Campus IT officials discuss Oxford's Google Docs block
The University of Oxford's decision this week to block the use of Google Docs because of security concerns generated discussion -- and some disagreement -- among college technology experts.
The British university took what a member of its own security team called the “extreme action” of temporarily restricting access to Google’s office suite following the California company’s “persistent failures to put a halt to criminal abuse” of its products.
The blockage -- which was meant to get users’ attention -- lasted about two and a half hours on Monday, according to the Oxford security team’s blog.
Reaction in the campus technology world to Oxford’s move was mixed. Some technology experts said the university had gone too far or could have taken other measures to secure its campus network without cutting off access to a popular application. Others said that, indeed, Google has not reacted quickly enough to curb untoward activity on its servers.
Oxford’s move came after an uptick in “phishing” attempts. Phishing covers a variety of ploys meant to deceive computer users into giving up personal information.
Scammers targeted Oxford to try to get users to enter their usernames and passwords into a form set up by the scammers. Scammers trying this kind of phishing can use online form-making services, including Google Docs, to capture legitimate usernames and passwords from duped Oxford users.
The scammers then turn around and use the information to log into Oxford e-mail accounts and send money-seeking spam to millions of others on the Internet. These e-mails, in turn, may appear more legitimate coming from an Oxford address.
An Oxford network security team member, Robin Stevens, blogged that to get a booby-trapped form removed from Google’s servers, the university and others “essentially need to ask Google nicely if they could take the form down” by reporting abuse through Google’s website.
But he said it sometimes takes Google days to remove the forms from its servers. In the meantime, a baited trap remains on the Internet.
“Google’s persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions,” Stevens wrote. “If [Oxford technology officials] are alerted to criminal abuse of a university website, we would certainly aim to have it taken down within two working hours, if not substantially quicker.”
Stevens said Google’s process to remove suspect content should be faster or automated.
“Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services,” Stevens said.
Google 'Actively' Working
It is unclear, however, how Google could automatically decide how to judge whether content is truly abusive. If the process became automated, people could potentially attempt to get content removed automatically simply because they didn’t like it, not because it was actually illicit. Stevens did not reply to an e-mail seeking comment.
A Google spokesman said the company is “actively” working to protect its users from phishing attempts using its products.
“Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes,” the spokesman said in an e-mail.
Other university technology officials have similar frustration with Google’s reaction time, judging by chatter on e-mail lists for campus IT officials. But Oxford’s reaction, which even Stevens conceded was extreme, did appear to be unusual.
Some campuses have taken steps to raise the wariness of their users instead of trying to restrict access to popular products, like Google Docs.
At Utah State University, officials urge 20,000 or so network users to "be an Internet skeptic." That’s a middle ground the university’s IT department website says is somewhere between “gullibility” and “paranoia.”
The university also has a simple way to put some users on guard about phishing forms.
Bob Bayn, a Utah State network security team member, said the university has set up a system to automatically warn users who receive e-mails that link to forms generated by Google Docs or PHPformgenerator.com, another popular form-making website.
The university’s computer system adds a boilerplate message to e-mails that contain those two kinds of forms: “Do not enter your USU A-Number and password on any web form linked from this email message.”
Bayn said the university took that step after it began its Internet skeptic campaign, which encourages people to report phishing attempts to the university.
“During all that reporting, I began to notice the frequency of Google Docs among the links,” he said in an e-mail Tuesday to Inside Higher Ed. “In fact, I had dealt with many Google phish forms before I ever saw a legit Google form.”
No corner of the campus security world seems to be immune from network security problems. Educause announced Tuesday its own server had been breached. The nonprofit association said it did not believe credit card data, financial accounts or “other sensitive information” had been accessed, but urged all users to change their site password.
In a sign of how often they deal with phishing attempts, university IT officials in e-mail exchanges were so wary of scams that some suspected Educause’s announcement was, itself, an attempt to get users to enter usernames and passwords into a booby-trapped form.
In response, Educause said its e-mails were not phishing attempts: its server actually had been compromised and the password change was necessary.