IT Security For Libraries

TSA Master Keys, Threat Models, and Encryption

This is the perfect illustration of why security that has backdoors for law enforcement isn’t actually security. Once there is an intentionally created hole in your security strategy, you should assume that anyone that you are attempting to prevent accessing your luggage/email/passwords will ALSO have access to your intentionally created security hole. This is the same concept that Cory Doctorow uses in his condemnation of DRM (you can’t lock something up with a key and then give the key to the person you are trying to prevent accessing your thing) as well as the argument against giving backdoor access keys for encryption algorithms to governmental agencies. It is simply impossible to have security, whether that term is used for physical objects, communication, storage of information, or anything else, and also to have holes intentionally added to the system for the benefit of “the good guys”. Once the key exists, anyone can make their own copy of it.

From TSA Master Keys, Threat Models, and Encryption | Pattern Recognition

The Challenges of Securing University Computer Networks

Can Campus Networks Ever Be Secure?
Universities are struggling to find a balance between academic openness and the need for computer security across their networks.

From The Challenges of Securing University Computer Networks - The Atlantic

ECPA reform: The 1986 email privacy law might finally get updated.

federal law protects some of your email from government snooping without a warrant. But it doesn’t protect your email if it’s been left on a server for too long, and, worse, it doesn’t protect your metadata—information that can get you arrested and prosecuted, that can reveal intimate secrets about you, and that would expose the entire network of people you talk to. On Wednesday the Senate Judiciary Committee is set to address the first problem, but reform efforts in both houses of Congress have largely passed over the second issue. In dodging the problem of metadata, legislators have missed the forest for the twigs.

From ECPA reform: The 1986 email privacy law might finally get updated.

Unmasked: An Analysis of 10 Million Passwords

A lot is known about passwords. Most are short, simple, and pretty easy to crack. But much less is known about the psychological reasons a person chooses a specific password. We’ve analyzed the password choices of 10 million people, from CEOs to scientists, to find out what they reveal about the things we consider easy to remember and hard to guess.

From Unmasked: An Analysis of 10 Million Passwords

Ashley Madison, Organizational Doxing, and the End of Online Privacy

Most of us get to be thoroughly relieved that our emails weren't in the Ashley Madison database. But don’t get too comfortable. Whatever secrets you have, even the ones you don’t think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there’s largely nothing you can do about it.

Welcome to the age of organizational doxing.

From Ashley Madison, Organizational Doxing, and the End of Online Privacy - The Atlantic

How To Secure Your Library's Social Media Presence

The ALA lost control of its Facebook page over the weekend, so this seems like a pretty good time to review IT security. Any small or midsized organization is difficult, if not impossible, to secure completely. It's very easy to overlook things and leave ourselves vulnerable to incidents like this.

Who/Why: Whoever did it, it's probably their job. They're most likely professionals: either they get paid by others, or this is the life they've carved out for themselves. If you're lucky enough to have a considerable number of followers/friends, you'll be a target eventually. Chances are good it's not personal, it's just business. These people are probably just trying to make money. It may also be that you're just a small step in a much larger campaign.

How: Most likely one of a handful of ways, and almost all of them come down to one of the people with the login credentials giving them away without meaning to. Their email account was compromised, so the attacker could read password reset messages. One of their devices was infected with malware that captured what they typed. They logged in over an untrusted public network and the credentials were captured in transit. They were spear-phished and replied to an email that looked like it came from someone they knew. Or they reused a password that leaked in some other site's breach, and the attacker simply tried it here.

Review Your Settings: Take a look at all the security and privacy settings. Now. And again every few months. Facebook has an especially wide range of settings you can change. Those controls are all there for you to limit risk, control who can see what on your profiles, and make things better for you. Turn on two-factor login wherever the platform offers it. There are settings in there to help you recover from a compromised account as well.

Passwords: Make them LONG, at least 20 characters. Make sure you know who has access and how they are storing those passwords. Every single account needs a long, strong, unique, rare password. Better yet, use a different email account for every account as well. Change that password monthly, and immediately whenever someone who knew it leaves. Check out all the different password managers out there; I use LastPass, but there are many more.

Be suspicious: Funny-looking emails or links in social media are DANGEROUS. If you're not 100% sure of the source, either ask the apparent sender through another channel or just hit delete.

Stay in control: Know who in the library has access to what. Your library needs to control who is posting what. The more people who have logins, the less secure things become. Try HootSuite or another social media management tool so you can give people posting access without giving away the credentials.

Who and what else has access: Check the third-party apps that have been authorized and make sure you know what they can do and why. Revoke everything you don't need.

Know what to do if your account is compromised: Both Twitter and Facebook have help pages devoted to this.
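The password and access-control advice above can be turned into a check you actually run. The script below is an added example written for this post, not code from the post's author or from any password manager: it generates a password of the recommended length with Python's `secrets` module and audits a small inventory of shared social media logins for the three problems the post names (too short, reused across accounts, held by too many people). The inventory, the account names, the holder names and the `MAX_HOLDERS` threshold are all constructed for the example; a real audit would run over an export from your password manager held in memory, never a plaintext list kept on disk.

```python
import math
import secrets
import string
from collections import defaultdict

# Thresholds: MIN_LENGTH is the post's recommendation; MAX_HOLDERS is an assumption
# for the example (more than two people holding one shared login is flagged).
MIN_LENGTH = 20
MAX_HOLDERS = 2
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Cryptographically random password; secrets, not random, so it is unguessable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Upper bound on strength: assumes every character was drawn uniformly from alphabet."""
    return len(password) * math.log2(len(alphabet))


def audit(inventory: list) -> list:
    """Return one finding per problem. Each inventory entry is a dict with
    'account', 'holders' (who knows the password) and 'password'."""
    findings = []
    accounts_by_password = defaultdict(list)
    for entry in inventory:
        account, pw = entry["account"], entry["password"]
        if len(pw) < MIN_LENGTH:
            findings.append(f"{account}: password is {len(pw)} chars, minimum is {MIN_LENGTH}")
        if len(entry["holders"]) > MAX_HOLDERS:
            findings.append(f"{account}: {len(entry['holders'])} people hold this login, "
                            "use a management tool instead of sharing the password")
        accounts_by_password[pw].append(account)
    # A password that appears under more than one account is reused.
    for pw, accounts in accounts_by_password.items():
        if len(accounts) > 1:
            findings.append("same password reused on: " + ", ".join(sorted(accounts)))
    return findings


# Constructed sample inventory for the example (not real accounts or credentials).
SAMPLE_INVENTORY = [
    {"account": "facebook", "holders": ["alice", "bob", "carol"], "password": "Library2015!"},
    {"account": "twitter", "holders": ["alice"], "password": "Library2015!"},
    {"account": "instagram", "holders": ["bob"], "password": generate_password(28)},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
    replacement = generate_password()
    print(f"replacement candidate: {replacement} (~{entropy_bits(replacement):.0f} bits)")
```

On the sample inventory the audit reports the Facebook and Twitter passwords as too short, the Facebook login as shared by three people, and the same password reused on both accounts; the Instagram entry, which was generated at the recommended length, passes. Running the audit again after each staff change is the cheapest way to keep the "know who has access to what" promise.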

Digital Privacy and Security at ALA Next Week #alaac15

Join Blake Carver from LYRASIS and Alison Macrina from the Library Freedom Project to learn strategies for security from digital surveillance. We'll teach tools that keep data safe inside the library and out -- securing your network, website, and PCs, and tools you can teach to patrons in computer classes. We’ll tackle security myths, passwords, tracking, malware, and more, covering a range of tools from basic to advanced, making this session ideal for any library staff.

From Digital Privacy and Security: Keeping You And Your Library Safe and Secure In A Post-Snowden World | 2015 ALA Annual Conference

1 Billion Data Records Stolen in 2014

Data breaches increased 49% with almost 1 billion data records compromised in 1,500 attacks in 2014 – a 78% increase in the number of data records either lost or stolen in 2013, a new report by digital security firm Gemalto said. The Netherlands-based firm said about 575 million records were compromised in 2013.

Identity theft was by far the largest type of attack, with 54% of the breaches involving the theft of personal data, up from 23% in 2013.

How a Librarian Made Me a Surveillance Skeptic

I was at a dinner table about a year ago, right after the first Edward Snowden leaks, when I heard for the first time an argument I've heard many times since.

"Why should I care? I'm not doing anything wrong." This appears to be the opinion of the majority when it comes to the idea of the government using surveillance to fight terrorism. By Pew Research's estimates, 56 percent of Americans support the government listening in while it fights the "bad guys." And it has been this way for something like 12 years -- right after the September 11th attacks and the beginning of the war on terror.

All of this thinking about surveillance, government, and legislation has also reminded me of a chapter in my own history that I haven't thought of in a while. During my junior year of college in 2003, I worked in the D.C. office of a moderate Republican Congressman. My main job was to answer constituent correspondence with letters that represented the Congressman's policy positions, which he would then sign. One day near the end of my spring semester, I had an assignment I couldn't complete: I was supposed to answer a constituent letter about a proposed expansion of the Patriot Act. The letter had been sent, and signed, by librarians throughout the Congressman's home state who were opposed to the Patriot Act's allowance of officials to access library records. They were asking the Congressman to oppose any extension or expansion of the legislation, and really to roll it back entirely. As I was preparing to tell the librarians that the congressman fully supported the legislation, I made a discovery. One of the librarian signatures on the constituent letter was familiar to me. It belonged to my mother.

