
Google Docs is one of a rather large number of exploitable platforms (most of the URLs in the phishing I've seen point to hacked systems in various other universities or homes). Blocking that one will make almost no difference to the actual security of the university or the university users, so the next logical step is to cut the university off from the Internet and to require that university faculty, staff and students do not have Internet access anywhere else; then they might be safe (safe in the 1950s).

Scott

Comments

 

I agree with what the others have said.  To me this seems like an extreme position and I’m not sure it would even be an option here.  I can’t help thinking that there’s more to this story.

 

After one wide-spread, well-written phishing attempt that tried to trick users into going to Googledocs, I looked up the IP addresses of docs.google.com and blocked them at our firewall.  I was just planning to do it for one day, until the threat was past.  It wasn’t long until I started getting complaints that users (mostly students) could not get to Youtube.  It took me a few minutes to realize that I had also blocked Google’s Youtube IP addresses.  I won’t be doing that again.

 

It is so frustrating that when you click the “report abuse” button on a Google doc it takes a week for the document to get taken down.  Is Google just that slow?  Sometimes I cheer myself up by thinking that Google is investigating the person who created the doc somehow, but I’ve never heard anything that says that is the case.

 

Peace,

Dave Opitz

Loyola University Maryland

 

I'm including a google docs link from a recent phish here to illustrate how we handle this problem.  I expect there will be a warning about the mischief possible with google docs inserted by our spam filter above my message.  In that way, we can still allow the relatively rare legitimate use of google docs to proceed.

https://docs.google.com/forms/d/1jPFqAvX4n4IW7eZhPoEFpJh9lNEMlKj-QXzpvqx...

By the way, this particular google docs link is still live this morning, even though I reported it to google last Friday.   If you follow the link and submit some bogus data, you will find on the thank you page a link to review the database.  Phishers don't often leave that option in, but it did allow me to collect nearly 300 addresses and send out a warning to them, in hopes they see the message before the phisher accesses their account.


Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password

Annual SAT is required for all employees and managed through Awareity’s MOAT.  I would say it has cut down on the amount of those responding to phishing, but, there are still going to be some that “forget” their training.  In those cases, we have a one on one chat to help them understand and ask if they need to retake the training. 

 

 

Ronald King

Security Engineer

Norfolk State University

http://security.nsu.edu

 

On Tue, 19 Feb 2013, David Opitz wrote:

> After one wide-spread, well-written phishing attempt that tried to trick users into going to Googledocs, I looked up the IP addresses of docs.google.com and blocked them at our firewall. I was just planning to do it for one day, until the threat was past. It wasn't long until I started getting complaints that users (mostly students) could not get to Youtube. It took me a few minutes to realize that I had also blocked Google's Youtube IP addresses. I won't be doing that again.
>
> It is so frustrating that when you click the "report abuse" button on a Google doc it takes a week for the document to get taken down. Is Google just that slow? Sometimes I cheer myself up by thinking that Google is investigating the person who created the doc somehow, but I've never heard anything that says that is the case.

Google does what it is in Google's best interests to do. All the majors act the same way. It is interesting to read a phishing message from a GoogleApps account.

Mike Porter
Systems Programmer V
IT/NSS
University of Delaware

> Peace,
> Dave Opitz
> Loyola University Maryland
On 02/19/2013 06:11 AM, Tracy Mitrano wrote:

> Thoughts on this matter among the experts? http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/

Some of the reactions here seem to indicate that people think Oxford is still doing this. The block was temporary (about two hours I think they said) and due to collateral damage would not happen again without things being worse than they were when done the first time.

In terms of "we've got to do something *now*" I understand it, but it doesn't seem like something that is particularly effective. As others have noted, it is trivial to set up a collection form pretty much anywhere, so blocking the forms by blocking an entire service or IP is unlikely to ever have that much effect.

We certainly have received pressure to "block that IP" when users are taking action on a phish (or even if no one is). I've always viewed it as too dynamic to be worth much.

Honestly, I don't think there are any good answers.

Tim Doty
Message from bsigmo15@uncc.edu

At the previous educational institute I worked for, we added the google docs phishing URLs to a block list on our Palo Altos.  This was achieved by creating a custom URL category called "Phishing Links", and then using SSL-Decryption on that custom category so that it decrypts the SSL session and blocks the URL.


Thanks,

 

Aaron Sigmon | Sr. Information Security Engineer

UNC Charlotte | Information and Technology Services

9201 University City Blvd. | Charlotte, NC 28223

bsigmo15@uncc.edu | http://www.uncc.edu



From: Tracy Mitrano <tbm3@CORNELL.EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, February 19, 2013 7:11 AM
To: "SECURITY@LISTSERV.EDUCAUSE.EDU" <SECURITY@LISTSERV.EDUCAUSE.EDU>
Subject: [SECURITY] Oxford and Google Apps

Thoughts on this matter among the experts?  http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
On Tue, Feb 19, 2013 at 02:46:25PM +0000, Sigmon, Aaron wrote:

> At the previous educational institute I worked for, we added the google docs phishing URLs to a block list on our Palo Altos. This was achieved by creating a custom URL category called "Phishing Links", and then used SSL-Decryption on that custom category for it to decrypt the SSL session and block the URL.

The same can be achieved for significantly less cash using Squid as an SSL proxy (of course, that means you need folks who understand the intricacies of proxying content and Unix or Linux in general...). The kicker for either is that you have to terminate the SSL connections on the proxy, and a lot of institutions have very vocal faculty who take offence to that. InfoSec may take offence to it as well, depending on who controls the proxies (a lot of institutions still have InfoSec as a joint networking/systems function, even if they have the equivalent of an ISO/CISO).

As much as it's a game of whack-a-mole, I still think that SSL decryption and blocking as you're made aware of them is The Right Thing To Do -- defence-in-depth and all that.

kmw

PS - Aaron, congratulations on the new .edu address!
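The two approaches argued over in the thread, an IP/host block (Dave's YouTube collateral damage) versus a URL-category block that only works once TLS is terminated on the proxy (Aaron's Palo Alto category, kmw's Squid), can be modelled side by side. This is an added Python example, not code from any of the posters or from either product; the form ids and the DNS table are constructed placeholders, not real Google identifiers or addresses.

```python
from urllib.parse import urlsplit

def normalize(url):
    """Reduce a URL to 'host/path' with no scheme, query or trailing slash."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.netloc.lower() + parts.path.rstrip("/")

# Constructed "Phishing Links" category; the form ids are placeholders,
# not real form identifiers.
PHISHING_LINKS = {normalize(u) for u in (
    "https://docs.google.com/forms/d/PLACEHOLDER-FORM-ID-1",
    "https://docs.google.com/forms/d/PLACEHOLDER-FORM-ID-2",
)}

# Constructed DNS table (RFC 5737 test addresses) modelling the shared
# edge addresses behind the YouTube incident; not real Google assignments.
SAMPLE_DNS = {
    "docs.google.com": {"203.0.113.10", "203.0.113.11"},
    "www.youtube.com": {"203.0.113.11", "203.0.113.12"},
    "mail.google.com": {"203.0.113.13"},
}

def url_decision(url, tls_terminated):
    """Return 'block' or 'allow' for one request against the category.

    With TLS terminated on the proxy the full path is visible, so only the
    listed forms match. Without it the proxy sees only the hostname (SNI),
    so the category can only be enforced by matching the whole host."""
    key = normalize(url)
    if tls_terminated:
        hit = any(key == e or key.startswith(e + "/") for e in PHISHING_LINKS)
    else:
        host = key.split("/", 1)[0]
        hit = any(e.split("/", 1)[0] == host for e in PHISHING_LINKS)
    return "block" if hit else "allow"

def ip_block_collateral(blocked_host, dns=SAMPLE_DNS):
    """Other hosts that become unreachable if blocked_host's addresses are
    dropped at the firewall, because they share an address with it."""
    blocked = dns[blocked_host]
    return sorted(h for h, addrs in dns.items()
                  if h != blocked_host and addrs & blocked)

if __name__ == "__main__":
    print(url_decision("https://docs.google.com/forms/d/PLACEHOLDER-FORM-ID-1/viewform", True))
    print(url_decision("https://docs.google.com/document/d/some-legitimate-doc", False))
    print(ip_block_collateral("docs.google.com"))
```

Without decryption the same category turns into a block on all of docs.google.com, which is exactly the collateral damage the thread complains about; the IP variant is wider still.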
Hello,

I'm always firmly in favor of a technical solution to issues like this since people will always fail to adequately understand the technology and be duped. For better or worse, computers are merely appliances for the vast majority of users. Training is destined to fail against a sophisticated attack, but there are technical controls that could defeat this vector. A (true) second factor for authentication, such as a soft token, could serve as an adequate mitigation to defeat this sort of attack and remove the security officer from the role of adaptive Little Dutch Boy on the firewall rules.

Just my $0.02.

Justin C. Klein Keane, MA MCIT
Security Engineer
University of Pennsylvania, School of Arts & Sciences

The digital signature on this message can be verified using the key at https://sites.sas.upenn.edu/kleinkeane/pages/pgp-key

On 02/19/2013 09:39 AM, Tim Doty wrote:
> On 02/19/2013 06:11 AM, Tracy Mitrano wrote:
>> Thoughts on this matter among the experts?
>> http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
>
> Some of the reactions here seem to indicate that people think Oxford is still doing this. The block was temporary (about two hours I think they said) and due to collateral damage would not happen again without things being worse than they were when done the first time.
>
> In terms of "we've got to do something *now*" I understand it, but it doesn't seem like something that is particularly effective. As others have noted, it is trivial to set up a collection form pretty much anywhere, so blocking the forms by blocking an entire service or IP is unlikely to ever have that much effect.
>
> We certainly have received pressure to "block that IP" when users are taking action on a phish (or even if no one is). I've always viewed it as too dynamic to be worth much.
>
> Honestly, I don't think there are any good answers.
>
> Tim Doty
> It is so frustrating that when you click the "report abuse" button on a Google doc it takes a week for the document to get taken down.  Is Google just that slow?  Sometimes I cheer myself up by thinking that Google is investigating the person who created the doc somehow, but I've never heard anything that says that is the case.

Gmail's Terms of Service prohibit its use to harass, etc., but our experience with several incidents is that it is effectively an anonymizing proxy, thoroughly hiding the actual source of emails sent through it. So our ONLY option is to report the incident to Google and HOPE they'll "deal with it".

David Gillett
Oops,   our warning is only added to our inbound messages, so you didn't see what I was referring to.  Here's what was added when I got my message back from the listserv.

Bob
Why should it take more than one "legitimate" report?  It seems pretty obvious to me that a password collection form is a password collection form.  And a quick peek at the database behind the form will probably show the unrelated variety of victims.  As they err on the side of caution, more victims accumulate.


Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password

That's just their policy. We have our user services people submit samples and then others add verification. As your "reputation" rises, a smaller number of confirmations are required.  However they explicitly state that it always requires more than one.

Angelo D. Santabarbara
Director Networks & Systems

On Feb 19, 2013 12:40 PM, "Bob Bayn" <bob.bayn@usu.edu> wrote:

> Why should it take more than one "legitimate" report?  It seems pretty obvious to me that a password collection form is a password collection form.  And a quick peek at the database behind the form will probably show the unrelated variety of victims.  As they err on the side of caution, more victims accumulate.
>
> Bob Bayn    SER 301    (435)797-2396       IT Security Team
> Office of Information Technology,     Utah State University
>      three common hazardous email scams to watch out for:
>      1) unfamiliar transaction report from familiar business
>      2) attachment with no explanation in message body
>      3) "phishing" for your email password