After witnessing a dramatic increase in the number of phishing attacks, Oxford University took the drastic step of temporarily blocking access to Google Docs for a few hours on Monday, blaming Google for failing to act quickly enough to prevent the attacks.
The Google Docs ‘outage’ lasted for about two and a half hours, before the university decided that the negative impact it was having on its business was too great. However, the university complained bitterly that Google had done nothing to help it prevent the phishing attacks, and warned that it could take similar action in future.
Phishers Hijack Google Docs
Robin Stevens of the Oxford University network security team later wrote a detailed blog post explaining the decision to block Google Docs, saying that his team acted in order to stave off a wave of phishing attacks aimed at stealing usernames and passwords for the university’s computer systems. In order to hack into Oxford’s accounts, the phishers came up with the cunning idea of inserting forms into Google Docs in a bid to get users to enter their personal details.
Oxford University’s security team reported a number of phishing incidents to Google almost as soon as they came across them – but Google’s apparent ‘inaction’ on the matter left officials with no choice but to pull the plug on Google Docs altogether.
“Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised university account to large numbers of other Oxford users,” wrote Stevens on the OxCERT blog.
“Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate university business by temporarily suspending access to Google Docs was outweighed by the risks to university business by not taking such action.”
“It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services. While this wouldn’t be effective for users on other networks, in the middle of the working day a substantial proportion of users would be on our network and actively reading email. A temporary block would get users’ attention and, we hoped, serve to moderate the ‘chain reaction’ of compromised accounts being used to compromise further accounts.”
But in spite of the “great impact” that blocking Google Docs had on Oxford University students and employees, Stevens warned that his team might take similar action in the future if the threat re-emerges. In addition, Stevens said that the university would look into other measures that could be taken without having such a terrible impact on its legitimate users.
Stevens also took a swipe at Google, criticizing the web firm for its “persistent failure” to put a stop to the criminal abuse of Google Docs in a timely manner.
“Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services. If OxCERT are alerted to criminal abuse of a university website, we would certainly aim to have it taken down within two working hours, if not substantially quicker. Even out of official hours there is a good chance of action being taken. We have to ask why Google, with the far greater resources available to them, cannot respond better.”
Security Concerns Could Turn Enterprise Users Off
This bad bit of PR for Google comes at a critical juncture for the web company, just when it might have gotten its hopes up that it could begin to tempt users away from Microsoft Office, in light of its rival’s decision to alter its end-user licensing agreement. Previously, users who bought a copy of Microsoft Office and installed it on their machine were free to use it on a second computer if the machine broke down or was stolen. But with the new changes, that will no longer be the case, and anyone who purchases a license for Office 2013 will only be able to use it with the first machine it’s installed upon.
SiliconANGLE’s John Casaretto warned in an interview with NewsDesk yesterday that Microsoft’s licensing rules could push users away from Office, especially with Google offering a free alternative that most consider to be just as good.
But security issues could well force those considering a switch to rethink their plans, especially in light of Stevens’ accusations that Google were slow to respond to the phishing attacks. Most users consider Google Docs to be safe, as they trust that the world’s biggest web company will have suitable security systems in place and will ensure that traffic is encrypted – but in light of Oxford University’s complaints, this clearly isn’t the case, and enterprise users in particular will rightly be concerned that they too could suffer from similar attacks.