Oxford blocks Google Docs as a phishing countermeasure

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 15:17 UTC (Thu) by sorokin (subscriber, #88478)
Parent article: Oxford blocks Google Docs as a phishing countermeasure

Personally I think "just educate the users" is the only option that works. You cannot protect everybody from every possible kind of fraud. A fool will be cheated, no matter how hard you try to protect him.

I don't understand Oxford's actions. The protection of users is not their responsibility and not their business.



Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 15:43 UTC (Thu) by mpr22 (subscriber, #60784) [Link]

Now, we may be home to some of the brightest minds in the nation. Unfortunately, their expertise in their chosen academic field does not necessarily make them an expert in dealing with such mundane matters as emails purporting to be from their IT department. Some users simply see that there's some problem, some action is required, carry it out, and go back to considering important matters such as the mass of the Higgs Boson, or the importance of the March Hare to the Aztecs.

Please read the above paragraph again. It seems to me that it contains all the information you should need to understand the motivations of the University of Oxford's computing service in this matter. (It also bears a more than passing resemblance to the sort of thing those of my friends who have worked as I.T. staff at the University of Cambridge and its several departments and colleges would say.)

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 16:03 UTC (Thu) by ewan (subscriber, #5533) [Link]

It's not about protecting the users so much as protecting the University's ability to send email without getting its outgoing servers blacklisted as spam sources, or having other services accessed by unauthorized people using stolen Oxford credentials. It's not just that 'people in Oxford' are being phished; it's that University accounts are.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 7, 2013 22:34 UTC (Thu) by marcH (subscriber, #57642) [Link]

With great power comes great responsibility. IT-illiterate Oxford users (the ones easy to fool) should simply not be allowed to send any high volume of email or access important internal services. What Oxford needs is just different classes of users.

The other thing Oxford needs is Single Sign On. I work in a company with tens of thousands of employees, a mixed Windows+Linux and often cumbersome environment, hundreds of different internal web sites... yet I almost never have to enter my password. So, any page asking for a password instantly becomes more suspect.

And of course more "education" - there is never enough. Make sure everyone has to sign one short and extremely scary document before getting any account, severe punishments for careless users, etc., etc. All the usual things universities tend to be too lax to do whereas it's performed in almost every business.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 8, 2013 0:22 UTC (Fri) by ewan (subscriber, #5533) [Link]

"The other thing Oxford needs is Single Sign On. I work in a company with tens of thousands of employees, a mixed Windows+Linux and often cumbersome environment, hundreds of different internal web sites... yet I almost never have to enter my password. So, any page asking for a password instantly becomes more suspect."

Oxford has SSO; there's really only two web pages that should ever ask for a University login, as explained here; the main SSO login, and the OWA login.

Some people will still fall for it. The vast majority won't, but with fifty thousand users, a small minority is enough. Getting a 100% solution here is hard.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 9, 2013 8:18 UTC (Sat) by marcH (subscriber, #57642) [Link]

> The vast majority won't, but with fifty thousand users, a small minority is enough.

Then sorry to repeat myself but a small minority of lusers with obviously restricted rights (since they are lusers) should not be able to damage the entire 50.000 users system. How come just a few people can get the campus blacklisted as a whole? This does not make a lot of sense, does it?

Many problems appear in a brand new light as soon as you start digging a bit and _quantifying_.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 9, 2013 10:29 UTC (Sat) by hummassa (subscriber, #307) [Link]

Blacklists often overreach by design.
The idea is that if you blacklist one whole network, people who weren't doing anything wrong will set the wrongdoers straight for you.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 9, 2013 14:46 UTC (Sat) by marcH (subscriber, #57642) [Link]

> ... who weren't doing anything wrong will set the wrongdoers straight for you.

Yes, and for instance in the case of email it translates into something dead simple and sane implemented by most networks: no random luser granted permission to send any significant volume of email unless explicitly allowed.

Next blacklist(s)?
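As an added illustration of the per-account sending quota described in the comment above (not part of the original thread, and not Oxford's actual configuration): a sliding-window check over submission log lines that defers mail from any account exceeding its quota unless it has an explicit higher allowance. The log format, the limits, and the account names are all assumptions made for this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <authenticated sender> <recipient count>"
SAMPLE_LOG = """\
2013-03-09T10:00:00 alice 1
2013-03-09T10:00:05 phished 40
2013-03-09T10:00:20 newsletter 500
2013-03-09T10:00:30 phished 40
2013-03-09T10:00:50 phished 40
2013-03-09T10:01:10 alice 2
2013-03-09T10:02:00 phished 40
"""

DEFAULT_LIMIT = 100                     # assumed recipients per window, ordinary accounts
WINDOW = timedelta(minutes=10)          # assumed sliding window
EXPLICIT_LIMITS = {"newsletter": 5000}  # hypothetical explicitly approved bulk sender


def evaluate(log_text, default_limit=DEFAULT_LIMIT, window=WINDOW,
             overrides=EXPLICIT_LIMITS):
    """Return (decisions, held): one accept/defer decision per log line and
    the set of accounts that went over quota (candidates for a credential check)."""
    recent = defaultdict(deque)  # sender -> accepted (timestamp, recipients) in window
    totals = defaultdict(int)    # sender -> recipients accepted in window
    decisions, held = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts_s, sender, n_s = parts
        ts, n = datetime.fromisoformat(ts_s), int(n_s)
        q = recent[sender]
        while q and ts - q[0][0] >= window:  # expire entries older than the window
            totals[sender] -= q.popleft()[1]
        limit = overrides.get(sender, default_limit)
        if totals[sender] + n > limit:
            decisions.append((ts_s, sender, "defer"))
            held.add(sender)  # over quota: hold mail, flag account for review
        else:
            q.append((ts, n))
            totals[sender] += n
            decisions.append((ts_s, sender, "accept"))
    return decisions, held


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_LOG)[0]:
        print(*decision)
```

Deferred messages are not counted against the window, so a flagged account stays at its quota rather than locking itself out permanently once the window expires.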

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 9, 2013 19:32 UTC (Sat) by pboddie (guest, #50784) [Link]

This goes beyond e-mail, I would imagine, since the e-mail password is probably good for all services as some kind of "university account" password, and that would then permit wrongdoers to attempt logins to various machines, install software, attempt to gain additional privileges (either through legitimate mechanisms or by employing exploits), and then to start doing bad network-related stuff that might include sending e-mails.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 13, 2013 15:16 UTC (Wed) by union (guest, #36393) [Link]

You seem to have an attitude problem.

They are not luzers, they are users. Their job is to educate/learn and/or perform research.

The reason for Oxford IT staff and IT infrastructure, including mail servers, to exist is so the people you call luzers can spend their time doing more productive things.

Spam/phishing/viruses are IT problems, any solution that relies on end users to be "educated" will fail.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 13, 2013 19:02 UTC (Wed) by marcH (subscriber, #57642) [Link]

> Their job is to educate/learn and/or perform research.

... and surely this requires permission to send hundreds of emails per minute continuously and access all kinds of sensitive IT resources?

I'll stop because it looks like you just stopped the left side of your brain as soon as you read "luser" and let the offended right side provide a recorded answer.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 15, 2013 9:05 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Many problems appear in a brand new light as soon as you start digging a bit and _quantifying_.

This discussion made me think and realize why good software engineers are so poorly equipped to think about security.

Software engineering is binary: it's about fixing problems and making things work. It's about avoiding randomness at all costs. Either it works or it does not.

Whereas security is all about risk assessment, statistics, measurements and economics. As all the banking and insurance industry knows, there is almost never a silver bullet. As opposed to what could be seen in this discussion, security is not about trying to find the one silver bullet but actually about buying ALL the good value bullets that are available on the market. "Defence in depth" follows that line.

How _many_ Oxford IT[l]users will fall for a basic phishing attack? How _many_ will fall for a more elaborate one? What kind of cheap "education" can significantly reduce these _numbers_? How many more privileged users will fall for the same attacks? How many emails per day does a basic Oxford IT user need to send? After how _much_ spam will the whole campus be blacklisted? How strong is this password? How often is this or that software found to be vulnerable?

One of the most blatant proofs that software engineers don't understand security can be found in the infamous "why your spam solution won't work" list: http://craphound.com/spamsolutions.txt
I always felt something was wrong with this list and I understood what only just now. This list is written from a "silver bullet" perspective. Of course there is no silver bullet that definitively solves the spam problem. In practice spam is successfully fought with a _combination_ of "good value" solutions, none of which works alone.

Bruce Schneier probably said this already somewhere in his blog or books much better than I just tried. Any decent security worker reading the above would probably think I just stated the obvious. Well, it was not obvious for me and clearly not obvious for other people in this thread.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 15, 2013 12:51 UTC (Fri) by etienne (guest, #25256) [Link]

> One of the most blatant proofs that software engineers don't understand security

Maybe they understand, but they also know the consequences, i.e. you can spend a massive amount of time checking if you have rights to do what you are about to do - and it can take a lot longer to do those checks than do the initial job.
At a low level, you can check if a memory pointer points to an acceptable part of memory each time you are going to get its content.
At a medium level, you can spend a lot of time checking stuff about a hard disk sector read: do you have the right to read it, does it contain the right stuff, has it been corrupted since it has been written on the hard disk.
At a high level, you can spend a massive amount of time checking if any file in your file-system contains a virus, or if your file-system is corrupted.

Now those software engineers may be people who are using their computers for more than writing an e-mail from time to time, and even with up-to-date hardware it just takes 3 hours CPU time to regenerate the 10 Gbyte tree to produce the good output file, you may need 3 versions of those output files, and the night in between days is not that long.

Add all the "security" you are talking of, and it will take weeks to get one of these output files - people have tried that on other Operating Systems. I am not sure people have been more secure on those other OS.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 15, 2013 13:22 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Maybe they understand, but they also know the consequences, i.e. you can spend a massive amount of time checking if you have rights to do what you are about to do - and it can take a lot longer to do those checks than do the initial job.

... and then they generalize and conclude from just that example that all security features are equally bad. Not equipped to properly assess the value and return on investment of various security features: my point exactly.

Oxford blocks Google Docs as a phishing countermeasure

Posted Mar 15, 2013 19:22 UTC (Fri) by dlang (subscriber, #313) [Link]

> One of the most blatant proofs that software engineers don't understand security

Actually, most IT security people don't understand security either. They talk in absolutes, and every exploit is talked about as if it's one that if you don't solve it you are completely unprotected and may as well not bother with securing anything.

Most of them pay lip service to 'defense in depth', but don't really think about it, or about what they are allowing to go from layer to layer (hint: a machine on one tier that just reformats a request and sends it down to your next tier without doing any validation of the request is adding almost zero security).

In addition, many security people are completely unwilling to discuss any trade-off in security vs anything else (availability, time to market, performance, maintainability, etc.).

As you say, security issues are one more risk that everyone must deal with.

The problem is that it's _really_ hard to evaluate the risk posed by a security hole. The probability that a particular vulnerability will be attacked is basically impossible to define. Something may seem really hard or obscure, but this can change at any time with no notice (someone writes a script-kiddie tool that makes a really hard attack trivial to execute and publicizes the attack, and something goes from 'extremely unlikely' to 'extremely likely' in an instant).

David Lang (working security in banking for 16 years)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.