 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
First of all, without the specifics of the spam messages and knowledge of Harvard.Net's mail server setup it's possible that this was just a case of mail forging. Someone could have seen your address and decided to use it to get around the sender check on the mail server. On many servers you wouldn't need a password to do that, just some knowledge of SMTP commands. If this was sniffing the most likely case is the POP3 access across the internet. Anyone with access to a machine on an intermediate segment can watch traffic going by. There's really no way to prevent that except for hoping the administrators of those networks are diligent and ethical. Normal POP3 uses cleartext passwords (read: BAD), and unless the ISP supports POP-SSL or the SSH workaround hack (see the "Secure POP/SSH HOWTO") that's just the way it is. I'm not experienced with POP-SSL (or SSL-POP, I'm not sure) but it sounds like a good idea. You should use a different password for the laptop, and change it soon. If you're logging in over the internet you are using some sort of session encryption (SSH), right? At this point you should check every available log on the laptop for anything unusual. Large chunks of missing entries, strange error messages from daemons, or corrupted files are all bad signs. The "last" command is especially valuable, since it not only indicates if someone logged on at a time that you wouldn't be around, but it's also relatively difficult to edit the wtmp file without making a really obvious mess. If you find anything, then use whatever evidence is there to try and fix any existing holes or added backdoors, and change ALL of the passwords. A good idea would be to double check for unneeded services and reinstall known good copies of anything you stil need. I hope that covers enough. Matthew J. Brodeur, mbrodeur at NextTime.com Hostmaster for NextTime.com http://www.NextTime.com On Mon, 10 Jul 2000, Ron Peterson wrote: > My ISP (HarvardNet) just had me change my dial-up password. It seems > they had been getting SPAM complaints which implicated me. The SPAM <snip> > How did they get my password? I use the same password for my user <snip> > I'm guessing someone got me on number (2). Which means I'll probably > stop getting my email except when I have a dial-in connection. > > Any other suggestions about what I should do at this point to make sure > I haven't been further compromised? Let's just say, for the sake of > argument, that I haven't compiled lists of the suid and guid programs on > my laptop in a known secured state. - Subcription/unsubscription/info requests: send e-mail with "subscribe", "unsubscribe", or "info" on the first line of the message body to discuss-request at blu.org (Subject line is ignored).
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
