
Message from advax@triumf.ca

In the last few months on two occasions we've had a user's email credentials compromised and used to send spam via SMTP. We have a Postfix mail relay where users can authenticate via SASL to send mail from offsite, and this was what was used. There was no obvious trace of a dictionary attack; it seems the attackers knew a password somehow and then proceeded to use it from a couple of hundred different client addresses around the world (which themselves appear to be SMTP servers, rather than home PCs).

Both the users in question deny "risky network behaviour" and are fairly clueful - would not fall for phishing, do not frequent cybercafes etc. Their passwords (now changed of course) were robust enough not to fall to a few hours of "John the Ripper" so I doubt they were trivially guessed.

I wondered if anyone else had seen this kind of abuse. Right now it's not a serious problem, but of course if we've got unexplained compromises I want to understand. I'll probably write some kind of filter to flag/block excessive offsite logins, or impossibly short travel times like the credit card companies do.

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
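The filter Andrew sketches at the end (flag excessive offsite logins and impossibly short travel times between them) can be prototyped over Postfix smtpd log lines like this. This is an added example, not code from the thread or from TRIUMF; the line layout follows Postfix's `client=host[ip] ... sasl_username=` logging, the GeoIP table and the log sample are constructed stand-ins, and the 1000 km/h threshold is an assumption.

```python
import re
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
# Postfix smtpd logs each authenticated session with client=host[ip] and sasl_username=.
SASL_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
                     r"client=\S*\[(?P<ip>[\d.]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)")

# Constructed stand-in for a GeoIP lookup: client IP -> (lat, lon), documentation-range IPs.
GEO = {"192.0.2.10": (49.25, -123.10),    # Vancouver
       "198.51.100.7": (51.51, -0.13),    # London
       "203.0.113.9": (-33.87, 151.21)}   # Sydney

# Constructed sample log: alice "travels" Vancouver -> London -> Sydney within about an hour.
SAMPLE_LOG = """\
Oct 10 09:00:01 relay postfix/smtpd[4101]: 8A1C2F: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Oct 10 09:20:45 relay postfix/smtpd[4102]: 8A1D30: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Oct 10 10:05:12 relay postfix/smtpd[4103]: 8A1E41: client=unknown[203.0.113.9], sasl_method=PLAIN, sasl_username=alice
Oct 10 11:00:00 relay postfix/smtpd[4104]: 8A1F52: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=bob
""".splitlines()

def haversine_km(a, b):
    # Great-circle distance in km between two (lat, lon) points.
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def parse_logins(lines, year=2012):
    """Yield (user, ip, timestamp); syslog lines carry no year, so it is supplied."""
    for line in lines:
        m = SASL_RE.match(line)
        if m:
            yield m["user"], m["ip"], datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")

def clients_per_user(lines):
    """Distinct client IPs per user: the 'excessive offsite logins' signal."""
    seen = {}
    for user, ip, _ in parse_logins(lines):
        seen.setdefault(user, set()).add(ip)
    return {u: len(ips) for u, ips in seen.items()}

def flag_impossible_travel(lines, max_kmh=1000.0):
    """Return (user, prev_ip, new_ip, km/h) when consecutive logins imply faster-than-airliner travel."""
    last, alerts = {}, []
    for user, ip, ts in parse_logins(lines):
        prev = last.get(user)
        if prev and prev[0] != ip and prev[0] in GEO and ip in GEO:
            hours = max((ts - prev[1]).total_seconds() / 3600, 1 / 3600)  # floor at one second
            speed = haversine_km(GEO[prev[0]], GEO[ip]) / hours
            if speed > max_kmh:
                alerts.append((user, prev[0], ip, round(speed)))
        last[user] = (ip, ts)
    return alerts
```

Against real logs, replace GEO with a GeoIP lookup and feed the smtpd log through `parse_logins`; a user whose distinct-client count climbs into the hundreds, as in the incident above, will stand out even before the travel check fires.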

Comments

I'm sure you've already checked this but did the user re-use the password on another site that was compromised (LinkedIn perhaps)?

Derek Tonkin
Did changing their passwords stop the spam? If not, did the spammer change accounts or was he able to keep using the ones you'd already identified? Did you ask the users if they used the same password for any other accounts? Did you double-check to make sure that the Postfix server is set up correctly and that it's not actually an open relay?

Steven Alexander Jr.
Online Education Systems Manager
Merced College
On 10/10/2012 03:03 PM, Andrew Daviel wrote:
> Both the users in question deny "risky network behaviour" and are fairly clueful - would not fall for phishing, do not frequent cybercafes etc. Their passwords (now changed of course) were robust enough not to fall to a few hours of "John the Ripper" so I doubt they were trivially guessed.

They may have had outdated software on a system they used (like Flash, Java, Adobe Reader) that was leveraged by a web site to gain control of the system, install a keylogger, and had their password(s) captured. This doesn't necessarily need "risky network behavior" to happen - it could be an ad server that has been compromised and is distributing attack code with the ads it is serving, or something along those lines.

-- 
Mike Iglesias                          Email: iglesias@uci.edu
University of California, Irvine       phone: 949-824-6926
Office of Information Technology       FAX:   949-824-2270
Message from valdis.kletnieks@vt.edu

On Wed, 10 Oct 2012 16:23:24 -0700, Mike Iglesias said:
> They may have had outdated software on a system they used (like Flash, Java, Adobe Reader) that was leveraged by a web site to gain control of the system, install a keylogger, and had their password(s) captured. This doesn't necessarily need "risky network behavior" to happen - it could be an ad server that has been compromised and is distributing attack code with the ads it is serving, or something along those lines.

A useful Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/ipvfox/

Running that and NoScript, and you will be *astounded* at how many different sites and domains you're downloading from to get a web page displayed (I think at one point I caught www.cnn.com sourcing Javascript from well over a dozen servers, and content from 2 dozen). And compromise of *any* of them can lead to a drive-by fruiting.