Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Joseph Tam <tam () MATH UBC CA>
Date: Fri, 8 Dec 2017 14:14:23 -0800
On Thu, 7 Dec 2017, Valdis Kletnieks wrote:
> On Thu, 07 Dec 2017 00:09:46 -0800, Joseph Tam said:
> > I've seen both diffuse and intensive failed logins -- neither are worth looking at from a security standpoint. It's not uncommon for me to see thousands of guesses against one account, especially against administrative accounts.
>
> Are you employing any sort of rate limiting or temp lockout/block when these thousands are flooding in from off campus?

On some systems (e.g. ssh), yes. However, for mail authentication, consecutive failures followed by success is typical of people who change their password, but neglect to update the cached password in their reader. Or they enter the wrong password to start with, then walk away, then come back to find they haven't authenticated properly.

If you're talking an office worth of people or a small set of highly locked down accounts, OK, look at it. But on a scale of 10K users, forget it.

In the scenario you're talking about, a typical scenario might be a third party password compromised that leads to the intruder trying variations at your site. This will usually be detected by locale analysis, which can operate at scale.

In another scenario, a student shoulder surfs an office staff member, gets a rough idea of keyboard location of the password, then tries variations from your local WiFi. That's tough, and I concede if you investigated that, it could have caught the student. However, as I pointed out, the problem is differentiating this from the 100x more likely scenario that someone fat fingered their password.

Joseph Tam <tam () math ubc ca>
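
The triage argued for in the message above, as an added example that is not code from the poster or the list: it alerts only on a successful login from a locale the account has not used before and sets aside fail-then-success runs from a known locale. The event tuples, the `locale` labels (assumed to be resolved upstream, e.g. by GeoIP) and the per-account baseline are constructed assumptions; the shoulder-surfing case from local WiFi lands in the ignored set, which is the limitation the message concedes.

```python
from collections import defaultdict

# Constructed sample events: (minute, account, locale, success).
# "locale" is an assumed upstream label, e.g. GeoIP country or "campus".
EVENTS = [
    (1, "alice", "campus", False),   # stale cached password in a mail reader
    (2, "alice", "campus", False),
    (3, "alice", "campus", True),
    (4, "bob", "XX", False),         # third-party password variations, new locale
    (5, "bob", "XX", False),
    (6, "bob", "XX", True),
    (7, "carol", "campus", False),   # shoulder-surfer on local WiFi
    (8, "carol", "campus", True),
    (9, "root", "YY", False),        # guessing that never succeeds
    (10, "root", "YY", False),
]
# Constructed history of locales each account has logged in from before.
BASELINE = {"alice": {"campus"}, "bob": {"campus", "CA"}, "carol": {"campus"}}


def triage(events, baseline):
    """Return (alerts, ignored) as lists of (account, locale, prior_failures).

    alerts:  successes from a locale new to the account.
    ignored: fail-then-success runs from a locale already known for it.
    """
    fails = defaultdict(int)  # consecutive failures per (account, locale)
    alerts, ignored = [], []
    for _minute, account, locale, ok in sorted(events):
        key = (account, locale)
        if not ok:
            fails[key] += 1
            continue
        prior = fails.pop(key, 0)
        record = (account, locale, prior)
        if locale not in baseline.get(account, set()):
            alerts.append(record)      # new locale: worth a look at any scale
        elif prior:
            ignored.append(record)     # looks like a fat-fingered password
    return alerts, ignored


if __name__ == "__main__":
    alerts, ignored = triage(EVENTS, BASELINE)
    print("alert:  ", alerts)
    print("ignored:", ignored)
```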