Schneier on Security
A blog covering security and security technology.
March 8, 2013
Oxford University Blocks Google Docs
Google Docs is being used for phishing. Oxford University felt that it had to block the service because Google isn't responding to takedown requests quickly enough.
Think about this in light of my essay on feudal security. Oxford University has to trust that Google will act in its best interest, and has no other option if it doesn't.
Posted on March 8, 2013 at 6:23 AM
• 13 Comments
And the students have to trust that the university will act in their best interest...
So people host phishing forms with "input your email username and password here" on Google Docs instead of hosting it separately and the University blocks Google Docs because Google took an immense 2.5h to disable the account? Hmmrpf ... if only other ISPs hosting phishing sites would be as fast to react instead of moping around for days/weeks.
It seems clear to me that the problem is not Google Docs at all in that case. It is the terrible password authentication system that allows common human errors to completely breach security. It could just as easily be phone calls asking for passwords (hence the name phishing after all) as Google Docs.
I do find it quite funny...
But there is also another important message hidden away in there.
The tight integration of Google into OxUni's business.
I doubt this is to OxUni's interest and they may well want to reduce that undesired coupling. If they simply cut google off there will be a lot of kickback.
However, make google unreliable for "good and proper reasons" and all of a sudden google, despite its low price, will be unattractive to use. OxUni's users will migrate to other places and google cannot lower the price, nor can they fix the reliability...
Google have a problem: OxUni is too big to ignore, its students go worldwide, they will spread a No Google message to other unis worldwide, and the message will stick way, way too long for Google to avoid losing what many will regard as important market share...
Potentially there is only one course open to Google, let's see how long it's going to take them...
Really simple solution. Redirect to a form (with an incorrect SSL certificate). Have them fill in their email and verify. If they do this ban their IP address and have them report for reeducation*. If they immediately report it to CERT on a form provided for that then automatically open the access to Google docs with a warning message.
* on threat that the party ^W^W their email access will be suspended if they don't do so.
It seems the problem is not lack of security in Google Docs, but lack of security in the Oxford E-mail system. They should consider rolling out 2fa.
Y||B: not 2.5 hours: the article says it's taken Google "a day or two" and "in the past...weeks" to shut down phishing scams on Google Docs/Drive.
This problem doesn't seem unique to google docs. It's just a lot easier to implement than trying to set up a form on a compromised server, and the fact that google uses SSL on all traffic just complicates identification.
The real underlying problem is with naive users typing their credentials into any random form, but that isn't likely to change. I think 2-factor auth would solve the problem, but would be very expensive to implement. The userbase at a university is not as easy to manage as at corporations.
Another possible solution is to try to filter the email outbound. Try to recognize the pattern of spamming on outbound servers and block it (or throttle it) there. Some simple Bayesian filters combined with volume limits would seem to make spamming much less attractive through university accounts.
Clive Robinson: This is increasingly the case for many universities; there's been a big trend over the last five years in which even universities with a long legacy of inventing fundamental Internet technologies have moved their email provision to Hotmail or Gmail. For cash-strapped institutions, "free" is a powerful USP.
I think Oxford does a great disservice by doing this instead of educating their users on why giving up their username and passwords on any site is bad? What will stop users from accessing the phishing link when they get home? :)
Security theatre. This and nothing more.
Your statement about Oxford having no other option is ambiguous. Do you mean no other option than blocking this service, or no other way of keeping its students safe, or no other solution to store and edit documents?
Why would they need to block the entirety of Google Apps? We have the same problem from time-to-time. We block just that individual URL or form.
Many of our students (and professors and staff) don't even access their email from a campus-networked PC anymore. Much of the access is off the campus network via smart phones. So blocking anything at our edge is becoming futile.
Google Docs, GDrive, and many other G-services are blocked within the Department of Defense. Gmail is allowed as is sending attachments... but not receiving them.