Hackers in the Library

Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

Michael McDonnell
GIAC Certified Intrusion Analyst
michael@winterstorm.ca
Library Website Shutdown by Hacker
ILS Server Hacked
This isn't exactly true: Unix isn't any more or less "hacker friendly" than any other OS (not at this level of discussion). Beware: this opinion is expressed in the L.I.S. literature but contradicted in the I.T. literature. Don't play the blame game; come up with a defense-in-depth strategy instead.
Library Phonelines Hacked
Even Library of Congress was Hacked
And More...
Many Library Hacks: Old & New
This talk covers 3 kinds of library cybersecurity case study:
1. Libraries as unique targets
2. Libraries as attractive targets
3. Trends in cybercrime
Libraries fit into the 2nd Most Hacked Organization Type (chart: Shezaf 2008)
Libraries can be Unique Targets
Public Access Computers + Lots of Users + Private Records for Large Populations + Lots of Bandwidth + Access to Valuable Licensed Information
PAC Desktop Wallpaper Defacement
A politically motivated defacement of PAC station desktop wallpaper. The regular wallpaper was used to provide instructions for use of the PAC and was "locked down".
Helpful HOWTO on Library Hacking
Ezproxy Password "Fans"
Academics and Doctors Dedicated to Hacking Library Proxy Servers
Forums show why libraries are being targeted
Typosquatting Virtual Reference
Typosquatters have websites with popular misspellings for names. In 2006 several cybersquatters displayed content from, and links back to, askaquestion.ab.ca. Is that a GOOD thing or a BAD thing?
Student Sent a Prank Overdue Notice
First overdue notice:

According to our records, the following library material is overdue. Please renew or return as fines may be accruing. Currently you owe $542.53. If you do not pay by 10/10/2008, your University degree will be immediately revoked.

If you wish to renew, you may do so using this link to My Account at http://catalogue.library.ca/myaccount/

Contact the circulation desk at the above library if you have any questions.
Thank you.

1 call number: Z 699 A1 A61 v.39 2005
  ID: 0162022610438
  Annual review of information science and technology. [Washington, etc.] American Society for Information Science [etc.]
  due: 8/31/2008, 23:59
  $30.00
2 call number: Z 699 A1 A61 v.40 2006
  ID: 0162022610487
  Annual review of information science and technology. [Washington, etc.] American Society for Information Science [etc.]
  due: 8/31/2008, 23:59
  $21.00
....
Library Patron Records Exposed
Libraries are Attractive Targets
Lots of Bandwidth + Lots of Users + Open Networks + Weak I.T. Practices
Turkish Defacers Attack
Museum Greeting Cards
Wordpress Spam Link Injection
Library GIS Station Hacked
Hacked to Serve Illicit French Movies
An unpatched server was compromised and used to distribute 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.
French Puppet Videos!
The server was distributing 20 GB of French Puppet Videos. The cleanup time was 7 hours. If they had just asked we would have probably found someone to host the videos for them!
Trends in Cybercrime Will Affect Libraries
Every factor already mentioned + Hacker's desire to make money
Hackers are motivated by Money
Defacement
– Propaganda
– Bragging Rights
– Reputation Hijacking
– Ad Revenue
Stealing Sensitive Info
– Ransom
– Direct Financial Gain
– Information Leaks
– Enable other Attacks
Chart: Types of Cyberattacks by Volume (Shezaf 2008)
Library Phonelines Hacked
Phishing & Spear-phishing
From: anitajohnsonrosjn@gmail.com
To: <undisclosed recipients>
Subject: (TRANSFER CONTACT)

My Dear,

It`s me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly.

What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country.

The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges.

Please kindly contact the bank on Tel: +13-162-651-1808 /Fax: +31-847-301-282. OR via E-MAIL: snsregiobktransfers.unit1@hotmail.com with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work.

Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by email as I don't want my relation or anybody to know because they are always around me.

Yours Faithfully,
Mrs. Anita Johnson Ross
DNS Poisoning
The cyberbrowse owner gets paid $$$ when people view or click on ads. We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website.
How DNS Works
(Diagram, reconstructed as numbered steps)
1. Your PC asks Your DNS Server: "What is the IP for www.hotmail.com?"
2. Your DNS Server asks Hotmail's DNS Server: "What is the IP for www.hotmail.com?"
3. Hotmail's DNS Server answers: "The IP is 64.4.33.7"
4. Your DNS Server writes to its DNS Cache: "Remember hotmail.com is 64.4.33.7"
5. Your DNS Server tells Your PC: "The IP for hotmail.com is 64.4.33.7"
6. Your PC: "Get the webpage from 64.4.33.7" (www.hotmail.com, 64.4.33.7)
How DNS Poisoning Works
(Diagram, reconstructed as numbered steps)
1. Hostile DNS Server (cyberbrowse.com, 69.93.150.59) tells Your DNS Server: "The IP for www.hotmail.com is 69.93.150.59!!!"
2. Your DNS Server writes to its DNS Cache: "Remember hotmail.com is 69.93.150.59"
3. Your PC asks Your DNS Server: "What is the IP for www.hotmail.com?"
4. Your DNS Server answers from its cache: "The IP for hotmail.com is 69.93.150.59" (Hotmail's DNS Server is never asked)
5. Your PC: "Get the webpage from 69.93.150.59" (instead of www.hotmail.com at 64.4.33.7)
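The two diagrams above differ only in what "Your DNS Server" is willing to put in its cache. The following simulation is an added example, not code from the slides or from any real resolver: it replays the poisoning sequence against a naive resolver that caches whatever it hears, and against a strict one that only caches an answer matching a query it actually sent (same transaction ID, same question name, from the server it asked). The IP values are the slides' illustration values; the server labels ns.hotmail.example and hostile.example and the class and function names are constructed for this example.

```python
"""Simulated caching resolver, with and without answer validation (added example)."""
import random
from dataclasses import dataclass

HOTMAIL_IP = "64.4.33.7"            # values from the slides
CYBERBROWSE_IP = "69.93.150.59"
HOTMAIL_NS = "ns.hotmail.example"   # constructed label for Hotmail's DNS server
HOSTILE_NS = "hostile.example"      # constructed label for the hostile DNS server


@dataclass(frozen=True)
class Query:
    txid: int
    qname: str
    sent_to: str        # server the resolver asked


@dataclass(frozen=True)
class Answer:
    txid: int
    qname: str
    ip: str
    sent_from: str      # server the response arrived from


class Resolver:
    """'Your DNS Server' from the diagrams; strict=False caches anything it hears."""

    def __init__(self, strict, upstream):
        self.strict = strict
        self.upstream = upstream
        self.cache = {}     # qname -> ip  (the "DNS Cache" box)
        self.pending = {}   # txid -> Query still waiting for an answer

    def lookup(self, qname):
        """Return a cached IP, or the Query the caller must forward upstream."""
        if qname in self.cache:
            return self.cache[qname]
        q = Query(random.randrange(1 << 16), qname, self.upstream)
        self.pending[q.txid] = q
        return q

    def receive(self, ans):
        """Decide whether an incoming answer is remembered in the cache."""
        if self.strict:
            q = self.pending.get(ans.txid)
            if q is None:
                return "dropped: no outstanding query with this transaction ID"
            if q.qname != ans.qname or q.sent_to != ans.sent_from:
                return "dropped: answer does not match the question we sent"
        self.pending.pop(ans.txid, None)
        self.cache[ans.qname] = ans.ip
        return "cached"


def run_scenario(strict):
    """Replay 'How DNS Poisoning Works' and return the IP the PC ends up using."""
    resolver = Resolver(strict, upstream=HOTMAIL_NS)
    # Step 1: an answer nobody asked for arrives from the hostile server.
    unsolicited = Answer(12345, "www.hotmail.com", CYBERBROWSE_IP, HOSTILE_NS)
    resolver.receive(unsolicited)
    # Step 3: the PC asks. A poisoned cache answers without ever asking Hotmail.
    result = resolver.lookup("www.hotmail.com")
    if isinstance(result, Query):
        # Nothing cached, so the question goes to Hotmail and the real answer is cached.
        real = Answer(result.txid, result.qname, HOTMAIL_IP, HOTMAIL_NS)
        resolver.receive(real)
        result = resolver.lookup("www.hotmail.com")
    return result


if __name__ == "__main__":
    print("naive resolver sends the PC to", run_scenario(strict=False))
    print("strict resolver sends the PC to", run_scenario(strict=True))
```

The strict checks are the minimum a resolver must do, and they are enough against the unsolicited-answer case the slides describe. Production resolvers also randomize the UDP source port per query and validate DNSSEC signatures, because an attacker who spoofs the source address and guesses the transaction ID would pass the checks above.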
Cyberbrowse attack was widespread
In 2003, others suffered from the cyberbrowse DNS Poisoning. Many mistook the attack for a problem with their own computers. I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.
The Crimeware Supply Chain
How SPAM Makes Money
• Viruses create botnets (networks of thousands of slave computers)
• Botnet owners pay to have viruses distributed
• Spammers pay botnet owners to send spam
• But spamming requires accounts, which are protected by CAPTCHAs
• Botnet owners pay CAPTCHA breakers

How Credit Card Thieves Work
• Viruses steal credit card and identity info
• Card information is sold to others
• Carders use stolen cards to purchase items
• Remailers ensure shipped items can be obtained
• Items may be sold

Stealing from your Bank Account
• Bank accounts are broken into
• "Money Mules" accept payments to their own accounts and then pay the thieves
Breaking CAPTCHAs Pays
This pays about $2 per 1000 CAPTCHAs broken, according to a presentation at OWASP 3.0.
From Dancho Danchev's Blog: http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html
Affiliate Marketing Pays for Viruses
Cybercrime has grown to include complete supply chain management.
Questions?
email me:
michael@winterstorm.ca
Slides:
http://winterstorm.ca/download/
No virus news is NOT good news
Problems
• Old anti-virus programs cannot detect the latest types of viruses
• Viruses released today cannot be detected until tomorrow
• Viruses come in clusters: you might only detect one when you are infected with 5
• No anti-virus program can detect all viruses

"Solutions"
• Update your anti-virus software, not just the definitions
• Perform a full anti-virus scan every few days
• Completely reformat any computer on which a virus is detected
• Scan with several different online scanners (f-secure, trend at home, stinger).
Questions Asked 2008-10-23
Question: What are the top 3 things we can do today to secure our networks?

Answers:
1) Keep your anti-virus up-to-date (both definitions & software) and do nightly or weekly scans (see next slide).
2) Use "separation of concerns" in your network: separate (physically or virtually) those things that do not need to access each other. Use different passwords for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect.
3) Automated monitoring (I failed to give this as an example, but it is my biggest ally). This means a lot of things, from testing if servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomalies are a very strong way to determine if you have a security issue.
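Answer 3 is the kind of check that would have caught the "20 GB of French puppet videos" server before the upstream provider blocked it. The following is an added example, not code from the slides: it runs a simple anomaly test over constructed daily egress totals for one server, comparing each day with the median and median absolute deviation (MAD) of the preceding week. The median/MAD baseline is used instead of a mean because a single earlier spike does not drag it upward, so the day after the incident still reads as normal. The sample numbers, the 7-day window and the function names are all assumptions made for this example.

```python
"""Bandwidth anomaly check over daily egress totals (added example)."""
from statistics import median

# Constructed sample: 14 ordinary days (about 2 GB/day), one 23 GB day, then normal again.
DAILY_EGRESS_GB = [2.1, 2.4, 1.9, 2.6, 2.2, 2.8, 2.0, 2.5, 2.3, 2.7,
                   1.8, 2.4, 2.2, 2.6, 23.0, 2.3]


def modified_zscores(values, window=7, mad_floor=0.05):
    """Return (index, score) for every point that has `window` earlier points.

    score = 0.6745 * (x - median) / MAD, the Iglewicz-Hoaglin modified z-score,
    computed against the `window` days before x. `mad_floor` keeps a perfectly
    flat history from dividing by zero.
    """
    scores = []
    for i in range(window, len(values)):
        history = values[i - window:i]
        med = median(history)
        mad = max(median([abs(v - med) for v in history]), mad_floor)
        scores.append((i, 0.6745 * (values[i] - med) / mad))
    return scores


def anomalous_days(values, window=7, threshold=3.5):
    """Indices whose |score| exceeds `threshold`; 3.5 is the customary cutoff."""
    return [i for i, z in modified_zscores(values, window) if abs(z) > threshold]


if __name__ == "__main__":
    for day in anomalous_days(DAILY_EGRESS_GB):
        print(f"day {day}: {DAILY_EGRESS_GB[day]} GB egress, investigate this server")
```

The same function applies unchanged to CPU, RAM or connection-count samples; what changes per metric is the window and the threshold, which should be tuned on a few weeks of known-good data before alerts are trusted.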