Login from unusual locations messages

From CT Wiki
Jump to: navigation, search


Contents

Login of Your Name (login name) to Nikhef from an unusual location: Country

What is this about?

A major problem in IT security is compromised user accounts. This happens through phishing, customer database breaches at large companies, spreading incidents in collaborating infrastructures, etc.

Unless attackers execute actions that trigger alarms (ex. bulk spam mail), it is difficult to detect that an account has been compromised.

To address this problem CERN, Google, Apple and others have implemented tools that helps their users detect potentially malicious logins to their acconts.

Nikhef provides this functionality through the: Login from unusual location warning system.

How it works

When you connect to Nikhef services over the internet, the warning system checks if the remote IP address used to sign in to Nikhef is from a known/trusted pool of IP addresses.

If the remote IP address/user account combination is unknown to the system, it sends a mail to the user, with the time and place (geo location remote IP) of the sign-in. If you do not recognize the time/remote IP geolocation you are then asked to contact Nikhef-Helpdesk.

If you do not react, the system will automatically add domain of the IP address stated in the warning message to the trusted pool.

At the beginning you will receive a few mails from the warning system, in particular if you are using Nikhef mail on your mobile devices (phones, tablets, etc). The mails will get less once the usual domains are added to the trusted pool for you.

Examples

  • You are working behind your desk at Nikhef and receive a warning mail that your account was used from Bangkok to read email. Since you are not in Thailand at that moment, apparently someone else has logged in with your credentials. You should report this as soon as possible to the CT Helpdesk or security@nikhef.nl. Please forward the warning email that you received because the information in the mail headers is important.
  • You are traveling to a hotel in Rome. In the train between the airport and the hotel you are reading email via your smartphone. You may receive an email that your account was used to connect from an Italian mobile network operator. This is correct and you don't need to take any action. After arriving in the hotel you connect to the Wifi and read email again. You will receive another warning message because this hotel is a new location. Again, you don't need to take action. The next day you connect again via the hotel Wifi to read your email. This time you will not receive a warning message because the hotel's Wifi network has been registered as known origin.

These warning mails have the following content:

[English follows Dutch]

Geachte Erika Mustermann,

U, of iemand die zich als u voordeed, heeft ingelogged vanaf onderstaande
locatie. U ontvangt deze waarschuwing omdat het de eerste keer is dat u vanaf
deze plek inlogde. Wilt u controleren of u het inderdaad zelf was die 
hiervandaan inlogde? En zo niet, ons - de Nikhef helpdesk op telefoonnr 2200,
zie onder - onmiddellijk waarschuwen?

  Eerste verbinding op: Aug 31 12:55:21
  Verbinding vanaf:     SURFsara Science Park Watergraafsmeer (WTCW)
                        Amsterdam, Netherlands
                        145.100.47.173 (unknown, no name given!)
  Gebruikte dienst:     Email reading (with an IMAP client)

Is de verbinding inderdaad door u gemaakt?

- als dat NIET ZO IS:
  dan is er op uw account <login_name>@nikhef.nl waarschijnlijk ingebroken.
  Neem direct contact op met de Nikhef helpdesk, op telefoonnummer 
  020 592 2200, of stuur een mail naar security .at. nikhef.nl

- was u dit WEL:
  u kunt deze mail negeren. U krijgt dan geen verdere meldingen 
  van ons over onze diensten die u vanaf deze locatie gebruikt.

Heeft u nog vragen of opmerkingen, stuur die dan naar security .at. nikhef.nl

Bij voorbaat dank!
  Nikhef helpdesk en de computer security groep.
  https://www.nikhef.nl/security/

------------------------------------------------- QfU0FUoA4p on gallego ----

Dear Erika Mustermann:

We have noticed that you, or someone pretending to be you, logged in
from the location detailed below. You receive this warning as it's the
first time we've seen you login from there. Please check if it was
indeed you. If it was not you, contact us immediately (call or mail
to the address below).

  First connection:  Aug 31 12:55:21
  Connection from:   SURFsara Science Park Watergraafsmeer (WTCW)
                     Amsterdam, Netherlands
                     145.100.47.173 (unknown, no name given!)
  Connection to:     Email reading (with an IMAP client)

Please CHECK that this connection was really made by you:

- If NOT: 
  Your account <login_name>@nikhef.nl has most probably been broken into.
  Immediately contact the Nikhef helpdesk at phone number 
  +31 20 592 2200, or mail to security .at. nikhef.nl

- If YES:
  then please ignore this e-mail. You will not get another
  e-mail notification for any of your sessions from the domains listed
  above (also not for other services you access from there).

If you have any questions or comments please contact us at security .at. nikhef.nl

Thank you for your collaboration,
  Nikhef helpdesk and security team.
  https://www.nikhef.nl/security/



Background

Most of the connections to compromised Nikhef accounts came from geolocations the affected user had no relation to and would have been recognized by the user to be suspicious. Therefore, with this tool you can improve the security of your Nikhef account, please use it and check the important bits of the warning messages (First Connection / From / Service).

This has been proven to be a very effective method to detect compromised accounts by our colleagues at CERN.

FAQ

I received a warning email and I am not sure whether I connected from that location. What should I do?

In case of doubt, contact the Helpdesk or send an email to security@nikhef.nl

I don't like these emails. Can I unsubscribe from this service?

No, it is not possible to unsubscribe. Compromised accounts can be hard to detect, whereas their damage is quite expensive.

Why do I receive so many warning emails?

The system sends an email the first time you connect from that network. After a while, networks are registered as known (trusted) locations and you will receive fewer emails.

Everyday I read my email from my mobile phone using the 3G/4G network. Will I receive an email every day?

No, you may receive a warning the first day, but after that the network is a known location. However, this depends on the correct registration of the "owner" of the network (IP block). If a mobile provider uses various network blocks that are registered to different parties, you may get more than one email. Unfortunately, we cannot prevent that from happening.

During my visit to <location> I did not receive a warning email. How is that possible?

Either you have visited <location> before, or you connected from one of the white-listed networks for which no warnings are sent (such as certain mobile phone networks or frequently visited institutes).

Note for gmail users

If you use gmail to read your Nikhef emails, you may get warnings that you connected from the Unites States, although you are not there. This can only happen if you shared your Nikhef SSO password with Google (which is violation of our Acceptable Use Policy ....) to let Google retrieve emails from our mail server using your account.

Views
Personal tools