According to a post titled 'Google Blocks' from the network security team at Oxford University Computing Services (OxCERT), the world-famous seat of learning has decided to put a block, albeit a temporary one, on the use of Google Docs. Robin Stevens from the network security team at Oxford says that the "extreme action" was felt necessary in order to protect "the majority of University users".
While admitting that Google Docs is a "perfectly legitimate site" and one which is "widely used by staff and students as part of their work and personal lives", Stevens explains that it is "also frequently used for illegal activities... which threaten the security of the University’s systems and data". Of course, the same could be said of the Internet itself, or the students themselves, and neither of these has been banned.
It would appear that the IT Security folk at Oxford University are particularly concerned about phishing, and specifically phishing which is targeted at harvesting University email account credentials. If successful, and one has to assume they have been, seeing as it has been felt necessary to take such drastic action, the phishers are then using these compromised accounts in order to distribute spam. The method of choice for the phishermen is linking to web forms hosted on Google Docs.
"Google Docs has many advantages. One significant one is that millions of people use it for perfectly law-abiding purposes. Another is that traffic is encrypted", Stevens says, continuing, "Many educational establishments will have some capability for filtering traffic to malicious URLs as it flows through their network. That’s easy with unencrypted traffic. If the site uses SSL, then you have to do some kind of SSL interception. Straightforward on a corporate network full of tightly-managed systems. Much harder on a network full of student machines, visitor laptops and the like, and in our opinion, something to be avoided".
There has been a "marked increase in phishing activity" at Oxford University during the last few weeks, according to the network security team, resulting in them having to deal with "several account compromises within a short length of time". In order to prevent these incidents, or at least the resulting spam runs, from having a negative impact on the University's reputation with external email services such as Hotmail and Gmail, the decision to block Google Docs was taken. Hotmail has rejected all Oxford University mail for days on end in the past, as a direct result of the domain being a host for spam, and that causes obvious disruption to University business.
"Almost all the recent attacks have used Google Docs URLs", Stevens insists. "Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action".
So, is Oxford University right to ban Google in this way? Not according to David Gibson, VP of Strategy at data security specialists Varonis, who warned that it will "take more than a single ban to ensure the organisation is protected from increasing attacks that leverage trusted services like Google". Gibson recommends instead that IT managers should reduce exposure to phishing by:
Educating users about the risks - with some awareness, they will become more alert when they receive links in their email, or are asked to submit login credentials or Personally Identifiable Information via an external site (like a Google form) rather than a site hosted on the organisation’s own domain.
Using company-wide SSL for all web services - purchasing an Extended Validation Certificate, which gives users an added visual cue in their browser, informs them they’re visiting a site that is run by your organisation.
Publishing a policy - specifically one that describes the circumstances under which students might be asked for personal information, along with the types of information that will and will not be collected. This will give users something to reference when they’re unsure.