Athens under attack
Wilbert Kraan, CETIS staff
January 21, 2003

The security of the UK's de facto education standard for federated web access, Athens, is the target of a scam. A bogus email that purports to come from Athens administrators tries to fool users into submitting usernames and passwords.

Because the key feature of Athens is secure, single-username access to multiple access-controlled web services, the loss of usernames and passwords from several institutions is potentially quite serious. So far, the bogus email has been reported from Cambridge and Southampton.

The email tries to wheedle usernames and passwords out of unsuspecting users by purporting to check "for any unauthorized activities" picked up by "heuristic analysis". It also claims that "Before we freeze access to any accounts, we will need to verify our heuristic analysis with a more detailed verification" using the users' usernames and passwords. For good measure, the email instructs users not to send "E-MAIL/UNIX/FTP PASSWORDS", just Athens ones.

The Athens service suspects that the email is part of a systematic attempt to compromise the security of the system. Users are requested not to reply to the email and to warn their local Athens administrators if they receive it.

This particular attempted fraud highlights one of the inherent weaknesses of 'single sign-on' web security services: human psychology. The technical integrity of such services may be virtually uncrackable, but that's not enough if you can get the 'key to everything' with a bit of social engineering.