Educause Security Discussion mailing list archives

Re: SECURITY Digest - 22 Mar 2019 to 25 Mar 2019 (#2019-51)


From: "Garmon, Joel" <JSG () PITT EDU>
Date: Tue, 26 Mar 2019 11:40:08 +0000

Password manager.

We use LastPass.  Functionality is good and the pricing was through Internet 2 which was really good.

Thank you,

Joel Garmon
Chief Information Security Officer
Computer Services and Systems Development (CSSD)
University of Pittsburgh
412-624-5595



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SECURITY 
automatic digest system
Sent: Tuesday, March 26, 2019 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 22 Mar 2019 to 25 Mar 2019 (#2019-51)

There are 6 messages totalling 6525 lines in this issue.

Topics of the day:

  1. Password managers (5)
  2. SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

----------------------------------------------------------------------

Date:    Mon, 25 Mar 2019 05:09:59 +0000
From:    Patrick McElhinney <patrick.mcelhinney () NEWCASTLE EDU AU>
Subject: Password managers

Hi All,

We’re starting to do some exploratory work to see what end-user password managers are working well across the sector, 
and can work with our use cases with professional staff, students and research communities.  Some of the solutions 
we’ve identified through Google searches include:

  *   LastPass
  *   Dashlane
  *   Password State
  *   Stashword
  *   Bit Warden
  *   Zoho
  *   StickyPassword
  *   RoboForm

We’re looking to hopefully integrate with Okta for SSO (SAML), and provide some kind of ability to on-board users if 
they already use a password safe, and off-board users gracefully when they cease being a student or member of staff, 
i.e. let them take their own secrets with them when they leave, and for us to hold on to University secrets.

The solution also needs to be cost-effective.

Has anyone got any suggestions on what’s worked for them, and any other options not listed above that we should 
consider?

Many Thanks,  Patrick

PATRICK McELHINNEY | Senior Security Specialist
IT Services - Resources Division

Tel:         +61 2 498 54156
Mobile:   +61 437 680 105
Email:    patrick.mcelhinney () newcastle edu au

The University of Newcastle (UON)
University Drive, Callaghan NSW 2308 Australia




Ranked in the top 1% of universities in the world by
QS World University Rankings 2017/18

CRICOS Provider 00109J


------------------------------

Date:    Mon, 25 Mar 2019 12:20:55 +0000
From:    "Madl, Michael" <michael.madl () INDWES EDU>
Subject: Re: Password managers

Hi Patrick

We are using Keeper Security.  Functionality is fine and price was right.

Thanks

Mike


MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY


DO NOT provide your username, password, or any personal information requested by any email.
IWU WILL NEVER ask you for your username or password via email.
DO NOT CLICK links or attachments unless you are positive the content is safe.

CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information.  If 
you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this 
information. If you have received this email in error, please notify the sender by replying to this message and 
immediately delete this message.





------------------------------

Date:    Mon, 25 Mar 2019 12:25:54 +0000
From:    Jeff Borton <jborton () SCHOOLCRAFT EDU>
Subject: Re: Password managers

We are using LastPass, not a lot of adoption, and we have had issues with the Sharing, other than that it is working 
good for those who use it.



------------------------------

Date:    Mon, 25 Mar 2019 13:51:14 +0000
From:    "Barton, Robert W." <bartonrt () LEWISU EDU>
Subject: Re: Password managers

Morning,

We’ve been using Password Safe by Bruce Schneier (https://pwsafe.org) for individuals.  It is open source, last 
updated in December, and has hooks for 2FA.

We are looking at Password State for the enterprise level.

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL  60446-2200
815-836-5663




This message (including any attachments) is intended only for
the use of the individual or entity to which it is addressed and
may contain information that is non-public, proprietary,
privileged, confidential, and exempt from disclosure under
applicable law or may constitute as attorney work product.
If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this
communication in error, notify us immediately by telephone at (815)-836-5950 and
(i) destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication.

Thank you.

------------------------------

Date:    Mon, 25 Mar 2019 07:21:57 -0700
From:    Francisco Chavez <fac3 () STMARYS-CA EDU>
Subject: Re: Password managers

Patrick,

We are also using Keeper Security. The functionality fits our needs and with our configuration gives us an 
on-prem solution with SSO.

Regards,
- Francisco Chavez

----------------------------------------------------------------------------------- 
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu



------------------------------

Date:    Mon, 25 Mar 2019 17:01:00 +0000
From:    "Tanner, Andrea" <atanner3 () CCBCMD EDU>
Subject: Re: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

Hi everyone,



We are talking about doing this at the Community College of Baltimore County as well.  I am curious, did you get a lot 
of user complaints and flood of calls to the Help Desk?  I’d be curious to know your process, such as did you give 
people time to migrate to the Outlook Apps on phones and computers?  What sort of messages and migration documents did 
you create about this change, if you are willing to share those materials?  Did you start with one protocol at a time 
or did you turn them all off at the same time?  I assume POP, IMAP, and SMTP?



My email is below if you don’t want to clutter the list.  Thank you!


Andrea
Pronouns: She/Her/Hers

Andrea Tanner, M.S. | Senior Director, Technology Support | Community College of Baltimore County
Phone: 443-840-4155  | Catonsville Campus CLLB 104B       | atanner3 () ccbcmd edu
CCBC. The incredible value of education.



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Garmon, Joel
Sent: Friday, March 22, 2019 9:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)








Hi,

We use Exchange and turned off the legacy email protocols.  We have seen a dramatic drop in compromised accounts 
sending out spam.

Thank you,

Joel Garmon
Chief Information Security Officer
Computer Services and Systems Development (CSSD)
University of Pittsburgh
412-624-5595







-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of SECURITY 
automatic digest system
Sent: Friday, March 22, 2019 12:00 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

There are 11 messages totalling 2409 lines in this issue.

Topics of the day:

  1. Turning off IMAP (11)



----------------------------------------------------------------------



Date:    Thu, 21 Mar 2019 14:09:01 -0400
From:    Emily Harris <emharris () VASSAR EDU>
Subject: Turning off IMAP

I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.  We are looking to do this 
by the beginning of May and we are wondering if those-who-have-gone-before-us have any words of advice or caution.

Ideally, we'd like to turn it off domain-wide and then allow it for certain users - is that even possible for Google?  
We just started looking at those options and how to manage our exceptional cases (of which we know of a few).  TIA!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221



------------------------------



Date:    Thu, 21 Mar 2019 14:51:46 -0400
From:    Valdis Klētnieks <valdis.kletnieks () VT EDU>
Subject: Re: Turning off IMAP

On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:
I am wondering if anyone on this list has turned off IMAP and POP3 for their Google domains.

Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the 
mail locally on the user's computer?



------------------------------



Date:    Thu, 21 Mar 2019 14:59:46 -0400
From:    Emily Harris <emharris () VASSAR EDU>
Subject: Re: Turning off IMAP

YES.

We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows a criminal with a credential to get into 
someone's email and use the Google SMTP server to send spam.  This has happened (to our knowledge) twice.  The users 
never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password 
reuse issue; it was likely a random malware / key logging event on a public machine or during travel.  Since we are on 
SSO, Google 2FA is bypassed.  We did figure out a (convoluted) way to make that part of the equation, but from a user 
perspective I think it is harder to explain rather than just turning it off.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221










------------------------------



Date:    Thu, 21 Mar 2019 15:05:49 -0400
From:    Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Subject: Re: Turning off IMAP

On Thu, 21 Mar 2019 at 14:51, Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:

Out of curiosity, what problem are you trying to solve by doing this?
Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the 
mail locally on the user's computer?

The biggies for us are that so few clients do proper MFA and application-specific passwords are essentially $DEITY_MODE.

By "so few clients" I mean "I really love mutt but it isn't Duo-friendly".

We don't turn them off but I advocate it regularly, even if it's meant I had to leave my beloved mutt.

kmw



------------------------------



Date:    Thu, 21 Mar 2019 15:08:46 -0400
From:    Gael Frouin <gfrouin () BERKLEE EDU>
Subject: Re: Turning off IMAP

I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to 
use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the use of email 
clients (see https://support.google.com/a/answer/6260879?hl=en for Less secure apps management)

Gaël Frouin
*Information Security Officer*
*Berklee*










------------------------------



Date:    Thu, 21 Mar 2019 16:02:47 -0400
From:    Emily Harris <emharris () VASSAR EDU>
Subject: Re: Turning off IMAP

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less 
secure apps, but are still waffling on the exceptions, which we believe will surface.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221












------------------------------



Date:    Thu, 21 Mar 2019 20:16:43 +0000
From:    "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Subject: Re: Turning off IMAP

+1



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Emily Harris

Sent: Thursday, March 21, 2019 3:03 PM

To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>

Subject: Re: [SECURITY] Turning off IMAP





**** EXTERNAL EMAIL ****

We've rolled it around here at Vassar over the last few hours - agreed that it would be preferred to disable less 
secure apps, but are still waffling on the exceptions, which we believe will surface.



----

Emily Harris, CISSP

Information Security Officer, CIS

Vassar College

845-437-7221





On Thu, Mar 21, 2019 at 3:09 PM Gael Frouin <gfrouin () berklee edu<mailto:gfrouin () berklee edu<mailto:gfrouin () 
berklee edu%3cmailto:gfrouin () berklee edu>>> wrote:

I believe that the right setting then would be to disable "less secure apps" for your users. This will force users to 
use OAuth or SAML in your case. It will prevent plain text login/password while still allowing the use of email 
clients (see https://support.google.com/a/answer/6260879?hl=en for Less secure apps management)



Gaël Frouin

Information Security Officer

Berklee



On Thu, Mar 21, 2019 at 3:01 PM Emily Harris <emharris () vassar edu> wrote:

YES.



We use SSO - SAML and protected via MFA.  Leaving IMAP and POP3 open allows a criminal with a credential to get into 
someone's email and use the Google SMTP server to send spam.  This has happened (to our knowledge) twice.  The users 
never replied to phishing, had changed their password within the last 12 months (so it was not an old hack / password 
reuse issue); it was likely a random malware / key logging event on a public machine or during travel.  Since we are on 
SSO, Google 2FA is bypassed.  We did figure out a (convoluted) way to make that part of the equation, but from a user 
perspective I think it is harder to explain rather than just turning it off.







----

Emily Harris, CISSP

Information Security Officer, CIS

Vassar College

845-437-7221





On Thu, Mar 21, 2019 at 2:51 PM Valdis Klētnieks <valdis.kletnieks () vt edu> wrote:

On Thu, 21 Mar 2019 14:09:01 -0400, Emily Harris said:

I am wondering if anyone on this list has turned off IMAP and POP3 for

their Google domains.



Out of curiosity, what problem are you trying to solve by doing this?

Is there a reason to force "Thou Shalt Use The Web Interface" and prohibit the use of mail software that processes the 
mail locally on the user's computer?



------------------------------



Date:    Thu, 21 Mar 2019 16:18:39 -0400

From:    Gael Frouin <gfrouin () BERKLEE EDU>

Subject: Re: Turning off IMAP



You can create one or multiple sub OUs in Google and change the setting just for that OU while inheriting the others 
from the parent OU, e.g.:

staff
- STALessSecure

Student
- STULessSecure

Etc.

There will definitely be exceptions (e.g. generic accounts used in various random systems not supporting OAuth2 for 
authentication).










------------------------------



Date:    Thu, 21 Mar 2019 20:22:10 +0000

From:    "Telfer, Will" <Will_Telfer () BAYLOR EDU>

Subject: Re: Turning off IMAP



With the caveat that we are not a Google campus as we use MS/Office 365, we disabled IMAP access to email for all but a 
handful of faculty/staff that had been using it for years…with the understanding that if their accounts were ever 
compromised via phishing, etc. that there would be no discussion & it would be disabled permanently after that (this 
was communicated to all users who remained on IMAP). Our reasoning was that IMAP allowed accounts that were compromised 
to continue sending phishing/junk without enforcing our 2-factor authentication via Duo. Once we disabled it, our 
compromised accounts went from hundreds per week (at the peak times) to zero (to be fair the 2-factor enforcement on 
Office 365 was the bigger factor in this quick decrease).



Thank You,

Will Telfer, M.S.

Information Security Analyst

Information Technology Services


Twitter: @BearAware

Facebook: www.facebook.com/BearAware



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B

Sent: Thursday, March 21, 2019 3:17 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] Turning off IMAP



+1






------------------------------



Date:    Thu, 21 Mar 2019 20:25:48 +0000

From:    John Jennings <jjennings () ALLIANT EDU>

Subject: Re: Turning off IMAP



We blocked IMAP/POP/SMTP at the edge after monitoring usage for a couple of weeks and notifying users. As a result, we 
have seen hits against our O365 domain drop by over 10K per month.



We still have some internal app service accounts communicating using these protocols and are working with the vendors 
to modify them. In the interim we have ensured they have very complex, lengthy, and rotating passwords.





John Jennings, CISSP

Vice President/Acting CIO

10455 Pomerado Road, M-13

San Diego, CA 92131

Direct: (720)480-5913

Email: jjennings () alliant edu










From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jones, Mark B

Sent: Thursday, March 21, 2019 2:17 PM

To: SECURITY () LISTSERV EDUCAUSE EDU

Subject: Re: [SECURITY] Turning off IMAP



+1



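The pre-cutover step John Jennings describes above (monitor legacy-protocol usage for a couple of weeks, notify users, leave service accounts as temporary exceptions) can be scripted. The following is an added example, not part of the original thread; the CSV log layout, the account names and the `service_accounts` parameter are constructed for illustration and do not reflect any provider's export format.

```python
"""Audit successful IMAP/POP3/SMTP logins before disabling legacy protocols.

The log layout is constructed for this example; map your provider's sign-in
export onto these five columns before using it.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

LEGACY = {"imap", "pop3", "smtp"}  # password-only protocols that skip the SSO/MFA step

# Constructed sample: timestamp, account, protocol, result, source IP (documentation ranges)
SAMPLE_LOG = """\
2019-03-04T08:01:12,alice@example.edu,imap,success,192.0.2.10
2019-03-04T08:05:40,alice@example.edu,web,success,192.0.2.10
2019-03-05T02:14:09,bob@example.edu,smtp,success,203.0.113.77
2019-03-05T02:14:30,bob@example.edu,smtp,success,198.51.100.23
2019-03-06T11:00:00,scanner-svc@example.edu,smtp,success,192.0.2.50
2019-03-07T11:00:00,scanner-svc@example.edu,smtp,success,192.0.2.50
2019-03-07T13:30:00,carol@example.edu,pop3,failure,203.0.113.5
2019-03-08T09:00:00,dave@example.edu,web,success,192.0.2.11
"""

def audit(log_text, service_accounts=frozenset()):
    """Return {account: summary} for every account with a successful legacy login."""
    usage = defaultdict(lambda: {"protocols": set(), "ips": set(), "logins": 0, "last": None})
    for ts, acct, proto, result, ip in csv.reader(io.StringIO(log_text)):
        if proto.lower() not in LEGACY or result != "success":
            continue  # web logins and failed attempts do not create an exception need
        u = usage[acct]
        u["protocols"].add(proto.lower())
        u["ips"].add(ip)
        u["logins"] += 1
        when = datetime.fromisoformat(ts)
        u["last"] = when if u["last"] is None else max(u["last"], when)
    for acct, u in usage.items():
        u["kind"] = "service" if acct in service_accounts else "person"
    return dict(usage)

def plan(usage):
    """Bucket accounts: people to notify, service accounts to keep as temporary
    exceptions (e.g. in a less-secure sub-OU), and accounts to review first."""
    notify = sorted(a for a, u in usage.items() if u["kind"] == "person")
    exceptions = sorted(a for a, u in usage.items() if u["kind"] == "service")
    # Assumption for this example: a person authenticating to SMTP from more
    # than one address is checked for compromise before the notice goes out.
    review = sorted(a for a, u in usage.items()
                    if u["kind"] == "person" and "smtp" in u["protocols"] and len(u["ips"]) > 1)
    return {"notify": notify, "exceptions": exceptions, "review": review}

if __name__ == "__main__":
    result = plan(audit(SAMPLE_LOG, service_accounts={"scanner-svc@example.edu"}))
    for bucket, accounts in result.items():
        print(f"{bucket}: {', '.join(accounts) or '-'}")
```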



------------------------------



Date:    Thu, 21 Mar 2019 16:38:11 -0400

From:    Emily Harris <emharris () VASSAR EDU>

Subject: Re: Turning off IMAP



It definitely surfaces the fact that we have too many Sub OUs in the first place.



----

Emily Harris, CISSP

Information Security Officer, CIS

Vassar College

845-437-7221












------------------------------



End of SECURITY Digest - 20 Mar 2019 to 21 Mar 2019 (#2019-49)

**************************************************************

------------------------------

End of SECURITY Digest - 22 Mar 2019 to 25 Mar 2019 (#2019-51)
**************************************************************
