Hackers in the Library

Michael McDonnell, GIAC Certified Intrusion Analyst, [email protected]. Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike. Hackers in the Library, Version 3.

description

Hackers in the Library is a review of the Information Security threats that are unique to libraries. Interspersed in the presentation are my own stories of security issues I have encountered while working in libraries and stories "ripped from the headlines".

Transcript of Hackers in the Library

Page 1: Hackers in the Library

Michael McDonnell, GIAC Certified Intrusion Analyst

[email protected]

Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

Hackers in the Library, Version 3

Page 2: Hackers in the Library

Library Website Shutdown by Hacker

Page 3: Hackers in the Library

ILS Server Hacked

This isn't exactly true: Unix isn't any more or less "hacker friendly" than any other OS (not at this level of discussion). Beware, this opinion is expressed in the L.I.S. literature (but contradicted in the I.T. literature). Don't play the blame game... come up with a defense-in-depth strategy instead.

Page 4: Hackers in the Library

Library Phonelines Hacked

Page 5: Hackers in the Library

Even the Library of Congress was Hacked

Page 6: Hackers in the Library

And More...

Page 7: Hackers in the Library

Many Library Hacks: Old & New

Page 8: Hackers in the Library

This talk covers 3 kinds of library cybersecurity case study:

1. Libraries as unique targets
2. Libraries as attractive targets
3. Trends in cybercrime

Page 9: Hackers in the Library

Libraries fit into the 2nd Most Hacked Organization Type

Source: Shezaf (2008)

Page 10: Hackers in the Library

Libraries can be Unique Targets

Public Access Computers
+ Lots of Users
+ Private Records for Large Populations
+ Lots of Bandwidth
+ Access to Valuable Licensed Information

Page 11: Hackers in the Library

PAC Desktop Wallpaper Defacement

A politically motivated defacement of a PAC (public access computer) station's desktop wallpaper. The regular wallpaper was used to provide instructions for use of the PAC and was "locked down".

Page 12: Hackers in the Library

Helpful HOWTO on Library Hacking

Page 13: Hackers in the Library

EZproxy Password "Fans"

Page 14: Hackers in the Library

Academics and Doctors Dedicated to Hacking Library Proxy Servers

Page 15: Hackers in the Library

Forums show why libraries are being targeted

Page 16: Hackers in the Library

Typosquatting Virtual Reference

Typosquatters have websites with popular misspellings of names.

In 2006 several cybersquatters displayed content from, and links back to, askaquestion.ab.ca.

Is that a GOOD thing or a BAD thing?

Page 17: Hackers in the Library

Student Sent a Prank Overdue Notice

First overdue notice:

According to our records, the following library material is overdue. Please renew or return as fines may be accruing. Currently you owe $542.53. If you do not pay by 10/10/2008, your University degree will be immediately revoked.

If you wish to renew, you may do so using this link to My Account at http://catalogue.library.ca/myaccount/

Contact the circulation desk at the above library if you have any questions.

Thank you.

1 call number: Z 699 A1 A61 v.39 2005 ID: 0162022610438 $30.00
Annual review of information science and technology.
[Washington, etc.] American Society for Information Science [etc.]
due: 8/31/2008, 23:59

2 call number: Z 699 A1 A61 v.40 2006 ID: 0162022610487 $21.00
Annual review of information science and technology.
[Washington, etc.] American Society for Information Science [etc.]
due: 8/31/2008, 23:59

....

Page 18: Hackers in the Library

Stephen Abram on the Security of the ILS

To date the ILS has not been a target for security threats, although associated systems for servers and communication have. This may change if a large installed base of open source ILS platforms emerges.

Abram, Stephen (2009). "Integrated Library System Platforms on Open Source"

Does the OPAC count? Or is that an "associated system"?

Page 19: Hackers in the Library

National Library of Maldives

http://jadecrew.org/blog/?p-34

http://www.nlm.gov.mv

Page 20: Hackers in the Library

Open Library beta

http://openlibrary.org/beta?m=view&v=28

Page 21: Hackers in the Library

OpenBiblio ILS

http://elibrarycatalog.com/qcshsopenbiblio/opac/index.php

Page 22: Hackers in the Library

Mary Couts Burnett Library

http://defaced.zone-h.net/defaced/2009/06/01/lib.tcu.edu/resguides/Resguide.asp%3FID=4

Page 23: Hackers in the Library

Dynix as Past Target

http://store.2600.com/fall2002.html

Page 24: Hackers in the Library

SirsiDynix as a Current Target

http://www.daveyp.com/blog/archives/467

Oct 9, 2008

Page 25: Hackers in the Library

Hackers *do* Notice Libraries

http://it.toolbox.com/blogs/securitymonkey/when-libraries-are-vulnerable-25847

Page 26: Hackers in the Library

Library Patron Records Exposed

Page 27: Hackers in the Library

Marshall Breeding on ILS Security

So while we're seldom prime targets, we aren't totally bypassed either.

Breeding, M. (2003). Defending your ILS against security threats. Information Today.

Page 28: Hackers in the Library

Libraries are Attractive Targets

Lots of Bandwidth
+ Lots of Users
+ Open Networks
+ Weak I.T. Practices

Page 29: Hackers in the Library

Turkish Defacers Attack Museum Greeting Cards

Page 30: Hackers in the Library

WordPress Spam Link Injection

Page 31: Hackers in the Library

Library GIS Station Hacked

Page 32: Hackers in the Library

Hacked to Serve Illicit French Movies

An unpatched server was compromised and used to distribute 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.

Page 33: Hackers in the Library

French Puppet Videos!

The server was distributing 20 GB of French puppet videos. The cleanup time was 7 hours. If they had just asked, we would probably have found someone to host the videos for them!

Page 34: Hackers in the Library

Trends in Cybercrime Will Affect Libraries

Every factor already mentioned
+ Hackers' desire to make money

Page 35: Hackers in the Library

Hackers are motivated by Money

Defacement
- Propaganda
- Bragging Rights
- Reputation Hijacking
- Ad Revenue

Stealing Sensitive Info
- Ransom
- Direct Financial Gain
- Information Leaks
- Enable other Attacks

Chart: Types of Cyberattacks by Volume, Shezaf (2008)

Page 36: Hackers in the Library

Library Phonelines Hacked

Page 37: Hackers in the Library

Phishing & Spear-phishing

From: [email protected]
To: <undisclosed recipients>
Subject: (TRANSFER CONTACT)

My Dear,

It's me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly.

What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country.

The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges.

Please kindly contact the bank on Tel: +13-162-651-1808 /Fax: +31-847-301-282. OR via E-MAIL: [email protected] with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work.

Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by email as I don't want my relation or anybody to know because they are always around me.

Yours Faithfully,
Mrs. Anita Johnson Ross

Page 38: Hackers in the Library

DNS Poisoning

The cyberbrowse owner gets paid $$$ when people view or click on ads.

We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website.

Page 39: Hackers in the Library

How DNS Works

Diagram: Your PC, Your DNS Server, Hotmail's DNS Server (www.hotmail.com = 64.4.33.7)

1. Your PC asks your DNS server: What is the IP for www.hotmail.com?
2. Your DNS server asks Hotmail's DNS server: What is the IP for www.hotmail.com?
3. Hotmail's DNS server answers: The IP is 64.4.33.7
4. Your DNS server stores the answer in its DNS cache: Remember hotmail.com is 64.4.33.7
5. Your DNS server tells your PC: The IP for hotmail.com is 64.4.33.7
6. Your PC: Get the webpage from 64.4.33.7

Page 40: Hackers in the Library

How DNS Poisoning Works

Diagram: Your PC, Your DNS Server, Hotmail's DNS Server (www.hotmail.com = 64.4.33.7), Hostile DNS Server (cyberbrowse.com = 69.93.150.59)

1. Your PC asks your DNS server: What is the IP for www.hotmail.com?
2. The hostile DNS server answers instead of Hotmail's DNS server: The IP for www.hotmail.com is 69.93.150.59!!!
3. Your DNS server stores the forged answer in its DNS cache: Remember hotmail.com is 69.93.150.59
4. Your DNS server tells your PC: The IP for hotmail.com is 69.93.150.59
5. Your PC: Get the webpage from 69.93.150.59 (cyberbrowse.com, not Hotmail)
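The two slides above describe the mechanism in pictures. What follows is an added example, not code from the presentation: a toy Python model of the caching resolver ("Your DNS Server") and of the forged-answer race. The names and IPs are the ones on the slides; everything else is an assumption for the sake of illustration: an in-memory cache, a 16-bit transaction ID drawn from a seeded random generator, a resolver that either does or does not check that ID, and an attacker who is either "off-path" (must guess the ID) or "on-path" (can read it off the wire). `AUTHORITATIVE` stands in for Hotmail's DNS server.

```python
"""Toy caching resolver and cache-poisoning race (added example, not from the slides)."""
import random
from dataclasses import dataclass

LEGIT_IP = "64.4.33.7"       # www.hotmail.com on the slides
HOSTILE_IP = "69.93.150.59"  # cyberbrowse.com on the slides
QNAME = "www.hotmail.com"

# Stands in for Hotmail's DNS server (constructed sample data).
AUTHORITATIVE = {QNAME: LEGIT_IP}


@dataclass
class Response:
    txid: int    # 16-bit transaction ID that a real answer echoes back
    qname: str
    ip: str


class Resolver:
    """Your DNS server: asks upstream (slide step 2), remembers the answer (step 4)."""

    def __init__(self, check_txid=True, seed=1):
        self.cache = {}      # qname -> ip, handed to every later client
        self.pending = {}    # qname -> txid of the query still waiting for an answer
        self.check_txid = check_txid
        self.rng = random.Random(seed)   # seeded only so the example is reproducible

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        self.pending[qname] = txid
        return txid

    def deliver(self, resp):
        """Accept a response into the cache if it answers an outstanding query."""
        if resp.qname not in self.pending:
            return False                      # nobody asked: dropped
        if self.check_txid and resp.txid != self.pending[resp.qname]:
            return False                      # wrong ID: forged or stale, dropped
        self.cache[resp.qname] = resp.ip      # first acceptable answer wins ...
        del self.pending[resp.qname]          # ... and every later one is ignored
        return True

    def lookup(self, qname):
        """What your PC gets back (slide step 5)."""
        if qname not in self.cache:
            txid = self.send_query(qname)
            self.deliver(Response(txid, qname, AUTHORITATIVE[qname]))
        return self.cache[qname]


def poisoning_scenario(check_txid, attacker_on_path, guesses=64, seed=1):
    """Return the IP that every client of this resolver will be sent to."""
    resolver = Resolver(check_txid, seed)
    real_txid = resolver.send_query(QNAME)         # resolver asks upstream
    if attacker_on_path:
        forged_ids = [real_txid]                    # sniffed the query on the wire
    else:
        forged_ids = range(guesses)                 # off-path: blind guessing
    for txid in forged_ids:                         # hostile server races the real one
        if resolver.deliver(Response(txid, QNAME, HOSTILE_IP)):
            break
    resolver.deliver(Response(real_txid, QNAME, LEGIT_IP))   # Hotmail's answer arrives last
    return resolver.lookup(QNAME)


if __name__ == "__main__":
    print("no ID check, off-path attacker:", poisoning_scenario(False, False))
    print("ID check, off-path attacker   :", poisoning_scenario(True, False))
    print("ID check, on-path attacker    :", poisoning_scenario(True, True))
```

The model makes two points the diagram cannot. First, once a forged answer is cached, Hotmail's real answer is silently discarded (the query is no longer pending), and every patron behind that resolver is misdirected until the record expires or the cache is flushed. Second, checking the transaction ID only raises the cost for a blind attacker; an attacker who can see the query wins regardless, which is why real resolvers also randomize the UDP source port and why DNSSEC, not ID matching, is the answer to on-path forgery. To check a resolver you run for this kind of tampering, query it without recursion (`dig +norecurse @your-resolver www.hotmail.com`) and compare the cached answer with what the authoritative servers return.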

Page 41: Hackers in the Library

Cyberbrowse attack was widespread

In 2003, others suffered from the cyberbrowse DNS poisoning.

Many mistook the attack for a problem with their own computers.

I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.

Page 42: Hackers in the Library

The Crimeware Supply Chain

How SPAM Makes Money
• Viruses create botnets (networks of thousands of slave computers)
• Botnet owners pay to have viruses distributed
• Spammers pay botnet owners to send spam
• But spamming requires accounts, which are protected by CAPTCHAs
• Botnet owners pay CAPTCHA breakers

How Credit Card Thieves Work
• Viruses steal credit card and identity info
• Card information is sold to others
• Carders use stolen cards to purchase items
• Remailers ensure shipped items can be obtained
• Items may be sold

Stealing from your Bank Account
• Bank accounts are broken into
• "Money Mules" accept payments to their own accounts and then pay the thieves

Page 43: Hackers in the Library

Breaking CAPTCHAs Pays

From Dancho Danchev's Blog: http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html

This pays about $2 per 1000 CAPTCHAs broken, according to a presentation at OWASP 3.0.

Page 44: Hackers in the Library

Affiliate Marketing Pays for Viruses

Page 45: Hackers in the Library

Cybercrime has grown to include complete supply chain management

Page 46: Hackers in the Library

Questions?

email me:

[email protected]

Slides:

https://staff.library.ualberta.ca/blog/mmcdonne

Page 47: Hackers in the Library

Questions Asked 2008-10-23

Question: What are the top 3 things we can do today to secure our networks?

Answers:

1) Keep your anti-virus up-to-date (both definitions & software) and do nightly or weekly scans (see next slide).

2) Use "separation of concerns" in your network: separate (physically or virtually) those things that do not need to access each other. Use different passwords for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect.

3) Automated monitoring (I failed to give this as an example, but it is my biggest ally). This means a lot of things, from testing if servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomalies are a very strong way to determine if you have a security issue.
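The third answer, and the puppet-video server on pages 32 and 33 that was only noticed when the ISP blocked it for bandwidth, both come down to spotting a metric that has left its normal range. The following is an added example, not code from the presentation, of the simplest useful version of that: a robust outlier check (median and median absolute deviation, so that a few huge days cannot inflate the baseline and hide themselves) run over daily per-host samples. The sample numbers are constructed to resemble that incident; the metric names, the threshold `k` and the flat-series fallback are my assumptions.

```python
"""Robust per-metric anomaly check for charted host data (added example, not from the slides)."""
from statistics import median

# Constructed sample: daily outbound traffic in GB and daily average CPU % for one
# web server over two weeks. The last two days are the "20 GB of videos" pattern.
SAMPLES = {
    "outbound_gb": [1.2, 1.0, 1.4, 0.9, 1.1, 1.3, 1.0, 1.2, 0.8, 1.1, 1.5, 1.0, 9.8, 10.2],
    "cpu_pct":     [12, 15, 11, 14, 13, 12, 16, 13, 11, 14, 12, 15, 13, 14],
}


def robust_outliers(samples, k=5.0):
    """Indices of samples lying more than k MADs above the median.

    The median absolute deviation (MAD) replaces the standard deviation because a
    couple of abnormal days would otherwise drag the mean and spread upward and
    make themselves look normal. Only upward excursions are flagged: for
    bandwidth, CPU and RAM a sudden rise is the interesting direction.
    """
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    if mad == 0:
        # Perfectly flat series (assumption: then any rise at all is worth a look).
        return [i for i, x in enumerate(samples) if x > med]
    return [i for i, x in enumerate(samples) if (x - med) / mad > k]


def check_host(metrics, k=5.0):
    """Map each metric name to the day indices that look anomalous (empty = quiet)."""
    return {name: robust_outliers(values, k) for name, values in metrics.items()}


def alerts(metrics, k=5.0):
    """One human-readable line per anomalous sample, for the on-call mailbox."""
    lines = []
    for name, days in check_host(metrics, k).items():
        for day in days:
            lines.append(f"{name}: day {day} = {metrics[name][day]} "
                         f"(median {median(metrics[name]):.2f})")
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLES):
        print(line)
```

Run daily against whatever you already chart (bandwidth, CPU, RAM, connection counts), this flags days 12 and 13 of the traffic series while leaving the CPU series alone. The point is the one the slide makes: the signal that a server has been turned into a file-sharing host is usually visible in the graphs days before anyone tells you, provided something is looking at the graphs.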

Page 48: Hackers in the Library

No virus news is NOT good news

Problems
• Old anti-virus programs cannot detect the latest types of viruses
• Viruses released today cannot be detected until tomorrow
• Viruses come in clusters: you might only detect one when you are infected with 5
• No anti-virus program can detect all viruses

"Solutions"
• Update your anti-virus software, not just the definitions
• Perform a full anti-virus scan every few days
• Completely reformat any computer on which a virus is detected
• Scan with several different online scanners (F-Secure, Trend at home, Stinger)