The administrators of 7,000 university websites are being required to change their .edu domain account passwords after a security breach ... one that was reported to them by Educause, the non-profit higher-education IT group that administers .edu, via an email that some complained bore the markings of a phishing attempt.
First the breach. From a statement issued yesterday by Garth Jordan, vice president of operations for Educause:
"On February 5th, EDUCAUSE discovered that the server that maintains the .edu domain information and our member profile information was breached. The breach may have compromised .edu domain passwords and information contained in individual EDUCAUSE website profiles, including names, titles, e-mail addresses, usernames, and passwords. Based on our investigation to date, we do not believe the breach included access to credit card data, financial accounts, or other sensitive information.
"EDUCAUSE took immediate steps to contain this breach and we are working with Federal law enforcement, investigators, and security experts to make sure this incident is properly addressed. Additional security measures have been implemented to help prevent any future occurrences.
"As a precaution, we are proceeding as though all individual EDUCAUSE website profiles and all .edu domain holders might have been impacted. We have notified via email all .edu domain holders and all individuals with website profiles about the breach and requested that they change their passwords. All that is required from those impacted by this breach is a password re-set."
More information from Educause and instructions for changing the passwords can be found here.
That initial Educause breach notification, however, had some treading carefully, as the fact that it included links to a third-party website made it "impossible to differentiate from a phishing e-mail," according to one member.
Another urging caution was Purdue computer science professor and security expert Gene Spafford, who in a listserv reply yesterday called the email "a reasonably good fake and some people are likely to fall for it."
Today Spafford expounded on his concern in an email exchange with me.
"Organizations should structure their email to reinforce avoidance of 'phishing' email," he said. "Thus, including clickable links and using links to unidentified third parties should be avoided, because these are standard in phishing email.
"The EDUCAUSE (password) reset message was especially egregious because it so resembled a standard phishing approach: 'Your password needs to be reset now! Click on the following!' where the embedded link went to a third-party site with 'educause' embedded in the URL along with a sequence of meaningless characters. Given what is known about phishing and user behavior, this was bad form. For an education-oriented organization to do this is particularly troubling."
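As an added illustration of the point Spafford makes (this is not code from the article, from EDUCAUSE, or from any real mailer), here is a small pre-send check an organization could run over the text of a notification: it flags links that leave the organization's own domains, a brand name appearing in a URL on some other host, and long opaque tokens in the path. The sample message, the third-party hostname and the token are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape the article describes: urgent reset wording and a
# link to a third-party host with the brand name plus a random-looking token in the path.
SAMPLE_BODY = """Your .edu domain password needs to be reset now.
Click on the following: https://mailer-example.net/educause/reset/x7Qp9zL2mKv4Rt8W
Questions? See https://www.educause.edu/security
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_RE = re.compile(r"[A-Za-z0-9]{12,}")   # a path segment of 12+ alphanumerics


def check_notification(body, org_domains, brand):
    """Return (url, reason) findings for links in an outgoing notification that
    share the traits of a phishing message: off-domain hosts, brand-in-URL on a
    non-brand host, and opaque tokens in the path."""
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        in_org = any(host == d or host.endswith("." + d) for d in org_domains)
        if not in_org:
            findings.append((url, "link leaves the organization's domains: " + host))
            if brand.lower() in url.lower():
                findings.append((url, "brand name appears in a URL on a non-brand host"))
        if any(TOKEN_RE.fullmatch(seg) for seg in parsed.path.split("/")):
            findings.append((url, "opaque token in path; reads like a one-time link"))
    return findings


if __name__ == "__main__":
    for url, reason in check_notification(SAMPLE_BODY, ["educause.edu"], "educause"):
        print(f"{reason}\n    {url}")
```

A clean result is a message whose links all stay on the sender's own domains and carry no opaque tokens, which is what the recipients' own phishing training tells them to look for.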
In response, a spokesman for the group tells me: "EDUCAUSE understands their member concerns about phishing, and responded to alleviate their concerns."
By "responded" he means they assured those who expressed concern that the email was legitimate.
Hopefully, there won't be a need to do so next time around, if, unfortunately, there is a next time.