[Apologies for cross-posting, and to those who may be on JISC-SHIBBOLETH / MIDDLEWARE and ATHENS lists; you'll have seen Lyn Norris' post to the latter already. And to any Catholics who don't get the joke]
This incident demonstrates that publishing access passwords, or the means to derive them from other public information, err, isn't very clever. Duh!
But I suspect it may be a widespread practice by libraries for defining at least initial Athens usernames/passwords. I know of libraries that base allocated Athens passwords on the 4-digit PIN used to access personal user information in proprietary library management systems. Whilst not fully 'public', such PINs are often readable (not just reset-able) by any library staff with admin access to such library management systems, and so they breach the rule of being known by only one human user.
I wonder if Eduserv has collected any statistics on what proportion of its 3 million individual Athens users ever change the initial Athens password they're given, and how often. (Feel free to reply off-list, Lyn...)
It may also serve as another evidential argument for devolved authentication (using either AthensDA or Shibboleth/SAML as the underpinning technology), *if* the assumption can be made that users and institutions will apply greater security to their 'important' passwords for institutional network access (and an increasing number of other resources) - as opposed to their yet-another-access-password to get at some e-resources.
I don't have any clear evidence for these assumptions about end-user security attitudes/behaviour; I'm just guessing. Can anyone point me to some? The only study I can think of was done in NL a few years ago, and showed that if you enable a smartcard to buy *beer* (instead of just boring stuff like photocopying and network access), students look after it *really* carefully ;->
From: Eduserv Athens Service Desk [mailto:[log in to unmask]]
Sent: Fri 22/04/2005 10:41
To: [log in to unmask]
Subject: [ATHENS] Security: Constant Vigilance needed
There have been two serious incidents of Athens account abuse recently. In the first incident, an institution had a simple password policy which was publicly available on the web. Unscrupulous individuals used this to locate Athens accounts which they subsequently used to access resources licensed by that organisation. Several accounts from this institution were used worldwide to access a number of resources. This abuse came to light thanks to the vigilance of one of the resource hosts, who identified peculiar patterns of usage from China in particular. Athens has now taken action to disable all compromised accounts and has asked the institution to reset passwords on all their Athens accounts.
In the other incident, an Athens account was used to download a substantial number of pages from an Athens protected resource. This was detected by the resource host as excessive usage and the institution’s subscription immediately suspended. The individual account owner has been identified and the institution is investigating what disciplinary action is appropriate.
These incidents emphasise the need for constant vigilance in preventing abuse of licensed resources. Athens continues to monitor unusual usage patterns, and will enhance its monitoring of international usage. However, incidents cannot always be detected by Athens alone. Resource owners should ensure that they have processes in place to detect excessive or unusual usage; organisations should ensure that their Athens enabled accounts are not easily compromised, that accounts are deleted promptly when individuals leave and that disciplinary procedures are in place.
Organisations should also be aware that detection of suspect activity may result in accounts being automatically disabled. There are also likely to be incidents when Eduserv Athens will expect the organisation to act promptly on our advice.
The Athens terms and conditions for organisations are currently under review and will be re-issued shortly. In line with this, Athens will also be issuing guidelines for the secure management of usernames and passwords. These will apply to any Athens-enabled accounts i.e. both usernames held in classic Athens, and local usernames used in any devolved authentication mode, whether using AthensDA, Shibboleth or SAML protocols.
[log in to unmask] <mailto:[log in to unmask]>
tel: +44 (0)1225 474347
fax: +44 (0)1225 474332
Eduserv Athens is a service of Eduserv Technologies Ltd
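The two abuse patterns in the forwarded notice (one account used from several countries in a short period, and one account pulling an excessive number of pages) are exactly the kind of thing a resource host can flag with a simple sliding-window check over its own access logs. The following is an added illustration, not code from the poster, from Eduserv or from any Athens component; the log line format (ISO timestamp, account, ISO country code, pages served), the thresholds and the account names are all constructed for the example.

```python
"""Sliding-window checks for the two Athens abuse patterns described in the
Eduserv notice: an account seen from too many countries, and an account
downloading too many pages.  Illustrative code; the log format, thresholds
and sample data are assumptions, not Eduserv's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log.  Hypothetical format per line:
#   <ISO timestamp> <account> <ISO country code> <pages served>
SAMPLE_LOG = """\
2005-04-20T08:01:12 lib0123 GB 3
2005-04-20T08:07:45 lib0123 CN 41
2005-04-20T09:15:02 lib0123 US 17
2005-04-20T09:40:30 lib0123 BR 22
2005-04-20T10:02:11 lib0456 GB 5
2005-04-20T10:03:00 lib0789 GB 250
2005-04-20T10:03:30 lib0789 GB 300
2005-04-20T10:04:10 lib0789 GB 275
2005-04-21T11:00:00 lib0456 FR 4
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, country, pages) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, country, pages = line.split()
        events.append((datetime.fromisoformat(ts), account, country, int(pages)))
    return events


def multi_country_accounts(events, window=timedelta(hours=24), max_countries=2):
    """Return {account: sorted countries} for accounts seen from more than
    max_countries distinct countries inside any window-long period.
    Window and threshold are assumed values for the example."""
    by_account = defaultdict(list)
    for ts, account, country, _ in events:
        by_account[account].append((ts, country))
    flagged = {}
    for account, seen in by_account.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Countries observed in the window opening at this event.
            countries = {c for ts, c in seen[i:] if ts - start <= window}
            if len(countries) > max_countries:
                flagged[account] = sorted(countries)
                break
    return flagged


def excessive_download_accounts(events, window=timedelta(hours=1), max_pages=500):
    """Return {account: pages} for accounts whose page total inside any
    window-long period exceeds max_pages (assumed threshold)."""
    by_account = defaultdict(list)
    for ts, account, _, pages in events:
        by_account[account].append((ts, pages))
    flagged = {}
    for account, seen in by_account.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            total = sum(p for ts, p in seen[i:] if ts - start <= window)
            if total > max_pages:
                flagged[account] = total
                break
    return flagged


def suspect_accounts(text):
    """Combine both checks into one report suitable for passing to the institution."""
    events = parse_log(text)
    return {
        "multi_country": multi_country_accounts(events),
        "excessive_download": excessive_download_accounts(events),
    }


if __name__ == "__main__":
    for kind, accounts in suspect_accounts(SAMPLE_LOG).items():
        print(kind, accounts)
```

Both checks are deliberately per-account and per-window, so that a legitimate user travelling once, or a single large but reasonable download, does not trip them; the thresholds are where a real resource host would tune against its own baseline, and the output is a candidate list for the organisation to verify rather than an automatic disablement.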