Oxford University’s decision to temporarily block access to Google Docs over fears it was leading to a rise in phishing attacks is not enough to stop the threat, according to David Gibson, VP of strategy at Varonis.
Oxford University said on February 18th that it had suspended access to Google Docs for staff and students a few days earlier, as it saw a sudden escalation in attacks. Oxford University Computing Services explained that, "Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action."
However, it’s understood there was considerable dismay amongst students and staff at the block, leading the department to say, "It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed."
Numerous commenters on the university computer department’s website were dismayed at the temporary block. One user wrote, "Aren’t you guys closing the wrong door? If the spam problem is volume, why not implement an email quota for your users? 100 emails a day? Come on guys, if a university of your prestige can’t deal with that, who can?"
A user called Ray Allen said, "I was disappointed to see this action being taken. It seemed like a point score against Google rather than a serious attempt to improve security. Phishing is a constantly moving target and until you educate users not to give out passwords (by email, form, phone or any other mechanism) you’ll have the same issue."
Meanwhile Varonis’ Gibson believes that a temporary block is not enough to stop attacks. His firm said it will take more than a single ban to ensure the organisation is protected from increasing attacks that leverage trusted services like Google. "Google Docs and other public cloud file sharing services have proven to be very convenient for end users — it’s unfortunate that they are now proving to be convenient for cybercriminals and phishing attacks. As so many are dependent on digital collaboration it’s not surprising that the block on Google Docs turned out to be temporary, despite the "severe consequences" for the university mentioned by Robin Stevens," said Gibson.
The good news, he said, is that IT professionals – and their managers – can help reduce their exposure to phishing with a few steps. Educating users about the risks is key, he said, but he also recommended using organisation-wide SSL for all web services.
"Purchase an Extended Validation Certificate, which gives users an added visual cue in their browser, telling them they’re visiting a site that is run by your organisation," he said. Finally, "Publish a policy that describes the circumstances under which employees might be asked for personal information, along with the types of information that will and will not be collected (e.g., "We will never, ever ask for your social security number"). This will give users something to reference when they’re unsure."
Oxford University put at least some of the blame for the spate of phishing attacks with Google itself: "We will also be pressuring Google that they need to be far more responsive, if not proactive, regarding abuse of their services for criminal activities. Google’s persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions.
"If OxCERT are alerted to criminal abuse of a University website, we would certainly aim to have it taken down within two working hours, if not substantially quicker. Even out of official hours there is a good chance of action being taken," the university’s computer services department said. "We have to ask why Google, with the far greater resources available to them, cannot respond better. Indeed much, if not all, of the process could be entirely automated – and part of their corporate culture is that their programmers and sysadmins should be automating common tasks such that they can devote efforts to more interesting matters. Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services."
UPDATE: I asked Google whether it is correct that it sometimes takes the firm ‘weeks’ to remove reported abuse by phishers, and also whether it believes it needs to be more proactive, as Oxford University’s computer services team argued. I received this fairly generic reply from Google:
"Google actively works to protect our users from phishing attempts. Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes. Users can report suspicious forms by clicking "Report Abuse" at the bottom of any form."