

Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.
Hackers
in the
Library
Michael McDonnell
GIAC Certified Intrusion Analyst
michael@winterstorm.ca
Library Website Shutdown by Hacker
ILS Server Hacked
This isn't exactly true: Unix isn't any more or less “hacker friendly” than any other OS (not at this level of discussion). Beware: this opinion is expressed in the L.I.S. literature but contradicted in the I.T. literature. Don't play the blame game... come up with a defense-in-depth strategy instead.
Library Phonelines Hacked
Even Library of Congress was Hacked
And More...
Many Library Hacks: Old & New
This talk covers 3 Kinds of
Library Cybersecurity Case Study
1 Libraries as unique targets
2 Libraries as attractive targets
3 Trends in cybercrime
Libraries fit into the 2nd most hacked organization type (Shezaf, 2008)
Libraries can be Unique Targets
Public Access Computers
+
Lots of Users
+
Private Records for Large Populations
+
Lots of Bandwidth
+
Access to Valuable Licensed Information
PAC Desktop Wallpaper Defacement
A politically motivated defacement of PAC station desktop
wallpaper. The regular wallpaper was used to provide
instructions for use of the PAC and was “locked down”.
Helpful HOWTO on Library Hacking
Ezproxy Password “Fans”
Academics and Doctors Dedicated to Hacking Library Proxy Servers
Forums show why libraries are being targeted
Typosquatting Virtual Reference
Typosquatters have websites with popular misspellings of names. In 2006 several cybersquatters displayed content from, and links back to, askaquestion.ab.ca.
Is that a GOOD thing or a BAD thing?
Student Sent a Prank Overdue Notice
First overdue notice:
According to our records, the following library material is overdue. Please
renew or return as fines may be accruing. Currently you owe $542.53. If you
do not pay by 10/10/2008, your University degree will be immediately
revoked.
If you wish to renew, you may do so using this link to My Account at
http://catalogue.library.ca/myaccount/
Contact the circulation desk at the above library if you have any questions.
Thank you.
1 call number:Z 699 A1 A61 v.39 2005 ID:0162022610438 $30.00
Annual review of information science and technology.
[Washington, etc.] American Society for Information Science [etc.]
due:8/31/2008,23:59
2 call number:Z 699 A1 A61 v.40 2006 ID:0162022610487 $21.00
Annual review of information science and technology.
[Washington, etc.] American Society for Information Science [etc.]
due:8/31/2008,23:59
....
Library Patron Records Exposed
Libraries are Attractive Targets
Lots of Bandwidth
+
Lots of Users
+
Open Networks
+
Weak I.T. Practices
Turkish Defacers Attack
Museum Greeting Cards
Wordpress Spam Link Injection
Library GIS Station Hacked
Hacked to Serve Illicit French Movies
?
An unpatched server was compromised and used to distribute 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.
French Puppet Videos!
The server was distributing 20 GB of French Puppet Videos. The
cleanup time was 7 hours. If they had just asked we would have
probably found someone to host the videos for them!
Trends in Cybercrime
Will Affect Libraries
Every factor already mentioned
+
Hackers' desire to make money
Hackers are motivated by Money
Defacement
– Propaganda
– Bragging Rights
– Reputation Hijacking
– Ad Revenue
Stealing Sensitive Info
– Ransom
– Direct Financial Gain
– Information Leaks
– Enable other Attacks
(Chart: Types of Cyberattacks by Volume, Shezaf 2008)
Library Phonelines Hacked
Phishing & Spear-phishing
From: anitajohnsonrosjn@gmail.com
To: <undisclosed recipients>
Subject: (TRANSFER CONTACT)

My Dear,

It`s me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly.

What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country.

The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges.

Please kindly contact the bank on Tel: +13-162-651-1808 /Fax: +31-847-301-282. OR via E-MAIL: snsregiobktransfers.unit1@hotmail.com with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work.

Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by email as I don't want my relation or anybody to know because they are always around me.

Yours Faithfully,
Mrs. Anita Johnson Ross
DNS Poisoning
The cyberbrowse owner gets paid $$$ when people view or click on ads. We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website.
How DNS Works
1 Your PC asks your DNS server: What is the IP for www.hotmail.com?
2 Your DNS server asks Hotmail's DNS server: What is the IP for www.hotmail.com?
3 Hotmail's DNS server answers: The IP is 64.4.33.7
4 Your DNS server remembers (DNS cache): hotmail.com is 64.4.33.7
5 Your DNS server tells your PC: The IP for hotmail.com is 64.4.33.7
6 Your PC gets the webpage from 64.4.33.7
How DNS Poisoning Works
1 A hostile DNS server tells your DNS server: The IP for www.hotmail.com is 69.93.150.59!!! (Hotmail's DNS server, and the real www.hotmail.com at 64.4.33.7, are never consulted)
2 Your DNS server remembers (DNS cache): hotmail.com is 69.93.150.59
3 Your PC asks your DNS server: What is the IP for www.hotmail.com?
4 Your DNS server answers: The IP for hotmail.com is 69.93.150.59
5 Your PC gets the “www.hotmail.com” webpage from 69.93.150.59, which is really cyberbrowse.com
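As an added example that is not part of the talk, here is a toy resolver cache in Python that replays the two diagrams: a naive cache that “remembers” whatever answer arrives (the behaviour the poisoning relies on) beside one that checks the transaction ID, the question and the bailiwick of each record before caching anything. The checks go beyond what the slides describe. The packets, the transaction IDs and the name www.bank.example are constructed for the demo; 64.4.33.7 and 69.93.150.59 are the addresses from the slides.

```python
"""Added example (not from the talk): a toy DNS resolver cache showing how the
forged answer in the poisoning diagram gets in, and which response checks keep
it out. All packets are constructed in memory; nothing touches the network."""
import ipaddress
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name):
    """Encode 'www.hotmail.com' as DNS labels: \\x03www\\x07hotmail\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode uncompressed labels starting at pkt[off]; return (name, new offset)."""
    labels = []
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1


def build_response(txid, qname, answers, ttl=300):
    """Minimal DNS response: one A question plus one A record per (owner, ip).
    Flags 0x8180 = response, recursion desired/available, NOERROR."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for owner, ip in answers:
        rdata = ipaddress.IPv4Address(ip).packed
        pkt += encode_name(owner) + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, len(rdata)) + rdata
    return pkt


def parse_response(pkt):
    """Return (txid, question name, [(owner, ip, ttl), ...]) for the A records."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip qtype and qclass
    answers = []
    for _ in range(an):
        owner, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((owner, str(ipaddress.IPv4Address(rdata)), ttl))
    return txid, qname, answers


class NaiveCache:
    """Step 2 of the poisoning diagram: whatever arrives is 'remembered'."""
    def __init__(self):
        self.store = {}

    def handle_response(self, pkt, pending):
        _txid, _qname, answers = parse_response(pkt)
        for owner, ip, _ttl in answers:
            self.store[owner] = ip
        return True


class CheckedCache:
    """Cache only answers to a query we actually sent (matching transaction ID and
    question) whose records stay inside the queried zone. Real resolvers also match
    source IP/port and randomise TXID and source port; that is outside a
    packet-only simulation."""
    def __init__(self):
        self.store = {}

    def handle_response(self, pkt, pending):
        txid, qname, answers = parse_response(pkt)
        if pending.get(txid) != qname:            # unsolicited, or TXID/question mismatch
            return False
        zone = qname.split(".", 1)[-1]            # 'hotmail.com' for 'www.hotmail.com'
        in_zone = lambda o: o == qname or o == zone or o.endswith("." + zone)
        if any(not in_zone(o) for o, _ip, _ttl in answers):
            return False                          # out-of-bailiwick record: drop whole reply
        for owner, ip, _ttl in answers:
            self.store[owner] = ip
        del pending[txid]
        return True


def run_demo():
    """Replay the diagrams against both caches using constructed packets."""
    qname = "www.hotmail.com"
    real, hostile = "64.4.33.7", "69.93.150.59"    # addresses used on the slides
    legit = build_response(0x1234, qname, [(qname, real)])
    forged = build_response(0x9999, qname, [(qname, hostile)])   # attacker guessed TXID
    smuggled = build_response(0x1234, qname, [(qname, real), ("www.bank.example", hostile)])

    naive = NaiveCache()
    naive.handle_response(forged, {0x1234: qname})

    checked, pending = CheckedCache(), {0x1234: qname}
    r_forged = checked.handle_response(forged, pending)
    r_smuggled = checked.handle_response(smuggled, pending)
    r_legit = checked.handle_response(legit, pending)
    return {
        "naive_answer": naive.store.get(qname),            # poisoned: '69.93.150.59'
        "checked_rejects_forged": r_forged is False,
        "checked_rejects_smuggled": r_smuggled is False,
        "checked_accepts_legit": r_legit is True,
        "checked_answer": checked.store.get(qname),        # '64.4.33.7'
        "smuggled_record_cached": "www.bank.example" in checked.store,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it with `python3` and the naive cache ends up answering 69.93.150.59 for www.hotmail.com, exactly the situation in the diagram, while the checked cache drops the forged reply, drops the reply that tries to smuggle in a record for another domain, and keeps only the legitimate 64.4.33.7.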
Cyberbrowse attack was widespread
In 2003, others suffered from the cyberbrowse DNS poisoning. Many mistook the attack for a problem with their own computers.
I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.
The Crimeware Supply Chain
How SPAM Makes Money
• Viruses create botnets (networks of thousands of slave computers)
• Botnet owners pay to have viruses distributed
• Spammers pay botnet owners to send spam
• But spamming requires accounts, which are protected by CAPTCHAs
• Botnet owners pay CAPTCHA breakers
How Credit Card Thieves Work
• Viruses steal credit card and identity info
• Card information is sold to others
• Carders use stolen cards to purchase items
• Remailers ensure shipped items can be obtained
• Items may be sold
Stealing from your Bank Account
• Bank accounts are broken into
• “Money Mules” accept payments to their own accounts and then pay the thieves
Breaking CAPTCHAs Pays
This pays about $2 per 1000 CAPTCHAs broken, according to a presentation at OWASP 3.0.
From Dancho Danchev's Blog: http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html
Affiliate Marketing Pays for Viruses
Cybercrime has grown to include
complete supply chain management
Questions?
email me:
michael@winterstorm.ca
Slides:
http://winterstorm.ca/download/
No virus news is NOT good news
Problems
• Old anti-virus programs cannot detect the latest types of viruses
• Viruses released today cannot be detected until tomorrow
• Viruses come in clusters: you might only detect one when you are infected with 5
• No anti-virus program can detect all viruses
“Solutions”
• Update your anti-virus software, not just the definitions
• Perform a full anti-virus scan every few days
• Completely reformat any computer on which a virus is detected
• Scan with several different online scanners (f-secure, trend at home, stinger)
Questions Asked 2008-10-23
Question: What are the top 3 things we can do today to secure our networks?
Answers:
1) Keep your anti-virus up-to-date (both definitions & software) and do nightly or weekly scans (see next slide).
2) Use “separation of concerns” in your network: separate (physically or virtually) those things that do not need to access each other. Use different passwords for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect.
3) Automated Monitoring (I failed to give this as an example, but it is my biggest ally). This means a lot of things, from testing if servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomalies are a very strong way to determine if you have a security issue.
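The monitoring answer above and the puppet-video server that was only noticed once its bandwidth was blocked both come down to the same thing: spotting an anomaly in a metric you already chart. The following is an added example, not from the talk: a robust (median/MAD) anomaly detector run over a constructed series of hourly outbound megabytes for a small library web server. The traffic shape, the moment the 20 GB of video starts leaving, the window size and the threshold are all assumptions for the demo, not figures from the talk.

```python
"""Added example (not from the talk): flag a bandwidth anomaly like the one that
exposed the compromised video server. The series below is constructed."""
import statistics


def robust_zscore(sample, history):
    """Modified z-score using median and MAD; 0.6745 scales MAD to a standard
    deviation estimate for normal data. Median/MAD keep the baseline honest even
    when a few earlier spikes sit inside the history window."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if sample == med else float("inf")
    return 0.6745 * (sample - med) / mad


def detect_anomalies(samples, window=48, threshold=3.5, min_history=24):
    """Judge each point against the preceding `window` points (assumed: 48 hours,
    threshold 3.5). Returns [(index, value, score)] for points above threshold."""
    flagged = []
    for i, x in enumerate(samples):
        history = samples[max(0, i - window):i]
        if len(history) < min_history:
            continue          # not enough baseline yet to say anything
        score = robust_zscore(x, history)
        if score > threshold:
            flagged.append((i, x, round(score, 1)))
    return flagged


def constructed_series():
    """Constructed data: 72 hours of normal outbound MB/hour for a small library
    web server (busy daytime, quiet nights), then the server starts pushing out
    roughly 17.6 GB of video over six hours."""
    one_day = [40, 30, 25, 20, 20, 25, 60, 120, 200, 240, 260, 250,
               230, 250, 260, 240, 220, 180, 150, 120, 100, 80, 60, 50]
    normal = one_day * 3
    compromised = [2500, 3100, 2900, 3300, 3000, 2800]
    return normal + compromised


def run_demo():
    """Run the detector over the constructed series and summarise the alerts."""
    series = constructed_series()
    flagged = detect_anomalies(series)
    return {
        "onset_hour": 72,                                  # where the constructed abuse begins
        "first_alert_hour": flagged[0][0] if flagged else None,
        "flagged_hours": [i for i, _value, _score in flagged],
        "false_alerts_in_normal_traffic": len(detect_anomalies(series[:72])),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the median/MAD baseline rather than a plain mean and standard deviation is that the first compromised hour does not drag the baseline up and hide the hours that follow; in this series the alert fires in the very hour the abuse starts and every hour after, with nothing flagged during the three normal days. In practice you would feed the function whatever your charting system already records (interface counters, web server bytes sent) rather than a constructed list.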