Educause Security Discussion mailing list archives

Re: Oxford and Google Apps


From: Bob Bayn <bob.bayn () USU EDU>
Date: Tue, 19 Feb 2013 16:59:19 +0000

Oops, our warning is only added to our inbound messages, so you didn't see what I was referring to. Here's what was added when I got my message back from the listserv.

Bob
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Bob Bayn 
[bob.bayn () USU EDU]
Sent: Tuesday, February 19, 2013 7:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Oxford and Google Apps


Warning: Do not enter your USU A-Number and password on any web form linked from this email message.

This warning has been added by Utah State University's Ironport Spam Filter System.

Our spam filter has detected a Google Docs Spreadsheet Form link or a PHPformgenerator form link in the message below. Those forms are sometimes used by "phishers" to obtain your USU A-Number and password for their use. The spam filter cannot detect all types of password collection forms, so you still need to be an Internet Skeptic!

==== ORIGINAL MESSAGE BEGINS BELOW THIS LINE ====

I'm including a google docs link from a recent phish here to illustrate how we handle this problem.  I expect there 
will be a warning about the mischief possible with google docs inserted by our spam filter above my message.  In that 
way, we can still allow the relatively rare legitimate use of google docs to proceed.

https://docs.google.com/forms/d/1jPFqAvX4n4IW7eZhPoEFpJh9lNEMlKj-QXzpvqxFV_w/viewform?pli=1

By the way, this particular google docs link is still live this morning, even though I reported it to google last Friday. If you follow the link and submit some bogus data, you will find on the thank you page a link to review the database. Phishers don't often leave that option in, but it did allow me to collect nearly 300 addresses and send out a warning to them, in hopes they see the message before the phisher accesses their account.


Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Lorenz, Eva 
[evalorenz () UNC EDU]
Sent: Tuesday, February 19, 2013 7:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Oxford and Google Apps

I agree that user education is the preferred method to avoid any security incident, not just phishing. I have a 
question to the list members who have seen positive effects from user awareness training. Do you have any requirement 
for user awareness training, such as a required annual training for all affiliates? If you do outreach, do you cover 
all departments or select high value targets, such as finance?

I am wondering whether Oxford does any user security training? Blocking Google docs seems like overkill, especially since they admit that the business impact was higher than expected. But allow me to speculate here; maybe options are limited in terms of outreach and blocking seems like a way to limit damage, but possibly also has the benefit of making users aware that Google docs can be used as a vehicle for security incidents. Maybe something along the lines of awareness training by impact. In our environment, as others have mentioned already for their universities, blocking Google docs would not work, not even for the timeframe mentioned in the article.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tracy 
Mitrano
Sent: Tuesday, February 19, 2013 7:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Oxford and Google Apps

Thoughts on this matter among the experts?  http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
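
The warn-instead-of-block approach described in the thread can be sketched as follows. This is an added example, not Utah State's actual Ironport rule or anything posted to the list. The URL patterns (in particular the assumption that phpFormGenerator links carry the tool name in their path), the function names and the sample message are assumptions; only the banner wording comes from the message above.

```python
import re
from email import message_from_string, policy

# Google Docs form links; /forms/d/<id>/viewform is the shape quoted in the thread.
GOOGLE_FORM = re.compile(
    r"https?://(?:docs|spreadsheets)\.google\.com/"
    r"(?:forms/d/[\w-]+/viewform|spreadsheet/viewform|viewform)\b[^\s\"'<>]*",
    re.IGNORECASE)
# Assumption: phpFormGenerator installs expose the tool name in the URL path.
PHP_FORM = re.compile(r"https?://[^\s\"'<>]*phpformgenerator[^\s\"'<>]*", re.IGNORECASE)

# Banner wording taken from the message above.
BANNER = (
    "Warning: Do not enter your USU A-Number and password on any web form "
    "linked from this email message.\n\n"
    "==== ORIGINAL MESSAGE BEGINS BELOW THIS LINE ====\n\n")

def find_form_links(text):
    """Return every form-builder URL found in a block of text."""
    return [m.group(0) for rx in (GOOGLE_FORM, PHP_FORM) for m in rx.finditer(text)]

def tag_inbound(raw):
    """Parse one inbound message and prepend BANNER to each inline
    text/plain part that contains a form link.

    Returns (message, links); a message with no match comes back unchanged,
    so legitimate mail is delivered rather than blocked.
    """
    msg = message_from_string(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.is_attachment():
            continue
        body = part.get_content()
        found = find_form_links(body)
        if found:
            links.extend(found)
            part.set_content(BANNER + body)  # re-encodes the part as UTF-8 text
    return msg, links

# Constructed sample message (placeholder form id, not a real link).
SAMPLE = (
    "From: helpdesk@example.test\nTo: user@example.test\n"
    "Subject: Mailbox quota\n\n"
    "Validate your account here:\n"
    "https://docs.google.com/forms/d/EXAMPLE_FORM_ID/viewform?pli=1\n")

if __name__ == "__main__":
    tagged, hits = tag_inbound(SAMPLE)
    print(hits)
    print(tagged.get_content())
```

The sketch only rewrites text/plain parts; a link that appears solely in an HTML part is not tagged, which matches the banner's own caveat that the filter cannot catch every password collection form.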
