Security IT

Notification of Server Breach Mistaken For Phishing Email

Posted by samzenpus
from the it's-not-what-you-say-but-how-you-say-it dept.
netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"
This discussion has been archived. No new comments can be posted.


  • by phaunt (1079975) * on Thursday February 21, 2013 @10:42AM (#42967471)

    Michael Sinatra over at seclists.org had the following to say:

    This should be a lesson to all of us, since EDUCAUSE is definitely not alone here: We all do regular, legitimate business in ways that are sometimes indistinguishable from phishing, at least to regular users. That needs to stop. Email marketers and analytics junkies will not like to hear this, but we need to put an end to embedded email links that are redirected through other systems. IMO, we should put an end to *all* legitimate links in emails; instead have a business portal with all of the links to surveys, training sites, etc., and have notification emails for when new things appear on the portal. In addition, we could modify our SSO sites so that they alert users when they need to take care of something that we would normally notify them about by email. Once that's done, we can assure users that we will NEVER ask them to click on a link in an email, just like we currently remind them that we never ask them for passwords.

    If that is "too hard" and/or the analytics stuff is "too valuable" then we need to simply accept the risk that our users will get caught in phishing attacks. The bad guys have figured out that it is very easy to mimic our business practices, and they have gotten very good at doing it. Unless we change those practices, they will find us to be easy pickings.
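The comment above names the traits that make a legitimate notice look like phishing: links that bounce through a tracking or redirect system, and link text that shows one host while the href points at another. The following is an added example, not code from the Slashdot post, from EDUCAUSE or from the commenter, of a pre-send check an organisation could run over its own outgoing notification e-mail. The organisation domains (`example.edu`), the list of redirect parameter names and the sample notice are all constructed for the illustration.

```python
"""Link-hygiene check for outgoing notification e-mail (added example).

Flags, in an HTML body, the traits the comment above calls
"indistinguishable from phishing":
  * links whose query string carries another URL (a redirect/tracker hop),
  * link hosts outside the sender's own domains,
  * visible link text naming a different host than the real target.
The domain list, parameter names and sample message are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hypothetical: domains the sending organisation actually controls.
OWN_DOMAINS = {"example.edu"}

# Assumed names of query parameters that redirect/tracking services use to
# carry the real destination. Any of these holding an absolute URL counts.
REDIRECT_PARAMS = {"url", "u", "redirect", "target", "dest", "link"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_own(host):
    # Exact match or a subdomain of an organisation domain.
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def _is_redirect(url):
    """True if a query parameter carries another absolute URL."""
    for key, values in parse_qs(urlparse(url).query).items():
        if key.lower() in REDIRECT_PARAMS:
            if any(v.startswith(("http://", "https://")) for v in values):
                return True
    return False


def check_links(html_body):
    """Return a list of (href, reason) findings; an empty list means clean."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        if _is_redirect(href):
            findings.append((href, "redirects through another system"))
        if not _is_own(host):
            findings.append((href, f"host {host!r} is not an organisation domain"))
        # If the visible text is itself a URL, its host must match the real target.
        text_host = _host(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != host:
            findings.append((href, f"link text shows {text_host!r} but points to {host!r}"))
    return findings


# Constructed sample: a breach notice carrying the traits that made
# recipients in the story suspect phishing.
SAMPLE_NOTICE = """
<p>Your account may be affected by a security incident.</p>
<p>Reset your password at
<a href="https://mail-tracker.example.net/click?u=https://portal.example.edu/reset">
https://portal.example.edu/reset</a></p>
<p>Questions? See <a href="https://portal.example.edu/faq">the FAQ</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_NOTICE):
        print(f"FLAG: {reason}\n      {href}")
```

Run against the sample, the tracker-wrapped reset link produces three findings and the plain FAQ link none; a notice that passes this check is one whose links go only to hosts the organisation controls, which is the minimum needed before telling users "we will never ask you to click a link that looks like X".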
