Google Blocks

We recently felt it necessary to take, temporarily, extreme action for the majority of University users: we blocked Google Docs.

Why would we do such a thing, you might well ask. Surely Google Docs is a perfectly legitimate site, widely used by staff and students as part of their work and personal lives?

We know that. Unfortunately, it is also frequently used for illegal activities; importantly, illegal activities which threaten the security of the University’s systems and data.

Background: phishing attacks

Image taken from http://www.flickr.com/photos/patrickgage/1620195364/

Many readers will be aware that over the past few years, phishing has been a major problem for us. Not the sort of phishing in which the attacker gets hold of online banking details – in general that’s a matter for users, their banks, and law enforcement. What we care about are phishing attacks harvesting credentials for University systems, in particular email accounts.

In general the attackers are seeking accounts from which to send out spam. Lots of spam. Universities tend to have well-connected email systems which are generally considered reputable by other email providers. In the absence of effective monitoring, it can be easy for over a million messages to be sent out before someone happens to notice. Once a compromised account is closed off, the attackers simply move to another one. Every so often they need to send out a bunch of phishing emails to snare some more accounts from which to advertise their little blue pills or whatever.

For a successful phishing attack, the attackers need some means of capturing login credentials. Not so long ago, they’d simply ask for users to reply to the phishing email, including their details. These days that approach is less common, and most attacks bear a link to a web form. The forms are hosted anywhere they can find – perhaps a compromised webserver, perhaps one of the world’s many free webform hosting providers.

Now, Mom & Pop’s Free Form Farm is unlikely to be used by many legitimate users, and if we were to block access to it, it’s unlikely to be a big deal for anyone but the phishers. But as well as all the small providers, there’s a big one: Google Docs.

Google Docs and phishing

One of many recent phishing pages on Google Docs

Google Docs has many advantages. One significant one is that millions of people use it for perfectly law-abiding purposes. Another is that traffic is encrypted. Many educational establishments will have some capability for filtering traffic to malicious URLs as it flows through their network. That’s easy with unencrypted traffic. If the site uses SSL, then you have to do some kind of SSL interception. Straightforward on a corporate network full of tightly-managed systems. Much harder on a network full of student machines, visitor laptops and the like, and in our opinion, something to be avoided.

So how can you stop your users reaching the phishing forms? Assuming that the phishing emails get past all your anti-spam and anti-malware defences, you essentially need to ask Google nicely if they could take the form down. That’s simple enough – Google’s own security team have advised us that the best way is to use the “Report abuse” link that’s at the bottom of each page. Easy enough.

Unfortunately, you then need to wait for them to take action. Of late that seems typically to take a day or two; in the past it’s been much longer, sometimes on a scale of weeks. Most users are likely to visit the phishing form when they first see the email. After all it generally requires “urgent” action to avoid their account being shut down. So the responses will be within a few hours of the mails being sent, or perhaps the next working day. If the form is still up, they lose. As do you – within the next few days, you’re likely to find another spam run being dispatched from your email system.

Recent attacks

Over the past few weeks there has been a marked increase in phishing activity against our users. Now, we may be home to some of the brightest minds in the nation. Unfortunately, their expertise in their chosen academic field does not necessarily make them experts in dealing with such mundane matters as emails purporting to be from their IT department. Some users simply see that there’s some problem, some action is required, carry it out, and go back to considering important matters such as the mass of the Higgs Boson, or the importance of the March Hare to the Aztecs. Granted, many, if not most of our users do spot the scams, and do nothing (or better, warn us about it). But as with most spam, it only takes a small proportion to respond for the attacks to be worthwhile. And we have tens of thousands of users. Despite all attempts at user education, some will inevitably respond. We see a good mix: first-year “digital native” undergraduates, ancillary staff, emeritus professors.

The recent attacks have often seen us dealing with several account compromises within a short length of time. We are keen to see that compromises and associated spam runs do not adversely impact the University’s “reputation” with external email services such as Hotmail and GMail. We have had problems in the past in which Hotmail have rejected all mail from us over a period of many days, owing to too high a proportion of the mail from us being marked as spam. Such incidents can cause major disruption to legitimate University business, especially given the number of sites which make use of Live@edu and other outsourced email solutions. Spam is not the only threat to University business from an account compromise, of course – something the University of East Anglia know all too well.

Blocking Google Docs

Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business of temporarily suspending access to Google Docs was outweighed by the risks to University business of not taking such action. While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the “chain reaction”.

It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed.

What next?

We appreciate and apologise for the disruption this caused for our users. Nevertheless, we must always think in terms of the overall risk to the University as a whole, and we certainly cannot rule out taking such action again in future, although our thresholds for doing so may be somewhat higher. We are meanwhile investigating several possible technical measures for reducing the risks to the University with less impact on legitimate network usage, and will be reviewing our emergency communications procedures.

We will also be pressuring Google that they need to be far more responsive, if not proactive, regarding abuse of their services for criminal activities. Google’s persistent failures to put a halt to criminal abuse of their systems in a timely manner are having severe consequences for us, and for many other institutions. If OxCERT are alerted to criminal abuse of a University website, we would certainly aim to have it taken down within two working hours, if not substantially quicker. Even out of official hours there is a good chance of action being taken. We have to ask why Google, with the far greater resources available to them, cannot respond better. Indeed much, if not all, of the process could be entirely automated – and part of their corporate culture is that their programmers and sysadmins should be automating common tasks such that they can devote efforts to more interesting matters. Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services.


90 Responses to “Google Blocks”

  1. Denise McDonough says:

    Excellent explanation which I will refer our users. Thanks!

  2. John McLear says:

    Have you considered providing an internal Etherpad instance so the students still have some collaborative writing/editing functionality? http://etherpad.org — It’s free and open source, and supported by JISC

  3. Pez says:

    Is it possible for you to just block google forms? I don’t see many users entering their username and password into a PowerPoint/Word Document.

    Perhaps you could implement some more advanced email filters, e.g. removing all links to google docs, instead of blocking the service for all users?

  4. nobody says:

    Aren’t you guys closing the wrong door?

    If the spam problem is volume, why not implement an email quota for your users? 100 emails a day?

    Come on guys, if a university of your prestige can’t deal with that, who can?

    • Robin Stevens says:

      Without going into the details, there are some restrictions in place. The trouble is that many of our users have perfectly reasonable grounds for sending out large numbers of messages – for instance, colleges wish to keep in touch with their alumni. Mailing lists aren’t always appropriate. We have to achieve a reasonable balance between limiting the threats to the University and minimising the disruption to legitimate University business. If there were a simple and cost-effective solution to the problem, that would be effective in our decentralised environment, we’d know about it – unfortunately, there isn’t.

      • Neil Youngman says:

        I don’t know how practical it would be for Oxford, but there are rate limiting/blocking approaches based on the number of rejections. This relies on spam lists containing lots of bad email addresses, so if a user is sending a lot of email and getting an unusually high number of “550 No such user” responses, say >2% of 1000 messages or an absolute limit, e.g. 100/hour, then they are blocked or rate limited.

        This message gives an implementation of a hard limit for Exim.
        https://lists.exim.org/lurker/message/20111218.131134.a7a0e0b6.en.html

        Of course you knew about this approach already, didn’t you?
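The post’s call for effective monitoring of outbound mail, and Neil’s suggestion above of blocking or rate-limiting a sender on the number of messages per hour or on the share of “550 No such user” rejections, can be written down as a small detector. The Python below is an added example, not code from the original post, from OxCERT or from the Exim message linked above. It reads a constructed, simplified per-delivery log format rather than Exim’s real log syntax, assumes the log is in chronological order, and uses the comment’s figures (100 messages per hour, more than 2% rejections) plus an assumed minimum sample of 50 attempts before the ratio is judged, so that one bounce in three messages does not lock out an ordinary user:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not Exim's real mainlog syntax):
#   "<date> <time> sender=<addr> rcpt=<addr> status=<smtp-code>"
LINE_RE = re.compile(r"^(\S+ \S+) sender=(\S+) rcpt=(\S+) status=(\d{3})$")


def parse_line(line):
    """Return (timestamp, sender, recipient, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_abuse(lines, window=timedelta(hours=1), hard_limit=100,
                 reject_ratio=0.02, min_sample=50):
    """Flag senders that exceed `hard_limit` delivery attempts inside `window`,
    or whose share of 5xx rejections inside the window exceeds `reject_ratio`
    once at least `min_sample` attempts have been seen.
    Returns {sender: sorted list of reasons}."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, status) in window
    flagged = defaultdict(set)
    for line in lines:            # lines are assumed to be in time order
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, _rcpt, status = parsed
        q = recent[sender]
        q.append((ts, status))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        attempts = len(q)
        rejects = sum(1 for _, s in q if s >= 500)
        if attempts > hard_limit:
            flagged[sender].add("rate")
        if attempts >= min_sample and rejects / attempts > reject_ratio:
            flagged[sender].add("rejections")
    return {s: sorted(r) for s, r in flagged.items()}


def build_sample_log():
    """Constructed sample: a normal user, a tiny sample that must not fire,
    a user with a 5% bounce rate, and a compromised account blasting a list."""
    base = datetime(2013, 2, 18, 14, 0, 0)
    lines = []

    def add(sender, i, seconds, status):
        ts = base + timedelta(seconds=seconds)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} sender={sender} "
                     f"rcpt=user{i}@example.com status={status}")

    for i in range(5):        # alice: five ordinary deliveries
        add("alice@example.ac.uk", i, i * 60, 250)
    for i in range(4):        # dave: 1 bounce in 4, too few to judge
        add("dave@example.ac.uk", i, i * 60, 550 if i == 1 else 250)
    for i in range(60):       # carol: 3 bounces in 60 (5%) at a modest rate
        add("carol@example.ac.uk", i, i * 30, 550 if i in (10, 20, 30) else 250)
    for i in range(150):      # mallory: 150 messages in 25 minutes, every 15th rejected
        add("mallory@example.ac.uk", i, i * 10, 550 if i % 15 == 14 else 250)
    lines.sort()              # timestamp is the line prefix, so this is chronological
    return lines


if __name__ == "__main__":
    for sender, reasons in detect_abuse(build_sample_log()).items():
        print(f"{sender}: {', '.join(reasons)}")
```

The detector keeps one sliding window per sender, so a user who sends a large but legitimate mailing slowly never trips the hourly limit, while an account sending to a purchased list is caught either by volume or by the bounce ratio. What to do on a flag (throttle, lock the account, page someone) is the policy decision the comments argue about; the code only produces the evidence.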

  5. Interesting situation..

  6. Ray Allen says:

    As well as being the web manager for area studies I am a Google Apps deployment specialist so I am aware of the extent to which Google Docs and Forms are used in and beyond the university.

    I was disappointed to see this action being taken. It seemed like a point score against Google rather than a serious attempt to improve security. Phishing is a constantly moving target and until you educate users not to give out passwords (by email, form, phone or any other mechanism) you’ll have the same issue.

    Good luck all the same.

    Ray

    • Robin Stevens says:

      It was a temporary emergency measure taken to reduce the immediate risks posed by ongoing attacks. I’m very much hoping it won’t be necessary again, in part due to some of the other countermeasures we’re working on.

      Considerable efforts have been made regarding user education over the years, both centrally and by local IT staff. Indeed we’d circulated a warning to all users a few days before this incident. The problem is in getting through to absolutely everyone. For example, if 99% of our c.50000 users get the message, that still leaves us with 500 who haven’t – a small proportion overall but nevertheless a huge impact if all of them fall victim within a short length of time. Identifying those 500 is incredibly hard – the victims of phishing attacks span the entire range of University users.

    • GG says:

      Ray,

      Your bias as someone who profits from Google is clear from this email. If it’s Oxford’s problem for not properly educating their users (something I’m quite sure they’re doing), then it’s even more Google’s problem for not educating, screening, and prosecuting their own users who are actually conducting the illegal activities (something they are not doing).

      Spammers and Phishing are a global problem, and even educated users occasionally make mistakes. Google Apps Profiteers undermining IT staffs by promising executives that Google fixes everything doesn’t help the issue.

      • Tom K says:

        How are you supposed to “educate” users into not pursuing a wholly intentional, profit-oriented misuse of a product? Prosecution is highly unlikely as well, considering the jurisdictions that many of these folks come from. The reality is that any general purpose tool is going to be mis-used by some percentage of folks. Google has an obligation to try to suppress that usage as much as possible, but even if they did it perfectly, you’d still see phishing attacks coming from other vectors. That’s why it’s so critical to educate the targeted users, and minimize the fallout when someone still falls for a phishing account, by using things like two-factor authentication.

        • I agree with you Tom: any tool can be misused. Censorship is not an appropriate answer.

          I recently reported an abuse to Google regarding a Google form that asked your banking information. I found this form of phishing extremely gross, and doubt many people would be stupid enough to supply their banking details in this case (not to speak of educated people). I nevertheless think it is appropriate from Google to provide a “Report abuse” button.

          Why not block “mail” which is actually the main source of phishing? Google Docs/Drive is actually promoting document sharing and direct collaboration on these shared documents, much more efficient than the use of mail. Mail was initially a wonderful tool for communication: it has become totally spoiled by SPAM. The real problem is with “mail” that should be modernized to become more secure and thus recover its past efficiency, not with Google Docs/Drive.

          In spring 2012, I traveled to China, and at the same time China authority blocked Google Docs/Drive/Maps, Dropbox, and even Facebook, probably to promote Baidu. I was so shocked that I immediately looked for a workaround, and found one, which cost me 3€ for the rest of my stay, but I was relieved. Since then, China stopped blocking these services.

          I like freedom. I am sure Oxford University students and staff will easily find a workaround: they are well educated people. In any case, Google Docs/Drive is not blocked in the UK, so they can still use it from home.

          • I am happy to see that Oxford University Computer Services actually stopped blocking these marvelous and extremely useful tools – Google docs, after 2.5 hours!

    • Ray:

      I totally agree with you!

      Years ago, Microsoft Office was considered as the great Satan; now it is Google. Why?

      Mail is the problem, not Google Docs or Google Apps: it should be made more secure, if possible, or not used when document sharing and direct collaboration is a much more efficient and reliable approach than mail exchanges with document attachments.

      I discovered “mail” in the late seventies, in California: at that time, it was a wonderful Arpanet invention for communication. It has become totally spoiled with SPAM. It is also intrinsically inefficient in many circumstances for sharing information.

      I don’t like censorship. If necessary, we should educate people on ways to recognize and handle phishing attempts.

  7. Trey Guinn says:

    What is the plan for the future? Will Google docs stay blocked forever because it can be misused? Should we expect all other services which could be used for nefarious reasons to be blocked as well?

    • Robin Stevens says:

      Access to Google Docs was only suspended for 2.5 hours, very much as a temporary measure. For us to impose any block, we need to be confident that the risks of not imposing it have to exceed the risks of doing so. If that ceases to be the case then of course the sensible course of action is to remove the restriction.

      • I am very happy to hear that it was only for 2.5 hours! Then Oxford students and staff won’t have been too much penalized.

        Otherwise, knowing the prestige of Oxford University, our own computer services in my school might have used this Google docs blockade as a good argument for doing the same on us: this frightens me!

  8. Steven says:

    So if the real problem stems from the Oxford mail accounts being hacked and then used to propagate the phishing attacks, why not concentrate on that?

    You should use 2-step authentication for the email accounts, so that randoms in some other part of the world can’t just hack in to an email account and use it.

    I was at SBS, and we were on Microsoft Exchange servers for email I think. Unfortunately, afaik Microsoft doesn’t offer 2-step authentication. Instead of blocking Google Docs, you should be moving all email systems to Google Apps so you can use their better security. We just did it at my company for a few thousand users and several domains – I think you could do it too.

    • Sam S says:

      This! I mean, the whole problem seems to come from compromised e-mail accounts … and NOT Google Docs I think? It seems overkill to block Google Docs as a solution for a phishing problem … and then blame Google for the same?

    • Heh, that’s a good one. Oxford and Cambridge are two of the founders of the UK precursors to the internet. They’ve been running (and probably writing…) mail servers since the founders of Google were in short pants. I’ll bet you anything you like they aren’t running Exchange, either – heh, the very idea. The day major UK research institutions decide they need Google to run their mail servers for them will be a sad one indeed…

      • David says:

        They are using a hosted service right now so I’d question that assumption.

        A quick telnet to the mail server seems to indicate they are using Exim.

      • Robin Stevens says:

        I might take you up on that bet. See https://nexus.ox.ac.uk/ :-)

        For clarity, the university chose a few years ago to move our central user mailstore to Exchange; our external-facing mail relays remain on Exim.

  9. Ichiro Yamamoto says:

    This has been posted on http://news.ycombinator.com/item?id=5243908. Quoting the top comment here:

    They’re attacking the wrong part of the problem.

    If misleading messages (“phishing”) are leading their users to enter credentials onto forms which are then used to send out spam, then the solution is not to block access to one of the sites that supports forms. There are an unlimited number of sites that support forms. There are LOTS of better ways to solve this problem. Here are a few:

    * Train your users where it is and isn’t safe to enter credentials.
    * Don’t give your users credentials. Have some alternate way to authenticate them like a login token.
    * Put rate limiting on the ability of a single account to send out emails.

    Blocking the site for just a few hours as an emergency response to a short-term attack is a much more reasonable approach. Sometimes, to react quickly, you need to take measures that are not the best possible choice. But there were better approaches, and the security team should take measures to ensure that they can react more effectively next time. For instance, in this case, a single mass-email or email “virus” had gone out and was tempting a large number of users to give out their credentials. Instead of blocking the site that was collecting the credentials, a better solution would have been to remove the email from the mailboxes of all the students. After all, the emails system is provided by the university, and this cuts off the problem at the root. They should institute the necessary technology to support doing this next time they have a phishing problem… perhaps they can even do this proactively: set up some honeypot accounts not receiving any legitimate emails and automatically destroy any emails matching the signature of emails received by these honeypot accounts (with manual review afterward to correct for false positives).
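The honeypot idea in the quoted comment (seed accounts that receive no legitimate mail, then pull matching messages out of everyone else’s mailboxes, with manual review afterwards) can be sketched as a signature matcher. The Python below is an added example, not code from the original post, from the Hacker News commenter or from OxCERT. The message format, the honeypot and user mailboxes and the placeholder `forms.example.net` URLs are all constructed for illustration, and the signature used here (the normalised subject plus the host and path of every link in the body) is one assumed choice of what to match on:

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_subject(subject):
    """Lower-case, strip reply/forward prefixes, and replace digits with '#'
    so that per-recipient numbers in a campaign's subject line do not matter."""
    s = subject.lower()
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)
    s = re.sub(r"\d+", "#", s)
    return " ".join(s.split())


def url_key(url):
    """Host plus path only: phishers often vary the query string per recipient."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")


def signature(msg):
    """(normalised subject, set of link keys) for one message."""
    urls = frozenset(url_key(u) for u in URL_RE.findall(msg["body"]))
    return (normalise_subject(msg["subject"]), urls)


def learn_signatures(honeypot_messages):
    """Every message reaching a honeypot is unsolicited; learn its signature.
    Signatures without any link are skipped, since a bare generic subject
    would match far too much legitimate mail."""
    return {sig for sig in map(signature, honeypot_messages) if sig[1]}


def find_matches(mailboxes, signatures):
    """Return (mailbox, message id) for every message whose signature matches,
    as candidates for quarantine and manual review rather than silent deletion."""
    return [(owner, m["id"]) for owner, msgs in mailboxes.items()
            for m in msgs if signature(m) in signatures]


# Constructed sample data. The phishing run varies the number in the subject
# and the query string per recipient; the form path stays the same.
HONEYPOT_INBOX = [
    {"id": "h1", "subject": "Mailbox Quota Exceeded 3421",
     "body": "Your mailbox is over quota. Verify at "
             "https://forms.example.net/view/abc123?u=honeypot within 24 hours."},
]

SAMPLE_MAILBOXES = {
    "alice": [
        {"id": "a1", "subject": "Mailbox Quota Exceeded 7710",
         "body": "Your mailbox is over quota. Verify at "
                 "https://forms.example.net/view/abc123?u=alice within 24 hours."},
        {"id": "a2", "subject": "Lunch on Thursday?", "body": "Usual place at 1pm."},
    ],
    "bob": [
        {"id": "b1", "subject": "Draft grant proposal",
         "body": "Comments welcome: https://forms.example.net/view/xyz789"},
    ],
    "carol": [
        {"id": "c1", "subject": "Reading list", "body": "See chapter 3."},
        {"id": "c2", "subject": "Fwd: Mailbox Quota Exceeded 9981",
         "body": "Is this real? Original: Verify at "
                 "https://forms.example.net/view/abc123?u=carol within 24 hours."},
    ],
}


if __name__ == "__main__":
    learned = learn_signatures(HONEYPOT_INBOX)
    for owner, msg_id in find_matches(SAMPLE_MAILBOXES, learned):
        print(f"quarantine {owner}/{msg_id}")
```

Bob’s legitimate message links to a different form on the same host and is left alone, while Carol’s forwarded copy is caught because the forward prefix and the changed number are normalised away. The matcher deliberately returns candidates rather than deleting anything, which is the manual-review step the comment asks for.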

  10. PizzaPanther says:

    How idiotic. I’m sure the spammers won’t Google “form builder” and use one of the other dozens of online form builders like WuFoo, Jot Form, etc. Or maybe even spend 5 minutes to write one themselves. Have fun playing whack-a-mole.

    • PizzaPanthers:

      I totally agree with you! I made the same point in one of my replies, but you give the names of other form builders, which I did not know.

      I personally do not like censorship, and I am sure educated students and staff will find a workaround, if Google Docs/Drive remains blocked in their university. I found one when traveling in China in spring 2012, and Google Docs/Drive/Maps, Dropbox and Facebook were blocked [later on, the blocking has apparently been blocked].

  11. James says:

    How about educating your users about phishing attacks? Or, if a user sends more than (say) 200 emails in a day, automatically disable the account? I think that might even be technically easier than blocking an entire service.

    • Robin Stevens says:

      See my other comments. We’ve put resources into user education and email rate-limiting. They reduce but do not eliminate the problem.

  12. Jason Etchen says:

    This sounds like an Onion article. University security blocks essential applications in order to not have to do their jobs.

    Perhaps all forms should be blocked. Or any traffic on port 80.

  13. Rob Johnstone says:

    I suspect the reason that Google do not automate “take down” requests is that it would allow malicious users to take down entirely innocent forms. With current technology at least, human eyes are still required to ensure the take down requests are legitimate.

    Could you not use two-factor authentication? This is what Google themselves use to protect gmail accounts: http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744. They’ve even open-sourced the technology so it would be relatively simple to incorporate into your own systems: http://code.google.com/p/google-authenticator/.

    The only real drawback is that it relies on users having smartphones. However, even if you allow the small proportion of users who do not have one to opt out, you will still protect the majority and reduce spam from a torrent to a trickle.

    • ssl says:

      Why would this need to be automated? Let’s face it. Google’s weak point with Apps is their skimpy “live person”, i.e. basic “customer service” support.

      Google is in love with AI. And this attitude has served them well in many ways. But it’s a drawback to think that one tool solves all problems. People can (surprise!) actually be useful in many ways. There is no reason with all of their megabucks that they could not have a human-powered quick response team to staff requests to take down spam or phishing sites. There is also no reason they could not prioritize requests of this type from legitimate Enterprise customers.

      • Kevin says:

        Except there is no indication that Oxford, for example, wants to _pay_ for that prioritization. This isn’t an instance of Oxford paying for a service and getting lackluster results. This is an example of an organization who wants a free service to do _even more work_ for free. There are a _lot_ of things Oxford could do _proactively_ to help prevent this. They’ve taken the easy way out by trying to make this Google’s fault or their problem. The fact that Google gets this stuff down in a day or two is, frankly, amazing.

        Sure, they’ve got more tech but guess what? The comparison to OxCERT is disingenuous at best. There are orders of magnitude more data to deal with on Google’s side of things as well as far more products to manage.

        Make it harder for people to compromise your system and you won’t have such a problem to begin with. 2-factor authentication on your mail system might be a good start. Don’t know how to manage that? Turns out Google’s got you covered. Maybe use gmail as your primary mail provider instead of a home-rolled system if you aren’t competent enough to deal with the issues faced by an email provider on the modern internet.

  14. Steven says:

    The whole “training users” suggestion doesn’t work. If we’re going to quote HN:

    “I manage barely a 100 users and I have talked to each of them personally. They’re good people and can comprehend instructions. But they still fall for these every now and then. Training doesn’t help. They are fantastic in their respective fields but to them, all prompt boxes and all login screens have the same exact amount of legitimacy. Just like how every spark plug looks the same to me. Training can help some users but most of them are going to fall for it eventually.”

  15. Douglas Muth says:

    > In the absence of effective monitoring, it can be easy for over a million messages to be sent out
    > before someone happened to notice.

    Maybe you should spend some effort into setting up an “effective monitoring” system to catch spams in progress, instead of punishing everybody else for the actions of a few spammers.

  16. Simon Geller says:

    Rob, I don’t think two-step authentication requires a smartphone. What it does is send you a text with a code if you are using a different browser or device from the one you usually use – there’s a voice option as well so you don’t even need a mobile. You enter the code and off you go. It is useful for smartphones & tablets but they are not required!

  17. Dan Palmer says:

    I’m from Southampton University and we are having a similar problem with accounts being hacked and large scale phishing attacks.

    The solution here, although ongoing, was to educate users. Posters are up around campus telling students and staff of the dangers of phishing.

    The solution is not to block one of the most useful pieces of software for students. From my experience, blocking access to Google Docs would be worse for students than blocking access to Microsoft Word, it always surprises me just how many people rely on Google Docs for all of their writing.

    I don’t know how receptive the OUCS is to student feedback, but if it’s receptive at all, I give this measure at most a few weeks before the outcry is too much for them to bear.

  18. Tony Brett says:

    it would be lovely if people actually read the post carefully before commenting on what they think happened rather than on what actually happened.

  19. Chris says:

    Are you guys that gullible to give away passwords just because a form asks so?

    • Ludo says:

      Yes, users fall for phishing scams, even the easy-to-spot ones. They are becoming cleverer and harder to spot, too. This is not stupidity; it is taking advantage of aspects of human psychology. User education on key points is always necessary.

      ATMs have been ubiquitous in the UK and North America for years, but users still need to be educated not to give out the PIN, even to bank staff or the police.

  20. Troy McConaghy says:

    There’s another way to train users: let them fall for the phishing scams. After a while, they’ll learn.

    When babies are learning to walk, they fall all the time, but you don’t tie them down to protect them. Eventually they figure it out. Smart babies can even learn from their friends’ falling-down stories.

    Most Oxford staff and scholars are probably swifter than your average baby.

    • Ludo says:

      This won’t work, Troy. Babies feel a slight pain or discomfort when they fall down (if they’re in a safe place!). Users don’t find out when they fall for phishing scams, unless the phishing scammers helpfully send back an email saying “Ha ha! Got you! Now we’re going to send spam from your uni email account. Do be a dear and don’t report us to the university IT helpdesk, OK?”

      This doesn’t happen of course. The spammers just send a million dodgy emails from ox.ac.uk.

  21. Good read. Thanks for the information.

    Personally I think you made the right decision. If Oxford’s systems were being threatened and simply blocking a website for a couple of hours would stop it, taking this action would seem sensible.

    It seems many people think Google has some special place on the internet and should never be blocked. But as you say, any company not taking responsibility for its own systems should expect this type of response.

    It’s also interesting to note the number of respondents who’ve said “Why block Google Docs? Spammers will just use some other form site.” – My conclusion is that this specific attack was imminent and blocking Google Docs was the simplest means to thwart it. It should also be noted that spammers chose to use Google Docs *because* it is used by millions and therefore highly unlikely to ever be blocked by an organisation from fear of stopping internal users.

    In regards to email limiting: by the time some attack has been detected – i.e. spam been sent – an attacker has already been inside your network for some time plausibly causing untold damage throughout. As always, prevention is better than detection.

    Your actions were justified.

  22. Two way authentication which is optional, available for free and implemented in minutes requires a PIN code via SMS to logon. That, combined with DKIM Email authentication will put a stop to such attempts immediately. Please contact your Google Apps authorized reseller. Cheers from Germany. Alex

    • Ludo says:

      Tag Alex… have you ever run a university IT service?

      Normal users are not used to dealing with 2-step auth. I use it; I’m an IT professional. Most other IT professionals I know don’t use it. Many ordinary folks would have a hard time with it. And of course, they’d all have to have a working mobile with them any time they use a new computer. Almost all of them probably do, but you’ll find times when they don’t. Especially as we’re dealing with students here.

      Do you know how many times students change their mobile numbers? A lot. Students aren’t like staff in a company. You can’t tell them what to do.

      Oxford could decide to do this, but that would be as big a project as user education about phishing. You certainly can’t just do it from next Monday morning onwards (even after you’ve installed all the right bits on your servers).

      Oxford do (reputedly) have some cash behind them, though, so they could buy all students and staff a little authentication widget instead of using mobiles. But they’re going to get lost all the time. Oh dear… now an attacker owns one. The devil is in the detail.

  23. Carl Schroeder says:

    Oxford’s problem is their users, not some service on the web. Sure, Google could remove a form in a day, but the spammers can make a new form in seconds. Stopping all forms at the firewall won’t change the fact that users are giving away the keys to the castle.

    It has been proven that humans can be trained to lock doors and windows after placing their valuables in a secure location. The problem is that this set of humans seem to place little or no value on their credentials. Why should they in fact? The “credentials” are easily forged and effortless (once part of Oxford) to obtain. A username in combination with a string that can be then obtained by anyone, through the cunning use of 2 input boxes.

    Oxford should put some effort into its credentials to make having control of an Oxford email address actually mean something. 2 factor authentication is a good start, but strict rules about where those credentials are used are also needed. Oxford should have zero tolerance for compromised accounts. Before an account can be unlocked the user needs to be re-verified and reissued credentials. (This should involve some process more detailed than them announcing which password they are going to give out next.)

    Using Oxford’s network and its resources is a privilege not a right. That is the first thing Oxford needs to educate its users about.

  24. Fletch says:

    Some have suggested using two-factor authentication like tokens. The problem is that this is expensive for the uni and a hassle for the 99% of non-susceptible users. It might be worth considering segregating users. If you want to send lots of emails you need a token. Or if you somehow prove you can handle it you don’t have to use a token. The trick is to figure out how to segregate. Hmmm…

  25. Emmanuel Lepage says:

    Just show a page with a visible warning, then offer to redirect the page to Google Docs. It won’t fix the problem, but will warn the users of the specific risk and mitigate the attack vector to the point where the flow of credentials won’t be enough compared to other types of phishing. Solved.

    • Robin Stevens says:

      Google Docs uses SSL, so redirecting to our own warning page would require users either to accept our own root certificate or to encounter a certificate error.

  26. Chris says:

    Send out your own Google phishing attack to all of your users. The people who responded with their username and password will then be required to attend training before their account is unlocked.

    • Anonymous says:

      This is an AWESOME idea. I love it.

      On an unrelated note, the *only* reason why I think Oxford’s measures are justifiable is because it was such a short outage. If 2 hours of being off Google docs was so disruptive, go to a Starbucks. However, some institutions are blocking Google docs permanently and that really makes me crazy. I love Google docs and they are really ESSENTIAL in managing collaborations across Europe. The more Google blocking that happens, the more clunky alternatives need to be set up that are less secure, less stable, not to mention less capable.

  27. therealme says:

    Did not realize people at Oxford are so stupid. Why in the world would anyone enter their email credentials in response to a random email?

  28. JD says:

    So am I to assume that the ideas of some of our nation’s brightest people are written to Google docs? I’m certain they are all read (under the guise of the “Patriot Act”) and disseminated to a foreign power.
    Here we are (some of us), trying to keep confidential and valuable data away from US clouds, while it seems others are just giving it away. How disappointing.

    • SJM says:

      I must also question the use Google Docs is being put to.

      Is the University, its collaborators, students and academics comfortable that valuable research, information and data is stored at a location outside their control?

      In America we see instances of power system stress resulting in utilities going down for days. How long before we see this here? What would you do if your information and data were inaccessible or lost?

      Maybe the phishes will turn next to the content of the Docs and start selling access to the highest bidder as a way of making money?

  29. Mike says:

    This seems like the wrong solution. If the phishing attempts are coming through e-mail, why not just quarantine e-mail that contains a Google Docs link? Better yet, you could simply modify the content of the e-mail with a warning about a potential phishing attempt.

    • David F. Skoll says:

      Many phishers use URL shorteners, making it impractical to detect all Google Docs links in messages.

      • Robin Stevens says:

        That’s a good point. On the whole I’m no great fan of such services, but to be fair, some of them have proved more responsive than Google in getting redirects to malicious sites removed. And for those which don’t use SSL, then there is the potential of blocking known malicious redirects at an intercepting proxy or similar, which isn’t possible with Google Docs itself.
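
One mail-side way of doing what Mike suggests, while allowing for David F. Skoll's point that shortened links cannot be resolved statically, is an added example (not code from the original post or from any commenter): a scanner that extracts URLs from a message body, quarantines messages linking directly to a Google Docs form, and flags messages carrying a known URL-shortener link for a warning banner instead. The sample messages, the list of shortener hosts and the form-path markers are constructed assumptions for illustration; a real filter would keep the host lists in configuration and would treat a legitimate-looking form link in a quarantined message as a false positive to review.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not taken from the original post).
SAMPLE_MESSAGES = {
    "legit": "Minutes are in the shared sheet: "
             "https://docs.google.com/spreadsheet/ccc?key=ABC123 thanks",
    "phish": "Your mailbox quota is exceeded. Verify at "
             "https://docs.google.com/spreadsheet/viewform?formkey=XYZ now",
    "shortened": "Urgent: https://bit.ly/3xAmPle confirm your account",
    "plain": "Lunch at 1pm?",
}

# Assumed host and path patterns: docs.google.com form views are what the
# post describes as the credential-harvesting vehicle.
FORM_HOSTS = {"docs.google.com", "spreadsheets.google.com"}
FORM_PATH_MARKERS = ("viewform", "/forms/")
# Assumed list of shorteners; these hide the destination, so we cannot
# tell statically whether they lead to a form.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "is.gd", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

WARNING = ("[Phishing warning: this message links to a web form or a shortened "
           "URL. Never enter your University username or password on a form "
           "reached from an email.]\n\n")


def extract_urls(body):
    """Return every http(s) URL found in a plain-text message body."""
    return URL_RE.findall(body)


def classify_url(url):
    """Classify one URL as 'google-form', 'shortener' or 'other'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host in FORM_HOSTS and any(marker in path for marker in FORM_PATH_MARKERS):
        return "google-form"
    if host in SHORTENER_HOSTS:
        return "shortener"
    return "other"


def triage(body):
    """Return (verdict, findings) where verdict is quarantine, warn or deliver."""
    findings = [(url, classify_url(url)) for url in extract_urls(body)]
    kinds = {kind for _, kind in findings}
    if "google-form" in kinds:
        return "quarantine", findings
    if "shortener" in kinds:
        return "warn", findings
    return "deliver", findings


def annotate(body):
    """Prepend the warning banner to any message that is not delivered as-is."""
    verdict, _ = triage(body)
    return body if verdict == "deliver" else WARNING + body


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        verdict, findings = triage(body)
        print(f"{name:10s} -> {verdict:10s} {findings}")
```

The ordinary shared-spreadsheet link is delivered untouched; only the form view is quarantined, and the shortened link gets the banner because the destination is unknown until someone follows it.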

  30. Mark says:

    I’m a mail admin at an Australian university, and I have in the past put temporary blocks in both the web and mail filters for Google Docs in response to immediate threats. Does it inconvenience a few legitimate users? Sure, I won’t deny that at all, but the Internet can be a dangerous place. Just like there have been times when it was difficult to get a pizza delivery or a taxi pick-up in Brixton or Cronulla, there are some times it becomes too dangerous on the balance of probabilities to permit your users to visit particular parts of the web. Sometimes that’s because the whole neighbourhood is owned by criminals, but sometimes (as with Google Docs) it’s because a bunch of opportunists have stormed in and caused trouble and they just haven’t been kicked out yet.

  31. Keith says:

    The URLs embedded in documents are probably servers that redirect to compromised sites.
    If you report compromised sites then Google will flag them as compromised in modern browsers. However the person behind the redirecting server can then redirect to another compromised site.
    It is much more effective to report the URL of the redirecting server to the appropriate authority. Hovering over the phishing link should show the URL of the redirecting server.

  32. LK says:

    Is this the smart Oxford or like some community college somewhere?

  33. PT says:

    Have you considered sending a fake phishing email to all students at the beginning of each year and educating the ones who fall for it (at least blocking their account, asking them to change their password)?

  34. BM says:

    Very unprofessional, Oxford. This is a bit like cutting off a town’s water supply because somebody drowned in their bath.

    Phishing is, without doubt, a serious and frustrating problem. But cutting off access to important software that people depend on is a kneejerk response which does not address the real source of the problem. Sure, Google would do well to respond more quickly to reports of phishing. But the “Phishermen” can just go and find somewhere else to host their attacks.

    • David F. Skoll says:

      It’s the correct solution. Until Google takes responsibility and makes its services harder to abuse, Oxford is doing the right thing.

      • Eugeniu Patrascu says:

        Yes, blame it on Google because a bunch of half-witted persons just give out their credentials on any online form that requests it.

        What is going to be next? Block the whole internet access at Oxford because bad guys might be out there somewhere?

        Educate the users through an awareness campaign and if they are still ignorant, give them hefty penalties each time they complain their account has been hacked. After a few tries they’ll all use 32 character passwords and never give out their password, not even on official sites that request them, until they check them out :)

  35. [...] is why I was shocked and surprised to find out Oxford University decided to permanently block all access to Google Docs and Google Drive services. Yep, that’s right – they blocked it at the [...]

  36. Alex Y. says:

    It’s a tough job to educate your users not to touch something, especially when bad guys are getting smarter and paying more attention to this than your users.

    So, the concern for the university is the reputation of outbound IPs. How do you route your outbound traffic and what kind of content screening mechanism are you using for outbound mail traffic? I think you may need to consider implementing outbound traffic management. By this, you may define criteria like the percentage of improper content of all outgoing traffic of one single mailbox in the past 10 minutes. And then take some actions like blocking the mailbox or even cutting off the connection relaying the ill content.

    My 2 cents.
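
The per-mailbox outbound check Alex Y. describes, as an added example that is not code from the original post or from the commenter: a sliding 10-minute window per sender, tracking how many outgoing messages the content filter flagged, with the mailbox blocked once the flagged fraction passes a threshold and throttled on raw volume alone. The thresholds, the log format and the two sample senders are constructed assumptions; the content-filter verdict itself is taken as given, since that is a separate system.

```python
from collections import defaultdict, deque

# Assumed policy values; the 10-minute window is the one from the comment above.
WINDOW_SECONDS = 600
MIN_MESSAGES = 20        # do not judge a mailbox on a handful of messages
SPAM_RATIO_BLOCK = 0.5   # more than half flagged within the window -> block
VOLUME_THROTTLE = 200    # raw volume limit regardless of content


class OutboundMonitor:
    """Per-sender sliding window over (timestamp, flagged) outbound events."""

    def __init__(self):
        self.events = defaultdict(deque)

    def record(self, ts, sender, flagged):
        """Add one outbound message and return the action for that sender now."""
        window = self.events[sender]
        window.append((ts, flagged))
        # Evict events older than the window; events arrive in time order.
        while window and window[0][0] < ts - WINDOW_SECONDS:
            window.popleft()
        return self.decide(sender)

    def decide(self, sender):
        window = self.events[sender]
        total = len(window)
        flagged = sum(1 for _, f in window if f)
        if total >= VOLUME_THROTTLE:
            return "throttle"
        if total >= MIN_MESSAGES and flagged / total > SPAM_RATIO_BLOCK:
            return "block"
        return "allow"


def constructed_log():
    """Constructed log lines: '<seconds> <sender> <OK|SPAM>' (not real data)."""
    lines = []
    # alice: five messages spread over ten minutes, one tripped the filter
    for i in range(5):
        lines.append(f"{i * 120} alice@example.ac.uk {'SPAM' if i == 2 else 'OK'}")
    # bob: forty messages in two minutes, 34 of them flagged
    for i in range(40):
        lines.append(f"{300 + i * 3} bob@example.ac.uk {'OK' if i % 7 == 0 else 'SPAM'}")
    return sorted(lines, key=lambda line: int(line.split()[0]))


def replay(lines):
    """Feed log lines through the monitor; return the latest action per sender."""
    monitor = OutboundMonitor()
    latest = {}
    for line in lines:
        ts, sender, verdict = line.split()
        latest[sender] = monitor.record(int(ts), sender, verdict == "SPAM")
    return latest


if __name__ == "__main__":
    for sender, action in replay(constructed_log()).items():
        print(f"{sender}: {action}")
```

The minimum-message floor keeps a single false positive from the content filter from locking out a quiet user, and the eviction step means a mailbox that was blocked automatically returns to "allow" once the burst has aged out of the window, which is the point at which a human should already have looked at it.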

  37. [...] be home to some of a brightest minds in a nation,” Robin Stevens of OxCERT explained in a post. “Unfortunately, their imagination in their selected educational margin does not [...]

  38. JH says:

    The real problem is that people have been conditioned to think that authentication using passwords is normal, acceptable and secure.

    In fact, passwords are a very poor choice for authentication for all but low-value applications.

    It wouldn’t, I think, be incorrect to say that password auth is essentially broken – passwords can be sniffed, guessed, brute-forced, shoulder-surfed and obtained using social engineering (e.g. phishing) and thus provide zero authenticity.

    Oxford IT seem to have a choice between crippling accounts so that they are of sufficiently low value that it almost doesn’t matter who is using a given account or implementing an authentication scheme commensurate with the value of the accounts it will protect.

  39. John says:

    Maybe it is now time to move to Office365? It does not have the security issues of Google! And you get better productivity as well.

  40. [...] Robin Stevens of Oxford University Computing Services explained in a blog post – docs.google.com was only blocked for 2.5 hours: "Almost all the recent attacks have used Google [...]

  41. [...] block was short-lived. As Robin Stevens of Oxford University Computing Services explained in a blog post – docs.google.com was only blocked for 2.5 [...]

  46. [...] of OxCERT, the university’s network security team, on the University Computing Services blog. Hotmail rejected all mail from the university over a period of many days due to a high proportion [...]

  47. [...] typically to take a day or two; in the past it’s been much longer, sometimes on a scale of weeks. Oxford University blocks access to Google Docs. Original [...]

  48. Gary says:

    Being an educational institution, would it not make more sense to actually educate your e-mail users about phishing scams and what not to do? Will you shut down access to Survey Monkey, or general website providers, because they don’t take down a phishing scam form in less than a couple days as well?

    If an Oxford e-mail user’s typical knee jerk reaction is to click on a link in an e-mail and automatically give up their credentials, then Google removing a phishing scam form in hours or even minutes won’t help you. Teach your e-mail users not to give up their credentials in an online form no matter how legitimate it looks.

  49. David F. Skoll says:

    Good for you! Many months ago, I suggested this to Google:

    Unconditionally include the following at the top of all user-created web forms:

    Note: This is a document hosted by Google Docs. Do not enter any sensitive information such as credit-card numbers, usernames or passwords. If the form asks for any such sensitive information, please report it as abuse.

    Google completely ignored my suggestion. Maybe if enough people pressure Google, they’ll take concrete steps to make their services harder to abuse.

  51. Michael Depetrillo says:

    Wait, you’re saying you blocked Google Docs, the best online document collaboration service ever created, because it can host forms that scam your users? Any website in the world can host a phishing form. Why don’t you just block the Internet from your users? Why don’t you ban Windows computers? They have been responsible for more spam than Google has. This doesn’t make sense; these phishers will just use another service. You’re not accomplishing anything but hurting student productivity.

  52. Eugeniu Patrascu says:

    Instead of blocking Google Docs (and any internet site for this matter) you should tell your user base not to be so gullible and believe everything they see and deal with the consequences.
    Acting like a big nanny does more harm than good in the long run where you’ll have a lot of people expecting problems to automagically disappear.