If misleading messages ("phishing") are leading their users to enter credentials onto forms which are then used to send out spam, then the solution is not to block access to one of the sites that supports forms. There are an unlimited number of sites that support forms. There are LOTS of better ways to solve this problem. Here are a few:
* Train your users where it is and isn't safe to enter credentials.
* Don't give your users credentials. Have some alternate way to authenticate them like a login token.
* Put rate limiting on the ability of a single account to send out emails.
Blocking the site for just a few hours as an emergency response to a short-term attack is a much more reasonable approach. Sometimes, to react quickly, you need to take measures that are not the best possible choice. But there were better approaches, and the security team should take measures to ensure that they can react more effectively next time. For instance, in this case, a single mass-email or email "virus" had gone out and was tempting a large number of users to give out their credentials. Instead of blocking the site that was collecting the credentials, a better solution would have been to remove the email from the mailboxes of all the students. After all, the email system is provided by the university, and this cuts off the problem at the root. They should institute the necessary technology to support doing this next time they have a phishing problem... perhaps they can even do this proactively: set up some honeypot accounts not receiving any legitimate emails and automatically destroy any emails matching the signature of emails received by these honeypot accounts (with manual review afterward to correct for false positives).
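The honeypot idea above, sketched as an added example (editor's code, not the commenter's and not any university's tooling). It keys a signature on two things: a normalized hash of the message text, and the host plus path of each link with the query string dropped. The second key is what catches a reworded copy that still points at the same credential-collecting form, while a legitimate document on the same service is left alone. Matches are held for review rather than deleted. The honeypot mailbox names and all messages are constructed for the demo.

```python
"""Honeypot-driven phishing quarantine (added example, constructed data)."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Assumed: accounts that never receive legitimate mail, so anything they get is unsolicited.
HONEYPOT_MAILBOXES = {"hp-aa17@example.ac.uk", "hp-zz93@example.ac.uk"}


@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str
    subject: str
    body: str


def _normalize(text: str) -> str:
    """URLs removed, digit runs collapsed (ticket numbers, percentages and
    deadlines vary between copies), case and whitespace folded."""
    text = URL_RE.sub(" ", text.lower())
    text = re.sub(r"\d+", "0", text)
    return re.sub(r"\s+", " ", text).strip()


def content_hash(msg: Message) -> str:
    canon = _normalize(msg.subject) + "\n" + _normalize(msg.body)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def link_keys(msg: Message) -> frozenset:
    """host + path of every link, query and fragment dropped. Keying on the path
    matches one attacker's form without matching every other document on the service."""
    keys = set()
    for url in URL_RE.findall(msg.subject + " " + msg.body):
        parsed = urlparse(url)
        if parsed.hostname:
            keys.add(parsed.hostname.lower() + parsed.path.rstrip("/"))
    return frozenset(keys)


class PhishSignatures:
    def __init__(self) -> None:
        self.hashes = set()
        self.links = set()

    def learn(self, msg: Message) -> bool:
        """Only honeypot mail trains the signature set; returns False otherwise."""
        if msg.mailbox not in HONEYPOT_MAILBOXES:
            return False
        self.hashes.add(content_hash(msg))
        self.links |= link_keys(msg)
        return True

    def match(self, msg: Message):
        """'content' for a copy of a honeypot message, 'link' when only the
        wording changed but the collecting link is the same, else None."""
        if content_hash(msg) in self.hashes:
            return "content"
        if link_keys(msg) & self.links:
            return "link"
        return None


def quarantine(sigs: PhishSignatures, inbox: list) -> list:
    """(msg_id, mailbox, reason) for every match in user mailboxes; held, not deleted."""
    held = []
    for msg in inbox:
        if msg.mailbox in HONEYPOT_MAILBOXES:
            continue
        reason = sigs.match(msg)
        if reason:
            held.append((msg.msg_id, msg.mailbox, reason))
    return held


def demo() -> list:
    """Constructed sample: one honeypot hit and four user messages."""
    form = "https://docs.google.com/forms/d/e/EXAMPLE-FORM-1/viewform"
    inbox = [
        Message("m1", "hp-aa17@example.ac.uk", "Mailbox quota exceeded (Ticket #48213)",
                f"Your mailbox is 98% full. Verify your account within 24 hours: {form}"),
        # same template, different ticket number and percentage
        Message("m2", "alice@example.ac.uk", "Mailbox quota exceeded (Ticket #48219)",
                f"Your mailbox is 97% full. Verify your account within 24 hours: {form}"),
        # reworded, same collecting form, with a tracking parameter appended
        Message("m3", "bob@example.ac.uk", "Action required: webmail upgrade",
                f"Please confirm your login here {form}?usp=send_form"),
        # a legitimate document on the same service: must not be held
        Message("m4", "carol@example.ac.uk", "Lab notes",
                "Draft is at https://docs.google.com/document/d/LEGIT-DOC-1/edit"),
        Message("m5", "dave@example.ac.uk", "Reminder",
                "IT will never ask for your password outside the login page."),
    ]
    sigs = PhishSignatures()
    for msg in inbox:
        sigs.learn(msg)
    return quarantine(sigs, inbox)
```

Running `demo()` holds m2 (same template) and m3 (same form, new wording) and leaves the legitimate document link alone. The weak point is obvious: an attacker who rotates the form per recipient defeats the link key, and one who rewrites every copy defeats the content key, which is why the output goes to a review queue rather than straight to deletion.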
I'm sorry, but that is the typical tech reply that blows normal people's minds. Blame the user. Well, the user says, sod that, let's just block the problem and get on with what we wanted to do in the first place.
People, normal non-tech people, want to use computers as a tool, not become experts in thwarting criminals, etc. If a user can't just go to a computer and simply use it, like say a library or book, then the computer and its champions are failing. It's not the user's job to provide security. And no, it's not like locking a door. The sheer amount of rubbish poor users have to go through to be safe on a computer is frankly a joke, and the reason so many non-geeks love Apple. Yes, geeks know Apple are as insecure as anyone else, but users believe they are simple and safe.
(At this point, by all means picture a toddler going mental in a shop)
I've been in this business for 30 years, and "train the users" is for me a 30-year mantra that no one outside of geekdom wants to hear. It was my job to enable them to do their job more efficiently, not expect them to become some sort of security expert.
This Uni is doing the simple easy thing to let its users function safely. If the IT world doesn't like it, then 1: tough, 2: damn well fix it, and 3: stop blaming users.
Then, you tell them to limit emails. "Oh right," says the user, "I thought one point of email was easy mass mailing, and now you want to block it?"
Really think about the user. It's they who make computers and the internet worth bothering with.
I feel better now. Thank you.
Regardless of what some folks in the "User Friendly" movement would like to think, most tools require basic instruction in order to be safely used. We can't code away all individual responsibility.
So if you fall for email phishing attacks despite training, then you shouldn't be trusted with mass email rights. Likewise, the admins have an obligation to control those resources, and to train users. (If that's too hard to expect, then we need to find out why.)
Point is, users should get the blame for their fuckups-- when they fuck up. It's not an all-or-nothing thing.
Were the IT dept. folks thinking about the user, they would never have blocked Google Docs in the first place. People want to use tool X, so the job of university IT is to ensure they are able to use tool X. They did exactly the opposite.
Also, solutions proposed by GP are reasonable ways to reduce / mitigate the risk of phishing without inconveniencing users too much.
20 years earlier, wouldn't you have expected an office secretary to not send postal mail to everyone in the city? Or give the cabinet keys with the petty cash to anyone who dressed like his/her boss?
Perhaps a better approach to "training the users" might be for the University to actively attempt to phish its own users on a regular basis.
Those who fall for the phishing could be contacted directly, or have email access limited for some period of time (for example, a reduced sending rate limit).
Making self-phishing a regular occurrence (say, weekly) would train users to recognise and ignore it.
My bad... I never intended to suggest "blame the user".
> If a user can't just go to a computer and simply use it, like say a library or book, then the computer and its champions are failing. It's not the user's job to provide security.
If I ran a library and I found that my visitors were just passing the same library card around to everyone in line, even strangers, instead of having each person get their own card, then I would say we needed some user education. We wouldn't need to issue special biometric IDs with a 22-step process to check out a book... but we would need to tell people "Hey, get your own card!"
Similarly, if I find that my IT system users are entering their login passwords in ANYTHING other than the login box (particularly online forms), then I have failed them -- I have failed to educate them about basic use of the systems. I should correct that, by coming to them and letting them know that I will NEVER ask for their password in ANY place other than the login form, and that they shouldn't enter it anywhere else.
> Then, you tell them to limit emails. "Oh right," says the user, "I thought one point of email was easy mass mailing, and now you want to block it?"
Actually, I wouldn't do it that way. I would set reasonable quotas (say, 100 outgoing emails before our rate limiting kicks in). After that, I would have it slow the rate of email sending, not block it. And if any user had sent enough that their mails were getting delayed, I'd also trigger a message to them inviting them to contact IT if they had special needs for mass emails. (We could change their quota, either temporarily or permanently, depending on what they were trying to accomplish.)
> Really think about the user.
Extremely good advice. I agree with your rant.
We can't eliminate all possible danger and coat the world in foam rubber because some people are accident prone.
That's not user-driven logic, that's bureaucrat logic, and pushing for education as a way to mitigate the dangers isn't some kind of 'geek logic' that mainstream people couldn't be bothered with, it's very simple logic.
There are infinite threats. We all have our own whitelists and blacklists.
I don't want to live in a world without electricity, cars, swimming pools, stairs, and knives because some people may hurt themselves, because I may even hurt myself.
Potentially getting fucked over should be in the TOS for human life. Click here to agree or sit in the corner and make collages with non-toxic glue, magazines full of approved harmless imagery, and safety scissors.
That's the hardest nut, and that's where the income comes from. Blocking some sources is simply easy. "We found Google Docs brings more and more phishing; OK, let's just block it, and sorry and apologize to our users." "We found again Zoho brings more and more phishing; OK, let's block it too." Well, we will find more situations like this.
Oh, it's scary! Let's just block the internet and turn on our TV...
And yes, that means not putting in the password when they click a link. Only when they access the website themselves.
No solution is perfect, but GP's are certainly better.
This demonstrably doesn't work. It reduces but cannot eliminate all instances of phishing.
> Don't give your users credentials. Have some alternate way to authenticate them like a login token.
Better, but scrounging up a few million pounds for dongles, plus the non-stop cost and effort of replacing lost and stolen dongles, is not easy for a university, no matter how famous.
> Put rate limiting on the ability of a single account to send out emails.
Many users have legitimate reasons to send out mass emails.
> Instead of blocking the site that was collecting the credentials, a better solution would have been to remove the email from the mailboxes of all the students.
Phishing emails are often varied into multiple templates to avoid being scrubbed this way.
They also tend to trickle in at random, rather than turning up all at once.
Doesn't solve the problem of users without smart phones though, which I imagine is still not ignorable at most universities.
Additionally, what OSes will these dongles support? Would you rather "Oxford University bans Windows XP"? or "Oxford University bans iPhones"? etc.
As far as email, there are several things to consider: One, that I would think it a rarity for a student, or even a teacher! to need to send a single email to more than a handful of /external/ email addresses at a time. Put an email firewall in place between your internal and external systems, and have IT security monitor that system for peaks in traffic, such as single users sending a lot of outbound mail. Obviously, there should be a spam filter going in AND out.
And yes, spam email does trickle in sometimes, and from different SMTP servers, but from the bit I've dealt with them, there are definite patterns that a person can pick up on when they're watching for it.
I manage barely 100 users and I have talked to each of them personally. They're good people and can comprehend instructions. But they still fall for these every now and then. Training doesn't help. They are fantastic in their respective fields but to them, all prompt boxes and all login screens have the same exact amount of legitimacy. Just like how every spark plug looks the same to me. Training can help some users but most of them are going to fall for it eventually.
It is 2013, two factor authentication is here and it is open source software. You can use Google Authenticator[1] for free or you can use something like the YubiKey[2]. If the students have a smartphone then Google Authenticator is on almost all of the major platforms.
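What Google Authenticator actually computes is RFC 4226 HOTP driven by a 30-second time counter (RFC 6238 TOTP). The block below is an added example by the editor, not Google's code or the commenter's; it shows the server side: code generation, verification with a one-step skew window, and a `last_counter` check so that a code typed into a phishing form cannot be replayed once the real user has consumed it. The otpauth:// enrolment URI follows the documented key URI format that the Authenticator app scans; the issuer and account names in it are assumed. The test vectors used are the published RFC 4226/6238 ones (secret `12345678901234567890`, SHA-1).

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, as used by Google Authenticator (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Dynamic truncation of HMAC-SHA1(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Code for the 30-second step containing `at` (default: now)."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, *,
                window: int = 1, step: int = 30, digits: int = 6,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Accept the current step and `window` steps either side (clock skew), but never a
    step at or below `last_counter`, so a captured code cannot be replayed. Returns the
    matched counter (store it as the new last_counter) or None."""
    t = int(time.time() if at is None else at)
    current = t // step
    for c in range(current - window, current + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """160-bit seed, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def enrol_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth URI to render as a QR code for the Authenticator app (issuer/account assumed)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    seed = new_secret()
    print(enrol_uri(seed, "alice@example.ac.uk", "Example University"))
    code = totp(seed)
    print("current code:", code, "-> counter", verify_totp(seed, code))
```

Two things to notice for the phishing case in the thread: the replay check is what turns a stolen one-time code into a dead end after a few seconds, and the shared secret must be stored server-side with the same care as a password hash, because anyone who reads it can mint codes forever.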
How do you actually suggest this be done? Seriously? Classes? OK what's the estimated success rate of that class (i.e. how many people will go to the class, then ignore all the advice)? 80%? What do you do about the 20% who haven't been 'trained'? What next? Computer licences? How long will that take, and again, how many people will ignore it?
Their reasoning seems to be "Google Docs causes us (the security team) hassle, we don't use Google Docs, so we'll shut it down".
They might as well have shut down the whole of the Internet, for all their nonsensical reasoning, except they'd have been affected themselves then..
How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users. Also, digitally sign all official mail, and instruct the users to check those signatures.
These are not insurmountable problems. The real issue is that the IT team is not willing to push for a real solution, and instead went for a bandaid on a broken leg.
For example, blocking all outgoing SMTP traffic except via approved internal relay servers would make tracking these millions of unexpected outgoing emails much easier. Most organisations already put these kinds of restrictions in place, it seems Oxford don't.
As far as I can see, their temporary blocking of Google Docs access did nothing but annoy users, cause them to lose face amongst users, and in the long term make users less likely to cooperate with the security team.
http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=61...
edited to add: here's the paper for you to read, i forgot i had a copy lying around.
This can be a problem for universities in specific ways. Students get emailed some change to course work, all students using hotmail don't get the email, students then have a case to appeal the (possibly) worse mark they received.
Sure. Which is why after so many people complained it is already back up.
Did you miss the recent articles about how spreadsheets were essential to many people? I know many SMEs and individuals who are doing nearly everything besides email in Google Docs. And what do they use email for? To send PDFs of Google Docs to those that don't have GMail accounts.
In the recent "tools of the trade" for HN readers one of the webapps that came out the most often was Google Docs. It is also, quite arguably, given all its functionality and given that it's made by a team of, what, 600 Googlers (!), the most advanced webapp ever.
I think you really don't realize how important Google Docs has become. And it is growing by the day.
There are people who create a GMail account only to get Google Docs after they've seen a demo of it.
It's as misguided as most of the IT departments I've had to deal with blocking browsers other than IE because they are "insecure". No, the other browsers are not insecure, they just haven't bothered getting up to speed on the security profile of those browsers and confuse getting regular security bulletins about IE with being "secure".
How the IT department didn't know what its students, faculty and staff were doing is kind of hard to believe. For students and teachers in particular, Google Docs is a big deal. It's not just because it's a cloud version of Office, but rather that it has things that Office can't do that are especially important in a university setting.
Unfortunately, there are no easy solutions to so-called phishing attacks other than educating users. I would recommend that the IT dept. dedicate its considerable resources and creativity to that end, and try to minimize use of the shotgun approach in the future!
The only effective solution is to educate users, but that in itself is a difficult task.
Phishing attacks rely on users being gullible / distracted / ignorant. Telling users _not_ to be any of these usually results in angry answers such as "Are you implying I am stupid !?", and the important part of the dialogue where you explain things to be wary of is completely ignored.
Another way to communicate these things is to _phish your own users_. Email them a fishy message ultimately asking them for their password, for instance, the same way an attacker would. Of course, some phishing emails / sites look incredibly legit, but in my experience most have noticeable deficiencies. If your users can spot at least those, then they can protect against a good number of attacks. Once the victim falls for the trap, redirect them to a page explaining how they were tricked, and showing what they need to pay attention to.
You even get their passwords, so that you can do some analysis and see how many will change it following the 'incident'.
Now that's the best idea I've heard all morning. You should be running Oxford's IT dept!
This is a British university, not Goldman Sachs. The action was a dramatic, low-cost effort to get users' attention, educating users, if you like (from OP):
> While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the “chain reaction”.
I took that to mean, we were planning a longer term outage, but when it inconvenienced Someone Important, we were forced to reinstate the service, and to cover our rears, we're now claiming it was planned as a 2-hour outage from the very start.
The guys handling security for Oxford are highly experienced and capable. Oxford's network is far more complicated than a typical University.
As others have pointed out, there are a few very simple ways to deal with this sort of thing. Rate limiting alone would likely take care of the problem. This is probably a simple config update on the SMTP server.
The underlying problem in this situation was that Google were so slow to respond to reports of malicious content.
The brief block on Google Docs has served as an excellent way to get attention and highlight a number of things that need consideration.
The fact that they do something doesn't mean that they do it well. As others have mentioned, email filtering in Exchange (bizarre email platform for a university, but ignoring that) seems like a rudimentary starting point here.
So a student on the university network clicks a link to google docs and a warning appears warning of potential attacks using google docs, be aware, and click next to continue.
Is this doable?
TBH, many faculty and staff will be just as bad; though, I question their assertion that anyone interested in a Higgs Boson would let a Uni-admin task distract them. Some physicists may not have any common sense, but are generally more tech-literate than average.
It sounds like all you are doing is regulating access to some sort of all@university mailing list. How does this solve the much bigger problem of spammers using compromised accounts to spam Gmail/Hotmail addresses, which then end up getting the university blocked? And even ignoring that how does it prevent people from just looping through a list of your university's email addresses and sending them one at a time?
Google needs to implement a forcing function with Google docs so that their software is not misused on the Internet. No amount of user education will fix the problem -- only some sort of forcing function will fix it.
The idea of forcing functions is well known in organizational/system theory.
Another way to think about this is the recent notices that Java (and at other times Adobe Flash) has recently introduced a security flaw where people using their computer can have it hacked into (Apple suggests removing Java unless you really need it).
Just as we would expect Java/Oracle and Adobe/Flash to fix their security flaws so should Google fix theirs.
Perhaps they could implement some more advanced email filters, e.g. removing all links to google docs, instead of blocking the service for all users?
I'd imagine a mass of the user-base of Oxford uses Google Docs for important things, from group work on a PowerPoint/Word doc, through storing their work in the cloud without the Office Suite.
"Another is that traffic is encrypted. Many educational establishments will have some capability for filtering traffic to malicious URLs as it flows through their network. That’s easy with unencrypted traffic. If the site uses SSL, then you have to do some kind of SSL interception."
We frequently (at least once per month) get a phishing e-mail asking us to reply or click a link and provide our credentials. For anyone who has attended the university more than 6 months, there will have been at least 3 e-mails from the IT-department telling people to not ever, in any way, give out credentials. Yet, for every phishing mail we get at least 3-4 accounts get compromised (out of ~1500), and more would get compromised if the IT department weren't quick to block traffic to the offending URLs. And again, this is in a crowd that should be somewhat unfavourable to scammers (as most of us know and can recognise such attempts).
You can try to educate your users, and you should, but just know that it only minimizes the risk, it will never, ever nullify it and if they can send 1 million e-mails from just 1 account, then it is practically a dead-end in terms of stopping the scammers. I can completely understand why they are blocking Google Docs, it's a matter of settling for the "lesser evil" solution.
Couldn't agree more about education never actually fixing the problem.
The problem lies with the people on the Internet though. I doubt the whole thing could be automated because of the simple fact that there are people out there who, just to troll, would (and probably already do) zip through plenty of legitimate public Google docs and click the "report abuse" link at the bottom of each page.
The result is most likely that an overwhelming amount of reported "abuse" pages are legitimate, which is why actual malware docs don't get dealt with in a timely manner. It's like when people prank call 911, which could lead to actual emergencies not being responded to immediately.
Not a perfect solution, but it would help cover a sizeable volume of this kind of phishing attack.
So if the real problem stems from the Oxford mail accounts being hacked and then used to propagate the phishing attacks, why not concentrate on that?
You should use 2-step authentication for the email accounts, so that randoms in some other part of the world can't just hack in to an email account and use it.
I was at SBS, and we were on Microsoft Exchange servers for email I think. Unfortunately, afaik Microsoft doesn't offer 2-step authentication. Instead of blocking Google Docs, you should be moving all email systems to Google Apps so you can use their better security. We just did it at my company for a few thousand users and several domains - I think you could do it too.
Find out how many emails people usually send per minute/hour and just DENY relaying anything else over that limit. That way it'll be less profitable for spammers to acquire user account details if he/she can only send X mails every minute.
Spammers are phishing for ox.ac.uk accounts because they're easy to exploit, right? Just raise the bar.
Obviously I know little about their network so I'm probably already sounding arrogant but there are some solutions that (generally) have better inconvenience/security ratio than just plain login&pass. Especially if you account for the inconvenience of getting the whole site blacklisted. My site uses one-time, limited-time passwords to authorize external connections but the users are tech savvy so I'm not sure if it works in general settings.
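Two proposals in this thread call for the same piece of code: the earlier "100 outgoing emails, then slow the sending rather than block it, and tell the user to contact IT" scheme, and the "find the usual rate and DENY relaying above it" one just above. The block below is an added example by the editor (not Oxford's configuration and not any commenter's code) of a per-sender sliding-window quota that does both: accepted mail below the soft quota, SMTP-style deferral between the soft and hard quotas, outright refusal above the hard one, and per-account overrides for people with a genuine mass-mail need. It counts recipients rather than messages, so an attacker who loops over a list sending one message per address gains nothing. The 100 figure is from the thread; the window, hard ceiling and deferral period are assumed.

```python
"""Per-sender outbound mail quota: accept, defer or refuse (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    window_s: int = 3600     # sliding window (assumed)
    soft_quota: int = 100    # recipients per window before throttling starts (from the thread)
    hard_quota: int = 500    # a single submission that would push past this is refused (assumed)
    defer_s: int = 300       # "try again later" period between the two quotas (assumed)


@dataclass(frozen=True)
class Decision:
    action: str              # "accept", "defer" or "reject"
    retry_after_s: int
    notify: bool             # True the first time a sender is throttled, and on every refusal


class SenderLimiter:
    def __init__(self, policy: Optional[Policy] = None) -> None:
        self.policy = policy or Policy()
        self._events = {}      # account -> deque of (time, recipient count) for relayed mail
        self._overrides = {}   # account -> Policy, granted by IT for genuine mass mailers
        self._warned = set()

    def set_override(self, account: str, policy: Policy) -> None:
        self._overrides[account] = policy

    def _used(self, account: str, now: float, window: int):
        q = self._events.setdefault(account, deque())
        while q and q[0][0] <= now - window:   # drop events that left the window
            q.popleft()
        return q, sum(n for _, n in q)

    def submit(self, account: str, recipients: list, now: float) -> Decision:
        """Called once per SMTP submission. Only relayed (accepted) mail is counted, so a
        deferred client that keeps retrying is held back until the window drains, not punished."""
        pol = self._overrides.get(account, self.policy)
        q, used = self._used(account, now, pol.window_s)
        n = len({r.strip().lower() for r in recipients})
        if used + n > pol.hard_quota:
            return Decision("reject", pol.window_s, True)
        if used + n > pol.soft_quota:
            first = account not in self._warned
            self._warned.add(account)
            return Decision("defer", pol.defer_s, first)
        q.append((now, n))
        return Decision("accept", 0, False)


if __name__ == "__main__":
    lim = SenderLimiter()
    for t in (0, 10, 20, 30):
        print(t, lim.submit("alice@example.ac.uk", [f"u{i}@example.org" for i in range(30)], t))
    print(lim.submit("mallory@example.ac.uk", ["v@example.org"] * 3, 40))
```

Wiring this into a real MTA means calling `submit` from the policy hook (a Postfix policy daemon or a milter, for example) and mapping "defer" to a 4xx and "reject" to a 5xx response; the `notify` flag is the point at which the earlier proposal's "contact IT if you have a special need" message goes out, and the override table is what makes that conversation productive rather than a dead end.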
I think it is too late now to guarantee service through legislation, but the upsides do outweigh the downsides.
I bet it's probably just because of the illicit connotations of the 'Hacker' word.
Just wanted to point out this specific detail. They seem to be attacking the wrong problem, as many others already noted.
If they're seeing targeted phishing (which the article implies that they are), then the attackers will just observe the drop off in people following the links and move the phishing forms to another domain or service, making it very difficult for the admins to keep up.
Really addressing this kind of problem has to come down to a combination of awareness training and improved authentication techniques (i.e. move away from static username/password combinations)
Why not filter the emails/IPs who send out spam rather than blocking the URL? What if Google blocks Oxford?
That means they'll have hundreds of credentials and can do all sorts of nasty things to your computing environment and to people's accounts.
That's not acceptable.
Hopefully Google will treat this more seriously now that it's hit the press.
A reference to an episode of QI, right?
Here's what's next: Oxford blocks roads because criminals are using roads. Oxford blocks food deliveries because criminals are using restaurants to eat.
Seriously now: what's the Microsoft rebate Oxford got for taking such a measure?