Re: EDUCAUSE Statement on Server Breach

[Michael Sinatra <michael () RANCID BERKELEY EDU>]

On 2/19/13 11:50 AM, Kevin Halgren wrote:
> It's worth noting that this e-mail was literally impossible to
> differentiate from a phishing e-mail as sent via the e-mail marketer, to
> my eyes it looked more like phishing than not.  Confirmation via
> alternate channels was required to confirm its authenticity.

<rant>
This should be a lesson to all of us, since EDUCAUSE is definitely not
alone here: We all do regular, legitimate business in ways that is
sometimes indistinguishable from phishing, at least to regular users.
That needs to stop.  Email marketers and analytics junkies will not like
to hear this, but we need to put an end to embedded email links that are
redirected through other systems.  IMO, we should put an end to *all*
legitimate links in emails; instead have a business portal with all of
the links to surveys, training sites, etc., and have notification emails
for when new things appear on the portal.  In addition, we could modify
our SSO sites so that they alert users when they need to take care of
something that we would normally use email for which to notify the user.
 Once that's done, we can assure users that we will NEVER ask them to
click on a link in an email, just like we currently remind them that we
never ask them for passwords.

If that is "too hard" and/or the analytics stuff is "too valuable" then
we need to simply accept the risk that our users will get caught in
phishing attacks.  The bad guys have figured out that it is very easy to
mimic our business practices, and they have gotten very good at doing
it.  Unless we change those practices, they will find us to be easy
pickings.
</rant>

Again, if this sounds like picking on EDUCAUSE, it's not.  We, as a
community, all do these things.  We need to change our own conventional
wisdom.

michael