"no alternative way of dealing with the phishing attacks effectively"
How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users. Also, digitally sign all official mail, and instruct the users to check those signatures.
These are not insurmountable problems. The real issue is that the IT team is not willing to push for a real solution, and instead went for a bandaid on a broken leg.
Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL European universities at this moment, including Oxford and Cambridge.
I bet if they ask for the resources to implement all those solutions, they will be told: find something at zero cost, I repeat zero-cost. Roger that?
Not that I agree blocking Google Docs is reasonable, just pointing out the problems with your suggestions.
> Your solutions do not take into account the main problem with the security department: budget. There is a huge budgetary crisis in ALL European universities at this moment, including Oxford and Cambridge.
> How about not using passwords? All students, staff, and faculty should have ID cards; start issuing smartcards, and start using cryptographic techniques to authenticate users.
Costs. At my university (though of course slightly smaller than Oxford) that would never work.
> Also, digitally sign all official mail, and instruct the users to check those signatures.
Have you met users? That's as good as saying they shouldn't be idiots and never enter their credentials in a site linked in a mail. If that would work, all antivirus vendors could close shop.
I also wonder why so many phishing emails are getting through the university spam filters - a slightly better solution might have been to remove links in external emails that point to docs.google.com.
But anyway, I don't want to start slagging off a particular team that I've never met - maybe they wanted to do all sorts of other, smarter, things and weren't allowed, and maybe they'll be allowed to do them now.
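The link-removal idea in the comment above, sketched as an added example that is not part of the original thread or any university's actual filter: it strips URLs whose host is docs.google.com or spreadsheets.google.com from plain-text mail sent from outside the institution. `INTERNAL_DOMAIN`, the function names and the sample message are assumptions made for illustration; only single-part, unencoded text bodies are handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "example.ac.uk"  # assumption: the institution's mail domain
BLOCKED_HOSTS = {"docs.google.com", "spreadsheets.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
NOTICE = "[link to a Google form removed from external mail]"

# Constructed sample message, not a real phishing mail.
SAMPLE = ("From: IT Helpdesk <helpdesk@mail.example.net>\n"
          "To: user@example.ac.uk\nSubject: Mailbox quota\n\n"
          "Confirm: https://docs.google.com/forms/d/CONSTRUCTED/viewform\n"
          "Policy: https://www.example.ac.uk/it/policy\n")

def is_external(msg):
    """True when From: is outside INTERNAL_DOMAIN. Headers can be forged, so a
    real gateway would also check the SMTP envelope and SPF/DKIM results."""
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    return not (domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN))

def host_blocked(url):
    """Compare the parsed hostname, not a substring, so userinfo tricks and
    lookalike suffixes are not mistaken for the blocked hosts."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    return host in BLOCKED_HOSTS

def strip_links(text):
    """Replace every blocked URL with NOTICE; returns (new_text, count)."""
    hits = []
    def repl(match):
        if host_blocked(match.group(0)):
            hits.append(match.group(0))
            return NOTICE
        return match.group(0)
    return URL_RE.sub(repl, text), len(hits)

def filter_message(raw):
    """Return (filtered_raw, removed_count) for one RFC 5322 message."""
    msg = message_from_string(raw)
    if not is_external(msg) or msg.is_multipart():
        return raw, 0
    body, removed = strip_links(msg.get_payload())
    if removed:
        msg.set_payload(body)
    return msg.as_string(), removed
```
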
I can believe it, I just don't know why it's not been customised to react to links to docs.google.com if it's such a high volume issue.
It's not a trivial problem by any means, but from the network security team's blog it doesn't seem like they've taken many of the steps that I'd expect prior to cutting off a very high traffic website.
There's the nice clever intelligent solution which could be developed over a few weeks, or there's the fact that the phishers have decided -- for whatever reason -- to go apeshit today.
True, but in this case it seems like it's not a particularly new problem, just something that they've finally reacted to?
They actually mention sinkholing spreadsheets.google.com in this post from August 2011 [1]; they actually say "There are also some forms which are more difficult to block (I don’t think we’d be too popular if we sink-holed spreadsheets.google.com for example)".
Their email client can do it automatically. Basically, you just need to tell them, "Official emails will always have a big, green border around them."
Also, the number of people who fall for 419 scams is fairly low, just barely above the threshold of profitability. The reason people are shocked when they hear that anyone falls for such scams is that hardly anyone does. There is a hypothesis that 419 scams are designed to be obvious, because it helps in filtering potential victims: anyone who would be naive enough to reply is an easy target.
I think a broader problem is that most people are not just unaware of cryptography, but they use an email client that has no support for checking digital signatures. Webmail is by far the most popular email client type, but many popular webmail systems have no support for digital signatures at all, not even checking them for validity. It would be a lot easier to tell people to check for a digital signature if that meant looking for a border color, or a big gold star, or if hovering over/clicking on a link in an unsigned message displayed an annoying warning but no warnings were displayed in signed messages; sufficiently annoying warnings do help in making cryptosystems more effective in practice: