In July 2017, I received an email from a professor reporting a spear phishing attack against Ryerson. He was one of the 500 people targeted with a message asking them to log in to a Ryerson site that wasn’t actually set up by Ryerson. The attacker had created a copy of the RMail login page on their own server so they could capture Ryerson usernames and passwords.
While the attacker sent the message to 500 people, only the 14 people who were using RMail ended up with the message in their inbox. The remaining 484 active accounts were all on Gmail. Google’s email filters correctly identified the message as a phishing attack and diverted it to those users’ spam folders.
CCS’ response to the spear phishing attack
In response to the attack, Computing and Communications Services (CCS) blocked access to the attacker’s website from Ryerson’s network. We also detected that seven people visited the malicious site. Eventually, CCS contacted the 14 people who received the email with information about what to do if they had entered their Ryerson password on the fake site.
Overall, had all the recipients been protected by Gmail, the risk of compromised accounts would have been much less and CCS’ follow-up work would have been unnecessary.
Phishing and malicious link alerts
Gmail not only diverts phishing messages into your spam folder, but also inserts a warning and removes the malicious link to prevent you from clicking on it.
Here’s an example of a phishing email received in a Gmail account in January 2018:
For comparison, this is the same message as received in an RMail account. Notice that hovering over the malicious link shows it leads to the attacker’s server and not to a Ryerson site:
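The check a reader performs by hovering over the link (does the address the link actually points to match the site the text claims?) can be automated. The following is an added example and is not part of the original post or of CCS’ tooling. It parses the HTML body of a message, compares each link’s real host against any host named in the visible link text and against an allowlist of institutional domains, and then rewrites flagged links into a visible warning, which is the behaviour described above for Gmail. The sample message, the `example.net` attacker host and the `TRUSTED_DOMAINS` allowlist are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of institutional domains (constructed for this example).
TRUSTED_DOMAINS = ("ryerson.ca",)

# Constructed sample phishing body: the visible text names my.ryerson.ca, the
# href points somewhere else. The second link and the mailto: link are benign.
SAMPLE_HTML = """<p>Your RMail mailbox is almost full.</p>
<p>Please <a href="http://rmail-ryerson.example.net/login.php">log in at https://my.ryerson.ca</a>
to verify your account, or visit <a href="https://www.ryerson.ca/ccs/">CCS</a> for help.</p>
<p><a href="mailto:help@ryerson.ca">Contact us</a></p>"""

# Matches something that looks like a URL or bare hostname inside link text.
URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def host_of(url):
    """Lowercase host of an http(s) URL or bare hostname; None for other schemes
    (mailto:, tel:, javascript:) and for relative paths."""
    url = url.strip()
    m = SCHEME.match(url)
    if m and m.group(1).lower() not in ("http", "https"):
        return None
    if not m:
        url = "http://" + url  # bare "my.ryerson.ca/login" in visible text
    host = urlparse(url).hostname
    return host.lower() if host else None


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Exact or subdomain match only: ryerson.ca.example.net is NOT trusted."""
    return host is not None and any(host == d or host.endswith("." + d) for d in trusted)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, reason)] for links whose real destination does not match
    the host shown in their text, or that leave the trusted domains."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        actual = host_of(href)
        if actual is None:
            continue  # mailto:, relative paths: nothing to resolve here
        m = URLISH.search(text)
        shown = host_of(m.group(0)) if m else None
        if shown and shown != actual:
            findings.append((href, f"text shows {shown} but link goes to {actual}"))
        elif not is_trusted(actual, trusted):
            findings.append((href, f"{actual} is not a trusted domain"))
    return findings


def defang(html, findings):
    """Replace each flagged <a ...>...</a> with a warning, keeping the rest of the
    body. Assumes the href attribute is quoted with " or ' (true of the sample)."""
    for href, reason in findings:
        pattern = re.compile(
            r'<a\b[^>]*href=["\']%s["\'][^>]*>(.*?)</a>' % re.escape(href), re.S | re.I
        )
        html = pattern.sub(lambda m: f"[link removed: {reason}] {m.group(1)}", html)
    return html


if __name__ == "__main__":
    found = suspicious_links(SAMPLE_HTML)
    for href, reason in found:
        print(f"FLAGGED {href}: {reason}")
    print(defang(SAMPLE_HTML, found))
```

Only the first link is flagged: its text names my.ryerson.ca while the href resolves to rmail-ryerson.example.net. The allowlist check uses a dotted-suffix comparison so that a lookalike such as `ryerson.ca.example.net` is not accepted; a production filter would also need to handle lookalike characters and shortened or redirecting URLs, which this example does not attempt.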
Detecting malware
Despite significant effort by CCS to improve RMail’s security, it has been difficult to match Gmail’s ability to detect malicious email attachments. Google’s anti-malware system automatically runs many types of executable files, letting the code execute inside simulated PC and Mac environments and observing what it does.
Running the files lets Google detect malware without relying on file signatures, which only work when an attachment matches a specific, already-known malware sample. CCS attempted to set up a similar service for RMail, but doing so caused long delays in delivering email and was less effective at detecting evasive malware than a comparable cloud-based service.
Two-factor authentication compatibility
RMail does not work with Ryerson’s two-factor authentication system as the software used to provide the RMail service does not support Ryerson’s Central Authentication Service (CAS). CAS is the system you use to log in to the my.ryerson portal and systems like Gmail, Google Drive, eHR, D2L Brightspace and RAMSS amongst others.
Since CAS is also the system that provides two-factor authentication, the same issue does not exist for Gmail, which works with CAS. To increase RMail’s security, we’re investigating requiring RMail users to log in to one of our firewalls using two-factor authentication before logging in to RMail. While the two logins may be a hindrance to RMail users and would require additional work on CCS’s part, at least RMail accounts would be better protected.
Operating on a global scale
Overall, Gmail is much more secure than RMail and other locally-hosted solutions. Part of the reason is that Google operates at a scale that allows it to detect and respond to attacks quickly and effectively.
At the 2018 Google Next conference, Google announced that they:
- support 1.4 billion monthly active Gmail users, including 80 million students;
- stop 99.9 per cent of spam and phishing attacks; and
- block 10 million bad messages per minute.
Why does this matter?
Occasionally, someone will tell me none of this really matters because they aren’t going to be fooled by phishing attacks and know better than to open most attachments. I wish that’s all there was to it. The truth is that RMail is a security liability.
Compromised RMail accounts can be used by attackers to send very convincing phishing and other malicious emails to other people at Ryerson. Those emails can be injected into existing email discussions and will deceive just about everyone. This phishing technique has been successfully used at other universities to compromise accounts as part of payroll diversion attacks.
Seven years ago, running RMail in parallel with Gmail didn’t seem that risky. CCS already had in place both open source and proprietary spam and attachment filtering systems that worked reasonably well. But a lot has changed since then—the internet has become an increasingly hostile place. RMail has fallen behind and we don’t have the capacity to protect it in the same way Google can protect Gmail.
References
Of course, there is much more to Gmail security so I have provided references for those who may be interested.
- Electronic Frontier Foundation’s Encrypt the Web Report
- New Built-In Gmail Protections to Combat Malware in Attachments
- Understanding differences between corporate and consumer Gmail threats
- Protecting You Against Phishing
- A reminder about government-backed phishing
- G Suite Security and Trust (Scroll down to get to the content.)
Readers may also be interested in our first blog post for this consultation, “Is it time to shut down RMail?”.
Yours truly,
Brian Lesser
Chief Information Officer
Ryerson University
This blog post was originally communicated via email to Ryerson students, faculty and staff currently using RMail.
Hi Brian,
It’s quite telling that you have once again chosen to evade the elephant in the room. Google may do a better job of protecting us from phishing, but who will protect us from Google? It’s also frustrating to see you not acknowledge the idea that we do not want to be forced to use a product from a company whose explicit goal and business model is to collect private data which they can in turn sell to advertisers. It’s not relevant whether Gmail for education has any ads or not; it’s the data collection that bothers us. Please rethink this approach of forcing Gmail on those of us who have chosen to value privacy.
Hi NM,
I have been reading the comments on the blog site and the emails that I’ve received with interest. I do not always agree with how Google has been characterized. For example, some people have not distinguished between Google’s ad-driven consumer services and the G Suite of applications it provides to corporations and public sector organizations. Google has roughly 4 million corporate/public sector clients who pay something like one billion a quarter for these services. So they are not ad driven and must protect the confidentiality of their clients’ data. G Suite is provided under a written agreement which limits what Google can do with our content. Basically the only use they can make of our data is to provide the service. An example would be indexing email for the purpose of allowing you to search on it.
I hope to write more about the “elephant in the room” later. I expect it will take some time.
Yours truly,
Brian
Were any other email options considered besides Gmail?
Yes, back in 2011 we did a lengthy request for proposals and evaluated a number of options. Google came out the winner. We also did a full Privacy Impact Assessment which you can read here:
http://email.blog.ryerson.ca/2015/04/02/email-and-collaboration-tools-privacy-impact-assessment/
The archives of this blog also provide some history as to how the decision was made to go with Google.