by 0b0001 2375 days ago
The university website mentions student ID cards with chip. Is that not sufficient to provide strong authentication towards a self-service portal for password reset?

We have no real information on the systems targeted or the vector(s), so it’s possible that JLU is currently carefully running a black start scenario. It is possible that even if the ID cards or something else could be used as a factor, which we don’t know, the systems or certificates vouching for the student ID cards are now considered not trusted. This now seems like a painful but responsible way to hand out new credentials.

While a lot more information would be interesting, I gather the sysadmins involved have to prioritize as they are right now. I hope that there will be an interesting post mortem, though.

> The university website mentions student ID cards with chip. Is that not sufficient to provide strong authentication towards a self-service portal for password reset?

In theory it should be sufficient. In practice there is very little awareness of the capabilities of these smartcards and that they could, in theory, be used as a 2FA token. These cards are mostly used for physical access control, library pass and cafeteria payment.

There's a lot left to be desired in most (German) university networks. Yes, there is usually some sort of RADIUS and 802.1X infrastructure in place, but it's only used for WiFi login and eduroam, not for machines plugged into wall sockets. Yes, there usually is some sort of Active Directory and/or Kerberos infrastructure in place (yes, I am aware that AD is essentially LDAP + Kerberos), but it's often used only for the student computer pools, not for office workstations.

There seems to be zero awareness that if you have AD and/or Kerberos authentication working in place (one can only dream of it being coupled to the student / staff smartcards), you can use GSSAPI for web single sign-on, which would instantly neuter any attempts at phishing.

Also, you will still often find the preconception that there is such a thing as a "secure network" and an "insecure, hostile" internet. The notion of lateral movement and of treating every network segment as insecure, no matter where or how it's managed in your org, is more or less nonexistent.

> There's a lot left to be desired in most (German) university networks. Yes, there is usually some sort of RADIUS and 802.1X infrastructure in place, but it's only used for WiFi login and eduroam, not for machines plugged into wall sockets.

When I was a student and later a staff member at the Technical University of Kaiserslautern, the eduroam authentication infrastructure (802.1X) was also used to authenticate at the ethernet ports in the walls of public rooms.

Does this let you neuter phishing? I'm not certain of all the moving parts but it's not obvious to me that it defeats proxy attacks of a sort now available out of the box to bad guys and effective against things like TOTP.