Educause Security Discussion mailing list archives

Re: Compromised Accounts Procedures


From: "Schoenefeld, Keith P." <Keith_Schoenefeld () BAYLOR EDU>
Date: Fri, 25 May 2012 04:00:13 +0000

The real answer is "It depends on the level of access the compromised account has with regard to sensitive information", but for the most general case I'd add:

- Check to ensure the 'password reset questions' weren't modified by the hacker (we've seen this)
- Ensure any forwards and/or other filter modifications put in place by the hacker are removed (deliver-and-forward rules allow the hacker to reset passwords for remote sites linked to the local user's university email account)
- Restore email messages that were deleted by the hacker.

-- KS

Keith Schoenefeld
Information Security Analyst
Baylor University
254-710-6667


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven Tardy
Sent: Thursday, May 24, 2012 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Compromised Accounts Procedures

some of this was mentioned by others in the thread...

the list of "what to do" is in our internal wiki abbreviated here:

immediate cleanup:
* scramble password
* remove sessions in webmail
* clean email queues
* remove sessions in vpn
* any other successful logins from the same ip?
** did account login from other suspect ips?
   (we use a homegrown system similar to columbia's GULP)

post threat cleanup:
* clean identity in webmail
* add ip addresses to watch list
** 2000+ ip addresses in our watch list
* add email addresses to watch list
* report phishing page via firefox
* submit web form with fake credentials, aka phish the phishers (:
* follow up with abuse@ emails or 'report abuse' links on web pages
* log report

follow up with individual:
* how did this happen?
** did you "share your password" with anyone?
** did you "upgrade your quota"?
** did you "verify your account"?
* reset password
** make sure it's different and not a simple "add digit" variation.
** was this compromised password used elsewhere? (bank, etc.)

to quote dr gregory house: "Everybody lies."

we've had hundreds of phished accounts since 2008.
we estimate 90+% users were phished.
we watch for anomalies in behaviour.

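Two of the checks above are mechanical enough to script: Keith's point about hunting for forwarding or filter rules the attacker left behind, and Steven's "any other successful logins from the same ip?" / "did account login from other suspect ips?" questions. The following is an added illustration written for this archive page, not code from either poster or from Baylor or any other institution's tooling. It assumes a constructed, key=value authentication log format, a constructed list of mailbox rules as dictionaries, a hypothetical local domain of example.edu, and a small IP watch list; the sample data is made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (hypothetical format, not a real product's log).
SAMPLE_AUTH_LOG = """\
2012-05-24T08:01:12Z user=alice ip=203.0.113.10 result=success service=webmail
2012-05-24T08:03:40Z user=bob ip=198.51.100.7 result=success service=webmail
2012-05-24T08:05:02Z user=carol ip=203.0.113.10 result=success service=vpn
2012-05-24T08:07:55Z user=dave ip=203.0.113.10 result=failure service=webmail
2012-05-24T09:12:00Z user=alice ip=192.0.2.44 result=success service=webmail
2012-05-24T09:30:13Z user=erin ip=192.0.2.44 result=success service=webmail
"""

# Constructed IP watch list (the kind of list Steven describes keeping).
SAMPLE_WATCH_LIST = {"192.0.2.44", "198.51.100.200"}

# Constructed mailbox rules for the compromised account; "delete" models a
# deliver-and-forward rule that also removes the local copy.
SAMPLE_RULES = [
    {"name": "vacation", "action": "reply", "target": None, "delete": False},
    {"name": "rule1", "action": "forward", "target": "someone@example.net", "delete": True},
    {"name": "archive", "action": "forward", "target": "alice-archive@example.edu", "delete": False},
    {"name": "junk", "action": "move", "target": "Junk", "delete": False},
]

LOCAL_DOMAIN = "example.edu"  # hypothetical local mail domain

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>\S+) service=(?P<service>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def related_logins(events, compromised_user, watch_list):
    """Answer Steven's two questions for one compromised account.

    Returns a tuple of:
      - the set of IPs from which the compromised account logged in successfully,
      - a dict of other users who also logged in successfully from those IPs
        (candidates for the same compromise), mapped to the IPs involved,
      - the subset of the account's IPs that are already on the watch list.
    Failed logins are ignored; only successful ones indicate shared access.
    """
    ips = {e["ip"] for e in events
           if e["user"] == compromised_user and e["result"] == "success"}
    others = defaultdict(set)
    for e in events:
        if e["ip"] in ips and e["user"] != compromised_user and e["result"] == "success":
            others[e["user"]].add(e["ip"])
    return ips, {u: sorted(v) for u, v in others.items()}, ips & set(watch_list)


def suspicious_rules(rules, local_domain):
    """Return names of rules that forward or redirect mail off-domain, or that
    forward and delete (the deliver-and-forward pattern Keith describes)."""
    flagged = []
    for r in rules:
        if r["action"] not in ("forward", "redirect"):
            continue
        target = r.get("target") or ""
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        if domain != local_domain.lower() or r.get("delete"):
            flagged.append(r["name"])
    return flagged


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    ips, others, watched = related_logins(events, "alice", SAMPLE_WATCH_LIST)
    print("IPs used by alice:", sorted(ips))
    print("Other accounts seen from those IPs:", others)
    print("Of alice's IPs already on the watch list:", sorted(watched))
    print("Rules to remove from alice's mailbox:", suspicious_rules(SAMPLE_RULES, LOCAL_DOMAIN))
```

The forwarding check treats any off-domain forward as suspect, which is deliberately conservative: a legitimate off-domain forward still deserves a conversation with the user during the follow-up step, and a forward combined with delete is the pattern that lets an attacker intercept password-reset mail without the owner noticing.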