There was an uproar among the university IT security professionals around the world yesterday. Oxford University (yes, that Oxford) blocked access to Google Docs from its campus on Monday.
In case you haven’t heard of it, Google Docs is a very powerful online collaboration tool. You can treat it like an online word processor or spreadsheet, which you can then access from anywhere you can log in to Google (i.e. from any computer anywhere in the world, or from a tablet or smartphone).
But you can also use it to collect data from the web. You can set up a Google Docs form, which you can then publish, and people can visit it and fill out the form, and you’ll get a spreadsheet with all their data. So, for example, you could do an online course evaluation–set up some questions, give your students the URL (web address) and they can fill it out. It does not record who fills it out (assuming you’ve set it up that way), so responses are anonymous. Last semester I set up an informal mid-semester course evaluation because I was teaching a new course in a subject that was new to me (Computers and Linguistics), and the feedback was very valuable. Many faculty around the world are using it for that, and for many other purposes.
However, phishers around the world are using it for something else: they make a form look like a log-in screen from the university’s Help Desk, and ask people to enter their AccessID and password. This gives them a nice database of university credentials, which can then be used to take over (in webspeak, ‘pwn’) many university-based machines. Those machines can then be used to run spam campaigns.
Wayne State received such an attack a couple of weeks ago, and we advised anyone who asked us to tell Google about it. Google will respond by taking the form down (there is a ‘report abuse’ button on every form).
So what happened at Oxford? The IT security folks there thought it was taking Google too long to react to complaints (a day is way too long–you could collect hundreds of sets of credentials by then), so they thought they’d teach the Oxford community a lesson by temporarily blocking all access to Google Docs. You can read their (very long, but entertaining) message here. As you might expect, this caused considerable consternation on the Oxford campus, and around the world. I subscribe to a security listserv and there was a flurry of posts either approving of Oxford IT’s decision or not. It later got picked up in other university news sources, such as Inside Higher Ed and the Chronicle of Higher Education.
Take-away: phishing is getting more sophisticated. NEVER enter your credentials on a page you reached through a link provided in an email, not even one ‘from’ C&IT.