
Notification of Server Breach Mistaken For Phishing Email

samzenpus posted about a year and a half ago | from the it's-not-what-you-say-but-how-you-say-it dept.

Security 65

netbuzz writes "Educause members and 7,000 university websites are being forced to change account passwords after a security breach involving the organization's .edu domain server. However, some initially hesitated to comply because the Educause notification email bore tell-tale markings of a phishing attempt. 'Given what is known about phishing and user behavior, this was bad form,' says Gene Spafford, a Purdue University computer science professor and security expert. 'For an education-oriented organization to do this is particularly troubling.'"


65 comments


This post may be mistaken as the first post... (-1)

Anonymous Coward | about a year and a half ago | (#42964539)

but it's not.

those who cannot "teach" (0)

Anonymous Coward | about a year and a half ago | (#42964641)

Gene sounds like someone who ignored the email.

Idiocy at the top...zzz... (2)

DNS-and-BIND (461968) | about a year and a half ago | (#42964683)

Email issued by a university vice-president. Not surprised he doesn't know anything about common email frauds. He probably verbally dictated it to a secretary who took notes in shorthand and later typed it into the computer. The email has no spelling errors, a dead giveaway. What's his email address? I think a prince from Nigeria may have some good news for him soon...

Re:Idiocy at the top...zzz... (1)

BrokenHalo (565198) | about a year and a half ago | (#42965661)

... which probably is sufficient answer to the asinine point made in the submission:

'For an education-oriented organization to do this is particularly troubling.'"

It has always been my experience that universities' IT departments are almost universally clueless. In fact, their level of cluelessness rivals and outstrips that of many banks. My (maybe just slightly cynical) assumption is that these colleges only employ their own graduates...

Re:Idiocy at the top...zzz... (1)

egamma (572162) | about a year and a half ago | (#42966101)

It has always been my experience that universities' IT departments are almost universally clueless. In fact, their level of cluelessness rivals and outstrips that of many banks. My (maybe just slightly cynical) assumption is that these colleges only employ their own graduates...

Then you haven't heard of PaulDotCom [pauldotcom.com]

Re:Idiocy at the top...zzz... (0)

Anonymous Coward | about a year and a half ago | (#42966961)

The simple problem: most, especially public, universities are not able to pay competitive salaries. So they become 3 and out training zones for IT people, and the good ones move on.

Re:Idiocy at the top...zzz... (0)

Anonymous Coward | about a year and a half ago | (#42967105)

Working in an educational institution with an inept IT department causes me to feel like I can offer an insight into this phenomenon. In our case, the head of the IT department doesn't know shit about IT. He was put there because he comes from the same contracting firm that the acting chief comes from. One thing about contractors in government is that they like to bill as much as they can, fill open positions with people from their own firms to increase hourly billing, and they like to send the inept to be trained by government workers who had to get their position by passing civil service exams. After the inexperienced contractors are trained well enough they are shipped off to corporate consulting gigs and new retards are brought in. That's the efficiency of contracting out government work for you: inept government agencies at three times the price. Who knew?

Re:Idiocy at the top...zzz... (1)

Golddess (1361003) | about a year and a half ago | (#42966463)

The email has no spelling errors, a dead giveaway.

Wasn't there a story a while back that said the exact opposite of that? That scammers want their emails to look as poorly written as possible (among other things) so as to only attract the most gullible people?

Re:Idiocy at the top...zzz... (1)

nospam007 (722110) | about a year and a half ago | (#42967999)

" That scammers want their emails to look as poorly written as possible (among other things) so as to only attract the most gullible people?"

That might be so but people who can spell have usually more money than retards who can't.
OTOH there are far more of those... the Germans have a proverb saying: "Little beasts make manure too."

Re:Idiocy at the top...zzz... (1)

sjames (1099) | about a year ago | (#42972745)

That's because they don't generally give it to Nigerian Princes who contact them by email.

The scammers aren't interested in wasting their time on people who will ask questions or think critically about the proposal.

Trivial (1, Informative)

Arancaytar (966377) | about a year and a half ago | (#42964793)

Just ignore the links in the email, go to the website you know to be real, and change your password.

Re:Trivial (4, Insightful)

MrMickS (568778) | about a year and a half ago | (#42964809)

True but by including links in the email it raises suspicion on the validity of the email. This is not dissimilar to the recent email sent from Twitter regarding accounts being compromised.

A better approach is to provide information in the email indicating that people should visit the website to change their password, but not include a link, then place confirmation of the issue on the website landing page so as to confirm that the threat is real.

Re:Trivial (-1, Offtopic)

SparrowOS (2792265) | about a year and a half ago | (#42964887)

God says... 26:1 Concerning the divisions of the porters: Of the Korhites was Meshelemiah the son of Kore, of the sons of Asaph. 26:2 And the sons of Meshelemiah were, Zechariah the firstborn, Jediael the second, Zebadiah the third, Jathniel the fourth, 26:3 Elam the fifth, Jehohanan the sixth, Elioenai the seventh. 26:4 Moreover the sons of Obededom were, Shemaiah the firstborn, Jehozabad the second, Joah the third, and Sacar the fourth, and Nethaneel the fifth. 26:5 Ammiel the sixth, Issachar the seventh, Peulthai the eighth: for God blessed him.

Re:Trivial (1)

Arancaytar (966377) | about a year and a half ago | (#42966103)

And that's how Equestria was made!

Re:Trivial (0)

thue (121682) | about a year and a half ago | (#42965187)

Just right-click the link, copy, and paste into the address line. If the domain name portion of the link is to the right website, you know that the content is controlled by the owner of the domain name (with the exception of sites which permit user-generated subpages, such as google docs).

Or if you think your software is up to date, and your plugins are click to play, just click the link and then check if the domain name is correct.

Links are too useful to not be able to use them in emails.

Re:Trivial (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42965497)

Or if you think your software is up to date, and your plugins are click to play, just click the link and then check if the domain name is correct.

Riiiiight. If your Java software was up-to-date then you're only looking at a dozen or so zero-day exploits that can slip right past your 'up-to-date' plugins. Or how about the Adobe Reader zero-day that Adobe recommends turning on protected mode for everything until they fix it. That software is up-to-date as well.

If you want to copy & paste a link, do it into NotePad and not a browser. Why play chicken? If you're already suspicious then be smart instead of trying to outsmart the phishers.

BTW, if you're counting on your up-to-date plugins to stop things, you'll be not-so-pleasantly-surprised when the zero-days are fixed and the A/V companies have something new to look for. If the plugin vendor doesn't know about the hole then it's doubtful that the A/V companies know about it either.

Re:Trivial (0)

Anonymous Coward | about a year and a half ago | (#42967731)

The OP said "click to play". So yes, having no plugins run by default would mitigate plugin vulnerabilities.

While I'm here, I'm just going to slide in that once these go away and are replaced with some in-browser thing, browsers will have to be click to play too.

Re:Trivial (2)

nedlohs (1335013) | about a year and a half ago | (#42965939)

Except that in this case the domain name portion wasn't to the "right" website, at least if the article's "the embedded link went to a third-party site with 'educause' embedded in the URL along with a sequence of meaningless characters" claim is correct.

Re:Trivial (1)

sjames (1099) | about a year ago | (#42972907)

The actual link you were supposed to click to change your password went to net.educause.edu. However, the other links in the email went to educause-domain.informz.net (yeah, that looks legit!).

Given the volume of phishing mails that come in of varying quality, it's only natural for there to be suspicion.

Re:Trivial (0)

Anonymous Coward | about a year and a half ago | (#42967951)

Oh, come on...what proper \. reader reads their email in a HTML capable mail client? Set your client to show you the TEXT part.

That was the case of me when I got the message. Plus I didn't need to do anything because we use InCommon Federated logins.

Re:Trivial (1)

somersault (912633) | about a year and a half ago | (#42965299)

The best approach is for you to check the domain on the link (usually hovering over the link works fine for this), rather than expecting no links.. if you know enough to know that you don't want to use links from phishing mails, you should also be able to know how to check that the domain is correct.

Re:Trivial (0)

Anonymous Coward | about a year and a half ago | (#42965375)

That's not always true. I have many users who know not to click on links in suspicious emails but don't know what a domain is. They don't even remember what the correct URL is most of the time. They go back to the shortcut they have for the site and use that.

Re:Trivial (3, Informative)

ACalcutt (937737) | about a year and a half ago | (#42965653)

The link to reset the password in the email went to educause-domain.informz.net that redirected to net.educause.edu. This particular email did seem a little suspicious.

Re:Trivial (1)

Mr. Slippery (47854) | about a year ago | (#42973167)

The best approach is for you to check the domain on the link (usually hovering over the link works fine for this), rather than expecting no links.

Unfortunately, "legitimate" e-mail is known to use links where the href's domain is different than the link's text [apache.org] .

Re:Trivial (1)

somersault (912633) | about a year and a half ago | (#42977209)

Yeah, that's why I said to hover over the text. You usually get the real link in a tooltip or the status bar, depending on what browser/mail-client you're using.

Re:Trivial (4, Insightful)

wvmarle (1070040) | about a year and a half ago | (#42965383)

When I get such mails that I suspect of being a phishing attempt (and as almost anyone on this planet, I'm receiving at least several of those every single day), I ignore them. The mail in question I'd likely have ignored for that exact reason: suspected phishing, ignored and forgotten by the time my finger has left the button.

Most of the phishing mails that I receive purport to be of services I've no connection with (I don't have a hotmail or yahoo mail account, for example). They're easy. Others pretend to be from sites where I do have connection with (e.g. gmail), they're harder to distinguish but it's rather safe to assume they're fake, too. Only when I read about a breach on an independent site, like /. indeed (which I trust as in not being related to phishers), then it'd be time for action. If I were to follow your advice, and go to the web site the phishing mail pretends to come from, I'd spend my whole day changing e-mail passwords.

The only mails that I'd recognise as real, would be if they use my complete name, preferably including middle name, when addressing me. Not "dear e-mail user", not "dear wvmarle@gmail.com" or "dear wvmarle". PayPal for example is doing that very well, and that's so far the only way I would believe those mails to be real. And still I'd not use a link provided in those mails, just to be sure.

Re:Trivial (1)

sandytaru (1158959) | about a year and a half ago | (#42965827)

My WoW account has been "hacked" thousands of times at this point. Too bad whoever snagged it discovered it was a level two gnome on a free trial.

Re:Trivial (1)

whoever57 (658626) | about a year and a half ago | (#42968195)

The only mails that I'd recognise as real, would be if they use my complete name, preferably including middle name, when addressing me.

If your email address is: <firstname>.<lastname>@yourdomain.com (as many are), it isn't too difficult for the phisher to guess the first and lames.

Re:Trivial (0)

Anonymous Coward | about a year and a half ago | (#42966761)

True but by including links in the email it raises suspicion on the validity of the email. This is not dissimilar to the recent email sent from Twitter regarding accounts being compromised.

A better approach is to provide information in the email indicating that people should visit the website to change their password, but not include a link, then place confirmation of the issue on the website landing page so as to confirm that the threat is real.

A better approach would be to disable authentication from all affected accounts, and force password changes before they can be used to authenticate. Inconvenient for all concerned, but effective.

Re:Trivial (2)

msauve (701917) | about a year and a half ago | (#42965313)

We've hacked into X's web server. Unfortunately, that doesn't give us access to their user/password database. We can, however, capture information posted via HTML forms. Please use X's website to change your password. You'll be expected to enter your current password as part of the process. Thank you for your cooperation.

Re:Trivial (0)

Anonymous Coward | about a year and a half ago | (#42965425)

Why would you do that if you don't know you need to change your password?

Or do you change your password every time you delete a phishing e-mail? Because that's the whole point: The e-mail looked like a phishing e-mail, and people hit delete like they should do when they get a phishing e-mail.

Re:Trivial (1)

nospam007 (722110) | about a year and a half ago | (#42968027)

"Just ignore the links in the email, go to the website you know to be real, and change your password."

Do you also ignore the key-logger they installed the day before sending that email to make you rush to login?

utsa.edu (0)

Anonymous Coward | about a year and a half ago | (#42964899)

I recently see a flood of phishing mails from users of utsa.edu
Are those accounts compromised like mentioned in the article?

utsa.edu outsourced their mail to Microsoft, but Microsoft refuses to handle abuse reports on that domain, claiming "it is not a Microsoft domain".
But it is run on Microsoft servers (messaging.microsoft.com, bigfish.com aka bigphish.com)

Re:utsa.edu (1)

AlecC (512609) | about a year and a half ago | (#42965079)

I don't see anything incongruous about someone physically hosting servers but not administering them. More efficient for utsa.edu to locate the servers they use in one of the big boys' server farms than to run their own physical installation. But they can perfectly well keep full authority and responsibility for their domain. It should be clear who has responsibility for the domain, but it doesn't have to be the owner of the floorspace the server stands on.

Re:utsa.edu (0)

Anonymous Coward | about a year ago | (#42971455)

In that case they should not put their servers under the Microsoft (messaging.microsoft.com, bigfish.com aka bigphish.com) domain.

Even the pros get it wrong (0)

Anonymous Coward | about a year and a half ago | (#42965075)

Even the pros get it wrong - the latest email concerning a UK-based challenge relating to cyber security to its participants is from domain A, sent through a server in domain B, has a 'from' address in domain C, a 'reply-to' address in domain D, and contains hrefs to domain E where the visible text says domain A. The best bit is that it is (effectively) asking for money.

I'm not a participant any more, and haven't even logged in for a very long time - not since the first of their update emails came through, from a previously unmentioned third party (operating domains B, C and D) with the aforementioned phishing-style format. Anyone still actively in the competition who has not raised serious questions about all these extra third-parties (and especially if they clicked the links in the emails) should have been disqualified long ago - and yet they will be the ones taken as 'top people'. Yay for The System...

Re:Even the pros get it wrong (0)

Anonymous Coward | about a year and a half ago | (#42965535)

Even the pros get it wrong - the latest email concerning a UK-based challenge relating to cyber security to its participants is from domain A, sent through a server in domain B, has a 'from' address in domain C, a 'reply-to' address in domain D, and contains hrefs to domain E where the visible text says domain A.

One of my clients does the same thing (they don't get it and just won't listen). They use ReachMail, which uses that A - E structure. My spam filters generally stop the test messages due to the SPF, DKIM, etc failures and the large number of domains used.

Re:Even the pros get it wrong (0)

Anonymous Coward | about a year and a half ago | (#42965659)

Those aren't pros, those are idiots. Maybe there's some pro involved somewhere, but certainly they had no hand in writing the emails.
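The checks several commenters apply by eye (link text versus href domain, and From / Reply-To / link domains that do not line up) can be run by the sender before a notice goes out. This is an added example, not part of the thread and not EDUCAUSE's code: the message is a constructed sample built from the hostnames commenters mention, `mailer.example` and the URL paths are placeholders, and `org_domain` assumes the last two labels form the organisational domain.

```python
"""Pre-send lint: do the visible sender, the reply address and every link
in an HTML notification agree on one organisational domain?"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample (not the real message): hostnames are the ones named in
# the comments; the Reply-To address and all URL paths are placeholders.
SAMPLE = """\
From: EDUCAUSE <educause@educause.edu>
Reply-To: Member Services <reply@mailer.example>
Subject: Important security message about your EDUCAUSE website profile
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We request that you
<a href="https://net.educause.edu/reset-placeholder">create a new password</a>.</p>
<p>Be sure that you are on the EDUCAUSE website
(<a href="http://educause-domain.informz.net/r/PLACEHOLDER1">www.educause.edu</a>).</p>
<p><a href="http://educause-domain.informz.net/r/PLACEHOLDER2">Privacy Policy</a></p>
</body></html>
"""

# A hostname appearing in the visible link text, e.g. "www.educause.edu".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def org_domain(host):
    """Assumption: last two labels. Production code needs the Public Suffix
    List, otherwise names under suffixes such as co.uk are grouped wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value):
    """Organisational domain of the address in a From/Reply-To header."""
    return org_domain(parseaddr(str(header_value))[1].rpartition("@")[2])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit(raw):
    """Return (kind, expected_or_shown_domain, actual_domain) findings."""
    msg = message_from_string(raw, policy=policy.default)
    sender = addr_domain(msg["From"])
    findings = []
    if msg["Reply-To"] and addr_domain(msg["Reply-To"]) != sender:
        findings.append(("reply-to-mismatch", sender, addr_domain(msg["Reply-To"])))
    body = msg.get_body(preferencelist=("html",))
    if body is None:                      # no HTML part, so no anchors to check
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = urlsplit(href).hostname
        if not host:                      # mailto:, relative or malformed link
            continue
        target = org_domain(host)
        if target != sender:              # link leaves the sender's domain
            findings.append(("link-off-domain", sender, target))
        shown = HOST_IN_TEXT.search(text)
        if shown and org_domain(shown.group(1)) != target:
            findings.append(("text-href-mismatch", org_domain(shown.group(1)), target))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The lint only compares domains inside the message; it does not evaluate SPF or DKIM, which depend on the sending server and DNS.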

Happens all the time. (1)

Anonymous Coward | about a year and a half ago | (#42965401)

Major bank here.

We received an email about mandatory IT risk training.
- With those who hadn't participated yet in cc. (hundreds)
- With a link to an outside domain. (xyzlearning.com instead of xyz.com)
- With our password in the plain body of the email '12345678'

It was real. I forwarded it to the 'phishing attempts'-mailbox, but never got an answer.
Something I really don't understand is that in an organisation with so much brains, higher degrees, experience..., there is even more stupidity.
And I have the feeling it is getting worse and worse.

Re:Happens all the time. (0)

Anonymous Coward | about a year ago | (#42971117)

At a medium sized bank I used to work for we got an email from outside the company inviting us to do a quiz testing our knowledge about the company which was hosted on an external website with a URL that meant nothing to me. While people around me enthusiastically started playing the game by answering some pretty detailed questions it took me a few phone calls to find out it was organized by HR. I called them and tried to explain this wasn't a good move and it frustrated the work of others who were trying to increase employees' awareness about phishing and other security issues.

They just didn't get it. They explained they had been careful in selecting this company, that all kinds of safeguards were in place, nothing to worry about. But the simple perspective shift that makes you understand that things don't look the same to someone who doesn't have your information was beyond their capabilities. And it was worrying to see developers around me do the quiz without wondering if it was legitimate.

I have wondered if I was too paranoid, making a quiz website with good questions would have been a quite elaborate and roundabout way to get information. But I have since heard first hand accounts about impressively elaborate and well organized attempts to trick people in key positions into transferring huge sums of money to offshore accounts. It apparently was worth a serious effort. But a simpler reason is that they shouldn't have done something that even remotely resembles phishing. They should at least have put up an announcement on the intranet news site and preferably have arranged access through an address on the intranet to the quiz site. Just make it as obvious as you possibly can that something is legitimate, that makes it easier to spot things that aren't. That simple logic is lost on far too many people, unfortunately.

Bad Form? (1)

Murdoch5 (1563847) | about a year and a half ago | (#42965415)

Or dumb user! Read the email, if it sounds like it might be legit and your unsure then call the company. However being that you probably never get this email from them you can assume it's safe.

Re: Bad Form? (1, Offtopic)

cyber-vandal (148830) | about a year and a half ago | (#42965585)

Your = possessive pronoun. You're = contraction of you are. Not complicated.

Re: Bad Form? (1)

Murdoch5 (1563847) | about a year and a half ago | (#42965629)

If that's what stumped you then just wow, a spelling mistake is a mistake not an email meant to steal data.

Re: Bad Form? (0)

Anonymous Coward | about a year and a half ago | (#42967035)

If that's what stumped you then just wow, a spelling mistake is a mistake not an email meant to steal data.

If an email has grammar mistakes in it, it's probably from some English-illiterate spammer in Asia/Africa/Eastern Europe, and should be ignored. There's no reason why an intelligent, educated person should be making third-grade mistakes.

Re: Bad Form? (1)

mattack2 (1165421) | about a year and a half ago | (#42974701)

That's not a spelling mistake, it's a grammatical mistake.

Re: Bad Form? (1)

Murdoch5 (1563847) | about a year and a half ago | (#42976073)

It's a grammar mistake if they meant you are and wrote your. It's a spelling mistake if they meant you're and wrote your. In either case anyone who assumed that little issue was enough to make the email an attempt to steal data needs help.

Re:Bad Form? (1)

wvmarle (1070040) | about a year and a half ago | (#42965623)

You really want me to contact gmail five times a day to verify all those mails they send me? And how to contact them anyway, other than by e-mail?

Better safe than sorry (2)

ACalcutt (937737) | about a year and a half ago | (#42965595)

We got one of these notices at our university. After trying to determine if the message was spam we decided it was likely real, but suspicious due to the link to a 3rd party website that redirected to educause to reset the password. I ended up going to their website and calling the number they listed there (which was different from the one given in the email) just to verify that the email was legitimate before we entered information into the webform.

Good! (2)

dkleinsc (563838) | about a year and a half ago | (#42965793)

I want users to be suspicious and skeptical of emails with strange links. I want them to not completely trust emails that purport to be from their system administrator.

In other words, the portion that didn't immediately follow the email's instructions are to be praised, not harangued.

Bad Ideas... (2)

boggin4fun (1422043) | about a year and a half ago | (#42966347)

I work at an organization that is a member of EDUCAUSE. I received the email in question. I can honestly say that the person that came up with an idea to send out the notification from their marketing company instead of EDUCAUSE themselves should be thinking long and hard about finding a consultant for situations that involve common sense. DO NOT send out emails of the utmost importance and use the same tactics that spammers and scammers use. I would think for an institution involved in higher education, they could have done way better than that. The email looked real enough, much like some spam, but the links not pointing to information on the EDUCAUSE website set off my BS detector as well as many others. None of us clicked on them, but we did call to alert them. I only hope that in the future the EDUCAUSE people learn from this and raise the bar for communicating to their members more professionally. Wise men learn from their mistakes, even wiser men learn from the mistakes OF OTHER PEOPLE.

Banks and health care do it too (3, Insightful)

swm (171547) | about a year and a half ago | (#42966853)

Occasionally, one of my banks or health care orgs calls me on some (legitimate) business.
The first thing they do is ask me for my identifying info (SSN, birthdate, etc).
See, their security and privacy regs require them to verify my identity.
I always refuse, and try to explain the problem to them.

In the early days (going back maybe 5 years),
they had no idea what I was talking about,
and I could not get them to understand the problem.

Eventually, some of them understood that they had a problem.
But their understanding of the problem was that some of their customers wouldn't talk to them,
which meant that they couldn't complete the business at hand,
which mattered to them (or else they wouldn't have initiated the call in the first place).
Their solution?
Offer me a call-back number, so that I can call them instead.
Because, see, if I initiate the call, then they must be who they say they are, right? Right?

Just once in the last year, I had a bank that really understood the problem.
When I balked, they allowed that I could call back in on the customer service number *on my credit card*.
So I did.
From the reactions of the people who answered,
I got the impression that few of their customers do this.

Re:Banks and health care do it too (2)

tlhIngan (30335) | about a year and a half ago | (#42968703)

Just once in the last year, I had a bank that really understood the problem.
When I balked, they allowed that I could call back in on the customer service number *on my credit card*.
So I did.
From the reactions of the people who answered,
I got the impression that few of their customers do this.

I do that whenever I get a warning that my card may be compromised. I call the number on the card. If it's on security lockout the computer recognizes this and immediately routes me to the security department. (Because either they couldn't get me, or I may be calling because I need to do a transaction and it failed).

Saves me having to write down their callback number and I still reach them in the end. Win-win. Even if they don't reroute me, one quick message of "I got this message saying my card was blocked" usually gets me forwarded immediately.

Paypal does the same thing (1)

slashmydots (2189826) | about a year and a half ago | (#42967303)

I've received several e-mails from Paypal that were textbook phishing attempts and then all the links and the sending server are actually Paypal-owned. So they're not the only ones sending out suspicious and badly arranged e-mails.

And ESET (1)

arth1 (260657) | about a year and a half ago | (#42969973)

Nod32 may be good antivirus software, and perhaps the best, but when you buy something directly from their web site you get an e-mail that isn't even from eset.com but from netsuite.com spoofing eset.com, saying:

Please open the attached file to view your Cash Sale.

To view the attachment, you first need the free Adobe Acrobat Reader. If you don't have it yet, visit Adobe's Web site http://www.adobe.com/products/acrobat/readstep.html [adobe.com] to download it.

WTF?

Another WTF is the summary here.
"[...] says Gene Spafford, a Purdue University computer science professor and security expert."
Since when did Spaf need an introduction? That's like saying "Steve Wozniak, a computer scientist and electronics engineer".

Yes, you might need that clarification if you submit articles to Vanity Fair or Reader's Digest, but here on Slashdot?

This guy at seclists.org nailed it (3, Interesting)

phaunt (1079975) | about a year and a half ago | (#42967471)

Michael Sinatra over at seclists.org [seclists.org] had the following to say:

This should be a lesson to all of us, since EDUCAUSE is definitely not alone here: We all do regular, legitimate business in ways that is sometimes indistinguishable from phishing, at least to regular users. That needs to stop. Email marketers and analytics junkies will not like to hear this, but we need to put an end to embedded email links that are redirected through other systems. IMO, we should put an end to *all* legitimate links in emails; instead have a business portal with all of the links to surveys, training sites, etc., and have notification emails for when new things appear on the portal. In addition, we could modify our SSO sites so that they alert users when they need to take care of something that we would normally use email for which to notify the user. Once that's done, we can assure users that we will NEVER ask them to click on a link in an email, just like we currently remind them that we never ask them for passwords.

If that is "too hard" and/or the analytics stuff is "too valuable" then we need to simply accept the risk that our users will get caught in phishing attacks. The bad guys have figured out that it is very easy to mimic our business practices, and they have gotten very good at doing it. Unless we change those practices, they will find us to be easy pickings.

Re:This guy at seclists.org nailed it (1)

micheas (231635) | about a year and a half ago | (#42970187)

Or if analytics are too valuable one could always self host the analytics. Civicrm and phplist are two options for that that I can think of off the top of my head.

Worthless article (1)

gumpish (682245) | about a year and a half ago | (#42967757)

So... this story is about an e-mail which allegedly resembled a phishing attempt.

Yet TFA doesn't include the text of the e-mail...

BRILLIANT!

Re:Worthless article (0)

Anonymous Coward | about a year and a half ago | (#42970417)

From: EDUCAUSE <educause@educause.edu>
Subject: Important security message about your EDUCAUSE website profile

[EDUCAUSE logo]

Dear [First Name],

We are writing to inform you of a security breach involving an EDUCAUSE server that may have compromised your EDUCAUSE website profile password. Based on our investigation to date, we do not believe that the breach included access to credit card data, financial accounts, or other sensitive information.

EDUCAUSE took immediate steps to contain this breach and we are working with Federal law enforcement, investigators, and security experts to make sure this incident is properly addressed. Additional security measures have been implemented to help prevent any future occurrences.

As a precaution, we have deactivated all EDUCAUSE website profile passwords. We request that you create a new password [educause.edu] .

Please do not use your old password. You should create a new password that is 8 or more characters and is made up of a combination of:

        at least one uppercase letter,
        at least one lowercase letter,
        at least one digit, and
        at least one special character.

Please note that the password reset page may be slow to respond as many individuals try to access this page at once. Your old password has already been deactivated; therefore, it does not need to be changed immediately. We expect traffic to the page to decrease later today and tomorrow.

It is not necessary for InCommon account holders to update their institutional credentials because EDUCAUSE does not have access to, or store on any server, InCommon account information.

Please check the address in your browser before entering your password to be sure that you are on the EDUCAUSE website (http://www.educause.edu).

For more information about this incident, please visit the web page [educause.edu] about this breach or contact EDUCAUSE Member Services at info@educause.edu or +1-303-449-4430.

Thank you for your understanding and patience as we work to minimize the effects of the breach.

Sincerely,

EDUCAUSE

You are receiving this message because you have an EDUCAUSE website profile.

Copyright 2013 EDUCAUSE | 282 Century Place, Suite 5000, Louisville, CO 80027

Privacy Policy [educause.edu] | educause.edu [educause.edu]

Re:Worthless article (1)

gumpish (682245) | about a year and a half ago | (#42984309)

Thanks for that.

I thought one of the complaints about the e-mail was that the password reset link was to a third-party site... ?

My bank just did this (2)

neminem (561346) | about a year and a half ago | (#42967967)

A couple months ago I was informed, in an email that had absolutely every telltale sign of being a phish (other than misspellings, I suppose; it was written in proper English), that someone had probably stolen my card, and I should click on this link if I agreed, or this other one if I had made the charges. The links didn't go to the bank's site. I almost threw it away.

It was a legitimate email; my card had actually been stolen.

I emailed their phishing department with a copy of it, and a pointed "this looks like a phish. I know it's legitimate, but here are all the ways it looks like it isn't. Perhaps you should rethink this email you're sending out?" Their response: "this is not a phish". Yes, I know that. I SAID that. Apparently nobody in that department can think, or read? (Fun fact: this is coming from one of the "big four" banks, according to Wikipedia.)

Re:My bank just did this (0)

Anonymous Coward | about a year and a half ago | (#42984121)

No, they can't read. When I told Capital One that sending a test text from the website goes right through, but that I never get notifications and it had been set up the same way for over a year, they told me to try sending a test text. After I replied telling them to read the damn email, and that ONLY the test text goes through, and reworded it a few different ways, they replied and said they'd look into it... I still don't get text notifications. They're fucking idiots. Their entire website is filled with '90s-style technical foibles that even fresh idiots out of college should have been taught to avoid by now... and anyone with half a brain knew was the wrong way to do it even back then.

I got the email, warned colleagues (1)

yannn (1060336) | about a year and a half ago | (#42969003)

Got the email and was confused - it was very well written, actually was overly well written. Alarm bells started ringing. Then checked the actual links on the text for 'create a new password' and they pointed to educause.[some other domain name].net. All the graphics had tracking IDs in the URLs, which is odd for an alert email. Went to look at the educause website and no warnings of a security problem or need to reset passwords. My guess is their emailing service works great for newsletters, they need to show better links to their website. And put a message on the website confirming it.
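
The check described in the comment above (comparing where the links and graphics in a message actually point against the sender's domain), as an added example that is not part of the original thread. The HTML body and the host `educause.example.net` are constructed placeholders for the unnamed third-party domain, and treating any query string on an image URL as a tracking ID is a simplifying assumption.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class LinkCollector(HTMLParser):
    """Collect [kind, url, visible text] for every <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.found, self._open = [], None  # _open: <a> whose text is being read
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open = ["link", a["href"], ""]
            self.found.append(self._open)
        elif tag == "img" and a.get("src"):
            self.found.append(["image", a["src"], ""])
    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(from_header, html):
    """Flag off-domain URLs and images with a query string (assumed tracking ID)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for kind, url, text in parser.found:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are not web destinations
        if not on_domain(parts.hostname, domain):
            findings.append((kind, "off-domain", parts.hostname, text.strip()))
        if kind == "image" and parse_qs(parts.query):
            findings.append((kind, "tracking-query", parts.hostname, ""))
    return findings

# Constructed sample; educause.example.net stands in for the unnamed mailer host.
SAMPLE_FROM = "EDUCAUSE <educause@educause.edu>"
SAMPLE_HTML = """<a href="http://educause.example.net/r?id=abc123">create a new password</a>
<img src="http://educause.example.net/logo.png?uid=abc123">
<a href="mailto:info@educause.edu">Member Services</a> <a href="http://www.educause.edu/">educause.edu</a>"""
```

Run before sending, `audit(SAMPLE_FROM, SAMPLE_HTML)` reports the password-reset link and the logo as off-domain, while the link to `www.educause.edu` passes.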

Troubling? (1)

Nethemas the Great (909900) | about a year and a half ago | (#42970409)

What rock did you crawl out of? "Education-oriented organizations" rank among the most incompetent with respect to anything IT, and in particular security. They're staffed not by the best and brightest in the industry but rather those that couldn't hack it in the competitive real world. They're the dross that's left over after business and the DoD have had their fill of graduates.

Businesses should know better (0)

Anonymous Coward | about a year ago | (#42971377)

I went to change my TELUS PW a couple of yrs ago & the direct link on their home page to change PW's, screamed PHISHING ATTEMPT. So much so, that I did not use it. Calling Tech Support got a bored, verbal 'shrug' - indicating that's just the way it was, which was just as non-reassuring as the link to change it. Took 3 calls to get someone who cared & the deed was done over the phone, with a follow-up email response from TELUS verifying it. A 'good' security strategy from a telecommunications company: Let's warn everyone about phishing attempts, yet make our 'official' page to do so look just like a classic phishing attempt - smooth move, TELUS!
