When will an account be suspended
Any unauthorized access to an account that is observed by the system administrators will lead to the immediate suspension of the account, in order to prevent any future abuse through the compromised account.
How intruders obtain passwords
There are a number of possibilities:
- by responding to a phishing message
- by clicking on a link in a phishing or strange message
- by using a computer or smartphone/tablet that is infected by viruses and/or spyware
- by consulting e-mail in a non-secure way (note: webmail is secured)
- by logging on to a non-secured website (HTTP vs HTTPS)
- by uploading documents with FTP rather than with SFTP
- by using an unsecured wireless network
- by having another account with the same password hacked
- by communicating the password to a third party (friend, family member, ...)
It is essential to determine the cause of the intrusion, and fix it, to prevent any recurring incident of this type in the future. Each compromised account is a security risk, for the user but also for the university, as a third party can get unauthorized access to secured information or networks. It may also endanger internet access or access to internet services for all members of the university.
What users should do
when having responded to a phishing message
If the owner of a suspended account has responded to a phishing message, the cause of the intrusion is pretty clear. In that case, users have to read the 'Beware for phishing e-mails' webnote, which contains useful info about phishing and practical examples.
They should also look into the Phishing Alerts webnote, which contains the most recent phishing alerts, and let the ICT-Helpdesk know which one they responded to.
when *not* having responded to a phishing message
In that case users will have to take the following actions:
- make sure that their Windows and Android systems have up-to-date antivirus and antimalware software installed and active, and check their computers and other equipment for the existence of both. See the Links at the bottom for additional information.
Malwarebytes is a dedicated antimalware software that is available for Windows and Android systems.
Users with a Mac or iPhone or iPad should be reasonably safe from viruses, unless they are running Windows on their system.
- make sure that their mail program, except when they only use webmail, is configured in a secure way, that is, with SSL activated for the incoming mail server. See the Links at the bottom for additional information.
Users may also have used a computer or device belonging to another person, or a public computer on which viruses and malware were active. They should inform the owner of it, especially if they plan to use the same computer again in the future.
Users should be extremely careful when using unknown wireless networks, as unsecured communication may lead to the compromise of an account.
Choosing a new password
Users whose account was compromised must choose a new password for their account.
1. they must choose a completely new password, not just change a letter or digit or special character
2. they cannot ever again set their password to the old one, not even in 1 or 5 or 50 years, as it is forever compromised
3. they should also choose a new password for any other service on the internet for which they use the same password, and preferably choose a different password for each service.
How to have an account unsuspended
Users who have taken the necessary steps to secure their access can call or send an e-mail to the ICT-Helpdesk (email@example.com or firstname.lastname@example.org) to request the release of their account.
When sending an e-mail, they must indicate which steps they have taken to secure their access, indicate which phishing message they responded to if they did so, and report any suspicious findings on their computers and devices. They have to confirm explicitly that they have taken all the necessary steps to prevent their account from being compromised again in the future, and they will also have to confirm explicitly that they will choose a completely new password and never set the old password on their account again.
The Helpdesk Team will then release the account and allow the owner to choose a new password through PAM's Lost Password procedure. Make sure to respect the instructions given in Choosing a new password.
A final note
A lot of the abused accounts are accessed in Webmail. Users should examine their Identity settings in Webmail, as the intruders frequently change the name and e-mail address of the account. They should also check that their signature does not contain any advertising.