February 22, 2013 (updated 19 Aug 2016 9:27am)

Oxford Uni must do more than block Google Docs: updated

University accused of Google-bashing

By Jason Stamper

Oxford University’s decision to temporarily block access to Google Docs over fears it was leading to a rise in phishing attacks is not enough to stop the threat, according to VP of strategy at Varonis, David Gibson.

Oxford University said on February 18th that it had suspended access to Google Docs for staff and students a few days earlier, as it saw a sudden escalation in attacks. Oxford University Computing Services explained that, "Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action."

However, it’s understood there was considerable dismay amongst students and staff at the block, leading the department to say, "It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. This was taken into account along with changes to the threats and balance of risks over the course of the afternoon, and after around two and a half hours, the restrictions on access to Google Docs were removed."

Numerous commenters on the university computer department’s website were dismayed at the temporary block. One user wrote, "Aren’t you guys closing the wrong door? If the spam problem is volume, why not implement an email quota for your users? 100 emails a day? Come on guys, if a university of your prestige can’t deal with that, who can?"

A user called Ray Allen said, "I was disappointed to see this action being taken. It seemed like a point score against Google rather than a serious attempt to improve security. Phishing is a constantly moving target and until you educate users not to give out passwords (by email, form, phone or any other mechanism) you’ll have the same issue."

Meanwhile Varonis’ Gibson believes that a temporary block is not enough to stop attacks. His firm said it will take more than a single ban to ensure the organisation is protected from increasing attacks that leverage trusted services like Google. "Google docs and other public cloud file sharing services have proven to be very convenient for end users — it’s unfortunate that they are now proving to be convenient for cybercriminals and phishing attacks. As so many are dependent on digital collaboration it’s not surprising that the block on Google docs turned out to be temporary, despite the 'severe consequences' for the university mentioned by Robin Stevens," said Gibson.

The good news, he said, is that IT professionals – and their managers – can help reduce their exposure to phishing with a few steps. Educating users about the risks is key, he said, but he also recommended using organisation-wide SSL for all web services.

"Purchase an Extended Validation Certificate, which gives users an added visual cue in their browser, telling them they’re visiting a site that is run by your organisation," he said. Finally, "Publish a policy that describes the circumstances under which employees might be asked for personal information, along with the types of information that will and will not be collected (e.g., "We will never, ever ask for your social security number"). This will give users something to reference when they’re unsure."

Oxford University put at least some of the blame for the spate of phishing attacks with Google itself: "We will also be pressuring Google that they need to be far more responsive, if not proactive, regarding abuse of their services for criminal activities. Google’s persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions.

"If OxCERT are alerted to criminal abuse of a University website, we would certainly aim to have it taken down within two working hours, if not substantially quicker. Even out of official hours there is a good chance of action being taken," the university’s computer services department said. "We have to ask why Google, with the far greater resources available to them, cannot respond better. Indeed much, if not all, of the process could be entirely automated – and part of their corporate culture is that their programmers and sysadmins should be automating common tasks such that they can devote efforts to more interesting matters. Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services."

UPDATE: I asked Google whether it is correct that it sometimes takes the firm ‘weeks’ to remove reported abuse by phishers, and also whether it believes it needs to be more proactive, as Oxford University’s computer services team argued. I received this fairly generic reply from Google:

"Google actively works to protect our users from phishing attempts. Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes. Users can report suspicious forms by clicking "Report Abuse" at the bottom of any form."



