IT Security For Libraries


Join Me For My IT Security 101 Workshop At Internet Librarian

W14 - IT Security 101
1:30 p.m. - 4:30 p.m.
Tracy Z Maleeff, Principal, Sherpa Intelligence LLC
Blake Carver, Senior Systems Administrator, LYRASIS

We all know we should use good passwords, keep everything updated, and follow other basic precautions online. Understanding the reasons behind these rules is critical to help us convince ourselves and others that the extra work is indeed worth it. Who are the bad guys? What tools are they using? What are they after? Where are they working? How are they doing it? Why are we all targets? Experienced workshop leaders discuss how to stay safe at the library and at home. They share ways to keep precious data safe inside the library and out—securing your network, website, and PCs—and tools you can teach to patrons in computer classes. They tackle security myths, passwords, tracking, malware, and more. They share a range of tools and techniques, making this session ideal for any library staff.
From Internet Librarian Program for Sunday, October 16, 2016

Come learn about IT Security with me at Internet Librarian!

SUNDAY, OCTOBER 16, 2016
IT Security 101
1:30 p.m. - 4:30 p.m.
Tracy Z Maleeff, Principal, Sherpa Intelligence LLC
Blake Carver, Senior Systems Administrator, LYRASIS

http://internet-librarian.infotoday.com/2016/Sessions/W14-IT-Security-101-9920.aspx

National Library Week – thoughts on cybersecurity

There are two ways in which libraries could be doing a lot better in the realm of cybersecurity. And I should note, I work for rural libraries and digitally divided patrons for the most part so a lot of my ideas are on human scale but there are a lot of good ideas in the larger scale about just encrypting and anonymizing data but they’re sort of the same as they would be for any big business.
From National Library Week – thoughts on cybersecurity | librarian.net

NH bill would explicitly allow libraries to run Tor exit nodes

Inspired by the Library Freedom Project's uncompromising bravery in the face of a DHS threat against a town library in Kilton, NH, that was running a Tor exit node to facilitate private, anonymous communication, the New Hampshire legislature is now considering a bill that would explicitly permit public libraries to "allow the installation and use of cryptographic privacy platforms on public library computers for library patrons use."

From NH bill would explicitly allow libraries to run Tor exit nodes / Boing Boing

Everything you need to know about the Apple versus FBI case

Summary
This issue is much bigger than just Apple providing access to a single device, it’s much bigger than the encryption debate and it’s much bigger than just the US. There are angles to this we haven’t thought about yet and it’ll continue to be sensationalised by the press, misrepresented by the government and rebuked by Apple.

The ramifications of them actually complying with this court order would likely spread well beyond just compromising a device that’s in the physical possession of law enforcement. A precedent the likes of Apple being forced to weaken consumer protections will very likely then be applied to other channels; what would it mean for iMessage when the authorities identify targets actively communicating where they’re unable to gain physical access to the device? It sets an alarming precedent and all the same arguments mounted here by the FBI could just as easily be applied to end to end encryption.

But let me finish on a lighter note: this also has the potential to result in greater consumer privacy for everyone. In part because if Apple successfully defends their stance then they’ll have the precedent the next time the issue is raised. In part also because this incident may well prompt them to tie their own hands even further and indeed this appears to be the case with the newer generation of device. And finally, because the world is watching how this plays out and it will influence the position of other governments and tech companies outside the US. If sanity prevails, we may well all be better off for having gone through this.

From Troy Hunt: Everything you need to know about the Apple versus FBI case

Stronger Locks, Better Security

What if, in response to the terrorist attacks in Paris, or cybersecurity attacks on companies and government agencies, the FBI had come to the American people and said: In order to keep you safe, we need you to remove all the locks on your doors and windows and replace them with weaker ones. It's because, if you were a terrorist and we needed to get to your house, your locks might slow us down or block us entirely.  So Americans, remove your locks! And American companies: stop making good locks!

From Stronger Locks, Better Security | Electronic Frontier Foundation

TSA Master Keys, Threat Models, and Encryption

This is the perfect illustration of why security that has backdoors for law enforcement isn’t actually security. Once there is an intentionally created hole in your security strategy, you should assume that anyone that you are attempting to prevent accessing your luggage/email/passwords will ALSO have access to your intentionally created security hole. This is the same concept that Cory Doctorow uses in his condemnation of DRM (you can’t lock something up with a key and then give the key to the person you are trying to prevent accessing your thing) as well as the argument against giving backdoor access keys for encryption algorithms to governmental agencies. It is simply impossible to have security, whether that term is used for physical objects, communication, storage of information, or anything else, and also to have holes intentionally added to the system for the benefit of “the good guys”. Once the key exists, anyone can make their own copy of it.

From TSA Master Keys, Threat Models, and Encryption | Pattern Recognition

The Challenges of Securing University Computer Networks

Can Campus Networks Ever Be Secure?
Universities are struggling to find balance between academic openness and the need for computer security across their networks.

From The Challenges of Securing University Computer Networks - The Atlantic

ECPA reform: The 1986 email privacy law might finally get updated.

federal law protects some of your email from government snooping without a warrant. But it doesn’t protect your email if it’s been left on a server for too long, and, worse, it doesn’t protect your metadata—information that can get you arrested and prosecuted, that can reveal intimate secrets about you, and that would expose the entire network of people you talk to. On Wednesday the Senate Judiciary Committee is set to address the first problem, but reform efforts in both houses of Congress have largely passed over the second issue. In dodging the problem of metadata, legislators have missed the forest for the twigs.

From ECPA reform: The 1986 email privacy law might finally get updated.

Unmasked: An Analysis of 10 Million Passwords

A lot is known about passwords. Most are short, simple, and pretty easy to crack. But much less is known about the psychological reasons a person chooses a specific password. We’ve analyzed the password choices of 10 million people, from CEOs to scientists, to find out what they reveal about the things we consider easy to remember and hard to guess.

From Unmasked: An Analysis of 10 Million Passwords

Ashley Madison, Organizational Doxing, and the End of Online Privacy

Most of us get to be thoroughly relieved that our emails weren't in the Ashley Madison database. But don’t get too comfortable. Whatever secrets you have, even the ones you don’t think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there’s largely nothing you can do about it.

Welcome to the age of organizational doxing.

From Ashley Madison, Organizational Doxing, and the End of Online Privacy - The Atlantic

How To Secure Your Library's Social Media Presence

The ALA lost control of its Facebook page over the weekend, so this seems like a pretty good time to review IT security. Any small or midsized organization is difficult, if not impossible, to secure completely. It is easy to overlook something and leave yourself open to exactly this kind of takeover.

Who/Why: For the person who did it, this is probably their job. They are most likely professionals: either they get paid by others, or this is the life they have carved out for themselves. If you are lucky enough to have a considerable number of followers or friends, you will be a target eventually. Chances are good it is not personal, it is just business. These people are probably just trying to make money, or your account is a small step in a much larger campaign (a trusted account is a good place to post malicious links from).

How: Most likely, one of the people with the login credentials gave them away without meaning to. Their email account was compromised, or one of their devices was hacked. They used an untrusted public network and the password was captured in transit. They were "spear phished" and replied to an email that looked like it came from someone they knew. Or they reused the same password somewhere else, that other site was breached, and the attacker simply tried the leaked password here.

Review Your Settings: Take a look at all the security and privacy settings. Now. And again every few months. Facebook has an especially wide range of settings you can change. Those controls are all there for you to limit risk, control who can see what on your profiles, and make things better for you. There are settings in there to help you recover from a compromised account as well, and turning on two-factor authentication where the service offers it is the single biggest improvement you can make.

Passwords: Make them LONG, at least 20 characters. Make sure you know who has access and how they are storing those passwords. Every single account needs a long, strong, unique password that is not used anywhere else. Better yet, use a different email address for every account as well. Change that password regularly, and immediately whenever someone who knew it leaves or you suspect it has leaked. Check out the different password managers out there; I use LastPass, but there are many more.

Be suspicious: Funny looking emails or links in social media are DANGEROUS. If you're not 100% sure of the source, either ask or just hit delete.

Stay in control: Know who in the library has access to what. Your library needs to control who is posting what. The more people that have logins, the less secure things become. A tool such as HootSuite (or another social media manager) lets you give staff posting access without handing them the account credentials themselves, so one person leaving does not mean changing every password.

Who and what else has access: Check those 3rd party apps that have been authorized and make sure you know what they can do and why. Get rid of everything you don't need.

Know what to do if your account is compromised: Both Twitter (https://support.twitter.com/articles/31796) And Facebook (https://www.facebook.com/hacked) have pages devoted to this.
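As an added illustration of the password and access advice above (this is example code written for this page, not something from the original post or from any of the services named), here is a small Python audit in the spirit of reviewing a library's shared password list: it flags passwords that are too short, reused across accounts, or on a common-password list, and generates replacements from the operating system's random source rather than from a person's memory. The account names, passwords, word list and blocklist are all constructed for the example; a real audit would use a real leaked-password list and the export from your password manager.

```python
import math
import secrets
import string
from collections import Counter

# Constructed sample: account -> password, the way a library might keep them in
# a shared spreadsheet. Every entry here is made up for this example.
SAMPLE_ACCOUNTS = {
    "facebook": "Library2015!",
    "twitter": "Library2015!",
    "hootsuite": "correct horse battery staple reading room",
    "instagram": "password",
    "wordpress": "Tr0ub4dor&3",
}

# Tiny constructed blocklist; in practice load a real leaked-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "library"}

# Tiny constructed word list for passphrases; a real one has thousands of words.
WORDLIST = ["archive", "catalog", "folio", "index", "lending", "marginalia",
            "microfilm", "periodical", "reference", "shelf", "stacks", "vellum"]

MIN_LENGTH = 20  # the post's rule: at least 20 characters


def audit_passwords(accounts, min_length=MIN_LENGTH, blocklist=COMMON_PASSWORDS):
    """Return {account: [problems]} for every account that breaks the policy.

    Three checks: too short, reused on another account (one breach then
    unlocks them all), and present on a common-password list.
    """
    counts = Counter(accounts.values())
    findings = {}
    for name, pw in accounts.items():
        problems = []
        if len(pw) < min_length:
            problems.append(f"too short ({len(pw)} < {min_length})")
        if counts[pw] > 1:
            problems.append(f"reused on {counts[pw]} accounts")
        if pw.lower() in blocklist:
            problems.append("on common-password list")
        if problems:
            findings[name] = problems
    return findings


def generate_password(length=24,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password drawn from the OS CSPRNG (secrets), never random.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count=6):
    """Diceware-style passphrase: each word chosen uniformly from `words`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for account, problems in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'; '.join(problems)}")
    print("replacement password:", generate_password())
    print("replacement passphrase:", generate_passphrase(WORDLIST))
    print("bits for a 24-char random password:", round(entropy_bits(94, 24), 1))
```

Run against the sample, the script flags facebook and twitter for sharing one short password, instagram for a blocklisted password, and wordpress for being short, while the long passphrase on the hootsuite entry passes. The reuse check is the one that matters most for the "lost in another compromise" case described above: a password that is unique to one account can only be lost with that account.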

Digital Privacy and Security at ALA Next Week #alaac15

Join Blake Carver from LYRASIS and Alison Macrina from the Library Freedom Project to learn strategies for security from digital surveillance. We'll teach tools that keep data safe inside the library and out -- securing your network, website, and PCs, and tools you can teach to patrons in computer classes. We’ll tackle security myths, passwords, tracking, malware, and more, covering a range of tools from basic to advanced, making this session ideal for any library staff.

From Digital Privacy and Security: Keeping You And Your Library Safe and Secure In A Post-Snowden World | 2015 ALA Annual Conference

1 Billion Data Records Stolen in 2014

Data breaches increased 49% with almost 1 billion data records compromised in 1,500 attacks in 2014, a 78% increase over the number of data records either lost or stolen in 2013, a new report by digital security firm Gemalto said. The Netherlands-based firm said about 575 million records were compromised in 2013.

Identity theft was by far the largest type of attack, with 54% of the breaches involving the theft of personal data, up from 23% in 2013.

http://blogs.wsj.com/digits/2015/02/12/1-billion-data-records-stolen-in-2014-says-gemalto/

How a Librarian Made Me a Surveillance Skeptic

From Marketplace.org: I was at a dinner table about a year ago, right after the first Edward Snowden leaks, when I heard for the first time an argument I've heard many times since.

"Why should I care? I'm not doing anything wrong." This appears to be the opinion of the majority when it comes to the idea of the government using surveillance to fight terrorism. By Pew Research's estimates, 56 percent of Americans support the government listening in while it fights the "bad guys." And it has been this way for something like 12 years -- right after the September 11th attacks and the beginning of the war on terror.

All of this thinking about surveillance, government, and legislation has also reminded me of a chapter in my own history that I haven't thought of in a while. During my junior year of college in 2003, I worked in the D.C. office of a moderate Republican Congressman. My main job was to answer constituent correspondence with letters that represented the Congressman's policy positions, which he would then sign. One day near the end of my spring semester, I had an assignment I couldn't complete: I was supposed to answer a constituent letter about a proposed expansion of the Patriot Act. The letter had been sent, and signed, by librarians throughout the Congressman's home state who were opposed to the Patriot Act's allowance of officials to access library records. They were asking the Congressman to oppose any extension or expansion of the legislation, and really to roll it back entirely. As I was preparing to tell the librarians that the congressman fully supported the legislation, I made a discovery. One of the librarian signatures on the constituent letter was familiar to me. It belonged to my mother.

IT Security for You and Your Library

http://www.infotoday.com/cilmag/jan14/Carver--IT-Security-for-You-and-Your-Library.shtml

STAY SAFE WHILE YOU’RE ONLINE

It’s easy, in theory, to keep your PC safe. It all comes down to three things:

Keep everything patched and updated.
Never trust anything.
Use good passwords.

How To Defend Yourself Against Hacking On Any Device

http://www.businessinsider.com/how-to-defend-yourself-against-hacking-on-any-device-2013-11
If you can plug it in or connect it to a network, your device—no matter what it is—can be harnessed by someone else. And that someone doesn’t have to be a Chinese superhacker to do some serious damage with it, either on purpose or by accident. It can be your Uncle Roger, who doesn’t have his new iPhone figured out and is cluelessly turning your lights on and off via your Belkin WeMo.

LISTen: An LISNews.org Program -- Episode #250

And we're back even though we're now illegal in Vietnam! Then again, so is the rest of LISNews as we discuss in the program. The hiatus is over and normal programming resumes notwithstanding September 2nd being a holiday. In this week's episode we talk about the threat of the Syrian Electronic Army and preparing for it. We also have a unique news miscellany that ends with a fun item from the Jewish Telegraphic Agency.

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/.

The Fresh Prince of Bel-Where? Academic Publishing Scams

Phishing attacks targeting academia aren’t the most high-profile of attacks, though they’re more common than you might think. Student populations in themselves constitute a sizeable pool of potential victims for money mule recruitment and other job scams, in fact anything that promises an easy supplemental income, unfeasibly cheap or free trendy gadgetry, and so on. But I’m talking about attacks against the institutions, rather than their ‘customers’: for example, targeted social engineering attacks as a means of accessing intellectual property. Some academic research has appreciable monetary value in its own right, and much of it is developed in partnership with and funded by businesses with a direct interest in monetizing it: that makes it of interest to people with an interest in getting in first.
