It’s just one weekend, dirt cheap, and going to be loads of fun. It’s in Edmonton at the School of Library and Information Studies (University of Alberta).

Taught by Lisa Yeo, formerly of The Alberta Library, now a Ph.D. student, and author of “Personal Firewalls for Administrators and Remote Users” (and very cool person). The bonus is that yours-truely, Cloned Milkmen, will be giving demonstrations. RFID hacking, barcode hacking, wifi man-in-the-middle, and more.

Here’s an excerpt:

To introduce students to the theory and practice of information security – the protection of information and information systems. The course will focus on foundational concepts, assessment and evaluation of information security practices in the library and information studies context.

On October 23, 2008 I gave a talk at Netspeed 2008 titled Hackers in the Library. The talk was designed to build awareness regarding information security threats in libraries and to dispel the myth that “nobody would want to hack a library.”

In this presentation I tell many stories of actual security incidents that I have encountered in various libraries and punctuate these stories with reports from the media of similar events in libraries around the world.

The slides for the presentation are now available for download in MS Powerpoint (PPT) format. The slides include embedded notes covering the content of my speech and additional commentary and links. I have also included some questions and answers that have come up after the talk.

I believe many sysadmins overlook database security believing that “no one knows its there so how could be attacked?” It’s a foolish notion. I think other admins believe that database servers are no vulnerable to attack in the same way that other services are. We hear about worms and trojans targeting desktop users, IM clients, and web applications, but less often we hear about buffer overflows in server applications. However, vulnerabilities in RDBMS services do occur, and often enough to make you worry. Remote code execution is a potential problem for any services that you can connect to directly.

Even if your database server is patched-up you have to worry about accounts on the database server. Do all your database users accounts have passwords? I have seen poor password selection on database accounts far too often. It makes my skin crawl actually. It’s hard to explain to programmers sometimes why password choice is important or sometimes even why passwords are necessary at all.

Many people believe that database servers are “behind the scenes” and inaccessible to Internet. Litchfield’s survey demonstrates how often that assumption is wrong.

Defense-in-depth applies to database security as much as any other network service:

• You need a firewall configured to deny access to your database server except to the few people that really need to connect.
• Ever account on your database should have a non-empty password and it should be a strong password.
• Accounts should have limited access to database. Read-only access should be your default. No account should have access to all your database unless necassary.
• You should monitor database access. Do you have logs showing which users logged in and when and from where?
• When put together, “limiting account access” and “monitoring” mean you should be able to tell who accessed which database from what application. Each web application should use a different account to access your databases (at the very minimum).
• Finally, you should have a process for auditing data integrity. Would you be able to tell if data in a database had been inserted or if data was invalid or inconsistent?

Don’t confuse that vulnerability with another new one that affects Unix only and also affects Thunderbird.

If you are running Firefox, Mozilla, or Thunderbird on Unix (Linux, OpenBSD, MacOS-X, Solaris) you need to upgrade now. According to The SANS Institute, “This vulnerability in Mozilla/FireFox browsers and Thunderbird email client can be exploited to execute arbitrary commands on UNIX systems.” More information is available at SecurityFocus.

Go to http://www.mozilla.org/ for information on how to download the latest versions.

Knoppix is a bootable linux distribution that comes with Clam Anti-virus and support the downloading of anti-virus definitions to a ramdisk. Thus, you can boot from the CDROM which has a complete read-only operating system installed already and then run the included virus-scanner which will get the latest virus updates over the net. This provides you with a safe and easy method to initially respond to suspected infections.

Knoppix can be obtained by direct download from a number of mirror sites or via BitTorrent.

Prior to WPA2 there were WEP and WPA. WEP has many known weaknesses. WPA is improved but it is widely reported that WPA is only secure “if you do it right.” WPA2 is the latest standard and offers improvements over WPA that make it easier to “get it right.”

WPA2 support is available under Windows XP but only if you download an install special software from Microsoft. Microsoft Support has an article that explains the process. You will need to prove that your version of Windows XP is “genuine” before you are allowed to download the WPA2 software. And how do you prove that? You need the Microsoft Genuine Advantage thingy that they recently started forcing users to install in order to get updates.

When I tried to the download the WPA2 software I was asked to copy a code from a windows dialog box into the download page. It was not at all clear what that code meant or what generated it. The bizarre public-relations-speak wording on the download page made me guess that it had something to do with the recent “windows genuine advantage” campaign and the activex control that all Microsoft customers must have in order to get software updates.

After copying the code, I was able to download the WPA2 software and install it. The install went smoothly and after a reboot I was able to switch my laptop and Linksys WRT54G wireless access point over to using WPA2.

One question that comes to mind is: why isn’t the WPA2 software available through windows/microsoft update?! The genuine advantage software seems like a genuine disadvantage if I am going to be required to manually download all software updates myself.

One final note, beyond implementing WPA2 there are others steps you can take. You can enable MAC address filtering, disable SSID broadcasting, change your pre-shared key often, and run an encrypted VPN over your encrypted wireless connection.

The new version can be downloaded from http://www.snort.org/dl/current/snort-2.4.1.tar.gz

The most recently vulnerabilities (idefense IDs: 304, 305, 306, 307, 308) are fairly scary. A remote attacker could overwrite your firmware, change your firewall configuration, download your configuration info without logging in, and a few other slightly less nasty things.

More information is available at the Linksys Info site (not an official Linksys website).

Just last week I noticed that my access point had mysteriously been reconfigured back to factory defaults. The date of the 4.20.7 firmware is the middle of August. That means that these problems have been known for a while. That makes me seriously worry that my firewall might have been compromised. However, I could find no other sign of compromise and there was no unusual activity on my router (of course a fake firmware could disable the blinking lights so I wouldn’t notice).

Note that the WRT54G is actually running the Linux operating system and that linksys has publicly released their source code (as is required by software license). The bug that allows an attacker to overwrite your firmware means that an attacker could build his own customized version of the linksys firmware from source, and then upload it to your router. You would be none the wiser, but the attacker could “own” your network. He could turn your firewall into zombie computer used to attack other networks; he could steal your passwords; he could see all the files on your shared folders; he could attack your LAN that you thought was safely behind your firewall.

Some advice that you should follow after updating the firmware on your linksys device:

• Disable remote admin of the linksys device
• Disable remote admin via wireless
• Change your firewall password
• Make sure you use WPA or WPA2 with TKIP or AES for wireless encryption
• Disable wireless SSID broadcasting (not really helpful, but it is something
• Use wireless MAC address filtering. Permit only those MACs you know.
• Disable Universal Plug and Play (uPnP) unless you are using it.
• Disable SES: SecureEZSetup.