Educause Security Discussion mailing list archives

Re: Oxford and Google Apps


From: "Santabarbara, Angelo" <asantabarbara () SIENA EDU>
Date: Tue, 19 Feb 2013 12:27:45 -0500

We've been using OpenDNS to block known phishing hosts. We then immediately
report the site to phishtank.org as well as Google and usually it gets
blocked within a couple of hours if enough legitimate reports are received.

Angelo D. Santabarbara
Director Networks & Systems
Siena College
On Feb 19, 2013 11:59 AM, "Bob Bayn" <bob.bayn () usu edu> wrote:

Oops, our warning is only added to our inbound messages, so you didn't
see what I was referring to. Here's what was added when I got my message
back from the listserv.

Bob
 ------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Bob Bayn [bob.bayn () USU EDU]
*Sent:* Tuesday, February 19, 2013 7:29 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Oxford and Google Apps

*Warning:* Do not enter your USU A-Number and password on any web form
linked from this email message.

*This warning has been added by Utah State University's Ironport Spam
Filter System.*

*Our spam filter has detected a Google Docs Spreadsheet Form link or a
PHPformgenerator form link in the message below. Those forms are
sometimes used by "phishers" to obtain your USU A-Number and password for
their use. The spam filter cannot detect all types of password collection
forms, so you still need to be an Internet Skeptic!*

*==== ORIGINAL MESSAGE BEGINS BELOW THIS LINE ====*

I'm including a google docs link from a recent phish here to illustrate
how we handle this problem.  I expect there will be a warning about the
mischief possible with google docs inserted by our spam filter above my
message.  In that way, we can still allow the relatively rare legitimate
use of google docs to proceed.


https://docs.google.com/forms/d/1jPFqAvX4n4IW7eZhPoEFpJh9lNEMlKj-QXzpvqxFV_w/viewform?pli=1

By the way, this particular google docs link is still live this morning,
even though I reported it to google last Friday. If you follow the link
and submit some bogus data, you will find on the thank you page a link to
review the database.  Phishers don't often leave that option in, but it did
allow me to collect nearly 300 addresses and send out a warning to them, in
hopes they see the message before the phisher accesses their account.


Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     *1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password*
 ------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Lorenz, Eva [
evalorenz () UNC EDU]
*Sent:* Tuesday, February 19, 2013 7:17 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Oxford and Google Apps

  I agree that user education is the preferred method to avoid any
security incident, not just phishing. I have a question to the list members
who have seen positive effects from user awareness training. Do you have
any requirement for user awareness training, such as a required annual
training for all affiliates? If you do outreach, do you cover all
departments or select high value targets, such as finance?



I am wondering whether Oxford does any user security training? Blocking
Google docs seems like overkill, especially since they admit that the
business impact was higher than expected. But allow me to speculate here;
maybe options are limited in terms of outreach and blocking seems like a
way to limit damage, but possibly also has the benefit of making users
aware that Google docs can be used as a vehicle for security incidents.
Maybe something along the lines of awareness training by impact. In our
environment, as others have mentioned already for their universities,
blocking Google docs would not work, not even for the timeframe mentioned
in the article.



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Tracy Mitrano
*Sent:* Tuesday, February 19, 2013 7:11 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Oxford and Google Apps



Thoughts on this matter among the experts?
http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
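
The warn-instead-of-block approach described in Bob Bayn's message, sketched as an added example; it is not part of the thread and not Utah State's Ironport configuration. The URL patterns, function names and sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Banner wording adapted from the warning quoted in the thread.
WARNING = ("Warning: Do not enter your USU A-Number and password on any web form\n"
           "linked from this email message.\n"
           "==== ORIGINAL MESSAGE BEGINS BELOW THIS LINE ====\n")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_form_link(url: str) -> bool:
    """True for a Google Docs form link or a PHPformgenerator link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    # Exact host comparison: docs.google.com.example.net must not match.
    if host == "docs.google.com" and ("/forms/" in path or path.endswith("/viewform")):
        return True
    # Assumption: the generator's name appears somewhere in the URL path.
    return "phpformgenerator" in path

def form_links(msg: EmailMessage) -> list[str]:
    """Matching links from every text part (plain and HTML), de-duplicated."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.extend(u for u in URL_RE.findall(part.get_content())
                         if is_form_link(u))
    return list(dict.fromkeys(found))

def add_warning(raw: str) -> str:
    """Prepend the banner to the plain-text body when a form link is present."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    if body is None or not form_links(msg):
        return raw  # nothing matched: deliver unchanged
    body.set_content(WARNING + body.get_content())
    return msg.as_string()

# Constructed sample messages; example.edu and FORM_ID are placeholders.
PHISH = ("From: helpdesk@example.edu\nSubject: Mailbox quota\n\n"
         "Verify here: https://docs.google.com/forms/d/FORM_ID/viewform?pli=1\n")
LOOKALIKE = ("From: a@example.edu\nSubject: notes\n\n"
             "See https://docs.google.com.example.net/forms/d/FORM_ID/viewform\n")

if __name__ == "__main__":
    print(add_warning(PHISH))
```

As the banner itself says, a pattern match of this kind cannot detect every password collection form, so it supplements user awareness rather than replacing it.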

