Educause Security Discussion mailing list archives
Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)
From: "Tanner, Andrea" <atanner3 () CCBCMD EDU>
Date: Mon, 25 Mar 2019 17:01:00 +0000
Hi everyone,

We are talking about doing this at the Community College of Baltimore County as well. I am curious, did you get a lot of user complaints and a flood of calls to the Help Desk? I'd be curious to know your process, such as did you give people time to migrate to the Outlook apps on phones and computers? What sort of messages and migration documents did you create about this change, if you are willing to share those materials? Did you start with one protocol at a time or did you turn them all off at the same time? I assume POP, IMAP, and SMTP? My email is below if you don't want to clutter the list.

Thank you!
Andrea

Pronouns: She/Her/Hers
Andrea Tanner, M.S. | Senior Director, Technology Support | Community College of Baltimore County
Phone: 443-840-4155 | Catonsville Campus CLLB 104B | atanner3 () ccbcmd edu
CCBC. The incredible value of education.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garmon, Joel
Sent: Friday, March 22, 2019 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

Hi,

We use Exchange and turned off the legacy email protocols. We have seen a dramatic drop in compromised accounts sending out spam.
Thank you,

Joel Garmon
Chief Information Security Officer
Computer Services and Systems Development (CSSD)
University of Pittsburgh
412-624-5595

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SECURITY automatic digest system
Sent: Friday, March 22, 2019 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

There are 11 messages totalling 2409 lines in this issue.

Topics of the day:

1. Turning off IMAP (11)

----------------------------------------------------------------------

Date: Thu, 21 Mar 2019 14:09:01 -0400
From: Emily Harris <emharris () VASSAR EDU>
Subject: Turning off IMAP

I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains. We are looking to do this by the beginning of May and we are wondering if those-who-have-gone-before-us have any words of advice or caution. Ideally, we'd like to turn it off domain-wide and then allow it for certain users - is that even possible for Google? We just started looking at those options and how to manage our exceptional cases (of which we know of a few).

TIA!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

------------------------------

Date: Thu, 21 Mar 2019 14:51:46 -0400
From: Valdis Klētnieks <valdis.kletnieks () VT EDU>
Subject: Re: Turning off IMAP

On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for
their Google domains.
Out of curiosity, what problem are you trying to solve by doing this? Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the mail locally on the user's computer?

------------------------------

Date: Thu, 21 Mar 2019 14:59:46 -0400
From: Emily Harris <emharris () VASSAR EDU>
Subject: Re: Turning off IMAP

YES.

We use SSO - SAML and protected via MFA. Leaving IMAP and POP3 open allows a criminal with a credential to get into someone's email and use the Google SMTP server to send spam. This has happened (to our knowledge) twice. The users never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password reuse issue; it was likely a random malware / key logging event on a public machine or during travel). Since we are on SSO, Google 2FA is bypassed. We did figure out a (convoluted) way to make that part of the equation, but from a user perspective I think it is harder to explain rather than just turning it off.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
------------------------------

Date: Thu, 21 Mar 2019 15:05:49 -0400
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Subject: Re: Turning off IMAP

On Thu, 21 Mar 2019 at 14:51, Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:
Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and
prohibit the use of mail software that processes the mail locally on
the user's computer?
The biggies for us are that so few clients do proper MFA and application-specific passwords are essentially $DEITY_MODE. By "so few clients" I mean "I really love mutt but it isn't Duo-friendly". We don't turn them off but I advocate it regularly, even if it's meant I had to leave my beloved mutt.

kmw

------------------------------

Date: Thu, 21 Mar 2019 15:08:46 -0400
From: Gael Frouin <gfrouin () BERKLEE EDU>
Subject: Re: Turning off IMAP

I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the use of email clients (see https://support.google.com/a/answer/6260879?hl=en for Less secure apps management).

Gaël Frouin
*Information Security Officer*
*Berklee*
------------------------------

Date: Thu, 21 Mar 2019 16:02:47 -0400
From: Emily Harris <emharris () VASSAR EDU>
Subject: Re: Turning off IMAP

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
------------------------------

Date: Thu, 21 Mar 2019 20:16:43 +0000
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Subject: Re: Turning off IMAP

+1

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Emily Harris
Sent: Thursday, March 21, 2019 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Turning off IMAP

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less secure apps, but are still waffling on the exceptions, which we believe will surface.
------------------------------

Date: Thu, 21 Mar 2019 16:18:39 -0400
From: Gael Frouin <gfrouin () BERKLEE EDU>
Subject: Re: Turning off IMAP

You can create one or multiple sub OUs in Google and change the setting just for that OU while inheriting the others from the parent OU.

E.g.

staff
- STALessSecure
Student
- STULessSecure
Etc.

There will definitely be exceptions (e.g. generic accounts used in various random systems not supporting OAuth2 for authentication).
------------------------------

Date: Thu, 21 Mar 2019 20:22:10 +0000
From: "Telfer, Will" <Will_Telfer () BAYLOR EDU>
Subject: Re: Turning off IMAP

With the caveat that we are not a Google campus as we use MS/Office 365, we disabled IMAP access to email for all but a handful of faculty/staff that had been using it for years…with the understanding that if their accounts were ever compromised via phishing, etc. that there would be no discussion & it would be disabled permanently after that (this was communicated to all users who remained on IMAP). Our reasoning was that IMAP allowed accounts that were compromised to continue sending phishing/junk without enforcing our 2-factor authentication via Duo. Once we disabled it, our compromised accounts went from hundreds per week (at the peak times) to zero (to be fair the 2-factor enforcement on Office 365 was the bigger factor in this quick decrease).

Thank You,

Will Telfer, M.S.
Information Security Analyst
Information Technology Services
Twitter: @BearAware
Facebook: www.facebook.com/BearAware
------------------------------

Date: Thu, 21 Mar 2019 20:25:48 +0000
From: John Jennings <jjennings () ALLIANT EDU>
Subject: Re: Turning off IMAP

We blocked IMAP/POP/SMTP at the edge after monitoring usage for a couple of weeks and notifying users. As a result, we have seen hits against our O365 domain drop by over 10K per month. We still have some internal app service accounts communicating using these protocols and are working with the vendors to modify them. In the interim we have ensured they have very complex, lengthy, and rotating passwords.

John Jennings, CISSP
Vice President/Acting CIO
10455 Pomerado Road, M-13
San Diego, CA 92131
Direct: (720)480-5913
Email: jjennings () alliant edu

------------------------------

Date: Thu, 21 Mar 2019 16:38:11 -0400
From: Emily Harris <emharris () VASSAR EDU>
Subject: Re: Turning off IMAP

It definitely surfaces the fact that we have too many Sub OUs in the first place.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
------------------------------

End of SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)
**************************************************************
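Several replies in the digest describe the same cut-over procedure: watch which accounts actually authenticate over IMAP, POP3 or SMTP AUTH for a couple of weeks, notify those users, keep a short exception list (vendor service accounts, a handful of long-time IMAP users), and then disable the protocols for everyone else. The script below is an added example of that inventory step; it is not code from the thread, from Google or from Microsoft. It runs over constructed JSON-lines sign-in records embedded in the file; the record layout (`ts`, `user`, `protocol`, `result`, `ip`), the user names, the monitoring window and the exception list are all assumptions, and the protocol labels merely follow the style of Microsoft's sign-in log `clientAppUsed` values. It also flags a legacy-protocol success that closely follows failed attempts from other addresses, which is the pattern behind the compromised-accounts-sending-spam reports above: a guessed or keylogged password used on a protocol where SSO and MFA never apply.

```python
"""Inventory legacy mail-protocol sign-ins before turning the protocols off.

Added example, not code from the thread or from any vendor. The record layout
is an assumption constructed for this example, not a real log schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import json

# Protocols that take a bare username/password and so bypass SSO/MFA.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample sign-in records (JSON lines); not real log data.
SAMPLE_LOG = """
{"ts": "2019-03-04T08:12:00Z", "user": "alice@example.edu", "protocol": "Browser", "result": "success", "ip": "203.0.113.10"}
{"ts": "2019-03-04T08:15:00Z", "user": "bob@example.edu", "protocol": "IMAP4", "result": "success", "ip": "198.51.100.7"}
{"ts": "2019-03-05T22:40:00Z", "user": "bob@example.edu", "protocol": "IMAP4", "result": "success", "ip": "198.51.100.7"}
{"ts": "2019-03-06T01:02:00Z", "user": "carol@example.edu", "protocol": "POP3", "result": "failure", "ip": "192.0.2.44"}
{"ts": "2019-03-06T01:02:30Z", "user": "carol@example.edu", "protocol": "POP3", "result": "failure", "ip": "192.0.2.45"}
{"ts": "2019-03-06T01:03:00Z", "user": "carol@example.edu", "protocol": "POP3", "result": "success", "ip": "192.0.2.46"}
{"ts": "2019-03-07T09:00:00Z", "user": "svc-ticketing@example.edu", "protocol": "Authenticated SMTP", "result": "success", "ip": "10.0.5.20"}
{"ts": "2019-03-08T09:00:00Z", "user": "svc-ticketing@example.edu", "protocol": "Authenticated SMTP", "result": "success", "ip": "10.0.5.20"}
{"ts": "2019-03-09T14:30:00Z", "user": "dave@example.edu", "protocol": "Mobile Apps and Desktop clients", "result": "success", "ip": "203.0.113.55"}
{"ts": "2019-01-20T14:30:00Z", "user": "erin@example.edu", "protocol": "IMAP4", "result": "success", "ip": "203.0.113.99"}
"""

# Assumed monitoring window (two weeks, UTC), user population and exception list.
WINDOW_START = datetime(2019, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 3, 15, tzinfo=timezone.utc)
ALL_USERS = {"alice@example.edu", "bob@example.edu", "carol@example.edu",
             "dave@example.edu", "erin@example.edu", "svc-ticketing@example.edu"}
EXCEPTIONS = {"svc-ticketing@example.edu"}  # vendor system that cannot do OAuth yet


@dataclass
class LegacyUse:
    protocols: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    successes: int = 0
    failures: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    suspicious: bool = False  # success soon after failures from other IPs


def parse_records(text: str) -> List[dict]:
    """Parse JSON-lines records, convert ts to aware datetimes, sort by time."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def legacy_usage(records, start, end, spray_window=timedelta(minutes=10)) -> Dict[str, LegacyUse]:
    """Per-user summary of legacy-protocol sign-ins inside [start, end]."""
    usage: Dict[str, LegacyUse] = defaultdict(LegacyUse)
    failed: Dict[str, list] = defaultdict(list)  # user -> [(ts, ip)] of failures
    for rec in records:  # time-ordered, so earlier failures are seen first
        if rec["protocol"] not in LEGACY_PROTOCOLS or not (start <= rec["ts"] <= end):
            continue
        u, ts = usage[rec["user"]], rec["ts"]
        u.protocols.add(rec["protocol"])
        u.ips.add(rec["ip"])
        u.first_seen = ts if u.first_seen is None else min(u.first_seen, ts)
        u.last_seen = ts if u.last_seen is None else max(u.last_seen, ts)
        if rec["result"] == "success":
            u.successes += 1
            # Bare-password success right after failures from other addresses:
            # mark the account for review before deciding what to do with it.
            if any(ts - fts <= spray_window and fip != rec["ip"]
                   for fts, fip in failed[rec["user"]]):
                u.suspicious = True
        else:
            u.failures += 1
            failed[rec["user"]].append((ts, rec["ip"]))
    return dict(usage)


def plan_disable(usage, all_users, exceptions) -> Dict[str, List[str]]:
    """Bucket every account for the cut-over; each bucket is sorted by name."""
    plan = {"disable_now": [], "notify": [], "keep_exception": [], "review": []}
    for user in sorted(all_users):
        use = usage.get(user)
        if use is None or use.successes == 0:
            plan["disable_now"].append(user)   # no successful legacy use in window
        elif use.suspicious:
            plan["review"].append(user)        # investigate before deciding
        elif user in exceptions:
            plan["keep_exception"].append(user)
        else:
            plan["notify"].append(user)        # warn now, disable on cut-over day
    return plan


def run_sample() -> Dict[str, List[str]]:
    usage = legacy_usage(parse_records(SAMPLE_LOG), WINDOW_START, WINDOW_END)
    return plan_disable(usage, ALL_USERS, EXCEPTIONS)


if __name__ == "__main__":
    for bucket, users in run_sample().items():
        print(f"{bucket:15s} {', '.join(users) or '-'}")
```

Run as a script it prints the four buckets. In a real cut-over `SAMPLE_LOG` would be an export of the tenant's sign-in logs for the monitoring window, the `notify` bucket is the list to email before the date, and the `disable_now` bucket can be switched off immediately since nobody there will notice; records outside the window (erin in the sample) are deliberately ignored so that stale usage does not hold the rollout back.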
Current thread:
- Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) Garmon, Joel (Mar 22)
- Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49) Tanner, Andrea (Mar 25)