Compromised Computer Accounts
Information Technology and it's staff are committed to ensuring a safe
and secure computing environment for UW employees and students. To this
end, there are instances where computer accounts must be disabled in an
effort to protect the account, its owner, and to protect sensitive
information that resides on administrative and academic computing
resources. We hope the information you find here helps explain why IT
would disable an account that we suspect has been compromised.
Here's a real scenario!
Information Technology Security employees
become aware of multiple UW accounts being logged into from computers in
Vietnam. After some sleuthing, it is pretty obvious that we don't have
UW students and four UW employees all in Vietnam accessing their UW
computer accounts from afar.
To protect the accounts, IT staff first attempt to contact the owners
by phone (it doesn't make sense to email our suspicions to you if the
hackers are reading your email) to ask them to change their password
immediately, and to collect information to help IT figure out how the
vulnerabilities may have been created. If we cannot reach the owners
within a couple of hours – remember, the bad guys have access to your
account during this time – IT staff will disable the account so that no
one can use it. When the owner calls the Help Desk (307-766-4357 option 1), information is collected at that time, and
then a request to re-enable the account is submitted to the account
While it may be frustrating to have the account disabled, in the end
it really is intended to protect you and your account.
Definition: Compromised Account – Any account that is accessed by
someone who is not authorized by the University of Wyoming to use the
How are accounts typically compromised?
Certain types of virus and malware infections can compromise account passwords
Phishing emails attempt to trick users into giving up their username/ID and passwords
A user’s password is easy to guess
Sharing passwords is a violation of University policy
How does IT’s Security Office identify compromised accounts?
Log file analysis:
The IT Security office looks through their log
files regularly to find suspicious activity. They look for logins from
locations that are out of the ordinary for users. They also keep a
database of known compromised IP (Internet Protocol) addresses that they
have seen in the past.
If an account is flagged on the e-mail gateway(s) as sending spam,
the account is shut down. This usually indicates that the owner did not
intentionally set up their own email account to send out spam to
hundreds or thousands of people.
Third party notification:
Other universities or businesses alert the
Security Office to compromised account activity.
How does the IT Security Office deal with compromised accounts?
- For accounts that are exhibiting suspicious behavior, the Security
Office, an IT consultant, or the IT Help Desk will contact the user to
verify that the account has not been compromised.
- For accounts that have been verified as compromised, it depends on the
severity of the case
- In general, IT staff will attempt to contact users by phone to
- Change their password
- Collect information in an effort to determine how the compromise may
have occurred. The forensic information will help the IT Security Office
reinforce protection of UW resources.
- In severe cases where access to sensitive institutional data is
compromised, IT staff may immediately disable the account. Users will
have to contact the IT Help Desk or their IT user consultant to get the
account re-enabled. Information will be collected in an effort to
determine how the compromise may have occurred. The forensic information
will help the IT Security Office reinforce protection of UW resources.