
Oxford Temporarily Blocks Google Docs - danielwozniak
http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
======
mcherm
They're attacking the wrong part of the problem.

If misleading messages ("phishing") are leading their users to enter
credentials onto forms which are then used to send out spam, then the solution
is not to block access to one of the sites that supports forms. There are an
unlimited number of sites that support forms. There are LOTS of better ways to
solve this problem. Here are a few:

* Train your users where it is and isn't safe to enter credentials.

* Don't give your users credentials. Have some alternate way to authenticate them like a login token.

* Put rate limiting on the ability of a single account to send out emails.

Blocking the site for just a few hours as an emergency response to a short-
term attack is a much more reasonable approach. Sometimes, to react quickly,
you need to take measures that are not the best possible choice. But there
were better approaches, and the security team should take measures to ensure
that they can react more effectively next time. For instance, in this case, a
single mass-email or email "virus" had gone out and was tempting a large
number of users to give out their credentials. Instead of blocking the site
that was collecting the credentials, a better solution would have been to
remove the email from the mailboxes of all the students. After all, the email
system is provided by the university, and this cuts off the problem at the
root. They should institute the necessary technology to support doing this
next time they have a phishing problem... perhaps they can even do this
proactively: set up some honeypot accounts not receiving any legitimate emails
and automatically destroy any emails matching the signature of emails received
by these honeypot accounts (with manual review afterward to correct for false
positives).

~~~
alan_cx
Oooooooooooooooo rant coming on.............

I'm sorry, but that is the typical tech reply that blows normal people's minds.
Blame the user. Well, the user says, sod that, let's just block the problem and
get on with what we wanted to do in the first place.

People, normal non tech people, want to use computers as a tool, not become
experts in thwarting criminals, etc. If a user can't just go to a computer and
simply use it, like say a library or book, then the computer and its champions
are failing. It's not the user's job to provide security. And no, it's not like
locking a door. The sheer amount of rubbish poor users have to go through to
be safe on a computer is frankly a joke, and the reason so many non geeks love
Apple. Yes geeks know Apple are as insecure as anyone else, but users
_believe_ they are simple and safe.

(At this point, by all means picture a toddler going mental in a shop)

I've been in this business for 30 years, and "train the users" is for me a 30
year mantra that no one outside of geekdom wants to hear. It was my job to
enable them to do their job more efficiently, not expect them to become some
sort of security expert.

This Uni is doing the simple easy thing to let its users function safely. If
the IT world doesn't like it, then 1: tough, 2: damn well fix it, and 3: stop
blaming users.

Then, you tell them to limit emails. "Oh right" says the user, "I thought one
point of email was easy mass mailing, and now you want to block it?"

Really think about the user. It's they who make computers and the internet
worth bothering with.

I feel better now. Thank you.

~~~
subway
I'd like to use my car like a tool. Why do manufacturers make them so
difficult to safely operate, I shouldn't require any additional training to
operate it, I should be able to just hop in at location A and hop out at
location B.

Regardless of what some folks in the "User Friendly" movement would like to
think, most tools require basic instruction in order to be safely used. We
can't code away all individual responsibility.

~~~
bonaldi
Spotting a phishing form only seems like "basic instruction" to you because
you're highly computer-literate. It's not; it involves understanding at least
some of DNS and the difference between hosts, domains and TLDs, URLs, HTTPS,
and not to mention certificates and their validity.

In your analogy, it's like saying "people shouldn't be allowed to use cars
unless they can verify the hydraulic pressure in the master brake cylinder"

Which is wrong: manufacturers should (and did) install brakes warning lights.
And we need to come up with better warnings for users. Blaming them for these
sorts of problems is unacceptable.

~~~
thomaslangston
How to spot a phishing form:

1) Did you click a link from an email?
2) Does the page it redirects you to ask for your login info?

You may have received a phishing email. Are either true?

1) You expected this email because you were notified about it from another
source e.g. website, support staff.
2) If you login to the website not via the suspicious link, the linked web
page does not ask for your login.

If you answered yes, you probably don't have a phishing email.

~~~
bonaldi
"Login to the website not via the suspicious link" requires understanding what
URLs are, how to isolate which part is "the website", how to edit them and how
to enter them. The amount of people Googling for "log into Facebook" proves
none of this is a given.

"You expected this email" is also not a hard test to pass in either academia
or corporate settings, where users are generally besieged by unsolicited
instructions to "Go here, do this, hurry up about it".

~~~
mgkimsal
Not huge blame, but browser makers are making it harder to understand what's
going on and how to use the web - obfuscating the URL - taking off parts of
it, sometimes hiding the entire URL bar altogether.

Similarly, 'cookies' are 'scary' - there's _no_ visual indication in a browser
of what's going on with cookies, what they are, what they hold - you have to
dig deep in 'preferences' then 'advanced' or 'security'. Instead of easier to
use tools, we get legislation around cookies. WTF?

Don't get me started on certificates...

------
EwanToo
It's the perfect example of why security teams are often considered to be the
least friendly, least approachable part of an already unapproachable
department (IT).

Their reasoning seems to be "Google Docs causes us (the security team) hassle,
we don't use Google Docs, so we'll shut it down".

They might as well have shut down the whole of the Internet, for all their
nonsensical reasoning, except they'd have been affected themselves then..

~~~
anonymouz
No, their reasoning is that the continuous phishing attacks caused
unacceptable trouble with their email system (e.g., Hotmail dropping all
emails coming from Oxford). Due to extensive international collaborations,
keeping a university's email system running is probably one of the most
important tasks of the IT team. Google Docs is nice and useful, but nowhere
near as important. Given that they, practically speaking, had no alternative
way of dealing with the phishing attacks effectively, they made the right
choice in temporarily suspending Google Docs access.

~~~
betterunix
"no alternative way of dealing with the phishing attacks effectively"

How about not using passwords? All students, staff, and faculty should have ID
cards; start issuing smartcards, and start using cryptographic techniques to
authenticate users. Also, digitally sign all official mail, and instruct the
users to check those signatures.

These are not insurmountable problems. The real issue is that the IT team is
not willing to push for a real solution, and instead went for a bandaid on a
broken leg.

~~~
pfortuny
Your solutions do not take into account the main problem with the security
department: budget. There is a huge budgetary crisis in ALL European
universities at this moment, including Oxford and Cambridge.

I bet if they ask for the resources to implement all those solutions, they
will be told: find something at zero cost, I repeat zero-cost. Roger that?

Not that I agree blocking google docs is reasonable, just pointing out the
problems with your suggestions.

~~~
huhsamovar
> Your solutions do not take into account the main problem with the security
> department: budget. There is a huge budgetary crisis in ALL European
> universities at this moment, including Oxford and Cambridge.

False.

------
zerovox
Misleading headline. They blocked it for a few hours until n people
complained. There was more legitimate use than expected, so they unblocked it
again.

~~~
bane
The real question is, as IT professionals, why would there be more use than
expected? Would you expect the premier free cloud competitor to Office to be
heavily used?

It's as misguided as most of the IT departments I've had to deal with blocking
browsers other than IE because they are "insecure". No, the other browsers are
not insecure, they just haven't bothered getting up to speed on the security
profile of those browsers and confuse getting regular security bulletins about
IE to be the same as being "secure".

~~~
pwthornton
Yes, they should have known better. Google Docs is used a lot at universities
because of its collaborative abilities. If you need to work with several
people putting a report together, Google Docs is a great way to get started.
We often eventually take it out of Docs into a desktop program to finish it
off, but Google Docs is one of the best ways to collaborate.

How the IT department didn't know what its students, faculty and staff were
doing is kind of hard to believe. For students and teachers in particular,
Google Docs is a big deal. It's not just because it's a cloud version of
Office, but rather that it has things that Office can't do that are especially
important in a university setting.

~~~
jacques_chester
> _Yes, they should have known better._

As they point out, connections to Google Docs are encrypted. There's no way
for them to tell what is and isn't legitimate traffic.

~~~
pwthornton
There are multiple ways to know what your users are doing, and there is more
than just monitoring traffic. They can do surveys and qualitative studies, and
they would have then known how widely used Google Docs was.

Lack of knowledge is not an excuse.

------
cypherdog
I currently work for the web communications part of a small-to-medium size
university. We have around 2000 employees and 8000 students. We embrace all
google products on campus. We actually use gmail for our primary email system.
We use google forms to collect data throughout our website (not perfect by a
long shot, but makes data collection approachable and accessible to end
users). We would never shut down google forms. We simply couldn't. We regulate
mass email by only allowing a select few individuals to email to all users. We
have literally a dozen or so users on campus that can send an email to all
users, and most are in the communications department or IT. All this talk of
authentication systems, and teaching users not to get caught by phishing,
sounds like "ideal world" solutions. Our solution is simple. If you want to
send out an email to everyone, send it to a central authority that can approve
the sending. It is easier to make sure a dozen people have the skill to send a
mass email appropriately and avoid phishing attempts, than it is ten thousand.
Also, it has the added advantage to allow us to consolidate less urgent emails
into a single newsletter once a week, keeping faculty/staff and students email
boxes free of non-urgent notifications. I'm not pretending we have a perfect
solution, but it seems like we'd never get approval to stop using google docs
in a situation like this. I'm actually rather impressed by Oxford's ability to
react and then write a long and thorough explanation of their actions.

~~~
DangerousPie
> Our solution is simple. If you want to send out an email to everyone, send
> it to a central authority that can approve the sending.

It sounds like all you are doing is regulating access to some sort of
all@university mailing list. How does this solve the much bigger problem of
spammers using compromised accounts to spam Gmail/Hotmail addresses, which
then end up getting the university blocked? And even ignoring that how does it
prevent people from just looping through a list of your university's email
addresses and sending them one at a time?

~~~
cypherdog
You are mostly correct. We are primarily regulating access to an all@university
mailing list, but we also have restrictions that prevent mass emails being
sent via gmail (though I'm not the authority on this). You are correct,
nothing prevents a compromised account, that I know of, from sending out
emails one at a time to a list of users, though we do have control over all
email accounts and can disable a compromised account. If the traffic is
internal we have other ways of preventing it. I'm not saying our solution is
an absolute substitute for all combinations of possibilities. Just that if we
were to be blocked we'd have to deal with it in some other way than to disable
google forms. We just couldn't get away with it, and according to some of the
comments, Oxford couldn't get away with it very long either.

------
blisterpeanuts
Summary of the blog posting: Google Docs forms are being used in phishing
attacks against stupid users. We closed down Google Docs. It didn't work and
we had to open it up again after 2.5 hours.

Unfortunately, there are no easy solutions to so-called phishing attacks other
than educating users. I would recommend that the IT dept. dedicate its
considerable resources and creativity to that end, and try to minimize use of
the shotgun approach in the future!

~~~
marios
This.

The only effective solution is to educate users, but that in itself is a
difficult task.

Phishing attacks rely on users being gullible / distracted / ignorant. Telling
users _not_ to be any of these usually results in angry answers such as "Are
you implying I am stupid !?", and the important part of the dialogue where you
explain things to be wary of is completely ignored.

Another way to communicate these things is to _phish your own users_. Email
them a fishy message ultimately asking them their password for instance, the
same way an attacker would. Of course, some phishing emails / sites look
incredibly legit but in my experience most have noticeable deficiencies. If
your users can spot at least those, then they can protect against a good
number of attacks. Once the victim falls for the trap, redirect them to a page
explaining how they were tricked, and showing what they need to pay attention
to.

You even get their passwords, so that you can do some analysis and see how
many will change it following the 'incident'.

~~~
blisterpeanuts
"phish your own users"

Now that's the best idea I've heard all morning. You should be running
Oxford's IT dept!

~~~
jacques_chester
I disagree.

At best the users who don't care will continue not to care. At worst it will
train users to think "oh, it's another drill, ho hum".

Somewhere in the middle is some deeply embarrassed Deputy Vice Chancellor who
decides to make those horrid computer people his personal enemies.

~~~
raldi
_> At worst it will train users to think "oh, it's another drill, ho hum"._

How is that a bad outcome? Whether they think it's phishing or a drill, the
important thing is that they don't enter their credentials.

~~~
marios
It's bad if users are trained to only recognize _your_ phishing attempts :-)

I'm not sure I understand which users jacques_chester is talking about. There
are users that can recognize phishing, and they are entitled not to care about
your teaching. And then there are those that can't recognize phishing - or
perhaps don't even know about it - but I'm pretty sure any user would start
caring when they find out someone else can gain access to their
email/bank/facebook/whatever online service they use if they aren't careful.

To avoid training users into thinking it's another drill, perhaps it's a good
idea to 'attack' them at random intervals, and wait a few months before
repeating (thus giving you enough time to prepare the new attack; giving the
users enough time to forget about the threat, and to account for new
arrivals).

I'd rather be embarrassed by the local BOFH, rather than be a real victim

------
doppel
I feel for them. I attend an IT-focused university that has both hardcore
techies (computer science and such) but also a lot of non-techies
(communication, UI design, etc.)

We frequently (at least once per month) get a phishing e-mail asking us to
reply or click a link and provide our credentials. For anyone who has attended
the university more than 6 months, there will have been at _least_ 3 e-mails
from the IT-department telling people to not ever, in any way, give out
credentials. Yet, for every phishing mail we get at least 3-4 accounts get
compromised (out of ~1500), and more would get compromised if the IT
department weren't quick to block traffic to the offending URLs. And again,
this is in a crowd that should be somewhat unfavourable to scammers (as most
of us know and can recognise such attempts).

You can try to educate your users, and you should, but just know that it only
minimizes the risk, it will never, ever nullify it and if they can send 1
million e-mails from just 1 account, then it is practically a dead-end in
terms of stopping the scammers. I can completely understand why they are
blocking Google Docs, it's a matter of settling for the "lesser evil"
solution.

~~~
tmcdonald
I've had 4 emails in the past month providing information about the phishing
emails from my department, JCR and IT services, and despite that a number of
accounts still got compromised.

Couldn't agree more about education never actually fixing the problem.

------
bat99
I wonder how many of the keyboard warriors in this thread have any experience
of running very large and incredibly diverse networks like Oxford
University's.

The guys handling security for Oxford are highly experienced and capable.
Oxford's network is far more complicated than a typical University.

~~~
deelowe
Yet they apparently have not implemented 2-factor authentication or rate
limiting for students' email accounts...

As others have pointed out, there are a few very simple ways to deal with this
sort of thing. Rate limiting alone would likely take care of the problem. This
is probably a simple config update on the smtp server.

~~~
bat99
Catering for such a large and varied set of users requires difficult
evaluation of risks and benefits to the majority.

The underlying problem in this situation was that Google were so slow to
respond to reports of malicious content.

The brief block on Google Docs has served as an excellent way to get attention
and highlight a number of things that need consideration.

~~~
deelowe
Google was picked on b/c it was an easy target. I'm sure there are plenty of
other phishing sites out there that don't use Google, yet those weren't
blocked. This is a seriously boneheaded way to go about things. Unless you are
just going for media attention.

------
fixed_input
"We have to ask why Google, with the far greater resources available to them,
cannot respond better. Indeed much, if not all, of the process could be
entirely automated."

The problem lies with the people on the Internet though. I doubt the whole
thing could be automated because of the simple fact that there are people out
there who, just to troll, would and probably already zip through plenty of
legitimate public Google docs and click the "report abuse" link at the bottom
of each page.

The result is most likely an overwhelming amount of reported "abuse" pages are
most likely legitimate, which is why actual malware docs don't get dealt with
in a timely manner. It's like when people prank call 911, which could lead to
actual emergencies not being responded to immediately.

~~~
etherealG
I think a reasonable solution here would be to only automate reported abuse
with a registered account, and only automate a certain number per account per
time. it wouldn't be insurmountable to abuse, but you push the barrier for
abuse over the average troll's willingness.

not a perfect solution, but would help cover a sizeable volume of this kind of
phishing attacks.

------
Major_Grooves
My comment on their page:

So if the real problem stems from the Oxford mail accounts being hacked and
then used to propagate the phishing attacks, why not concentrate on that?

You should use 2-step authentication for the email accounts, so that randoms
in some other part of the world can't just hack in to an email account and use
it.

I was at SBS, and we were on Microsoft Exchange servers for email I think.
Unfortunately, afaik Microsoft doesn't offer 2-step authentication. Instead of
blocking Google Docs, you should be moving all email systems to Google Apps so
you can use their better security. We just did it at my company for a few
thousand users and several domains - I think you could do it too.

------
mpunaskar
Maybe I'm wrong but why not set LIMIT of only X no. of mails can be
Sent/Minute via user account.

Find out how many emails people usually send per minute/hour and just DENY
relaying anything else over that limit. That way it'll be less profitable for
spammers to acquire user account details if he/she can only send X mails every
minute.

------
Unosolo
Why not enforce a velocity restriction on outgoing e-mails instead and put
spam filters on outgoing e-mail then bounce offending mail back to sender?

Spammers are phishing for ox.ac.uk accounts because they're easy to exploit,
right? Just raise the bar.
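The per-account send limit suggested in the two comments above, as an added example that is not part of the original thread or of any mail server's own code. It goes slightly beyond the comments by counting recipients instead of messages and by holding an account for manual review after repeated rejections; the class name, thresholds and sample events are all assumptions.

```python
from collections import defaultdict, deque


class OutboundLimiter:
    """Sliding-window limit on recipients per authenticated account (hypothetical)."""

    def __init__(self, max_recipients=100, window_seconds=3600, strikes_to_hold=3):
        self.max_recipients = max_recipients
        self.window_seconds = window_seconds
        self.strikes_to_hold = strikes_to_hold
        self._events = defaultdict(deque)   # account -> deque of (timestamp, recipients)
        self._totals = defaultdict(int)     # account -> recipients inside the window
        self._strikes = defaultdict(int)    # account -> rejections since last release
        self._held = set()                  # accounts suspended pending manual review

    def check(self, account, recipient_count, now):
        """Return "accept", "reject" (over limit) or "hold" (account suspended)."""
        if account in self._held:
            return "hold"

        # Drop events that have aged out of the window.
        window = self._events[account]
        while window and window[0][0] <= now - self.window_seconds:
            _, expired = window.popleft()
            self._totals[account] -= expired

        if self._totals[account] + recipient_count > self.max_recipients:
            # A rejected message does not consume quota, but repeated attempts
            # over the limit are themselves a signal of a compromised account.
            self._strikes[account] += 1
            if self._strikes[account] >= self.strikes_to_hold:
                self._held.add(account)
                return "hold"
            return "reject"

        window.append((now, recipient_count))
        self._totals[account] += recipient_count
        return "accept"

    def release(self, account):
        """Called by an administrator after the account's password is reset."""
        self._held.discard(account)
        self._strikes[account] = 0


def simulate():
    """Replay constructed sample traffic: (account, recipients, seconds since start)."""
    events = [
        ("alice", 2, 0),      # ordinary user, a couple of recipients
        ("mallory", 40, 0),   # phished account relaying bulk mail
        ("mallory", 40, 10),
        ("mallory", 40, 20),
        ("alice", 2, 25),
        ("mallory", 40, 30),
        ("mallory", 40, 40),
        ("mallory", 40, 50),
    ]
    limiter = OutboundLimiter()
    return [(acct, limiter.check(acct, n, t)) for acct, n, t in events]


if __name__ == "__main__":
    for account, action in simulate():
        print(f"{account:8s} {action}")
```

The limit is keyed on the authenticated account, so one phished credential is capped without affecting other senders.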

------
praptak
If a fixed login/password pair is enough for someone from external network to
send mass e-mail via your network, you have a problem.

Obviously I know little about their network so I'm probably already sounding
arrogant but there are some solutions that (generally) have better
inconvenience/security ratio than just plain login&pass. Especially if you
account for the inconvenience of getting the whole site blacklisted. My site
uses one-time, limited-time passwords to authorize external connections but
the users are tech savvy so I'm not sure if it works in general settings.

------
michaelfeathers
Sometimes I wonder what the world would be like if it were illegal for
institutions to block sites. It shouldn't be too hard to imagine. No one can
block postal mail or telephone calls (except as a user). And, the FCC has
banned wireless jamming. In spite of those guarantees of service we manage to
survive and, on the whole, protect ourselves from fraudsters.

I think it is too late now to guarantee service through legislation, but the
upsides do outweigh the downsides.

------
jamesjguthrie
On another note, my University (uws.ac.uk) started blocking HN this week.

I bet it's probably just because of the illicit connotations of the 'Hacker'
word.

------
meaty
When did OUCS suddenly become a bunch of muppets. They had some credibility
once that appears to have gone out of the window.

------
sebastianmarr
"In the absence of effective monitoring, it can be easy for over a million
messages to be sent out before someone happened to notice."

Just wanted to point out this specific detail. They seem to be attacking the
wrong problem, as many others already noted.

------
davidf18
User education is not the way to solve these sorts of problems. The proper way
to solve the problem is through automation -- use of a "forcing function." An
example of a forcing function is not allowing an automobile driver to shift
into reverse until they have their foot on the brake pedal. This is a far
superior solution to educating drivers to not shift into reverse until they
have their foot on the brake pedal.

Google needs to implement a forcing function with Google docs so that their
software is not misused on the Internet. No amount of user education will fix
the problem -- only some sort of forcing function will fix it.

~~~
Achshar
Can you give an example of how it would work? (online for forms, not
offline/IRL)

~~~
davidf18
I haven't thought about it at all as to how Google would fix their problem.
Still, they've introduced a component into the Internet ecosystem that has
been found to be abusable and they are accountable to install the forcing
functions to prevent that abuse. To depend upon user education is simply
irresponsible.

The idea of forcing functions is well known in organizational/system theory.

Another way to think about this is the recent notices that Java (and at other
times Adobe Flash) has recently introduced a security flaw where people using
their computer can have it hacked into (Apple suggests removing Java unless
you really need it).

Just as we would expect Java/Oracle and Adobe/Flash to fix their security
flaws so should Google fix theirs.

~~~
cbr
This is a very different sort of security flaw than with Java and Flash.
Google Forms was allowing users to create forms asking for information and
then send links to other people asking them to fill them out. Which is exactly
the intent of the program.

When you ask for a "forcing function" you're requesting a way to let people
create forms asking for information in general but not letting them ask for
information that people aren't allowed to give out. This may be possible, but
it is at least very difficult.

------
raesene2
This kind of black-listing of specific domains is, unfortunately, just a game
of whack-a-mole that's very hard for defenders to win.

If they're seeing targeted phishing (which the article implies that they are),
then the attackers will just observe the drop off in people following the
links and move the phishing forms to another domain or service, making it very
difficult for the admins to keep up.

Really addressing this kind of problem has to come down to a combination of
awareness training and improved authentication techniques (i.e. move away from
static username/password combinations)

------
brador
How about putting a middle page up with a warning?

So a student on the university network clicks a link to google docs and a
warning appears warning of potential attacks using google docs, be aware, and
click next to continue.

Is this doable?

~~~
toyg
Users don't read warnings, they just click next.

------
twodayslate
My school blocks Google Docs. When I asked why... they blamed China.

------
franchie
I don't think there are any professors for Cloud Computing dept in Oxford.

Why not filter the emails/Ips who send out spam rather than blocking the URL?
What if Google blocks Oxford?

------
Pezmc
Could they not just block google forms? I don’t see many users entering their
username and password into a PowerPoint/Word Document.

Perhaps they could implement some more advanced email filters, e.g. removing
all links to google docs, instead of blocking the service for all users?

I'd imagine a mass of the user-base of Oxford uses Google Docs for important
things, from group work on a PowerPoint/Word doc, through storing their work
in the cloud without the Office Suite.

~~~
jpswade
No.

"Another is that traffic is encrypted. Many educational establishments will
have some capability for filtering traffic to malicious URLs as it flows
through their network. That’s easy with unencrypted traffic. If the site uses
SSL, then you have to do some kind of SSL interception."

~~~
joelthelion
Network Admins need to learn that looking at what your users do and meddling
with his data is not a legitimate activity. They should have learned that long
ago. Fortunately, with encryption becoming more widespread, they will have to
learn the lesson.

~~~
FourthProtocol
If it's your network, and you graciously allow me to use it, and I, through my
use of your network breach the security of systems on your network, would you
not do anything in the interests of not meddling with my data?

~~~
bigfudge2
Except the network belongs to the institution (i.e. its users), not the IT
department (although most do seem to think this way).

------
brohoolio
The problem is that unless you are a Google Apps for education customer who
can get Google on the phone, the form doesn't come down for weeks.

That means they'll have hundreds of credentials and can do all sorts of nasty
things to your computing environment and to people's accounts.

That's not acceptable.

Hopefully Google will treat this more seriously now that it's hit the press.

------
im3w1l
Teaching users is an O(N+T) solution with N users (term comes from time spent
teaching), T total time spent on computers (term comes from time spent being
cautious).

------
robmcm
How about breaking down the email domains into students, faculty, departments,
colleges etc. That way it's less disruptive across the board when domains are
blocked.

------
geori
Why don't they block Microsoft Outlook? I'm sure a lot more scams come through
it.

~~~
andybak
It's nothing to do with Gmail. Google Docs Forms are used as the destination
for the phishing attack.

------
JagMicker
Why not simply block emails that contain a link to a publicly-shared Google
Doc?

------
willvarfar
"the importance of the March Hare to the Aztecs"

a reference to an episode of QI, right?

------
martinced
They ask "what's next?" at the end of TFA.

Here's what's next: Oxford blocks roads because criminals are using roads.
Oxford blocks food deliveries because criminals are using restaurants to eat.

Seriously now: what's the Microsoft rebate Oxford got for taking such a
measure?

