Educause Security Discussion mailing list archives

Re: The Slate breakin


From: Mahmud Rahman <mrahman () MILLS EDU>
Date: Fri, 8 Mar 2019 12:44:58 -0800

The Fortune article is the only one I've seen specifically mentioning
phishing. The mention of password-reset systems in other articles, and
Slate's message, also suggest the possibility of someone managing to get
through the password reset systems in other ways. I would assume the
implications for that are to review our password reset systems and evaluate
weaknesses there.

Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu


On Fri, Mar 8, 2019 at 10:34 AM Allan Chen <allanchen () muhlenberg edu> wrote:

The Fortune article is the only one that explicitly comments on phishing.
Were there others that cited phishing specifically?

Chief Information Officer
Muhlenberg College <http://www.muhlenberg.edu>
484-664-3464

Office of Information Technology Blog <http://it.blogs.muhlenberg.edu>
twitter: @kaiyen <https://twitter.com/kaiyen>




On Fri, Mar 8, 2019 at 1:11 PM Mahmud Rahman <mrahman () mills edu> wrote:

I'm assuming most folks in this group have read this morning's news. We
received the alert from Slate yesterday that something had happened, but
details were few.


https://www.insidehighered.com/admissions/article/2019/03/08/three-private-colleges-have-admissions-files-hacked

http://fortune.com/2019/03/08/college-applicant-ransomware-hack/

I've seen some blame directed at password reset systems. But it appears
that the source of the breach was compromised accounts in admissions staff,
gained through phishing. The more our colleges go to Single Sign On for
everything, the greater the risk from compromised accounts. SSO provides
convenience but escalates the risk. It would appear now that universal SSO
has to be combined with universal multi-factor authentication systems. I
wonder, though, about universal SSO since the keys now open way more doors
into the kingdom.

Other than education about phishing, what are other schools doing today?
I imagine that the attacks will get more targeted and more ingenious.

-Mahmud



Mahmud Rahman MFA '04
Director of Systems and Banner Services, ITS
Mills College, Oakland CA
(510)430-2257
mrahman () mills edu


