
Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 10:18 UTC (Thu) by epa (subscriber, #39769)
Parent article: Oxford blocks Google Docs as a phishing countermeasure

Sorry what exactly is the attack here? If you just want to get the user to visit a certain web page and download some malware, you can do that without Google Docs. From the blog entry it appears that the attackers are tricking users into entering their webmail username and password. Obviously the usual Slashdot answer of "just educate the users not to give out their password" does not work in practice, so is there something else that can be done?


Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 13:34 UTC (Thu) by pboddie (guest, #50784)

I think that making the situations where passwords are employed really stand out, as almost a completely different mode of operation (a bit like the Ctrl-Alt-Delete action on Windows NT and later), and then making sure that no-one ever enters a password under any other circumstances, would probably build up a level of resistance to such attacks.

Phishing attacks like this are pretty common, and I was fairly exasperated a few years ago when, after having received a phishing attempt sent to users at my employer from a faked address at my employer, I pointed out that since my employer's e-mail infrastructure is delivering the mail to me, the least they could do is to detect, filter, and take appropriate action on stuff that they obviously wouldn't be sending to their own users. Unfortunately, all I got in return was a patronising "we know what we're doing, you don't" kind of response, which obviously wasn't true.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 15:12 UTC (Thu) by epa (subscriber, #39769)

Unfortunately browsers don't give much help for letting the user know what is a valid password prompt and what is not.

I think an animated agent (like the old Office Assistants of MS Office) could help here; whenever a site displays a form the agent could appear in the corner of the window with a face that communicates 'OK' or 'not sure who you're talking to here', and a banner saying what the website is and whether it is verified.

So when going to a plain http: page hosted at google.com the little guy would shake his head, or wag his finger, and point out that (a) anybody can see the password you're entering as it goes across the wire, and (b) this is a page at Google.

(Five years ago this would have generated too many warnings all over the web, but nowadays major sites are increasingly using https.)

Browsers do have a well-intentioned warning that you are submitting form data over an insecure connection, but it's so annoying that everyone turns it off immediately. A notification that (mostly) gets out of your way and lets you continue to enter the data if you want, but communicates security concerns in a more human way, might do a better job of getting users to think before they click.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 16:08 UTC (Thu) by pboddie (guest, #50784)

Well, some of the passwords involved aren't even Web application passwords. So, the phishing mails that purport to come from a university mail service might be concerned with passwords that might only be used in dialogue windows employed by a mail client, not a Webmail service, although the latter might also be used.

An alternative to password usage in order to avoid habitual password use/misuse might involve client certificates for authentication, although that wouldn't make remote access to things like institution-provided Webmail particularly convenient, but it would make password usage so unusual that people might stop and think before typing one into a form.

The other issue I mentioned was that of trusting people who tell you or ask you for stuff. Here, the lack of adoption of proper e-mail signing and encryption is perhaps the biggest drag on any progress being made in keeping e-mail a relatively safe and reliable medium. Indeed, in many managed environments, making signed messages the default and having trusted and untrusted inboxes should be fairly straightforward to implement.

Maybe Oxford University should consider such measures if their e-mail infrastructure is up to it, which these days might have something to do with whether the vendor of that infrastructure supports it or not (and the wider matter of why/why not).
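Editor's note: the two concrete measures pboddie asks for in this thread (in the 13:34 comment, filtering mail that claims the employer's own domain but was not sent by it; in the 16:08 comment, a trusted/untrusted inbox split) can be combined into one delivery-time check. The Python below is an added example written for this page, not code from the thread, from LWN or from Oxford's mail system. It assumes a border MTA that records its DKIM and SPF results in an RFC 8601 Authentication-Results header under a fixed authserv-id and that strips any inbound header claiming that same id before adding its own (RFC 8601, section 5); ORG_DOMAIN and ORG_AUTHSERV_ID are hypothetical names, and the sample messages are constructed for illustration.

```python
"""Route inbound mail to a trusted, untrusted or quarantine folder.

Added example for this page, not code from the thread.  A message whose
From: claims our own domain is trusted only when OUR border MTA reports an
aligned DKIM or SPF pass for that domain; otherwise it is quarantined.
Mail from any other domain goes to the untrusted inbox.

Assumptions (hypothetical, not from the page): ORG_DOMAIN, ORG_AUTHSERV_ID,
an RFC 8601 Authentication-Results header written by the MTA, and the
constructed sample messages below.
"""
import email
import email.policy
import re
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example.ac.uk"          # hypothetical organisation domain
ORG_AUTHSERV_ID = "mx.example.ac.uk"  # hypothetical border-MTA authserv-id

TRUSTED, UNTRUSTED, QUARANTINE = "trusted", "untrusted", "quarantine"

DKIM_PASS = re.compile(r"dkim=pass\b.*?\bheader\.d=([\w.-]+)", re.I | re.S)
SPF_PASS = re.compile(r"spf=pass\b.*?\bsmtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)",
                      re.I | re.S)


def from_domain(msg: Message) -> str:
    """Lower-cased domain of the RFC 5322 From: address ('' if absent)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def passing_domains(msg: Message) -> dict:
    """Domains that passed DKIM / SPF according to OUR MTA only.

    Authentication-Results headers naming any other authserv-id are ignored:
    a phisher can add such a header themselves, so honouring it would defeat
    the whole check.
    """
    passed = {"dkim": None, "spf": None}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != ORG_AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            if m := DKIM_PASS.match(clause.strip()):
                passed["dkim"] = m.group(1).lower()
            elif m := SPF_PASS.match(clause.strip()):
                passed["spf"] = m.group(1).lower()
    return passed


def classify(raw: str) -> str:
    """Return the folder a raw RFC 5322 message should be delivered to."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    if from_domain(msg) != ORG_DOMAIN:
        return UNTRUSTED
    auth = passing_domains(msg)
    # Alignment: the domain that passed must be ours, not merely some domain.
    if ORG_DOMAIN in (auth["dkim"], auth["spf"]):
        return TRUSTED
    return QUARANTINE


# --- constructed sample messages (not real mail) ---------------------------
SPOOFED_INTERNAL = """\
From: IT Helpdesk <it-helpdesk@example.ac.uk>
Subject: Mailbox quota exceeded
Authentication-Results: mx.example.ac.uk; spf=fail smtp.mailfrom=phish.example;
  dkim=none

Reply with your username and password to keep your account active.
"""
GENUINE_INTERNAL = """\
From: IT Helpdesk <it-helpdesk@example.ac.uk>
Subject: Planned maintenance on Saturday
Authentication-Results: mx.example.ac.uk; dkim=pass header.d=example.ac.uk
  header.s=mail2013; spf=pass smtp.mailfrom=it-helpdesk@example.ac.uk

Webmail will be unavailable from 08:00 to 10:00.
"""
# The attacker adds an Authentication-Results header of their own; it names
# a different authserv-id, so passing_domains() ignores it.
FORGED_AUTH_HEADER = """\
From: IT Helpdesk <it-helpdesk@example.ac.uk>
Subject: Mailbox quota exceeded
Authentication-Results: mail.phish.example; dkim=pass header.d=example.ac.uk
Authentication-Results: mx.example.ac.uk; spf=fail smtp.mailfrom=phish.example;
  dkim=none

Reply with your username and password to keep your account active.
"""
EXTERNAL = """\
From: Bob <bob@other.example>
Subject: Lunch?
Authentication-Results: mx.example.ac.uk; dkim=pass header.d=other.example

Free on Thursday?
"""
SAMPLES = {"spoofed_internal": SPOOFED_INTERNAL, "genuine_internal": GENUINE_INTERNAL,
           "forged_auth_header": FORGED_AUTH_HEADER, "external": EXTERNAL}


def route_samples() -> dict:
    """Classify every constructed sample (used by the stand-alone run)."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, folder in route_samples().items():
        print(f"{name:20s} -> {folder}")
```

The script does not verify DKIM signatures or evaluate SPF itself; it relies on the MTA having done that and trusts only results labelled with the MTA's own authserv-id, which is why the forged-header sample still lands in quarantine. The alignment rule (the domain that passed must equal the From: domain) is the same one DMARC (RFC 7489) later standardised; without it, a phisher with a valid DKIM signature for their own domain would pass.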


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds