Tuesday, September 23, 2014

Wait, what do you mean by #LibSec?

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks. 

I want to take a moment to clarify why libraries, and especially public libraries, are a worthy topic of study in the realm of cyber security risk and threat management. I've presented this idea to a number of my peers in the MSIT program at Clark University and some seem quick to dismiss the idea.

No, I am not talking about the online catalog of books, DVDs and journal subscriptions that most people interact with in a library. One could argue that data leaking from those systems might enable some form of identity theft or user profiling, but that seems very unlikely. Most, if not all, commercially available library systems also discard or anonymize patron lending history for this very reason (privacy is, after all, a major tenet of the ALA Code of Ethics), and unless a patron's username and password were already compromised there is very little ROI for such an attack.

Instead, I want to point out that most modern libraries offer at least a dozen or so internet-connected computer stations for general use, in addition to free public wifi. A quasi-anonymous environment like this enables any number of cyber security attacks: it is the perfect vector. To make matters worse, many patrons use this equipment because they have no home computer or ISP. If library staff do not take cyber security seriously, these patrons become the most vulnerable computer users in our society, because they have no control over the systems they use to reach the internet.

So please understand: #LibSec is about cyber security risk and threat management as it relates to state-funded, public access IT infrastructure in your local community, hardware that, in the wrong hands, could be used to carry out attacks in a variety of ways. And I'm not alone: check out the Sec4Lib listserv for more. I'll be crawling its archives for the next couple of weeks!

Tuesday, September 16, 2014

ACLU Ninja Librarians are Here to Save the Day?

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks. 
When you know that people are recording what you are doing online or if you know cops, the FBI, the DEA, or ICE could access your library or digital history, chances are you are not going to say or research what you might otherwise. Self-censorship ensues because surveillance chills speech. -- Alison Macrina and April Glaser
The above quote is from an article recently published on BoingBoing.net, 'Radical Librarianship: how ninja librarians are ensuring patrons' electronic privacy', which describes exactly why data privacy in a public library setting is essential. The post details the recent partnership between librarians in Massachusetts and their local American Civil Liberties Union chapter to harden IT security practices within public libraries and protect patron data.

This is not the first time librarians have entered the spotlight in the fight for First Amendment rights or information security, but it does mark a change in IT policy that I think is worth noting. Computers have been part of the library landscape for a long time, but for many years they were an internal resource, not an external one. The cost of computers and the difficult UIs of the 60s and 70s made searching the new "digital" card catalog no small task. With the popularity of the internet and the need to access electronic resources in-house in the 80s and 90s, public access computer stations became a no-brainer, but it was not until the 2000s that I think librarians really started to expand their role as organizers of information into digital stewards of the internet age. Should they play this role? I think so. Some might argue otherwise, but the prospect of patron data leaking into the hands of government agencies is such a sensitive issue that I think civil servants like your local librarian are our best protection.

To take this idea a step further, I suggest public librarians also begin pooling their resources toward a security-first open hardware platform for public access computers, one that is not subject to the inherent risks of consumer-grade electronics. The education efforts and security hardening described in the article are a great start, but as the USB controller chip research presented at the Black Hat 2014 conference showed, the firmware in the controller chips of everyday USB peripherals can be reprogrammed so that a device presents itself as something else (a flash drive that also enumerates as a keyboard, for instance), and the host PC has no way to verify what it has actually been plugged into. Whether you call that an exploit or a backdoor depends on your point of view, but practically every modern desktop PC trusts its USB peripherals this way. As many countries outside the US have begun to realize, the only path toward genuinely trustworthy hardware is oversight of the computer hardware supply chain, right down to chip design and manufacturing.
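One mitigation a library IT shop can apply today on Linux public access stations, short of new hardware, is a USB device allow-list that refuses the device-class masquerade described above. The policy below is an added example, not something from the BoingBoing article or the ACLU project; it assumes the USBGuard daemon is installed with its default implicit policy of blocking devices that match no rule, and that the rules live in /etc/usbguard/rules.conf.

```text
# Added example policy for a public access terminal (not from the original post).
# USBGuard evaluates rules top to bottom and the first match wins; a device that
# matches nothing falls through to the daemon's implicit policy (block by default).

# Reject devices that combine mass storage with a keyboard, mouse, wireless
# controller or network interface. This is the "BadUSB" shape: a flash drive
# whose reprogrammed firmware also enumerates as an input or network device.
reject with-interface all-of { 08:*:* 03:00:00 }
reject with-interface all-of { 08:*:* 03:01:00 }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* }

# Allow plain mass storage (patrons' flash drives) and plain hubs.
# "equals" means the device exposes exactly this interface set and nothing else.
allow with-interface equals { 08:*:* }
allow with-interface equals { 09:00:00 }

# Allow one keyboard and one mouse, and only while no other keyboard or mouse
# is already allowed, so a second "keyboard" plugged in later cannot inject
# keystrokes at the patron's session. 03:01:01 / 03:01:02 are the boot-protocol
# keyboard and mouse interfaces; 03:00:01 is a non-boot keyboard.
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
allow with-interface one-of { 03:01:02 } if !allowed-matches(with-interface one-of { 03:01:02 })
```

Run `usbguard generate-policy` on a clean station first to see how the real keyboard, mouse and hubs enumerate, and `usbguard list-devices` to inspect the interface set of any device that gets blocked. The caveat is that this only stops the class masquerade the Black Hat talk demonstrated: a reprogrammed flash drive that presents itself purely as storage but carries malware still gets through, the keyboard rule relies on the legitimate keyboard being enumerated first at boot, and none of it protects the host's own controller firmware.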