Library-related Information Security Workshop this Spring

Go sign up now for this Information Security course:
http://www.slis.ualberta.ca/springsummer2010workshops.cfm.

It’s just one weekend, dirt cheap, and going to be loads of fun. It’s in Edmonton at the School of Library and Information Studies (University of Alberta).

Taught by Lisa Yeo, formerly of The Alberta Library, now a Ph.D. student, and author of “Personal Firewalls for Administrators and Remote Users” (and very cool person). The bonus is that yours truly, Cloned Milkmen, will be giving demonstrations: RFID hacking, barcode hacking, wifi man-in-the-middle, and more.

Here’s an excerpt:

To introduce students to the theory and practice of information security – the protection of information and information systems. The course will focus on foundational concepts, assessment and evaluation of information security practices in the library and information studies context.

3 Resources Every IT Manager Should Read

IT Managers have a hard job. A significant challenge is obtaining good information to guide their management practices. While many established professions have literature to help with this, IT’s professional literature is just emerging. Here are three resources that can help:

The Practice of System and Network Administration (2nd Ed.) by Limoncelli, Hogan, and Chalup.

Go buy this now. Seriously. Buy a copy for yourself and your favourite sysadmin. While you’re at it, buy Limoncelli’s book “Time Management for Systems Administrators”. If you don’t buy this book and read it, you’re throwing away money. You are probably also losing good people and opportunities as well.
Proceedings of CHIMIT: Symposium on Computer-Human Interaction for Management of Information Technology

The papers from this conference are publicly available. Each year, this conference includes coverage of “Field Studies” where researchers observe and study systems administrators and how they work. What makes sysadmins tick? What difficulties do they encounter when they do their jobs? What contributes to their successes and failures? How do they work together? What can lower the number of mistakes made by sysadmins? The conference also covers how interfaces can be designed to support the work of systems administrators.
Proceedings of the ACM SIGMIS CPR Conference on Computer Personnel Research

This is available from the ACM Digital Library. Members can get access fairly cheaply, or your local library may have access for free. This is a conference that disseminates research about IT professionals (“Computer Personnel Research”). What motivates career decisions and satisfaction in IT? How are IT goals established and achieved? How do you manage IT groups and projects? What makes users accept or resist IT change? How do IT operations generate value? What is the impact of IT skill development? The papers cover a wide variety of topics, and the scope ranges from small to global, with international coverage.

Hackers in the Library

Title slide from Hackers in the Library presentation

On October 23, 2008 I gave a talk at Netspeed 2008 titled Hackers in the Library. The talk was designed to build awareness regarding information security threats in libraries and to dispel the myth that “nobody would want to hack a library.”

In this presentation I tell many stories of actual security incidents that I have encountered in various libraries and punctuate these stories with reports from the media of similar events in libraries around the world.

The slides for the presentation are now available for download in MS Powerpoint (PPT) format. The slides include embedded notes covering the content of my speech and additional commentary and links. I have also included some questions and answers that have come up after the talk.

Is your database protected by a firewall? Research says too many are not.

On Monday, November 19, 2007, David Litchfield will be releasing the Database Exposure Survey for 2007 on his databasesecurity.com website. According to CIO.com, Litchfield estimates that there are roughly 500,000 database servers on the Internet that are openly accessible (with no firewall protection).

I believe many sysadmins overlook database security, believing that “no one knows it’s there, so how could it be attacked?” It’s a foolish notion. I think other admins believe that database servers are not vulnerable to attack in the same way that other services are. We hear about worms and trojans targeting desktop users, IM clients, and web applications, but less often do we hear about buffer overflows in server applications. However, vulnerabilities in RDBMS services do occur, and often enough to make you worry. Remote code execution is a potential problem for any service that you can connect to directly.

Even if your database server is patched up, you have to worry about the accounts on the database server. Do all your database user accounts have passwords? I have seen poor password selection on database accounts far too often. It makes my skin crawl, actually. It’s hard to explain to programmers sometimes why password choice is important, or sometimes even why passwords are necessary at all.

Many people believe that database servers are “behind the scenes” and inaccessible from the Internet. Litchfield’s survey demonstrates how often that assumption is wrong.

Defense-in-depth applies to database security as much as any other network service:

  • You need a firewall configured to deny access to your database server except to the few people that really need to connect.
  • Every account on your database should have a non-empty password, and it should be a strong password.
  • Accounts should have limited access to databases. Read-only access should be your default. No account should have access to all your databases unless necessary.
  • You should monitor database access. Do you have logs showing which users logged in, when, and from where?
  • When put together, “limiting account access” and “monitoring” mean you should be able to tell who accessed which database from what application. Each web application should use a different account to access your databases (at the very minimum).
  • Finally, you should have a process for auditing data integrity. Would you be able to tell if data in a database had been inserted, or if data was invalid or inconsistent?
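As an added example (not part of the original post), here is a small Python script that turns the “monitoring” and “one account per application” bullets into a concrete check: it parses connection log lines, summarizes who reached which database from where, and flags any login outside a per-account allowlist. The log format, account names and addresses are constructed for the example; the key=value layout resembles what PostgreSQL writes with log_connections on and a log_line_prefix carrying user, database and remote host, but it is not a verbatim copy of any real server’s output.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
2007-11-19 09:58:12 user=webapp database=catalog host=10.0.5.12 LOG: connection authorized
2007-11-19 10:02:41 user=webapp database=catalog host=10.0.5.12 LOG: connection authorized
2007-11-19 10:05:03 user=reports database=catalog host=10.0.5.20 LOG: connection authorized
2007-11-19 11:17:55 user=webapp database=patrons host=10.0.5.12 LOG: connection authorized
2007-11-19 22:30:18 user=reports database=catalog host=198.51.100.77 LOG: connection authorized
2007-11-19 23:41:09 user=sa database=patrons host=198.51.100.77 LOG: connection authorized
"""

# Access policy (hypothetical values): each application account may reach
# one database, and only from the host(s) where that application runs.
ALLOWED = {
    ("webapp", "catalog"): {"10.0.5.12"},
    ("reports", "catalog"): {"10.0.5.20"},
}

LINE_RE = re.compile(r"user=(\S+) database=(\S+) host=(\S+) LOG: connection authorized")

def parse_connections(log_text):
    """Return (user, database, host) for every authorized connection in the log."""
    return [m.groups() for m in LINE_RE.finditer(log_text)]

def summarize(connections):
    """Count logins per (user, database, host): who accessed what, from where."""
    return Counter(connections)

def find_violations(connections, allowed):
    """Flag logins the policy does not permit, distinguishing two failure modes:
    a known account used outside its allowed database/host, and an account the
    policy does not know at all (e.g. a stray administrative login)."""
    violations = []
    for user, db, host in connections:
        hosts = allowed.get((user, db))
        if hosts is None:
            violations.append((user, db, host, "no policy entry for this account/database"))
        elif host not in hosts:
            violations.append((user, db, host, "unexpected client host"))
    return violations

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for (user, db, host), n in summarize(conns).items():
        print(f"{user}@{db} from {host}: {n} login(s)")
    for v in find_violations(conns, ALLOWED):
        print("ALERT:", v)
```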

Uncovering the Secret Antenna Connector on the Linksys WRT54GC Portable Wifi Router

Nearly a year ago I bought a portable wifi router to take with me when I go to conferences etc. When I am in a hotel or at a friend’s house, it is very handy to use secure wifi instead of having to drag around a long ethernet cable to connect my laptop to the Internet. I bought a little Linksys WRT54GC “Compact Wireless-G Broadband Router” for that purpose.

WRT54GC bottom view revealing hidden antenna

I was disappointed when I could find no place to attach an external antenna. I have a couple of 7 dB antennas and a directional antenna that I can use to boost the range of wifi, but I couldn’t find any place to plug them in. Well, this morning I was staring at my WRT54GC and noticed a weird plastic thing that looked out of place. After a few minutes of picking at it, I discovered a secret antenna socket underneath!

If you are looking at the lights on the front of the WRT54GC and holding it horizontally (laying it flat), the plastic cover for the antenna connector is on the right-hand side. If you pry up on the rounded edge of that plastic cover, it will open like a door, and reveal a connector that will pop out. It is a mini-BNC style connector.

Now you can attach the antenna of your choice!

I have posted a complete set of photos on flickr showing in more detail how to reveal the hidden antenna connector.

In my mind this makes the WRT54GC twice as valuable as I thought it was. It was a good value for a good price, but now that I know I can put an antenna on it… it’s an absolute bargain!