Educause Security Discussion mailing list archives

Re: The Slate breakin


From: Jon Miner <000000c6eeb80cc9-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Fri, 8 Mar 2019 18:22:13 +0000

Unfortunately, odds are the person would use the same username and password for both accounts anyway.

jon
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mahmud Rahman 
<mrahman () MILLS EDU>
Sent: Friday, March 8, 2019 12:11
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] The Slate breakin

I'm assuming most folks in this group have read this morning's news. We received the alert from Slate yesterday that 
something had happened, but details were few.

https://www.insidehighered.com/admissions/article/2019/03/08/three-private-colleges-have-admissions-files-hacked

http://fortune.com/2019/03/08/college-applicant-ransomware-hack/

I've seen some blame directed at password reset systems. But it appears that the source of the breach was compromised 
accounts in admissions staff, gained through phishing. The more our colleges go to Single Sign On for everything, the 
greater the risk from compromised accounts. SSO provides convenience but escalates the risk. It would appear now that 
universal SSO has to be combined with universal multi-factor authentication systems. I wonder, though, about universal 
SSO since the keys now open way more doors into the kingdom.

Other than education about phishing, what are other schools doing today? I imagine that the attacks will get more 
targeted and more ingenious.

-Mahmud



Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu
