Educause Security Discussion mailing list archives

Re: Compromised Accounts Procedures


From: Steven Tardy <sjt5 () ITS MSSTATE EDU>
Date: Thu, 24 May 2012 11:21:20 -0500

some of this was mentioned by others in the thread...

the list of "what to do" is in our internal wiki abbreviated here:

immediate cleanup:
* scramble password
* remove sessions in webmail
* clean email queues
* remove sessions in vpn
* any other successful logins from the same ip?
** did account login from other suspect ips?
  (we use a homegrown system similar to Columbia's GULP)

post threat cleanup:
* clean identity in webmail
* add ip addresses to watch list
** 2000+ ip addresses in our watch list
* add email addresses to watch list
* report phishing page via firefox
* submit web form with fake credentials, aka phish the phishers (:
* follow up with abuse@ emails or 'report abuse' links on web pages
* log report

follow up with individual:
* how did this happen?
** did you "share your password" with anyone?
** did you "upgrade your quota"?
** did you "verify your account"?
* reset password
** make sure it's different and not a simple "add digit" variation.
** was this compromised password used elsewhere? (bank, etc.)

to quote Dr. Gregory House: "Everybody lies."

we've had hundreds of phished accounts since 2008.
we estimate 90+% users were phished.
we watch for anomalies in behaviour.
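The two login checks from the "immediate cleanup" list above (other accounts that authenticated from the same address, and whether the account also logged in from addresses already on the watch list), as an added Python example that is not part of the original post or of the poster's GULP-like system. The login records, addresses and watch list are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    """One authentication record: timestamp, account, source address, success flag."""
    ts: str
    user: str
    ip: str
    ok: bool


# Constructed sample records; 198.51.100.7 is the address the phisher used to
# log in as "alice", 203.0.113.9 is an address already on the watch list.
SAMPLE_LOGINS = [
    Login("2012-05-24T08:01:00", "alice", "192.0.2.10", True),     # alice's usual address
    Login("2012-05-24T08:05:00", "alice", "198.51.100.7", True),   # attacker address
    Login("2012-05-24T08:06:00", "bob", "198.51.100.7", True),     # second victim, same address
    Login("2012-05-24T08:07:00", "carol", "198.51.100.7", False),  # failed: not a compromise
    Login("2012-05-24T08:09:00", "alice", "203.0.113.9", True),    # watch-listed address
    Login("2012-05-24T08:10:00", "dave", "192.0.2.55", True),      # unrelated
]

WATCH_LIST = frozenset({"203.0.113.9"})  # constructed starting watch list


def successful_logins_from(logins, ip, exclude_user=None):
    """Accounts that successfully authenticated from `ip`, minus the known victim."""
    return sorted({l.user for l in logins if l.ok and l.ip == ip and l.user != exclude_user})


def watch_listed_ips_used_by(logins, user, watch_list):
    """Watch-listed addresses from which `user` successfully logged in."""
    return sorted({l.ip for l in logins if l.ok and l.user == user and l.ip in watch_list})


def triage(logins, compromised_user, attacker_ip, watch_list):
    """Run both checks for one compromised account and return the grown watch list."""
    return {
        "other_accounts_from_attacker_ip": successful_logins_from(logins, attacker_ip, compromised_user),
        "watch_listed_ips_used_by_account": watch_listed_ips_used_by(logins, compromised_user, watch_list),
        "watch_list": frozenset(watch_list) | {attacker_ip},  # original list is not mutated
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGINS, "alice", "198.51.100.7", WATCH_LIST).items():
        print(f"{key}: {sorted(value)}")
```

Each account returned under other_accounts_from_attacker_ip goes through the same cleanup list, which is how one phished account turns into several.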

