Monday, November 10, 2014

Short Answer: Yes, Long Answer: Sooner than you might think.

As a follow-up to a blog post I wrote many moons ago (that has got a lot of search traffic—thanks Google!) titled "Really, what's a Gigawatt", here's a post I just found over at that answers the question: Could the Entire World Really Run on Solar Power? Check out the infographic that goes along with it!

Tuesday, November 4, 2014

#LibSec: An Open Letter to Public Libraries

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks.

This week I'm going to talk about NIST's SP 800-116. Well, sort of...

In that document the authors specifically address the use of "Personal Identity Verification" (PIV) credentials for physical access control systems (PACS), which doesn't apply 100% to #LibSec but at the same time it's a great run-through of all the reasons why ID cards, like a library card, offer very minimal security. To put it bluntly: "most bar code, magnetic stripe, and proximity cards can be copied easily. The technologies used in these systems may offer little or no authentication assurance"—a direct quote from the executive summary.

Sure, from an IT operations / security standpoint there's little reason to worry about someone borrowing a book under the wrong patron's account and accruing exorbitant late fees. It has undoubtedly happened at some point in human history but no systems librarian is losing sleep over the idea. I've said this before but I'll say it again: it's not about that, it's about ensuring you know who is accessing the library network (internally and externally) with a relative degree of certainty. Quasi-anonymous ID cards and low-threshold passwords do very little to fix this.

As a solution, I propose more libraries universally add 2-factor authentication, at a minimum. It's actually not that difficult to implement and Google even has a fancy new USB key system that doesn't require a smartphone app to use. This community forum post doesn't give a complete rundown of how to do this but definitely offers a starting point on how to add 2-factor on the cheap too.

In the grand scheme of things, and taking into consideration all of the potential cyber security threats a public library might face, this change I'm suggesting may seem largely symbolic. That being said, I would argue it's not only a learning opportunity for patrons (does the general public understand how 2-factor works and why? I think not) but a great marketing opportunity as well.

I want to live in a world where a person can walk down to the public library and have guaranteed privacy. A version of the web without targeted ads and with total intellectual freedom. If the public library could truly promise that, I think that would do a lot in terms of gaining public support against budget cuts. A "win-win" situation for the public and the institution.

Public libraries: I love you, but please change.

Wednesday, October 8, 2014

#LibSec: "Knowing is Half the Battle"

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks.

The irony of cybersecurity research is that the biggest threat to an organization often has nothing to do with firewalls or security updates. It's the people using those computers that are often the weakest "layer" of protection in information systems. The DefCon presentation in the video above is almost a decade old but the type of social engineering attacks described by the presenter do not change.

With that in mind, I thought it might be useful for both librarians and my classmates to take a look at an article I found, published by the Association for Computing Machinery, titled Understanding Scam Victims: Several Principles of Information Security. The article is behind a paywall but thankfully the University of Cambridge Computer Laboratory has an unabridged version of the report you can download as a full-text PDF.

I won't go into the full details of the article but rather provide a summary of the "types" or "genres" of attacks described and then place them in a public computer lab setting. My hope is that placing these types of attack in a different setting will make them easier to identify on the job. The following headings are direct from the paper itself but the description is my own:

1. The Distraction Principle

We could rename this category "the art of misdirection". Imagine a scenario where a computer lab user calls your attention to a problem on the other side of the library. While you're away from the desk their partner in crime, the "shill", is copying network information or passwords from your computer station. This is why computer lock screens were invented.

2. The Social Compliance Principle

This type of attack can take several forms. The gist of it is that it's very easy for an attacker to pose as an authority figure, like a police officer, and gain entry to places they should not have access to. The authors also note:

"The lesson for the security architect is that training users always to obey commands from certain people (as “system administrators” of all flavours, including government authorities, like to be able to do), can be a double-edged sword. Although people are generally pretty good at recognizing people they already know (by face, by voice, by shared memories. . . ), they are not very good at all at authenticating strangers, whether over a network, over the phone or even in person."

So there's a virtual component happening here as well. The essence of a phishing attack.

3. The Herd Principle

"Hey, install this new software! Everyone's using it!" Does that sound familiar? Much like the social compliance principle, it's important to do independent fact checking. In a computer lab setting this would ring true in both hardware/software configurations (because "but everyone was doing it" isn't a valid excuse when your network security is on the line) and interpersonally as well (for example, imagine these words: "but the person who works here on Thursdays lets me print all I want").

4. The Dishonesty Principle

The gist of this style of attack is that a scammer/attacker can and will use knowledge of illegal activity against you to gain an edge. The best example I found in the article related to cyber security was the idea that unreported system attacks—because victims must admit failure in the process—actually enable more attacks to occur. Honesty is a key factor in improving the overall health of a professional community.

5. The Deception Principle

We could rename this the "malware" principle. Software that claims to do one thing but does something entirely different. In a computer lab setting this usually isn't a problem because users can't download or install software but either way it's important to understand how and why these attacks occur: see principles 2 and 3 above for another take on this idea.

6. The Need and Greed Principle

The quote they use in this article basically says it all: "Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you." If you look back at my first #LibSec article, this is a core component to that debate and the reason why TOR networks can't be 100% trusted. If you know even a small fraction of users are using public library computers to look up questionable material, that's also a very good reason for them to be closely watched. Double-edged sword.

7. The Time Principle

Much like the first item in this list, the distraction principle, it's important to understand that attackers can use timing to create a false dilemma, and in the process access information or hardware they wouldn't see otherwise. Perfect example: it's the end of the day, time to close up the computer lab but this person is printing a really long document or their computer is taking a long time to export a video file or something along those lines. Your natural tendency might be to be accommodating and continue to close up the lab while they finish up. This creates a scenario, however, where the person is now in an empty room and could do something malicious like plant a keylogger device with a much lower risk of being caught.


That's the end of this blog post! If you want to learn more, check out the National Initiative for Cybersecurity Education framework by NIST.

Friday, October 3, 2014

#LibSec - BadUSB: "Our problem right there"

"Didn’t get no sleep last night
I was thinking about today
Try to keep things simple
But my brain gets in the way 
I said you need to rest now
But my big head don’t care
Now I can see
That that’s gonna be
My problem right there"

Check out my first post in this series for context: ACLU Ninja Librarians are Here to Save the Day?

Tuesday, September 23, 2014

Wait, what do you mean by #LibSec?

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks. 

I want to take a moment to clarify why libraries, and especially public libraries, are a worthy topic of study in the realm of cyber security risk and threat management. I've presented this idea to a number of my peers in the MSIT program at Clark University and some seem quick to dismiss the idea.

No, the online catalog of books, DVDs and online journal subscriptions that most people interact with in a library is not what I'm talking about. Although one could make an argument that data leaking from these systems might enable some form of identity theft or user profiling, that seems very unlikely. Not only that, but most if not all commercially available library systems obfuscate patron lending history for this very reason (privacy is, after all, a major tenet in the ALA code of ethics) and unless a patron's username and password info was already compromised, there's very little ROI for such an attack.

Instead, I want to point out the fact that most modern libraries offer at least a dozen or so computer stations connected to the internet for general use, in addition to free public wifi, and that a quasi-anonymous environment such as this enables any number of cyber security attacks to take place. The perfect vector. To make the situation even worse, many library patrons use this equipment because they do not have a home computer or ISP—if library staff members do not take cyber security seriously, these patrons then become the most vulnerable computer users in our society because they have no control over the computer systems they're using to access the internet.

So please understand, #LibSec is about cyber security risk and threat management as it relates to state-funded public access IT infrastructure in your local community. Hardware that, in the wrong hands, could be used to perform attacks in a variety of ways. And I'm not alone: check out the Sec4Lib listserv for more info. I'll be crawling the archives for the next couple of weeks!

Tuesday, September 16, 2014

ACLU Ninja Librarians are Here to Save the Day?

The following is a "Mini Report" written for Clark University's MSIT3710 Cyber Security Risk and Threat Management course. Throughout the Fall 2014 semester I'll be reporting on issues related to my class project about public library cyber security risks.

"When you know that people are recording what you are doing online or if you know cops, the FBI, the DEA, or ICE could access your library or digital history, chances are you are not going to say or research what you might otherwise. Self-censorship ensues because surveillance chills speech." -- Alison Macrina and April Glaser

The above quote is from an article recently published on titled "Radical Librarianship: how ninja librarians are ensuring patrons' electronic privacy" that describes exactly why data privacy in a public library setting is essential. The post goes into detail about the recent partnership between librarians in Massachusetts and their local American Civil Liberties Union chapter to harden IT security practices within public libraries and protect patron data.

This is not the first time librarians have entered the spotlight in the fight for First Amendment rights or information security but it does mark a change in IT policy that I think is worth noting. Computers have been part of the library landscape for a long time but for many years they were an internal resource—not an external one. The cost of computers and difficult UIs in the 60s and 70s made searching the new "digital" card catalog no small task. The popularity of the internet and the need to access electronic resources in-house in the 80s and 90s made public access computer stations a no-brainer, but it was not until the 2000s when I think librarians really started to expand their role as organizers of information into digital stewards of the internet age. Should they play this role? I think so. Some might argue otherwise, but the issue of data privacy leaking into the hands of government agencies is such a sensitive issue that I think civil servants like your local librarian are our best protection.

To take this idea a step further, I suggest public librarians should also begin pooling their resources together towards a security-first open hardware platform for public access computers that will not be subject to the same inherent risks of consumer grade electronics. The education efforts and security hardening mentioned in this article are a great start, but as we've learned from recent USB controller chip exploits reported at the Black Hat 2014 conference, there are hardware exploits (or backdoors, depending on your point of view) built into literally every modern desktop PC. As many countries outside the US have begun to realize, the only path towards total information security is through complete oversight of their computer hardware supply chain, right down to chip design and manufacturing.