IT Security For Librarians
Blake Carver, LYRASIS Systems Administrator
Week One: Intro
• Who and How and What
• Privacy & Security in general
• Why this is all important
• 5 Basic Things
Week Two: Outrunning The Bear
• Privacy
• Passwords
• Securing Devices
• Web Browsers
• Email
• Staying Safe On-line (General Tips)
Week Three: Outrunning The Bear @ Your Library
• Training: Thinking & Behavior
• Threat modeling
• Hardware and networks
Week Four: Websites & Everything Else!
• Web Servers and Networks
• Backups
• Drupal and Wordpress and Joomla
• Servers in general
Everything You Need To Know
• Use Good Passwords
• Stay Paranoid & Vigilant
• Use Routine Backups
• Keep Everything Patched / Updated
• Think Before You Share Or Connect
Intro
Other Things
• Install Updates NOW
• Passwords are Key
• ALL Software Has Flaws
• Security Is Complicated
• Everyone Plays A Part
Common Security Myths
• You have nothing worth stealing
• Patches and updates make things worse and break them
• You can look at a web site and know it's safe
• No one will guess this password
• Social Media Sites Are Safe
• I'm safe! I use Anti-virus / firewall
• There's only malware on Desktops, not phones
• If I'm compromised I will know it
• I'm too smart to get infected
Common Security Excuses
• But nobody would do that [Exploit Method/Thing]
• I can't remember all these passwords.
• Firewalls / AV / Security just gets in the way
• They won't be able to see that; it's hidden.
• It's safe because you have to log in first.
So What Are We Talking About?
The Way Things Are vs. The Way Things Oughtta Be
But the state argued that because cell phones constantly reveal their locations to carriers by pinging nearby cell towers, Andrews “voluntarily shared this information with third parties,” including the police, merely by keeping his phone on.
In other words, if you don't shut off your phone, you're asking to be tracked.
“While cell phones are ubiquitous, they all come with 'off' switches,” the state responded in the brief. “Because Andrews chose to keep his cell phone on, he was voluntarily sharing the location of his cell phone with third parties.”
“The government has indeed repeatedly argued that there is no [reasonable expectation of privacy] in cell phone location information, in court and out,” Nathan Wessler, a staff attorney with the ACLU's speech, privacy and technology project, told Motherboard in an email. “In cases involving historical cell site location information, the government has danced around this argument, arguing that phone users give up their expectation of privacy in their location information merely by making and receiving calls.”
State of MD vs. Kerron Andrews
If vs. When
Some things are IFs, some things are WHENs
Perhaps things are Likely and Possible
Bad Guys? Hackers? Crackers? Criminals?
Security
Cyber Security? IT Security? Safety? Information Security?
Information Literacy? The Digital Divide?
“Security is two different things: It's a feeling & It's a reality.”
Bruce Schneier – TEDxPSU
Security isn’t either/or
Privacy
Cyber Privacy? IT Privacy? Online Privacy?
Information Literacy? The Digital Divide?
What will be the consequences of participation in this data set?
https://github.com/frankmcsherry/blog/blob/master/posts/2016-02-06.md
Are we helping people avoid being added to more and more datasets?
Are we increasing their digital footprints?
Security & Privacy are getting better, but they're getting worse faster
Why does this keep happening?
The Internet was built for openness and speed
More Things Online – More Targets
Old, out-of-date systems and budget shortfalls
New poorly designed systems
Surveillance is the business of the Internet
Why?
Professionals
And Everyone Else
Good Guys
Bad Guys
Skill / Focus / Tools / Time
Training
Not much of this crime is new
Automation / Distance / "Technique Propagation"
(“Only the first attacker has to be skilled; everyone else can use his software.”)
The technology of the internet makes the bad guys vastly more efficient.
It's Safe Behind The Keyboard
Hacking is a really safe crime, comparatively, next to other real-life crime.
Where Are They Working?
• Social Networks
• Search Engines
• Advertising
• Email
• Web Sites
• Web Servers
• Home Computers
• Mobile Devices
This is the work of a rogue industry, not a roguish teenager
*Thanks to Brian Krebs for sharing screenshots: krebsonsecurity.com
And to Dr. Mark Vriesenga, BAE Systems
Examples
What Are They After?
• PINs
• Passwords
• Credit Cards
• Bank Accounts
• Usernames
• Contact Lists
• Emails
• Phone Numbers
• Your Hardware...
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/?utm_source=feedburn
Personal information is the currency of the underground economy
Personal information is the currency of the entire Internet economy
What's It Worth?
Credit Cards: $5-$30
• Basic or “Random”: $5-$8
• With Bank ID#: $15
• With Date of Birth: $15
• With Fullzinfo: $30
Payment service accounts: $20-$300
• Accounts containing from US$400 to $1,000: between $20 and $50
• Accounts containing from $5,000 to $8,000: $200 to $300
Bank login credentials: $190-$500
• A $2,200 balance account selling for $190
• $500 for a $6,000 account balance
• $1,200 for a $20,000 account balance
Online premium content services: $0.55-$15
• Online video streaming: $0.25 to $1
• Premium cable channel streaming services: $7.50
• Premium comic book services: $0.55
• Professional sports streaming: $15
Loyalty, community accounts: $20-$1,400
• A major hotel brand loyalty account with 100,000 points for sale for $20
• An online auction community account with high reputation marks priced at $1,400
"The Hidden Data Economy" study by McAfee, October 2015
http://www.symantec.com/connect/blogs/netflix-malware-and-phishing-campaigns-help-build-emerging-black-market
The Era Of Steal Everything
Everything has some value
Against a sufficiently motivated and equipped adversary, no device is impenetrable.
There is no such thing as a secure computer
We are making things safER
"None of this is about being 'unhackable'; it's about making the difficulty of doing so not worth the effort."
https://www.teachprivacy.com/the-health-data-breach-and-id-theft-epidemic/
Think Different…
Have A Hacker Mindset
Have A Security Mindset
http://www.pewinternet.org/files/2015/09/2015-09-15_libraries_FINAL.pdf
Offer Training At Your Library
Everything You Need To Know
Use Great Passwords
• Strong (Long, Complex)
• Unique
Stay Paranoid & Vigilant
• Never Trust Anything or Anyone
• Always Double Check
Everything You Need To Know
Use Great Passwords
• Strong (Long, Complex)
• Unique
Stay Paranoid & Vigilant
• Never Trust Anything or Anyone
• Always Double Check
Think Before You Click
Use Routine Backups
Keep Everything Patched / Updated
Think Before You Share
Avoid The Worstest Things
• Moving Slow on updates
• Thoughtlessness: Surfing/Clicking/Following/Sharing
• Over Sharing
• Reusing Weak Passwords
• Not Backing Up
• Thinking It Can't Happen To You
Week One: Intro
• Who and How and What
• Privacy & Security in general
• Why this is all important
• 5 Basic Things
Week Two: Outrunning The Bear
• Passwords
• Securing Devices
• Browsers & Tor
• Email
• Staying Safe On-line (General Tips)
Week Three: Outrunning The Bear @ Your Library
• Training: Thinking & Behavior
• Threat modeling
• Hardware and networks
Week Four: Websites & Everything Else
• Web Servers and Networks
• Backups
• Drupal and Wordpress and Joomla
• Servers in general
IT Security For Librarians
Blake Carver, LYRASIS Systems Administrator