Educause Security Discussion mailing list archives

Re: EDUCAUSE Statement on Server Breach


From: Benjamin Parker <parkerbc () MOUNTUNION EDU>
Date: Tue, 19 Feb 2013 15:08:37 -0500

I have been thinking this may very well be what happened in the
Oxford/Google Apps discussion. I know our institution would do the same
thing, where a VP or Dean says we are going to message students and have
them click on links despite protests. Then bad stuff happens and you have
to overreact the other way because of the political mess rolling downhill.


On Tue, Feb 19, 2013 at 3:04 PM, Michael Sinatra <michael () rancid berkeley edu> wrote:

On 2/19/13 11:50 AM, Kevin Halgren wrote:
It's worth noting that this e-mail was literally impossible to
differentiate from a phishing e-mail as sent via the e-mail marketer; to
my eyes it looked more like phishing than not. Confirmation via
alternate channels was required to confirm its authenticity.

<rant>
This should be a lesson to all of us, since EDUCAUSE is definitely not
alone here: We all do regular, legitimate business in ways that are
sometimes indistinguishable from phishing, at least to regular users.
That needs to stop. Email marketers and analytics junkies will not like
to hear this, but we need to put an end to embedded email links that are
redirected through other systems. IMO, we should put an end to *all*
legitimate links in emails; instead have a business portal with all of
the links to surveys, training sites, etc., and have notification emails
for when new things appear on the portal. In addition, we could modify
our SSO sites so that they alert users when they need to take care of
something that we would normally notify them about by email.
Once that's done, we can assure users that we will NEVER ask them to
click on a link in an email, just like we currently remind them that we
never ask them for passwords.

If that is "too hard" and/or the analytics stuff is "too valuable" then
we need to simply accept the risk that our users will get caught in
phishing attacks.  The bad guys have figured out that it is very easy to
mimic our business practices, and they have gotten very good at doing
it.  Unless we change those practices, they will find us to be easy
pickings.
</rant>

Again, if this sounds like picking on EDUCAUSE, it's not.  We, as a
community, all do these things.  We need to change our own conventional
wisdom.

michael





-- 
Ben Parker
Senior Network Engineer
University of Mount Union
Phone: 330-829-2866
Twitter: @BenParker82
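The complaint in the quoted thread is that legitimate mass mail routes its links through a third-party marketing host and shows users text that does not match where the link really goes, which is exactly what a phishing message does. The following is an added example, not code from the thread or from EDUCAUSE, of a pre-send check an institution could run over an outbound HTML message to catch those two patterns before the message goes out. The first-party domain allowlist (`example.edu`), the vendor hostname and the sample message are all constructed for illustration.

```python
"""Added example (not part of the original thread): audit an outbound HTML
e-mail for links a recipient could not reasonably tell apart from phishing.

Two patterns are flagged:
  1. the href host is not a first-party (institutional) domain, e.g. a
     marketing/tracking redirector;
  2. the visible link text looks like a URL but names a different host than
     the href actually points to.
The allowlist and the sample message below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party domains that institutional mail may link to.
FIRST_PARTY = {"example.edu"}

# Crude test for "this anchor text is showing the user a URL/hostname".
_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _host(url):
    """Lower-cased hostname of a URL, or '' for mailto:/relative/anchor refs."""
    return (urlparse(url).hostname or "").lower()


def _is_first_party(host, allow=FIRST_PARTY):
    """True if host is one of the allowed domains or a subdomain of one.
    A plain substring test would accept example.edu.evil.com, so anchor on
    the dot boundary."""
    return any(host == d or host.endswith("." + d) for d in allow)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, allow=FIRST_PARTY):
    """Return a list of (href, reason) findings; an empty list means every
    link is first-party and its visible text is not misleading."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue  # mailto:, fragments, relative refs: nothing to judge
        if not _is_first_party(host, allow):
            findings.append((href, "third-party host " + host))
        if _URLISH.match(text):
            shown = _host(text if "://" in text else "http://" + text)
            if shown and shown != host:
                findings.append((href, "link text shows %s but href goes to %s"
                                 % (shown, host)))
    return findings


# Constructed sample: one tracker-redirected link with misleading text, one
# clean first-party link, one first-party link whose text matches, one mailto.
SAMPLE_HTML = """
<p>Please complete the security survey:</p>
<a href="https://track.mailvendor-example.com/c/abc123">https://survey.example.edu/q1</a>
<p>Update your password at <a href="https://sso.example.edu/change">our SSO portal</a>.</p>
<a href="https://sso.example.edu/change">sso.example.edu</a>
<a href="mailto:security@example.edu">security@example.edu</a>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_HTML):
        print("REJECT %s: %s" % (href, reason))
```

Run against the sample, only the vendor-tracked survey link is reported, and it is reported twice: once because its host is not institutional and once because the text the user sees names `survey.example.edu` while the href goes elsewhere. Wiring a check like this into the approval step for campaign mail is one concrete way to enforce the "we never ask you to click a link we did not host" promise the thread argues for, without having to audit every message by hand.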
