Educause Security Discussion mailing list archives
Re: Recent Phishing Uptick
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 20 Feb 2014 15:35:21 -0500
This is pretty much what we see as well. I posted some instructions on how to get these via the API Explorer earlier in the thread. But the very short basics are: 1. Sign in as a Google Admin (you need reporting rights) 2. Go here: https://developers.google.com/admin-sdk/reports/v1/get-start/getting-started 3. Click on the APIs Explorer link 4. Click on "reports.activites.list" 5. Have fun Note that you're not going to get a pretty-printed report; you're just getting a JSON-encoded list of events. For any "real" applications of this data you'll want to write code of some sort, but for just taking a quick look at things or poking around a bit, it's serviceable. -- *DAVID A. CURRY, CISSP* * DIRECTOR OF INFORMATION SECURITY *THE NEW SCHOOL* * 55 W. 13TH STREET * NEW YORK, NY 10011 +1 212 229-5300 x4728 * david.curry () newschool edu On Thu, Feb 20, 2014 at 2:27 PM, Joel L. Rosenblatt <joel () columbia edu>wrote:
Hi, Here is what we see - xxxx replaces random stuff - one of these for each login session. "kind": "admin#reports#activities", "etag": "\"D9R4-hwaf8ZZEeXP-Hlyt8X8_a4/ZxxxxruXkXh8fQ_c_rgLUVjAbc8\"", "items": [ { "kind": "admin#reports#activity", "id": { "time": "2013-11-24T16:51:47.000Z", "uniqueQualifier": "-307151507009133xxxx", "applicationName": "login", "customerId": "C0181xxxx" }, "etag": "\"D9R4-hwaf8ZZEeXP-Hlyt8X8_a4/oAQY9Gm7DHM27x6D2vmHhc4xxxx\"", "actor": { "email": "xxxxxx () columbia edu", "profileId": "11176437517216916xxxx" }, "ipAddress": "xxx.xxx.xxx.xxx", "events": [ { "type": "login", "name": "login_success", "parameters": [ { "name": "login_type", "value": "saml" Joel Joel Rosenblatt, Director Network & Computer Security Columbia Information Security Office (CISO) Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3 On Thu, Feb 20, 2014 at 2:03 PM, Frank Barton <bartonf () husson edu> wrote:I'm curious as to where you folks are seeing the login reports. I havenotbeen able to find them Incidentally, I did request an additional alert from google, specifically when an account hits the pre-configured sending limits, and the abilityto"train" the suspicious login alerts -- Frank Barton Apple Certified Mac Technician Technology Support Coordinator Husson University
Current thread:
- Re: Recent Phishing Uptick, (continued)
- Re: Recent Phishing Uptick Gary Warner (Feb 19)
- Re: Recent Phishing Uptick Bob Bayn (Feb 19)
- Re: Recent Phishing Uptick Brandon Hume (Feb 20)
- Re: Recent Phishing Uptick Roger A Safian (Feb 20)
- Re: Recent Phishing Uptick Paul Chauvet (Feb 20)
- Re: Recent Phishing Uptick Derek Diget (Feb 20)
- Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
- Re: Recent Phishing Uptick David Curry (Feb 20)
- Re: Recent Phishing Uptick Frank Barton (Feb 20)
- Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
- Re: Recent Phishing Uptick David Curry (Feb 20)
- Re: Recent Phishing Uptick Ejike, Emechete C. (Feb 20)
- Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
- Re: Recent Phishing Uptick David Curry (Feb 20)
- Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
- Re: Recent Phishing Uptick Frank Barton (Feb 21)
- Re: Recent Phishing Uptick Mike Iglesias (Feb 21)
- Re: Recent Phishing Uptick Tim Doty (Feb 21)
- Re: Recent Phishing Uptick Mally Mclane (Feb 20)
- More details for Google Apps Phishing warning Josef Fortier (Feb 20)