leastauthority.com
Gmail remediation checklist
Ensure that each employee does these things:
- Reset passwords
- Enable 2FA
- Search for "clouddock" and, for each email seen:
  - Take a screenshot while viewing the message.
  - Do "view original" and cut and paste the text of that into a local file.
- Review all Trash for suspicious activity
- Examine filters for anything suspicious, such as: if it matches "clouddock", delete and skip inbox.
  - Take a screenshot showing the filters list
  - For each suspicious filter, take two screenshots for the "what to match" and the "what to do" dialogs.
- Examine all other settings. In particular:
  - Check for email forwarding.
  - Turn off POP. (If the date it was enabled correlates to any suspicious event, please take a screenshot. Note: If you use a Gmail phone app or some other apps, they may use POP. You should reconsider, IMHO.)
  - Turn off chat. Let's just make a company policy that we don't do Google XMPP.
  - Turn off any other features and take screenshots if any settings seem suspicious.
Finally: Gather all of these screenshots and original message pastes into one place and then pester the assignee of this ticket to handle them.
Assignee: Gather all this evidence into a big tarball (avoid google if possible).
Everyone: Add more checklist items.
I'm going to actively start bugging every employee until they explicitly put a comment here saying "I have completed every item in this checklist." After they all do, I will close this ticket.
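As an added example (not part of the original issue and not Least Authority's own tooling), the following Python applies the filter, forwarding, POP and IMAP items of the checklist above to the JSON that the Gmail API `users.settings` calls return (`filters.list`, `getAutoForwarding`, `getPop`, `getImap`), so the result can be saved as text next to the screenshots. The sample settings, filter IDs and addresses are constructed, and the company domain and the "clouddock" search term are assumptions taken from this ticket.

```python
"""Audit Gmail settings for the indicators in the checklist above.

Added example; not from the original issue. It works on dicts shaped like the
Gmail API users.settings responses (filters.list, getPop, getImap,
getAutoForwarding). SAMPLE_SETTINGS is constructed data, not from any real
account. The company domain and the suspicious term are assumptions.
"""
from dataclasses import dataclass

SUSPICIOUS_TERMS = ("clouddock",)          # the term the checklist searches for
TRUSTED_DOMAINS = ("leastauthority.com",)  # assumption: the company's own domain


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    setting: str    # which setting produced the finding
    detail: str


def _is_external(address):
    """True when an address is outside the trusted domains (or malformed)."""
    _, _, domain = address.rpartition("@")
    return domain.lower() not in TRUSTED_DOMAINS


def audit_filters(filters):
    """Flag filters that hide mail mentioning a suspicious term (high), forward
    mail off-domain (high), or silently skip the inbox/trash mail (medium,
    for review), mirroring the filter items of the checklist."""
    findings = []
    for flt in filters.get("filter", []):
        fid = flt.get("id", "?")
        criteria = " ".join(str(v) for v in flt.get("criteria", {}).values()).lower()
        action = flt.get("action", {})
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or "TRASH" in action.get("addLabelIds", []))
        mentions_term = any(t in criteria for t in SUSPICIOUS_TERMS)
        forward_to = action.get("forward")

        if mentions_term and hides:
            findings.append(Finding("high", "filter",
                            f"{fid}: hides mail matching {criteria!r}"))
        elif hides:
            findings.append(Finding("medium", "filter",
                            f"{fid}: skips inbox/trashes mail matching {criteria!r}; confirm intentional"))
        if forward_to and _is_external(forward_to):
            findings.append(Finding("high", "filter",
                            f"{fid}: forwards mail matching {criteria!r} to {forward_to}"))
    return findings


def audit_forwarding(auto_forwarding):
    """Account-wide auto-forwarding: off-domain is high, on-domain still needs review."""
    if not auto_forwarding.get("enabled"):
        return []
    addr = auto_forwarding.get("emailAddress", "")
    severity = "high" if _is_external(addr) else "medium"
    return [Finding(severity, "autoForwarding", f"all mail forwarded to {addr}")]


def audit_pop(pop):
    """POP is fine when intentional (see the thread), so it is flagged for confirmation."""
    if pop.get("accessWindow", "disabled") == "disabled":
        return []
    return [Finding("medium", "pop",
                    f"POP enabled (accessWindow={pop['accessWindow']}); confirm it is intentional")]


def audit_imap(imap):
    if not imap.get("enabled"):
        return []
    return [Finding("low", "imap", "IMAP enabled; confirm it is intentional")]


def audit_account(settings):
    """Run every check; returns findings ordered high -> medium -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = (audit_filters(settings.get("filters", {}))
                + audit_forwarding(settings.get("autoForwarding", {}))
                + audit_pop(settings.get("pop", {}))
                + audit_imap(settings.get("imap", {})))
    return sorted(findings, key=lambda f: order[f.severity])


SAMPLE_SETTINGS = {  # constructed sample, modelled on the API response shapes
    "filters": {"filter": [
        {"id": "f-001", "criteria": {"query": "clouddock"},
         "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
        {"id": "f-002", "criteria": {"from": "noreply@vendor.example"},
         "action": {"forward": "collector@attacker.example"}},
        {"id": "f-003", "criteria": {"subject": "newsletter"},
         "action": {"removeLabelIds": ["INBOX"]}},
    ]},
    "autoForwarding": {"enabled": True, "emailAddress": "collector@attacker.example",
                       "disposition": "archive"},
    "pop": {"accessWindow": "allMail", "disposition": "leaveInInbox"},
    "imap": {"enabled": True},
}

if __name__ == "__main__":
    for f in audit_account(SAMPLE_SETTINGS):
        print(f"[{f.severity:6}] {f.setting}: {f.detail}")
```

Running it against the constructed sample reports three high findings (the "clouddock" delete-and-skip-inbox filter, the filter forwarding off-domain, and account-wide forwarding to the same external address), two medium (a plain skip-inbox filter and POP enabled) and one low (IMAP enabled). The settings a real audit would feed in come from the Gmail API with read-only settings scope; the output is plain text, which suits the "avoid google if possible" evidence tarball.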
I have completed every item in this checklist.
Edit: Note: I do have IMAP enabled, but that's because I enabled it myself, so that I can use Thunderbird.
I've gone through the checklist with some caveats.
I didn't take a screenshot of the suspiciously enabled POP and IMAP settings for [email protected]. (I'd already disabled them before I read this ticket.)
I only took one screenshot that showed both the "match" and "action" for the two suspicious filters in [email protected].
I also checked under: Account --> Security --> Account Permissions and removed the applications which had some permissions to access the account. "[email protected]".
I recommend that we all review those permissions for all accounts.
Finally, what are "info@L", "support@L", "interest@L", "everyone@L", "product-team@L" ? Those are just mailing lists, correct?
I completed the checklist for:
[email protected] [email protected]
Which accounts has Taylor completed the checklist for? Which accounts has Nathan completed the checklist for? Which accounts remain unexamined? How can I get that list?
I have not completed this checklist yet.
Also, this ticket is intended for people to do this "for their own accounts" and #246 is intended for someone to go through all of our other "infrastructure" style accounts.
I have completed the checklist for [email protected]
I've done this checklist, except for 2FA because I have no phone yet.
Google has their own checklist, for future reference: https://support.google.com/mail/checklist/2986618
It sounds like these accounts have completed the checklist:
These accounts have not acknowledged this checklist:
Plus any number of "non-human" accounts which should be tracked as part of #246
Have I forgotten any other "human" accounts?
I'm now going to pester Zooko, Jessica, and Daira.
I had already done everything except disabling chat, which I've now done, and disabling POP. I intentionally have POP enabled (configured to delete mail from the server) for Thunderbird.
On Wed, Jul 16, 2014 at 7:28 AM, Daira Hopwood [email protected] wrote:
I had already done everything except disabling chat, which I've now done, and disabling POP. I intentionally have POP enabled (configured to delete mail from the server) for Thunderbird.
— Reply to this email directly or view it on GitHub https://github.com/LeastAuthority/leastauthority.com/issues/244#issuecomment-49173245 .
Using POP is fine, so long as it's intentional. I merely wanted everyone to disable features they do not use.
We're down to a pester-list of @zookoatleastauthoritycom and @jessicaaugustus .
Okay I have done everything in this list. I am sending my screenshots to nathan now. On the day of the attack I shared screenshots of my suspicious trash and filters in a frenzy but I don't remember where. there is not currently anything suspicious there.
Down to @zookoatleastauthoritycom .
I've now done the whole checklist. (I did most of it already way back when this was a fresh issue.)
One surprise was that I had POP enabled on my personal [email protected] account since 2011. I turned it off.
Otherwise, no surprises. The resulting screenshot tarball is 2.7 MB. Want it?
On Tue, Sep 16, 2014 at 2:32 PM, zookoatleastauthoritycom <[email protected]> wrote:
I've now done the whole checklist. (I did most of it already way back when this was a fresh issue.)
One surprise was that I had POP enabled on my personal [email protected] account since 2011. I turned it off.
I had the same surprise, so I hope google just enabled that feature across the board at some point.
Otherwise, no surprises. The resulting screenshot tarball is 2.7 MB. Want it?
Yes, for completeness I'll put it into a forensics directory on my local laptop that I don't believe is backed up. Unless there's some followup, I might forget this directory or lose the data. :-<
But send the tarball anyway for consistency.
— Reply to this email directly or view it on GitHub https://github.com/LeastAuthority/leastauthority.com/issues/244#issuecomment-55816986 .
Nathan Wilcox Least Authoritarian
email: [email protected] twitter: @least_nathan PGP: 11169993 / AAAC 5675 E3F7 514C 67ED E9C9 3BFE 5263 1116 9993