They're attacking the wrong part of the problem.
If misleading messages ("phishing") are leading their users to enter credentials onto forms which are then used to send out spam, then the solution is not to block access to one of the sites that supports forms. There are an unlimited number of sites that support forms. There are LOTS of better ways to solve this problem. Here are a few:
* Train your users where it is and isn't safe to enter credentials.
* Don't give your users credentials. Have some alternate way to authenticate them like a login token.
* Put rate limiting on the ability of a single account to send out emails.
Blocking the site for just a few hours as an emergency response to a short-term attack is a much more reasonable approach. Sometimes, to react quickly, you need to take measures that are not the best possible choice. But there were better approaches, and the security team should take measures to ensure that they can react more effectively next time. For instance, in this case, a single mass-email or email "virus" had gone out and was tempting a large number of users to give out their credentials. Instead of blocking the site that was collecting the credentials, a better solution would have been to remove the email from the mailboxes of all the students. After all, the email system is provided by the university, and this cuts off the problem at the root. They should institute the necessary technology to support doing this next time they have a phishing problem... perhaps they can even do this proactively: set up some honeypot accounts not receiving any legitimate emails and automatically destroy any emails matching the signature of emails received by these honeypot accounts (with manual review afterward to correct for false positives).
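The honeypot idea in the comment above, worked through as an added example (this is not Oxford's tooling or any vendor's code, and every address, subject and body below is a constructed sample): mail received by accounts that are on no legitimate list is fingerprinted, the same fingerprint is searched for in real mailboxes, exact copies are queued for quarantine, and near-copies (same subject and link hosts, different body, as happens with per-recipient tracking tokens) go to the manual-review queue the comment asks for.

```python
"""Honeypot-seeded phishing purge (added illustration, constructed data)."""
import hashlib
import re
from dataclasses import dataclass

URL_HOST_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
GREETING_RE = re.compile(r"\b(dear|hi|hello)\s+[\w.\-]+,?", re.IGNORECASE)
WS_RE = re.compile(r"\s+")


@dataclass
class Message:
    mailbox: str   # owning account (constructed addresses)
    subject: str
    body: str


def normalise(text):
    """Lower-case, drop the personalised greeting and collapse whitespace so
    "Dear alice," vs "Dear bob," does not defeat the match."""
    text = GREETING_RE.sub("", text.lower())
    return WS_RE.sub(" ", text).strip()


def signature(msg):
    """(normalised subject, sorted link hosts, hash of normalised body)."""
    hosts = tuple(sorted({h.lower() for h in URL_HOST_RE.findall(msg.body)}))
    body_hash = hashlib.sha256(normalise(msg.body).encode()).hexdigest()[:16]
    return normalise(msg.subject), hosts, body_hash


def build_signatures(honeypot_msgs):
    """Index honeypot mail two ways: full signature (strong) and subject plus
    link hosts only (weak, catches copies that differ by a tracking token)."""
    strong, weak = set(), set()
    for m in honeypot_msgs:
        subj, hosts, body_hash = signature(m)
        strong.add((subj, hosts, body_hash))
        if hosts:  # a weak match is only meaningful if the mail carries a link
            weak.add((subj, hosts))
    return strong, weak


def triage(user_msgs, strong, weak):
    """Split user mail into quarantine (exact campaign copy), review (same
    subject and link hosts but a different body) and keep."""
    quarantine, review, keep = [], [], []
    for m in user_msgs:
        subj, hosts, body_hash = signature(m)
        if (subj, hosts, body_hash) in strong:
            quarantine.append(m)
        elif (subj, hosts) in weak:
            review.append(m)
        else:
            keep.append(m)
    return quarantine, review, keep


# Constructed sample traffic.  The honeypot account is on no mailing list, so
# the only thing it received is the lure.
HONEYPOT_MAIL = [
    Message("honeypot-1@example.edu", "Mailbox quota exceeded",
            "Dear honeypot-1,\nYour mailbox is full. Verify your account at "
            "https://docs.example-forms.test/verify?u=1 within 24h."),
]
USER_MAIL = [
    Message("alice@example.edu", "Mailbox quota exceeded",
            "Dear alice,\nYour mailbox is full. Verify your account at "
            "https://docs.example-forms.test/verify?u=1 within 24h."),
    Message("bob@example.edu", "Mailbox quota exceeded",        # per-recipient token
            "Dear bob,\nYour mailbox is full. Verify your account at "
            "https://docs.example-forms.test/verify?u=77 within 24h."),
    Message("carol@example.edu", "Re: Mailbox quota exceeded",  # user asking helpdesk
            "Is this real? https://docs.example-forms.test/verify?u=1"),
    Message("dave@example.edu", "Lab meeting moved",
            "Hi all,\nagenda is at https://docs.example.test/agenda"),
]


def run_demo():
    """Return the mailbox names in each triage bucket for the sample data."""
    strong, weak = build_signatures(HONEYPOT_MAIL)
    q, r, k = triage(USER_MAIL, strong, weak)
    return ([m.mailbox for m in q], [m.mailbox for m in r], [m.mailbox for m in k])


if __name__ == "__main__":
    quarantine, review, keep = run_demo()
    print("quarantine:", quarantine)
    print("manual review:", review)
    print("keep:", keep)
```

Carol's reply to the helpdesk contains the same link but a different subject, so it is kept; that is the false-positive case the comment's manual-review step exists for, and the weak match (Bob's copy) is the case where a body hash alone would miss the campaign.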
It's the perfect example of why security teams are often considered to be the least friendly, least approachable part of an already unapproachable department (IT).
Their reasoning seems to be "Google Docs causes us (the security team) hassle, we don't use Google Docs, so we'll shut it down".
They might as well have shut down the whole of the Internet, for all their nonsensical reasoning, except they'd have been affected themselves then.
Misleading headline. They blocked it for a few hours until n people complained. There was more legitimate use than expected, so they unblocked it again.
I currently work for the web communications part of a small-to-medium size university. We have around 2000 employees and 8000 students. We embrace all Google products on campus. We actually use Gmail for our primary email system. We use Google Forms to collect data throughout our website (not perfect by a long shot, but makes data collection approachable and accessible to end users). We would never shut down Google Forms. We simply couldn't. We regulate mass email by only allowing a select few individuals to email to all users. We have literally a dozen or so users on campus that can send an email to all users, and most are in the communications department or IT. All this talk of authentication systems, and teaching users not to get caught by phishing, sounds like "ideal world" solutions. Our solution is simple. If you want to send out an email to everyone, send it to a central authority that can approve the sending. It is easier to make sure a dozen people have the skill to send a mass email appropriately and avoid phishing attempts than it is ten thousand. Also, it has the added advantage of allowing us to consolidate less urgent emails into a single newsletter once a week, keeping faculty/staff and students' email boxes free of non-urgent notifications. I'm not pretending we have a perfect solution, but it seems like we'd never get approval to stop using Google Docs in a situation like this. I'm actually rather impressed by Oxford's ability to react and then write a long and thorough explanation of their actions.
Summary of the blog posting:
Google Docs forms are being used in phishing attacks against stupid users. We closed down Google Docs. It didn't work and we had to open it up again after 2.5 hours.
Unfortunately, there are no easy solutions to so-called phishing attacks other than educating users. I would recommend that the IT dept. dedicate its considerable resources and creativity to that end, and try to minimize use of the shotgun approach in the future!
I feel for them. I attend an IT-focused university that has both hardcore techies (computer science and such) but also a lot of non-techies (communication, UI design, etc.)
We frequently (at least once per month) get a phishing e-mail asking us to reply or click a link and provide our credentials. For anyone who has attended the university more than 6 months, there will have been at *least* 3 e-mails from the IT-department telling people to not ever, in any way, give out credentials. Yet, for every phishing mail we get at least 3-4 accounts get compromised (out of ~1500), and more would get compromised if the IT department weren't quick to block traffic to the offending URLs. And again, this is in a crowd that should be somewhat unfavourable to scammers (as most of us know and can recognise such attempts).
You can try to educate your users, and you should, but just know that it only minimizes the risk, it will never, ever nullify it and if they can send 1 million e-mails from just 1 account, then it is practically a dead-end in terms of stopping the scammers. I can completely understand why they are blocking Google Docs, it's a matter of settling for the "lesser evil" solution.
I wonder how many of the keyboard warriors in this thread have any experience of running very large and incredibly diverse networks like Oxford University's.
The guys handling security for Oxford are highly experienced and capable. Oxford's network is far more complicated than a typical University.
"We have to ask why Google, with the far greater resources available to them, cannot respond better. Indeed much, if not all, of the process could be entirely automated."
The problem lies with the people on the Internet though. I doubt the whole thing could be automated because of the simple fact that there are people out there who, just to troll, would and probably already zip through plenty of legitimate public Google docs and click the "report abuse" link at the bottom of each page.
The result is most likely that an overwhelming number of reported "abuse" pages are legitimate, which is why actual malware docs don't get dealt with in a timely manner. It's like when people prank call 911, which could lead to actual emergencies not being responded to immediately.
My comment on their page:
So if the real problem stems from the Oxford mail accounts being hacked and then used to propagate the phishing attacks, why not concentrate on that?
You should use 2-step authentication for the email accounts, so that randoms in some other part of the world can't just hack in to an email account and use it.
I was at SBS, and we were on Microsoft Exchange servers for email I think. Unfortunately, afaik Microsoft doesn't offer 2-step authentication. Instead of blocking Google Docs, you should be moving all email systems to Google Apps so you can use their better security. We just did it at my company for a few thousand users and several domains - I think you could do it too.
Maybe I'm wrong, but why not set a LIMIT of only X number of mails that can be sent per minute via a user account.
Find out how many emails people usually send per minute/hour and just DENY relaying anything else over that limit. That way it'll be less profitable for spammers to acquire user account details if he/she can only send X mails every minute.
Why not enforce a velocity restriction on outgoing e-mails instead and put spam filters on outgoing e-mail then bounce offending mail back to sender?
Spammers are phishing for ox.ac.uk accounts because they're easy to exploit, right? Just raise the bar.
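The per-account sending limit proposed in the two comments above (and in the first comment's bullet list), as an added example that is not Oxford's or any vendor's code: the cap is derived from what accounts normally send, it counts recipients rather than messages so one message to 2,000 addresses costs the same as 2,000 single messages, excess traffic is deferred (a temporary failure the client retries) rather than dropped, and an explicit exemption list covers the handful of approved all-staff senders. The baseline figures, account names and traffic are constructed.

```python
"""Per-account outbound velocity limit (added illustration, constructed data)."""
from collections import defaultdict, deque


def derive_limit(hourly_recipient_counts, headroom=3):
    """Limit = 99th percentile of observed recipients-per-hour across accounts,
    times a headroom factor so ordinary users never hit it."""
    s = sorted(hourly_recipient_counts)
    idx = int(round(0.99 * (len(s) - 1)))
    return s[idx] * headroom


class OutboundLimiter:
    def __init__(self, max_recipients, window_seconds, exempt=()):
        self.max = max_recipients
        self.window = window_seconds
        self.exempt = set(exempt)          # approved bulk senders (e.g. comms office)
        self._log = defaultdict(deque)     # sender -> deque of (timestamp, recipients)

    def _used(self, sender, now):
        """Recipients already relayed by `sender` inside the sliding window."""
        q = self._log[sender]
        while q and now - q[0][0] >= self.window:
            q.popleft()
        return sum(n for _, n in q)

    def submit(self, sender, now, recipients):
        """Return ACCEPT or DEFER for a message to `recipients` addresses at time `now`."""
        if sender in self.exempt:
            return "ACCEPT"
        if self._used(sender, now) + recipients > self.max:
            return "DEFER"
        self._log[sender].append((now, recipients))
        return "ACCEPT"


# Constructed baseline: recipients per hour for 100 accounts on a normal day.
BASELINE_HOURLY_RECIPIENTS = [3] * 60 + [10] * 30 + [25] * 9 + [40]

# Constructed traffic: (sender, seconds since start, recipients).
TRAFFIC = (
    [("alice@example.edu", 60 * i, 1) for i in range(5)]             # ordinary user
    + [("comms@example.edu", 100, 8000)]                             # approved all-staff mail
    + [("mallory@example.edu", 300 + 6 * i, 50) for i in range(20)]  # hijacked account
    + [("mallory@example.edu", 3901, 50)]                            # window has rolled over
)


def run_demo():
    """Run the sample traffic through the limiter; return (limit, per-sender verdict counts)."""
    limit = derive_limit(BASELINE_HOURLY_RECIPIENTS)
    limiter = OutboundLimiter(limit, window_seconds=3600, exempt={"comms@example.edu"})
    verdicts = defaultdict(lambda: {"ACCEPT": 0, "DEFER": 0})
    for sender, t, n in TRAFFIC:
        verdicts[sender][limiter.submit(sender, t, n)] += 1
    return limit, dict(verdicts)


if __name__ == "__main__":
    limit, verdicts = run_demo()
    print(f"limit: {limit} recipients/hour")
    for sender, counts in verdicts.items():
        print(sender, counts)
```

With the constructed baseline the limit comes out at 75 recipients per hour: the ordinary user is never touched, the exempt comms account sends its 8000-recipient message, and the hijacked account gets 100 recipients through in an hour instead of 1000, which is the point of the comments above. Any account that keeps hitting DEFER is also a ready-made signal to the helpdesk that the credentials may be compromised.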
If a fixed login/password pair is enough for someone from an external network to send mass e-mail via your network, you have a problem.
Obviously I know little about their network so I'm probably already sounding arrogant, but there are some solutions that (generally) have a better inconvenience/security ratio than just plain login&pass. Especially if you account for the inconvenience of getting the whole site blacklisted. My site uses one-time, limited-time passwords to authorize external connections but the users are tech savvy so I'm not sure if it works in general settings.
Sometimes I wonder what the world would be like if it were illegal for institutions to block sites. It shouldn't be too hard to imagine. No one can block postal mail or telephone calls (except as a user). And, the FCC has banned wireless jamming. In spite of those guarantees of service we manage to survive and, on the whole, protect ourselves from fraudsters.
I think it is too late now to guarantee service through legislation, but the upsides do outweigh the downsides.
On another note, my University (uws.ac.uk) started blocking HN this week.
I bet it's probably just because of the illicit connotations of the 'Hacker' word.
"In the absence of effective monitoring, it can be easy for over a million messages to be sent out before someone happened to notice."
Just wanted to point out this specific detail. They seem to be attacking the wrong problem, as many others already noted.
User education is not the way to solve these sorts of problems. The proper way to solve the problem is through automation -- use of a "forcing function." An example of a forcing function is not allowing an automobile driver to shift into reverse until they have their foot on the brake pedal. This is a far superior solution to educating drivers to not shift into reverse until they have their foot on the brake pedal.
Google needs to implement a forcing function with Google docs so that their software is not misused on the Internet. No amount of user education will fix the problem -- only some sort of forcing function will fix it.
This kind of black-listing of specific domains is, unfortunately, just a game of whack-a-mole that's very hard for defenders to win.
If they're seeing targeted phishing (which the article implies that they are), then the attackers will just observe the drop off in people following the links and move the phishing forms to another domain or service, making it very difficult for the admins to keep up.
Really addressing this kind of problem has to come down to a combination of awareness training and improved authentication techniques (i.e. move away from static username/password combinations).
How about putting a middle page up with a warning?
So a student on the university network clicks a link to google docs and a warning appears warning of potential attacks using google docs, be aware, and click next to continue.
Is this doable?
I don't think there are any professors for Cloud Computing dept in Oxford.
Why not filter the emails/IPs who send out spam rather than blocking the URL? What if Google blocks Oxford?
Could they not just block google forms? I don't see many users entering their username and password into a PowerPoint/Word Document.
Perhaps they could implement some more advanced email filters, e.g. removing all links to google docs, instead of blocking the service for all users?
I'd imagine a mass of the user-base of Oxford uses Google Docs for important things, from group work on a PowerPoint/Word doc, through storing their work in the cloud without the Office Suite.
The problem is that unless you are a Google Apps for education customer who can get Google on the phone, the form doesn't come down for weeks.
That means they'll have hundreds of credentials and can do all sorts of nasty things to your computing environment and to people's accounts.
That's not acceptable.
Hopefully Google will treat this more seriously now that it's hit the press.
Teaching users is an O(N+T) solution with N users (term comes from time spent teaching), T total time spent on computers (term comes from time spent being cautious).
How about breaking down the email domains into students, faculty, departments, colleges etc. That way it's less disruptive across the board when domains are blocked.
They ask "what's next?" at the end of TFA.
Here's what's next: Oxford blocks roads because criminals are using roads. Oxford blocks food deliveries because criminals are using restaurants to eat.
Seriously now: what's the Microsoft rebate Oxford got for taking such a measure?