CETIS: the centre for educational technology interoperability standards


Athens under attack

The security of the UK's de facto education standard for federated web access, Athens, is the target of a scam. A bogus email that purports to come from Athens administrators tries to fool users into submitting usernames and passwords.

Because the key feature of Athens is secure single-username access to multiple web-based, access-controlled services, the loss of usernames and passwords from several institutions is potentially quite serious. So far, the bogus email has been reported from Cambridge and Southampton.

The email tries to wheedle usernames and passwords out of unsuspecting users by purporting to check "for any unauthorized activities" picked up by "heuristic analysis". It also claims that "Before we freeze access to any accounts, we will need to verify our heuristic analysis with a more detailed verification" via the users' usernames and passwords. For good measure, the email requires users not to send "E-MAIL/UNIX/FTP PASSWORDS", just Athens ones.

The Athens service suspects that the email is part of a systematic attempt to compromise the security of the system. Users are requested not to reply to the email, and to warn their local Athens administrators if they receive it.

This particular attempted fraud highlights one of the inherent weaknesses of 'single sign-on' web security services: human psychology. The technical integrity of such services may be virtually uncrackable, but that's not enough if you can get the 'key to everything' with a bit of social engineering.


copyright cetis.ac.uk
Creative Commons License This work is licensed under a Creative Commons License.
