Weekly Edition
Return to the Security page
| |||||||||||||
Oxford blocks Google Docs as a phishing countermeasureGoogle services are nearly ubiquitous these days. Although the most oft-repeated concern is that this ubiquity compromises user privacy, recent action by Oxford University illustrates that there are other risks accompanying the search giant's omnipresence, such as security. Robin Stevens, from the University's IT department, posted a blog entry about the action on February 18, explaining that IT "recently felt it necessary to take, temporarily, extreme action for the majority of University users: we blocked Google Docs." University officials enforced the block for only two and a half hours, not to combat the security threat itself, but to get the attention of its own users. Go phishThe issue at hand is phishing attacks delivered via Google Docs's web forms. Phishing itself is not a new problem, Stevens noted, but historically phishing attacks would be delivered as email messages asking the recipient to reply and include account information (such as the password). The replying accounts would then be taken over and used as a platform from which to send out thousands of spam emails through the university's email servers. As a large, established university, Oxford's servers are implicitly trusted by many other email providers and ISPs, which raises the chance of the outgoing spam flood sneaking past filters. This type of email-based phishing attack would generally masquerade as an urgent request from some on-campus office (such as IT itself), warning the user of a policy violation, a full mailbox, or some other issue requiring rapid attention. These days, however, direct-reply phishing is on the decline, and the more common approach is to trick users into visiting a legitimate-looking web form. Like the phishing email, this form masquerades as official communication, perhaps asking the user to log in (with his or her real password) to take care of some urgent account problem. The trouble is that Google Docs offers a free web form creation service—and it delivers it over SSL, thus making it harder for the university's anti-malware defenses to detect. Stevens reported that recent weeks had seen a "marked increase" in such phishing activity, and that although the majority of the university's users spotted the scams, a small proportion did not.
Now, we may be home to some of the brightest minds in the
nation. Unfortunately, their expertise in their chosen academic field
does not necessarily make them an expert in dealing with such mundane
matters as emails purporting to be from their IT department. Some
users simply see that there's some problem, some action is required,
carry it out, and go back to considering important matters such as the
mass of the Higgs Boson, or the importance of the March Hare to the
Aztecs.
With even a small fraction of the tens of thousands of university email users falling for the phishing forms, a sizable number of accounts were compromised—and, presumably, could be used to mount spam floods at any time. That put the university at additional risk, Stevens said, because in the past there have been incidents where major email providers began rejecting Oxford email due to large-scale spam. The recent surge in Google Docs form-phishing attacks happened over a short period of time, but thanks to the potential for a site-wide rejection by other ISPs, it risked causing a major disruption to email service for university users. ResponseThe straightforward response to phishing attacks delivered via Google Docs would seem to be reporting the incident to Google, but Stevens said that this approach proved futile. IT could report each phishing web form to Google's security team, but:
Unfortunately, you then need to wait for them to take action. Of late
that seems typically to take a day or two; in the past it’s been much
longer, sometimes on a scale of weeks. Most users are likely to visit
the phishing form when they first see the email. After all it
generally requires “urgent” action to avoid their account being shut
down. So the responses will be within a few hours of the mails being
sent, or perhaps the next working day. If the form is still up, they
lose. As do you – within the next few days, you’re likely to find
another spam run being dispatched from your email system.
Instead, the university decided to pull the plug on Google Docs from the university network, in the hopes that the outage would awaken users to the risk. "A temporary block would get users' attention and, we hoped, serve to moderate the 'chain reaction'." Evidently the block did get users' attention—but IT failed to take into account how tightly Google Docs has become integrated with other Google services in recent years. The disruption to legitimate users was "greater than anticipated," causing Stevens's office to issue an apology and a detailed explanation of the problem. On the other hand, Stevens did report that the temporary block accomplished its goal of short-circuiting the phishing attack. In the future, he said, the university would both search for a less disruptive way to circumvent Google Docs phishing attacks, and pressure Google to be "far more responsive, if not proactive, regarding abuse of their services for criminal activities." Google's slow reaction to reports of criminal activity has severe consequences for the university, he said. We have to ask why
Google, with the far greater resources available to them, cannot
respond better. [...] Google may not themselves be being evil, but
their inaction is making it easier for others to conduct evil
activities using Google-provided services.
The 800 pound gorillaSo far, Google has not issued a public response to the Oxford incident. But one does not need to be a major university to find lessons in the story. First, the existence of web forms in Google Docs provides a nearly worldwide-accessible platform for mounting phishing attacks. Google's ubiquity has turned it into a de-facto "generic service" which many users may be oblivious to. In fact, Google Docs is widespread enough that many universities do use it to send out general polls, surveys, and other form-based questionnaires. Yes, the IT department is far less likely to employ a Google Docs form than is (for example) Human Resources, but that is the sort of detail it is all too easily missed by some small proportion of users on any particular email. Second, Google's multi-day turnaround time for taking action against reported criminal activity is a problem in its own right. But while accurate reports of such criminal activity need to be acted on as soon as possible, the reality is that swift action raises the risk of false positives, too. Here again, Google services are so widespread now that it would be a challenge to police them all in real time. If, as Stevens suggested, Google were to automate any part of the form shutdown process, one nasty side effect would be that the automated process might turn into a vehicle for widespread denial of service instead. Third, some will say that the sort of large-scale phishing attack seen at Oxford demonstrates that passwords alone are no longer sufficient for account security. But the university's tens of thousands of users present a daunting set of accounts to manage; supplying that many users with cryptographic security tokens or supporting that many users in a multi-factor authentication scheme would constitute a substantially higher cost than it would for most businesses—more so when one considers that the student population turns over regularly. Of course, Oxford's experience is only one data point. In the Hacker News discussion of the event, commenter Jose Nazario pointed to a 2011 IEEE paper (and provided a PDF link for those without IEEE library access) he co-authored that examined the prevalence of form-based phishing attacks. Google Docs was the second-most popular host for form phishing attacks, and phishing forms based there lasted, on average, more than six days. The most widely-used service for form-based phishing attacks was addaform.com, and there were several others with numbers somewhat close to those of Google Docs. The prospect of intercepting all form-based phishing is a daunting one, to be sure. But regardless of the precise rankings, eliminating the threat from Google Docs is likely to be far more difficult since, like Big Brother, Google services are everywhere. (Log in to post comments)
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 10:18 UTC (Thu) by epa (subscriber, #39769) [Link]
Sorry what exactly is the attack here? If you just want to get the user to visit a certain web page and download some malware, you can do that without Google Docs. From the blog entry it appears that the attackers are tricking users into entering their webmail username and password. Obviously the usual Slashdot answer of "just educate the users not to give out their password" does not work in practice, so is there something else that can be done?
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 13:34 UTC (Thu) by pboddie (subscriber, #50784) [Link]
I think that making the situations where passwords are employed really stand out, as almost a completely different mode of operation (a bit like the Ctrl-Alt-Delete action on Windows NT and later), and then making sure that no-one ever enters a password under any other circumstances, would probably build up a level of resistance to such attacks.
Phishing attacks like this are pretty common, and I was fairly exasperated a few years ago when, after having receiving a phishing attempt sent to users at my employer from a faked address at my employer, I pointed out that since my employer's e-mail infrastructure is delivering the mail to me, the least they could do is to detect, filter, and take appropriate action on stuff that they obviously wouldn't be sending to their own users. Unfortunately, all I got in return was a patronising "we know what we're doing, you don't" kind of response, which obviously wasn't true.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 15:12 UTC (Thu) by epa (subscriber, #39769) [Link]
Unfortunately browsers don't give much help for letting the user know what is a valid password prompt and what is not.
I think an animated agent (like the old Office Assistants of MS Office) could help here; whenever a site displays a form the agent could appear in the corner of the window with a face that communicates 'OK' or 'not sure who you're talking to here', and a banner saying what the website is and whether it is verified.
So when going to a plain http: page hosted at google.com the little guy would shake his head, or wag his finger, and point out that (a) anybody can see the password you're entering as it goes across the wire, and (b) this is a page at Google.
(Five years ago this would have generated too many warnings all over the web, but nowadays major sites are increasingly using https.)
Browsers do have a well-intentioned warning that you are submitting form data over an insecure connection, but it's so annoying that everyone turns it off immediately. A notification that (mostly) gets out of your way and lets you continue to enter the data if you want, but communicates security concerns in a more human way, might do a better job of getting users to think before they click.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 16:08 UTC (Thu) by pboddie (subscriber, #50784) [Link]
Well, some of the passwords involved aren't even Web application passwords. So, the phishing mails that purport to come from a university mail service might be concerned with passwords that might only be used in dialogue windows employed by a mail client, not a Webmail service, although the latter might also be used.
An alternative to password usage in order to avoid habitual password use/misuse might involve client certificates for authentication, although that wouldn't make remote access to things like institution-provided Webmail particularly convenient, but it would make password usage so unusual that people might stop and think before typing one into a form.
The other issue I mentioned was that of trusting people who tell you or ask you for stuff. Here, the lack of adoption of proper e-mail signing and encryption is perhaps the biggest drag on any progress being made in keeping e-mail a relatively safe and reliable medium. Indeed, in many managed environments, making signed messages the default and having trusted and untrusted inboxes should be fairly straightforward to implement.
Maybe Oxford University should consider such measures if their e-mail infrastructure is up to it, which these days might have something to do with whether the vendor of that infrastructure supports it or not (and the wider matter of why/why not).
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 12:50 UTC (Thu) by dskoll (subscriber, #1630) [Link] Good for Oxford! Google could greatly mitigate the abuse of its services by phishers by unconditionally including the following text on all user-created web forms: Note: This is a document hosted by Google Docs. Do not enter any sensitive information such as credit-card numbers, usernames or passwords. If the form asks for any such sensitive information, please report it as abuse. I recommended to Google that they do that and had absolutely no response. Google has a responsibility not to Be Evil and they really need to make it harder for phishers to abuse their services.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 19:46 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
> Google could greatly mitigate the abuse of its services by phishers by unconditionally including the following text on all user-created web forms:
> Note: This is a document hosted by Google Docs. Do not enter any sensitive information such as credit-card numbers, usernames or passwords. If the form asks for any such sensitive information, please report it as abuse.
That won't work if you need people to login to Google Docs because you use things there internally.
Google cannot set the policy for your organization about what can and can't be entered into a document (and do you _really_ want them to????)
Note, I am not saying that using Google Docs this way is a good thing, it's not. But it's also the reality in may organizations.
You want to dig up a lot of dirt on a major company, send an e-mail to any address in the company you can find that claims to be a survey that the company management has asked for, and you can get people to answer all sorts of sensitive information (and volunteer even more in the free-form fields). The fact that so many companies DO use outside survey companies to do exactly this will lead employees to consider such survey requests 'normal' and tell them anything.
This abuse of Google Docs forms to do the same type of thing is facilitated by the expectation of users that there is so much legitimate use of Google Docs.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 21:14 UTC (Thu) by dskoll (subscriber, #1630) [Link] That won't work if you need people to login to Google Docs because you use things there internally. So you disable the warning for forms created by paying customers. If a paying customer uses it for phishing, that customer will usually be a lot easier to track down than some anonymous free user.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 22:50 UTC (Thu) by nowster (subscriber, #67) [Link]
That only works if the credit card used for paying for the scam account is not stolen.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 23:20 UTC (Thu) by dskoll (subscriber, #1630) [Link] *sigh* Come on, this is Google we're talking about. They can surely use some of the massive globs of data they collect to tell who is reputable and who isn't. OK, fine. Only suppress the warning for paying customers in good standing who have been paying customers for at least 6 months. That should make it uneconomical for phishers.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 16:34 UTC (Sat) by felixfix (subscriber, #242) [Link]
Until someone hijacks the account or steals the credentials.
Surely you know of Mr Murphy by now :-)
People looking to get work done don't have sneak thieves on their mind 24 hours a day, they have work to think of, but for people looking for easy ways to steal such data, that *is* their job.
Google Forms mitigation text Posted Mar 17, 2013 19:53 UTC (Sun) by ccurtis (guest, #49713) [Link] Google could greatly mitigate the abuse of its services by phishers by unconditionally including the following text on all user-created web forms: Google has been placing this text on my forms for quite a while: Never submit passwords through Google Forms. It's not as verbose, but it's right there next to the Submit button.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 15:17 UTC (Thu) by sorokin (subscriber, #88478) [Link]
Personally I think "just educate the users" is the only option that works. You can not protect everybody from every possible kind of fraud. Fool will be cheated, no matter how hard you are trying to protect him.
I don't understand Oxford's actions. The protection of users is not their responsibility and not their business.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 15:43 UTC (Thu) by mpr22 (subscriber, #60784) [Link] Now, we may be home to some of the brightest minds in the nation. Unfortunately, their expertise in their chosen academic field does not necessarily make them an expert in dealing with such mundane matters as emails purporting to be from their IT department. Some users simply see that there's some problem, some action is required, carry it out, and go back to considering important matters such as the mass of the Higgs Boson, or the importance of the March Hare to the Aztecs. Please read the above paragraph again. It seems to me that it contains all the information you should need to understand the motivations of the University of Oxford's computing service in this matter. (It also bears a more than passing resemblance to the sort of thing those of my friends who have worked as I.T. staff at the University of Cambridge and its several departments and colleges would say.)
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 16:03 UTC (Thu) by ewan (subscriber, #5533) [Link]
It's not about protecting the users so much as protecting the University's ability to send email without getting its outgoing servers blacklisted as spam sources, or having other services accessed by unauthorized people using stolen Oxford credentials. It's not just that 'people in Oxford' are being phished; it's that University accounts are.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 7, 2013 22:34 UTC (Thu) by marcH (subscriber, #57642) [Link]
With great power comes great responsibility. IT-illiterate Oxford users (the ones easy to fool) should simply not be allowed to send any high volume of email or access important internal services. What Oxford needs is just different classes of users.
The other thing Oxford needs is Single Sign On. I work in a company with tens of thousands of employees, a mixed Windows+Linux and often cumbersome environment, hundreds of different internal web sites... yet I almost never have to enter my password. So, any page asking for a password instantly becomes more suspect.
And of course more "education" - there is never enough. Make sure everyone has to sign one short and extremely scary document before getting any account, severe punishments for careless users, etc., etc. All the usual things universities tend to be too lax to do whereas it's performed in almost every business.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 8, 2013 0:22 UTC (Fri) by ewan (subscriber, #5533) [Link] "The other thing Oxford needs is Single Sign On. I work in a company with tens of thousands of employees, a mixed Windows+Linux and often cumbersome environment, hundreds of different internal web sites... yet I almost never have to enter my password. So, any page asking for a password instantly becomes more suspect."Oxford has SSO; there's really only two web pages that should ever ask for a University login, as explained here; the main SSO login, and the OWA login. Some people will still fall for it. The vast majority won't, but with fifty thousand users, a small minority is enough. Getting a 100% solution here is hard.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 8:18 UTC (Sat) by marcH (subscriber, #57642) [Link]
> The vast majority won't, but with fifty thousand users, a small minority is enough.
Then sorry to repeat myself but a small minority of lusers with obviously restricted rights (since they are lusers) should not be able to damage the entire 50.000 users system. How come just a few people can get the campus blacklisted as a whole? This does not make a lot of sense, does it?
Many problems appear in a brand new light as soon as you start digging a bit and _quantifying_.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 10:29 UTC (Sat) by hummassa (subscriber, #307) [Link]
Blacklists often overreach by design.
The idea is that if you blacklist one whole network, people who weren't doing anything wrong will set the wrongdoers straight for you.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 14:46 UTC (Sat) by marcH (subscriber, #57642) [Link]
> ... who weren't doing anything wrong will set the wrongdoers straight for you.
Yes, and for instance in the case of email it translates into something dead simple and sane implemented by most networks: no random luser granted permission to send any significant volume of email unless explicitly allowed.
Next blacklist(s)?
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 19:32 UTC (Sat) by pboddie (subscriber, #50784) [Link]
This goes beyond e-mail, I would imagine, since the e-mail password is probably good for all services as some kind of "university account" password, and that would then permit wrongdoers to attempt logins to various machines, install software, attempt to gain additional privileges (either through legitimate mechanisms or by employing exploits), and then to start doing bad network-related stuff that might include sending e-mails.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 13, 2013 15:16 UTC (Wed) by union (subscriber, #36393) [Link]
You seem to have attitude problem.
They are not luzers, they are users. Their job is to educate/learn and or preform research.
The reason for oxford IT staff and IT infrastructure including mail servers to exist is so the people you call luzers can spend their time doing more productive things.
Spam/phishing/viruses are IT problems, any solution that relies on end users to be "educated" will fail.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 13, 2013 19:02 UTC (Wed) by marcH (subscriber, #57642) [Link]
> Their job is to educate/learn and or preform research.
... and surely this requires permission to send hundreds of email per minute continuously and access all kinds of sensitive IT resources?
I'll stop because it looks like you just stopped the left side of your brain as soon as you read "luser" and let the offended right side provide a recorded answer.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 15, 2013 9:05 UTC (Fri) by marcH (subscriber, #57642) [Link]
> Many problems appear in a brand new light as soon as you start digging a bit and _quantifying_.
This discussion made me think and realize how why good software engineers are so poorly equipped to think about security.
Software engineering is binary: it's about fixing problems and making things work. It's about avoiding randomness at all costs. Either it works or it does not.
Whereas security is all about risk assessment, statistics, measurements and economics. As all the banking and insurance industry knows, there is almost never a silver bullet. As opposed to what could be seen in this discussion, security is not about trying to find the one silver bullet but actually about buying ALL the good value bullets that are available on the market. "Defence in depth" follows that line.
How _many_ Oxford IT[l]users will fall for a basic phishing attack? How _many_ will fall for a more elaborate one? What kind of cheap "education" can significantly reduce these _numbers_? How many more privileged users will fall for the same attacks? How many emails per day does a basic Oxford IT user need to send? After how _much_ spam will the whole campus be blacklisted? How strong is this password? How often is this or that software found to be vulnerable?
One of the most blatant proof that software engineers don't understand security can be found in the infamous "why your spam solution won't work" list http://craphound.com/spamsolutions.txt
Bruce Schneier probably said this already somewhere in his blog or books much better than I just tried. Any decent security worker reading the above would probably think I just stated the obvious. Well, it was not obvious for me and clearly not obvious for other people in this thread.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 15, 2013 12:51 UTC (Fri) by etienne (subscriber, #25256) [Link]
> One of the most blatant proof that software engineers don't understand security
Maybe they understand, but they also know the consequences, i.e. you can spend massive amount of time checking if you have rights to do what you are about to do - and it can take a lot longer to do those checks than do the initial job.
Now those software engineers may be people who are using their computers, more than writing an E-mail times to times, and even with an up-to-date hardware it just takes 3 hours CPU time to regenerate the 10 Gbyte tree to produce the good output file, you may need 3 versions of those output files, and the night in between days is not that long.
Add all the "security" you are talking of, and it will take weeks to get one of these output file - people have tried that on other Operating Systems. I am not sure people have been more secure on those other OS.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 15, 2013 13:22 UTC (Fri) by marcH (subscriber, #57642) [Link]
> Maybe they understand, but they also know the consequences, i.e. you can spend massive amount of time checking if you have rights to do what you are about to do - and it can take a lot longer to do those checks than do the initial job.
... and then they generalize and conclude from just that example that all security features are equally bad. Not equipped to properly assess the value and return on investment of various security features: my point exactly.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 15, 2013 19:22 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]
> One of the most blatant proof that software engineers don't understand security
Actually, most IT security people don't understand security either. They talk in absolutes, and every exploit is talked about as if it's one that if you don't solve it you are completely unprotected and may as well not bother with securing anything.
Most of them pay lip service to 'defense in depth', but don't really think about it, or about what they are allowing to go from layer to layer (hint, a machine on one tier that just reformats a request and sends it down to your next tier without doing any validation of the request is adding almost zero security)
In addition, many security people are completely unwilling to discuss any trade-off in security vs anything else (availability, time to market, performance, maintainability, etc)
As you say, Security issues are one more risk that everyone must deal with.
The problem is that it's _really_ hard to evaluate the risk posed by a security hole. The probability that a particular vulnerability will be attacked is basically impossible to define. Something may seem really hard or obscure, but this can change at any time with no notice (someone writes a script-kiddie tool that makes a really hard attack trivial to execute and publicizes the attack and something went from 'extremely unlikely' to 'extremely likely' in an instant.
David Lang (working security in banking for 16 years)
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 13:50 UTC (Sat) by cstanhop (subscriber, #4740) [Link]
Does Google have a "report this form for phishing" link or button these forms? It seems a link like that could work as well as a "report spam" for email. At least it might help with rapid, automated responses to lock out suspicious forms.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 20:04 UTC (Sat) by vmpn (subscriber, #55435) [Link]
I think it is time to enhance https to support session key escrow. browser does sesion key exchange but beyond that proxy issues a challenge for the session key and does not pass any more traffic that it cannot decrypt.
Browser can make sure to alert the user that 3rd party is requesting keys and have a different icon. Meanwhile corp proxy can block any access, while connection to outside world remaining encrypted
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 9, 2013 23:31 UTC (Sat) by jimparis (subscriber, #38647) [Link] Maybe it's time for some better browser anti-phishing support. If I were to stand over my dad's shoulder, and I saw him typing his Paypal password into Google Docs, I'd tell him to stop. The browser could do that too: <input type="password" warn-other-domain="paypal.com">
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 11, 2013 6:03 UTC (Mon) by sorpigal (subscriber, #36106) [Link]
I don't see why warn-other-domain would be required. The browser, or an extension, could assume that the domain from the form's action (or the current location if action is empty) is the correct one. There would still be an annoying training period and "needless" warnings, given that a lot of people re-use passwords between sites, but the effect would be just as good in the end: The user gets an alert if the receiving site *might not* be one that he was expecting.
Oxford blocks Google Docs as a phishing countermeasure Posted Mar 11, 2013 9:25 UTC (Mon) by micka (subscriber, #38720) [Link]
I'm not sure if it's possible with google doc, but the server can receive the password you typed before you submit the form. You can event send each key to the server as soon as it's typed, with a bit of javascript.
So the user is warned that it may be sending a password to a new site and press "no", but the password is already sent.
|
|||||||||||||