Hackers in the Library

1. Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike. Hackersin theLibrary

2. Library Website Shutdown by Hacker

3. ILS Server Hacked This isn't exactly true: Unix isn't any more or less “hacker friendly” than any other OS (not at this level of discussion). Beware, this opinion is expressed in the L.I.S. literature (but contradicted in I.T. Literature). Don't play the blame game... come up with a defense-in-depth strategy instead.

4. Library Phonelines Hacked

5. Even Library of Congress was Hacked

6. And More...

7. Many Library Hacks: Old & New

8. This talk covers 3 Kinds of Library Cybersecurity Case Study Libraries as unique targets 1 2 Libraries as attractive targets 3 Trends in cybercrime

9. Libraries fit into the 2nd Most Hacked Organization Type Libraries Shezaf (2008)

10. Libraries can be Unique Targets • Public Access Computers • + • Lots of Users • + • Private Records for Large Populations • + • Lots of Bandwidth • + • Access to Valuable Licensed Information

11. PAC Desktop Wallpaper Defacement • A politically motivated defacement of PAC station desktop wallpaper. The regular wallpaper was used to provide instructions for use of the PAC and was “locked down”.

12. Helpful HOWTO on Library Hacking

13. Ezproxy Password “Fans”

14. Academics and Doctors Dedicated to Hacking Libray Proxy Servers

15. Forums show why libraries are being targeted

16. Typosquatting Virtual Reference Typosquatters have websites with popular mispellings for names In 2006 several cybersquatters displayed content from and links back to askaquestion.ab.ca Is that GOOD thing or a BAD thing?

17. Student Sent a Prank Overdue Notice First overdue notice: According to our records, the following library material is overdue. Please renew or return as fines may be accruing. Currently you owe $542.53. If you do not pay by 10/10/2008, your University degree will be immediately revoked. If you wish to renew, you may do so using this link to My Account at http://catalogue.library.ca/myaccount/ Contact the circulation desk at the above library if you have any questions. Thank you. 1 call number:Z 699 A1 A61 v.39 2005 ID:0162022610438 $30.00 Annual review of information science and technology. [Washington, etc.] American Society for Information Science [etc.] due:8/31/2008,23:59 2 call number:Z 699 A1 A61 v.40 2006 ID:0162022610487 $21.00 Annual review of information science and technology. [Washington, etc.] American Society for Information Science [etc.] due:8/31/2008,23:59 ....

18. Library Patron Records Exposed

19. Libraries are Attractive Targets • Lots of Bandwidth • + • Lots of Users • + • Open Networks • + • Weak I.T. Practices

20. Turkish Defacers Attack Museum Greeting Cards

21. Wordpress Spam Link Injection

22. Library GIS Station Hacked

23. Hacked to Serve Illicit French Movies ? An unpatched server was compromised and used to distributed 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.

24. French Puppet Videos! The server was distributing 20 GB of French Puppet Videos. The cleanup time was 7 hours. If they had just asked we would have probably found someone to host the videos for them!

25. Trends in CybercrimeWill Affect Libraries • Every factor already mentioned • + • Hacker's desire to makemoney

26. Hackers are motivated by Money • Defacement • Propaganda • Bragging Rights • Reputation Hijacking • Ad Revenue Stealing Sensitive Info • Ransom • Direct Financial Gain • Information Leaks • Enable other Attacks Types of Cyberattacks by Volume Shezaf (2008)

27. Library Phonelines Hacked

28. Phishing & Spear-phishing From: anitajohnsonrosjn@gmail.com To: <undisclosed recipients> Subject: (TRANSFER CONTACT) My Dear, It`s me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly. What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country. The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges. Please kindly contact the bank on Tel: +13-162-651-1808 /Fax: +31-847-301-282. OR via E-MAIL: snsregiobktransfers.unit1@hotmail.com with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work. Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by email as I don't want my relation or anybody to know because they are always around me. Yours Faithfully, Mrs. Anita Johnson Ross

29. DNS Poisoning The cyberbrowse owner gets paid $$$ when people view or click on ads. We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website

30. How DNS Works Get the webpage from 64.4.33.7 6 Your PC www.hotmail.com 64.4.33.7 What is the IP for www.hotmail.com? 1 The IP for hotmail.com is 64.4.33.7 5 Remember hotmail.com Is 64.4.33.7 DNS Cache Your DNS Server 4 What is the IP for www.hotmail.com? The IP is 64.4.33.7 3 2 Hotmail's DNS Server

31. How DNS Poisoning Works Get the webpage from 69.93.150.59 5 www.hotmail.com 64.4.33.7 Your PC What is the IP for www.hotmail.com? 3 cyberbrowse.com 69.93.150.59 The IP for hotmail.com is 69.93.150.59 4 Remember hotmail.com Is 69.93.150.59 DNS Cache Your DNS Server 2 The IP for www.hotmail.com Is 69.93.150.59!!! 1 Hostile DNS Server Hotmail's DNS Server

32. Cyberbrowse attack was widespread In 2003, others suffered from the cyberbrowse DNS Poisoning Many mistook the attack for a problem with their own computers I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.

33. The Crimeware Supply Chain How SPAM Makes Money Viruses create botnets (networks of thousands of slave computers) Botnet owners pay to have viruses distributed Spammers pay botnet owners to send spam But spamming requires accounts, which are protected by CAPTCHAs Botnet owners pay CAPTCH breakers How Credit Card Theives Work Viruses steal credit card and identity info Card information is sold to others Carders use stolen cards to purchase items Remailers ensure shipped items can be obtain Items may be soldStealing from your Bank Account Banks accounts are broken into “Money Mules” accept payments to their own accounts and then pay the theives

34. Breaking CAPTCHAs Pays This pays about $2/1000 CAPTCHAs broken occording to a presentation at OWASP 3.0 From Dancho Danchev's Blog: http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html

35. Affiliate Marketing Pays for Viruses

36. Cybercrime has grown to includecomplete supply chain management

37. Questions? email me: michael@winterstorm.ca Slides: http://winterstorm.ca/download/

38. No virus news is NOT good news Problems Old anti-virus programs cannot detect the latest types of viruses Viruses released today cannot be detected until tomorrow Viruses come in clusters: you might only detect on when you are infected with 5 No anti-virus program can detect all viruses “Solutions” Update your anti-virus software, not just the definitions Peform a full-antivirus scan every few days Completely reformat any computer on which a virus is detected Scan with several different online scanners (f-secure, trend at home, stinger).

39. Questions Asked 2008-10-23 Questions: What are the top 3 things we can do today to secure our networks Answers: 1) Keep your anti-virus up-to-date (both definitions & software) and do nightly or weekly scans (see next slide) Use “separation of concerns” in your network: separate (physically or virtually) those things that do not need to access each other. Use different passwords for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect. Automated Monitoring (I failed to give this as an example, but it my biggest ally). This means a lot of things from testing if servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomolies are a very strong way to determine if you have a security issue