way to dig it out.

My 2 cents.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Tuesday, January 22, 2008 4:31 PM -0500 Theresa Rowe <rowe () OAKLAND EDU> wrote:

> We sometimes get requests from student and staff that read something like the following:
>
> "Joan Doe called the Help Desk asking for if we could trace an IP address of a
> computer that sent an email from her account on January 19 sometime around 3:30 AM.
> She said that someone had hacked into her email account and deleted some
> messages as well as sent some. She has since then changed her password but is now
> looking to take action on the person that sent it."
>
> Do you have protocols on how you handle such an incident?  In most of these cases, the logins look authentic - i.e., 
> the real ID and password were used.
>
>
> --
> Theresa Rowe
> Chief Information Officer
> rowe () oakland edu
> Oakland University



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel