BYU employs a network recorder from Solera (a Utah-based company), and they record about 3 days of all the traffic between campus and the world. It's a nice box, and we are looking to get one to put on our server network. They feed the traffic into Snort and are able to be apprised of an attack and even replay the entire attack from the recorded traffic. We recently used their box to look at some suspicious traffic from a computer in our area to see what it was trying to do.
As I talked with the security guy, he mentioned that when they get a phishing message like the one you got, they put a rule to rewrite the reply-to address so that it goes to them rather than the phisher. They can then inform the sender that they were phished without their sensitive information actually reaching the wrong hands. This is not something that they are constantly watching, as they record about 4 TB of network traffic a day. Usually if they get an alert they just tell us CSRs that there is a problem with the computer and don't give us the traffic. I had to specially request it from them in this case. The e-mail is different because they want to help educate the users. I'm grateful for their efforts to help secure our computing environment. Understanding what they are doing, why and how has helped ease my mind about it. By the way, they can't look into SSL traffic, but they can reconstruct unencrypted traffic to find files and whatnot. It is very useful to see the payload in an attack. This is not done on the fly, but has to be specifically requested for a host and a period of time.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Wed, Feb 24, 2010 at 3:39 PM, Andrew McNabb <[email protected]> wrote:
> Some of you may have received a phishing email yesterday which was directed to people in the CS Department. I got one, too, and as a joke, I sent the attached message to the system list. Most people realized I was joking, and one person (I won't name names) temporarily freaked out a little, but in the end everyone had fun.
>
> Two and a half hours later, I got a phone call from David from Network Security. He asked me if I had sent out my password as a response to the phishing attack, and I explained that I had sent a joke message. Then I asked how he knew about the message.
>
> It turns out that BYU has an expensive system that does low-level wiretapping. Something in the email had triggered their filter, so David read my email and called me about it. He didn't give me any specifics, but it sounds like it's either all low-level traffic or all emails that get forwarded to their wiretapping system for filtering. He mentioned that they have vague plans to let people know what they're doing, but it sounds like they don't have this posted anywhere.
>
> I have no clue what expressions they're searching for, or how they deal with what they read. They obviously didn't realize that I was joking in this case. Now I'm worried that there might be other situations where they take things out of context and have no sense of humor. What can I do to protect myself from being wrongly accused because of the misinterpreted contents of any future email?
>
> I know that BYU has some legal rights to monitor its network, but what are the limits? They aren't supposed to read everyone's emails, are they? David gave me the email address of his boss <[email protected]> and I plan on emailing him to ask some of these questions.
>
> P.S. Hi, David. Since I'm attaching my original email, I'm sure you're reading this. Doesn't wiretapping make you uncomfortable, too?
>
> --
> Andrew McNabb
> http://www.mcnabbs.org/andrew/
> PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868
>
>
> ---------- Forwarded message ----------
> From: Andrew McNabb <[email protected]>
> To: [email protected]
> Date: Wed, 24 Feb 2010 12:02:18 -0700
> Subject: my new password
>
> Thanks for the warning about my compromised account.
>
> My email address is "[email protected]", my current password is "password", and I would like my new password to be "password2". Thanks.
>
>
>
> ATTENTION:
>
> This mail is to inform all our [cs.byu.edu ] users that your webmail account has been compromised by spammers by gaining access to your webmail account and have been using it for illegal internet activities. You are requested to provide your current login credentials to enable us reset your webmail account password immediately to aviod abuse of your account.
>
> *Email address:
> *Current Password:
> *Future Password:
>
> You shall be contacted with a new password upon completion and you are advised to provide the above information or your account will be terminated by the abuse team.
>
> Thank you for using cs.byu.edu Webmail!
> Computer Science Department - Brigham Young University Maintenance Team.
>
> --
> Andrew McNabb
> http://www.mcnabbs.org/andrew/
> PGP Fingerprint: 8A17 B57C 6879 1863 DE55 8012 AB4D 6098 8826 6868
>
> --------------------
> BYU Unix Users Group
> http://uug.byu.edu/
>
> The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
> ___________________________________________________________________
> List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
>
--------------------
BYU Unix Users Group
http://uug.byu.edu/

The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
