IT Security For Libraries

ECPA reform: The 1986 email privacy law might finally get updated.

Federal law protects some of your email from government snooping without a warrant. But it doesn’t protect your email if it’s been left on a server for too long, and, worse, it doesn’t protect your metadata—information that can get you arrested and prosecuted, that can reveal intimate secrets about you, and that would expose the entire network of people you talk to. On Wednesday the Senate Judiciary Committee is set to address the first problem, but reform efforts in both houses of Congress have largely passed over the second issue. In dodging the problem of metadata, legislators have missed the forest for the twigs.

From ECPA reform: The 1986 email privacy law might finally get updated.

Unmasked: An Analysis of 10 Million Passwords

A lot is known about passwords. Most are short, simple, and pretty easy to crack. But much less is known about the psychological reasons a person chooses a specific password. We’ve analyzed the password choices of 10 million people, from CEOs to scientists, to find out what they reveal about the things we consider easy to remember and hard to guess.

From Unmasked: An Analysis of 10 Million Passwords

Ashley Madison, Organizational Doxing, and the End of Online Privacy

Most of us get to be thoroughly relieved that our emails weren't in the Ashley Madison database. But don’t get too comfortable. Whatever secrets you have, even the ones you don’t think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there’s largely nothing you can do about it.

Welcome to the age of organizational doxing.

From Ashley Madison, Organizational Doxing, and the End of Online Privacy - The Atlantic

How To Secure Your Library's Social Media Presence

The ALA lost control of its Facebook page over the weekend, so this seems like a pretty good time to review IT Security! Any small or midsized organization is difficult, if not impossible, to secure. It's very easy to overlook things and leave ourselves vulnerable to incidents like this.

Who/Why: For the person who did it, it's probably their job. They're most likely professionals: either they get paid by others, or this is the life they've carved out for themselves. If you're lucky enough to have a considerable number of followers/friends, you'll be a target eventually. Chances are good it's not personal, it's just business. These people are probably just trying to make money. It may also be that you're just a small step in a much larger campaign.

How: Most likely one of three ways. One of the people with the login credentials gave it away. Either they had their email account compromised, or maybe one of their devices was hacked. It could be someone used an infected public network and gave it away without knowing it. It could be someone was “spear phished” and replied to an email that looked like it came from someone else. Maybe someone lost a password in another compromise and that same password was reused.

Review Your Settings: Take a look at all the security and privacy settings. Now. And again every few months. Facebook has an especially wide range of settings you can change. Those controls are all there for you to limit risk, control who can see what on your profiles, and make things better for you. There are settings in there to help you recover from a compromised account as well.

Passwords: Make them LONG, at least 20 characters. Make sure you know who has access and how they are storing those passwords. Every single account needs a long, strong, unique, rare password. Better yet, use a different email account for every account as well. Change that password monthly. Check out all the different password managers out there; I use LastPass, but there are many more.

Be suspicious: Funny looking emails or links in social media are DANGEROUS. If you're not 100% sure of the source, either ask or just hit delete.

Stay in control: Know who in the library has access to what. Your library needs to have control over who is posting what. The more people that have logins, the less secure things become. Try HootSuite or another manager, and you can give access without giving away the credentials.

Who and what else has access: Check those 3rd party apps that have been authorized and make sure you know what they can do and why. Get rid of everything you don't need.

Know what to do if your account is compromised: Both Twitter and Facebook have pages devoted to this.

Digital Privacy and Security at ALA Next Week #alaac15

Join Blake Carver from LYRASIS and Alison Macrina from the Library Freedom Project to learn strategies for security from digital surveillance. We'll teach tools that keep data safe inside the library and out -- securing your network, website, and PCs, and tools you can teach to patrons in computer classes. We’ll tackle security myths, passwords, tracking, malware, and more, covering a range of tools from basic to advanced, making this session ideal for any library staff.

From Digital Privacy and Security: Keeping You And Your Library Safe and Secure In A Post-Snowden World | 2015 ALA Annual Conference

1 Billion Data Records Stolen in 2014

Data breaches increased 49% with almost 1 billion data records compromised in 1,500 attacks in 2014 – a 78% increase in the number of data records either lost or stolen in 2013, a new report by digital security firm Gemalto said. The Netherlands-based firm said about 575 million records were compromised in 2013.

Identity theft was by far the largest type of attack, with 54% of the breaches involving the theft of personal data, up from 23% in 2013.

How a Librarian Made Me a Surveillance Skeptic

I was at a dinner table about a year ago, right after the first Edward Snowden leaks, when I heard for the first time an argument I've heard many times since.

"Why should I care? I'm not doing anything wrong." This appears to be the opinion of the majority when it comes to the idea of the government using surveillance to fight terrorism. By Pew Research's estimates, 56 percent of Americans support the government listening in while it fights the "bad guys." And it has been this way for something like 12 years -- right after the September 11th attacks and the beginning of the war on terror.

All of this thinking about surveillance, government, and legislation has also reminded me of a chapter in my own history that I haven't thought of in a while. During my junior year of college in 2003, I worked in the D.C. office of a moderate Republican Congressman. My main job was to answer constituent correspondence with letters that represented the Congressman's policy positions, which he would then sign. One day near the end of my spring semester, I had an assignment I couldn't complete: I was supposed to answer a constituent letter about a proposed expansion of the Patriot Act. The letter had been sent, and signed, by librarians throughout the Congressman's home state who were opposed to the Patriot Act's allowance of officials to access library records. They were asking the Congressman to oppose any extension or expansion of the legislation, and really to roll it back entirely. As I was preparing to tell the librarians that the congressman fully supported the legislation, I made a discovery. One of the librarian signatures on the constituent letter was familiar to me. It belonged to my mother.

IT Security for You and Your Library

It’s easy, in theory, to keep your PC safe. It all comes down to three things:

Keep everything patched and updated.
Never trust anything.
Use good passwords.

How To Defend Yourself Against Hacking On Any Device

If you can plug it in or connect it to a network, your device—no matter what it is—can be harnessed by someone else. And that someone doesn’t have to be a Chinese superhacker to do some serious damage with it, either on purpose or by accident. It can be your Uncle Roger, who doesn’t have his new iPhone figured out and is cluelessly turning your lights on and off via your Belkin WeMo.

Subscribe to IT Security For Libraries