Login from unusual locations messages

From CT Wiki

DRAFT

Login of Your Name (login name) to Nikhef from an unusual location: Country

What is this about?

Compromised user accounts are a major problem in IT security. Credentials leak through phishing, database breaches at large service providers (and the password reuse that usually follows), incidents spreading across collaborating infrastructures, and so on.

Unless the attacker does something that trips an alarm (e.g. sending bulk spam), a compromised account is hard to detect: the logins themselves look like ordinary use.

To address this problem CERN, Google, Apple and others have implemented tools that help their users detect potentially malicious logins to their accounts.

Nikhef provides this functionality through the Login from unusual location warning system.

How it works

When you connect to Nikhef services over the internet, the warning system checks whether the remote IP address used for the sign-in belongs to the pool of addresses already known/trusted for your account.

If the remote IP/user account combination is unknown to the system, it sends you a mail with the time and place (geolocation of the remote IP) of the sign-in and the service that was accessed. If you do not recognize the time or location, you are asked to contact the Nikhef Helpdesk.

If you do not react, the system automatically white-lists, for your account, the network(s) stated in the warning message. It is the network (address range) that is registered, not the single IP address, so a different address within the same hotel or operator network does not trigger a new warning.

Initially you may receive several mails from the warning system, in particular if you read Nikhef mail on mobile devices (phones, tablets, etc.), since these change networks frequently. The noise diminishes once your usual networks have been white-listed for you.

Examples

  • You are working at your desk at Nikhef and receive a warning mail that your account was used from Bangkok to read email. Since you are not in Thailand at that moment, someone else has evidently logged in with your credentials. Report this as soon as possible to the CT Helpdesk or security@nikhef.nl, and do not simply ignore the mail: ignoring it registers the attacker's network as a known location for your account.
  • You are traveling to a hotel in Rome. On the train between the airport and the hotel you read email on your smartphone. You may receive an email that your account was used to connect from an Italian mobile network operator. This is expected and you do not need to take any action. After arriving at the hotel you connect to the Wifi and read email again. You will receive another warning message because the hotel is a new location. Again, no action is needed. The next day you connect via the hotel Wifi again to read your email. This time you will not receive a warning, because the hotel's Wifi network has been registered as a known origin for your account.
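The check described under "How it works" and walked through in the two scenarios above, as an added illustration in Python (this is not the Nikhef system's own code): a per-user first-seen-network monitor that warns once per new network, registers the network for that user unless the user reports a compromise, and never warns for a global white-list. The network granularity (/24 for IPv4, /48 for IPv6), the geolocation table, the white-list contents, the sample time and all addresses are constructed assumptions for the example; apart from the SURFsara address taken from the sample mail, the ranges are RFC 5737/RFC 3849 documentation addresses. A real deployment would consult a GeoIP database and reverse DNS instead of the inline table.

```python
"""Per-user 'first login from this network' warning, modelled on the page's description.

Added illustration, not the Nikhef system's code.  Geolocation table, global
white-list, address ranges, sample time and the /24 (IPv4) / /48 (IPv6)
network granularity are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed geolocation table (a real system would query GeoIP + reverse DNS).
# 145.100.47.173 / SURFsara come from the sample mail on this page; the other
# ranges are documentation addresses with made-up locations.
GEO_TABLE = [
    (ipaddress.ip_network("145.100.47.0/24"), "SURFsara Science Park Watergraafsmeer (WTCW)", "Amsterdam, Netherlands"),
    (ipaddress.ip_network("198.51.100.0/24"), "Example Italian mobile operator", "Italy"),
    (ipaddress.ip_network("192.0.2.0/24"), "Example hotel guest WiFi", "Rome, Italy"),
    (ipaddress.ip_network("203.0.113.0/24"), "Example ISP", "Bangkok, Thailand"),
    (ipaddress.ip_network("2001:db8:1::/48"), "Example partner institute", "Geneva, Switzerland"),
]

# Networks for which no warning is ever sent, for any user (the FAQ mentions
# certain mobile operators and frequently visited institutes).  Assumed contents.
GLOBAL_WHITELIST = [ipaddress.ip_network("2001:db8:1::/48")]

SAMPLE_SERVICE = "Email reading (with an IMAP client)"
SAMPLE_TIME = datetime(2023, 8, 31, 12, 55, 21)   # constructed timestamp


@dataclass
class LoginEvent:
    user: str        # login name
    ip: str          # remote address of the sign-in
    service: str     # e.g. "Email reading (with an IMAP client)"
    when: datetime


def event(user: str, ip: str, service: str = SAMPLE_SERVICE, when: datetime = SAMPLE_TIME) -> LoginEvent:
    """Convenience constructor for the scenarios below."""
    return LoginEvent(user, ip, service, when)


def network_of(ip: str):
    """Reduce an address to the 'location' the system remembers: its enclosing
    /24 (IPv4) or /48 (IPv6).  Assumed granularity; the page speaks of networks."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def geolocate(ip: str) -> Tuple[str, str]:
    """Look the address up in the constructed table; (site, place) or unknowns."""
    addr = ipaddress.ip_address(ip)
    for net, site, place in GEO_TABLE:
        if addr in net:
            return site, place
    return "unknown", "unknown"


@dataclass
class UnusualLoginMonitor:
    global_whitelist: list = field(default_factory=lambda: list(GLOBAL_WHITELIST))
    # user -> networks already seen for that user (and hence white-listed for them)
    known: Dict[str, set] = field(default_factory=dict)

    def process(self, ev: LoginEvent) -> Optional[str]:
        """Return the warning text to mail to the user, or None if no warning is due."""
        addr = ipaddress.ip_address(ev.ip)
        if any(addr in net for net in self.global_whitelist):
            return None                               # trusted for everyone
        net = network_of(ev.ip)
        seen = self.known.setdefault(ev.user, set())
        if net in seen:
            return None                               # known origin for this user
        # Per the page, the network is white-listed unless the user reacts, so it
        # is registered right away; report_compromise() undoes that on "NOT me".
        seen.add(net)
        site, place = geolocate(ev.ip)
        return (
            f"First connection:  {ev.when:%b %d %H:%M:%S}\n"
            f"Connection from:   {site}\n"
            f"                   {place}\n"
            f"                   {ev.ip}\n"
            f"Connection to:     {ev.service}"
        )

    def report_compromise(self, user: str, ip: str) -> None:
        """User answered 'it was NOT me': forget the network so the next login
        from it warns again (password reset etc. is the helpdesk's job)."""
        self.known.get(user, set()).discard(network_of(ip))


if __name__ == "__main__":
    # The Rome scenario: mobile operator (warn), hotel (warn), hotel again (silent).
    monitor = UnusualLoginMonitor()
    for ip in ("198.51.100.7", "192.0.2.10", "192.0.2.44"):
        warning = monitor.process(event("erika", ip))
        print(f"{ip}: {'WARN' if warning else 'ok'}")
        if warning:
            print(warning)
```

Because registration is keyed on the network rather than the exact address, the second day's login from another address in the hotel's range is silent, while another user from the same hotel is still warned; the white-list is per account.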

These warning mails have the following content:

[English follows Dutch; the Dutch part is given here in English translation]

Dear Erika Mustermann,

You, or someone posing as you, have logged in from the location below.
You receive this warning because it is the first time you have logged in
from this place. Would you please check whether it was indeed you who
logged in from here? And if not, notify us - the Nikhef helpdesk at
telephone number 2200, see below - immediately?

  First connection at: Aug 31 12:55:21
  Connection from:     SURFsara Science Park Watergraafsmeer (WTCW)
                       Amsterdam, Netherlands
                       145.100.47.173 (unknown, no name given!)
  Service used:        Email reading (with an IMAP client)

Was the connection indeed made by you?

- if NOT:
  then your account <login_name>@nikhef.nl has most probably been broken into.
  Contact the Nikhef helpdesk immediately, at telephone number
  020 592 2200, or send a mail to security .at. nikhef.nl

- if it WAS you:
  you can ignore this mail. You will then receive no further notifications
  from us about our services that you use from this location.

If you have any further questions or remarks, send them to security .at. nikhef.nl

Thank you in advance!
  Nikhef helpdesk and the computer security group.
  https://www.nikhef.nl/security/

------------------------------------------------- QfU0FUoA4p on gallego ----

Dear Erika Mustermann:

We have noticed that you, or someone pretending to be you, logged in
from the location detailed below. You receive this warning as it's the
first time we've seen you log in from there. Please check if it was
indeed you. If it was not you, contact us immediately (call or mail
to the address below).

  First connection:  Aug 31 12:55:21
  Connection from:   SURFsara Science Park Watergraafsmeer (WTCW)
                     Amsterdam, Netherlands
                     145.100.47.173 (unknown, no name given!)
  Connection to:     Email reading (with an IMAP client)

Please CHECK that this connection was really made by you:

- If NOT: 
  Your account <login_name>@nikhef.nl has most probably been broken into.
  Immediately contact the Nikhef helpdesk at phone number 
  +31 20 592 2200, or mail to security .at. nikhef.nl

- If YES:
  then please ignore this e-mail. You will not get another
  e-mail notification for any of your sessions from the domains listed
  above (also not for other services you access from there).

If you have any questions or comments please contact us at security .at. nikhef.nl

Thank you for your collaboration,
  Nikhef helpdesk and security team.
  https://www.nikhef.nl/security/

Background

In past incidents, most connections to compromised Nikhef accounts came from locations the affected user had no relation to at all, and the user would have recognized them immediately as suspicious. This tool therefore lets you improve the security of your own Nikhef account: please use it, read the warning messages, and check the important fields (First connection / Connection from / Connection to).

This has proven to be a very effective method to detect compromised accounts.

FAQ

I received a warning email and I am not sure whether I did connect from that location. What should I do?

When in doubt, contact the Helpdesk or send an email to security@nikhef.nl. A false alarm costs little, whereas ignoring the mail registers that location as known for your account.

I don't like these emails. Can I unsubscribe from this service?

No, it is not possible to unsubscribe. Compromised accounts are otherwise hard to detect, and the damage they cause is considerable.

Why do I receive so many warning emails?

The system sends an email the first time you connect from a given network. Over time, more of the networks you use are registered as known (trusted) locations for your account, and you will receive fewer emails.

During my visit to <location> I did not receive a warning email. How is that possible?

Either you have visited <location> before, or you connected from one of the globally white-listed networks for which no warnings are sent at all (such as certain mobile phone networks or frequently visited institutes).