Creative Commons License: You are free to share and remix but you must provide attribution and you must share alike.

Hackers in the Library

Michael McDonnell
GIAC Certified Intrusion Analyst
michael@winterstorm.ca

Library Website Shutdown by Hacker
ILS Server Hacked




This isn't exactly true: Unix isn't any more or less “hacker friendly” than any other OS (not at this level of discussion). Beware, this opinion is expressed in the L.I.S. literature (but contradicted in I.T. literature). Don't play the blame game... come up with a defense-in-depth strategy instead.

Library Phonelines Hacked
Even Library of Congress was Hacked
And More...
Many Library Hacks: Old & New
This talk covers 3 Kinds of Library Cybersecurity Case Study

1 Libraries as unique targets
2 Libraries as attractive targets
3 Trends in cybercrime

Libraries fit into the 2nd Most Hacked Organization Type

[Chart placing libraries within the second most hacked organization type; source: Shezaf (2008)]

Libraries can be Unique Targets

Public Access Computers
+ Lots of Users
+ Private Records for Large Populations
+ Lots of Bandwidth
+ Access to Valuable Licensed Information

PAC Desktop Wallpaper Defacement




A politically motivated defacement of PAC station desktop wallpaper. The regular wallpaper was used to provide instructions for use of the PAC and was “locked down”.

Helpful HOWTO on Library Hacking

Ezproxy Password “Fans”

Academics and Doctors Dedicated to Hacking Library Proxy Servers

Forums show why libraries are being targeted

Typosquatting Virtual Reference

Typosquatters have websites with popular misspellings for names.

In 2006 several cybersquatters displayed content from and links back to askaquestion.ab.ca.

Is that a GOOD thing or a BAD thing?

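One way a library can spot the kind of lookalike names described above, as an added example that is not part of the original presentation: given the legitimate hostname and a list of hostnames seen elsewhere (referrers in a web log, or domains a registrar search turned up), flag those whose first label is within a small edit distance of the real one, or whose first label is identical but whose suffix differs. The edit distance counts insertions, deletions, substitutions and adjacent transpositions, which covers the "popular misspellings" the slide refers to. askaquestion.ab.ca and catalogue.library.ca appear on the slides; every other hostname in OBSERVED is constructed.

```python
"""Lookalike-domain check for the typosquatting case (added example)."""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_host(host):
    """Lower-case, drop a leading 'www.', and split into (first label, suffix)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    label, _, suffix = host.partition(".")
    return label, suffix


def lookalikes(legit, observed, max_distance=2):
    """Return (hostname, distance, reason) for names that resemble `legit`."""
    legit_label, legit_suffix = split_host(legit)
    hits = []
    for host in observed:
        label, suffix = split_host(host)
        if (label, suffix) == (legit_label, legit_suffix):
            continue                                   # it is the real site
        dist = osa_distance(label, legit_label)
        if dist == 0:
            hits.append((host, dist, "same name, different suffix"))
        elif dist <= max_distance:
            hits.append((host, dist, "misspelled name"))
    return hits


# Constructed list of hostnames "seen" pointing at or imitating the service.
OBSERVED = [
    "www.askaquestion.ab.ca",     # the real site, should not be flagged
    "askaqeustion.ab.ca",         # transposed letters (constructed)
    "askquestion.ab.ca",          # dropped letter (constructed)
    "askaquestion.ca",            # same name under another suffix (constructed)
    "catalogue.library.ca",       # unrelated host from another slide
]

if __name__ == "__main__":
    for hit in lookalikes("askaquestion.ab.ca", OBSERVED):
        print(hit)
```

The distance threshold of 2 is a judgement call: one or two edits catches most keyboard slips, while anything larger starts flagging unrelated short names. Hits are a list to review, not proof of squatting, since the same check would also flag a legitimate sister service with a similar name.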
Student Sent a Prank Overdue Notice

    First overdue notice:
    According to our records, the following library material is overdue. Please
    renew or return as fines may be accruing. Currently you owe $542.53. If you
    do not pay by 10/10/2008, your University degree will be immediately
    revoked.

    If you wish to renew, you may do so using this link to My Account at
    http://catalogue.library.ca/myaccount/

    Contact the circulation desk at the above library if you have any questions.
    Thank you.

    1  call number: Z 699 A1 A61 v.39 2005   ID: 0162022610438   $30.00
       Annual review of information science and technology.
       [Washington, etc.] American Society for Information Science [etc.]
       due: 8/31/2008, 23:59

    2  call number: Z 699 A1 A61 v.40 2006   ID: 0162022610487   $21.00
       Annual review of information science and technology.
       [Washington, etc.] American Society for Information Science [etc.]
       due: 8/31/2008, 23:59
    ....

Library Patron Records Exposed

Libraries are Attractive Targets

Lots of Bandwidth
+ Lots of Users
+ Open Networks
+ Weak I.T. Practices

Turkish Defacers Attack

Museum Greeting Cards

Wordpress Spam Link Injection

Library GIS Station Hacked

Hacked to Serve Illicit French Movies

An unpatched server was compromised and used to distribute 20 GB of videos with French language titles. The problem was discovered when the server was blocked for excessive bandwidth usage.

French Puppet Videos!

The server was distributing 20 GB of French Puppet Videos. The cleanup time was 7 hours. If they had just asked we would have probably found someone to host the videos for them!

Trends in Cybercrime Will Affect Libraries

Every factor already mentioned
+ Hacker's desire to make money

Hackers are motivated by Money

Types of Cyberattacks by Volume (Shezaf, 2008)

Defacement
– Propaganda
– Bragging Rights
– Reputation Hijacking
– Ad Revenue

Stealing Sensitive Info
– Ransom
– Direct Financial Gain
– Information Leaks
– Enable other Attacks

Library Phonelines Hacked

Phishing & Spear-phishing

From: anitajohnsonrosjn@gmail.com
To: <undisclosed recipients>
Subject: (TRANSFER CONTACT)

My Dear,

It`s me Mrs. Anita Johnson Ross, please I have been waiting for you to contact me regarding your willed fund of ($3,500,000.00) (Three million five hundred thousand dollars) but i did not hear from you since the last time. Well I finally went and deposited the fund in a bank, as I will be going in for an operation any moment from now. I hope you are aware that I have been diagnosed for cancer about 2 years ago, that was immediately after the death of my husband before I was touched by God to donate from what I have inherited from my late husband to you for the good work of God than allow my relatives to use my husband hard earned funds ungodly.

What you have to do now is to contact the Bank as soon as possible to know when they will Transfer the money to you to start the good work of the lord as initially arranged, and to help the motherless less privilege also for the assistance of the widows according to (JAMES 1:27). For your information, I have paid all the Charges, Insurance premium and Clearance Certificate showing that it is not a Drug Money or meant to sponsor Terrorism in your Country.

The only money you have to send to the Bank is the account opening fee due to my method of deposit. Again, don't be deceived by anybody to pay any other money except account opening charges.

Please kindly contact the bank on Tel: +13-162-651-1808 /Fax: +31-847-301-282. OR via E-MAIL: snsregiobktransfers.unit1@hotmail.com with your full names contact telephone/fax number and your full address and tell them that I have deposited the sum of ($3,500,000.00) in the Unit account of the bank and you are the present beneficiary to the sum. I will inform the bank immediately that I have WILL-IN that amount to you for a specific work.

Let me repeat again, try to contact the Bank as soon as you receive this mail to avoid any further delay and remember to pay them their account set up fee for their immediate action. I will also appreciate your utmost confidentiality in this matter until the task is accomplished as I don't want anything that will jeopardize my last wish. Also I will be contacting you by email as I don't want my relation or anybody to know because they are always around me.

Yours Faithfully,
Mrs. Anita Johnson Ross

DNS Poisoning

The cyberbrowse owner gets paid $$$ when people view or click on ads.

We found that Big Public Library's DNS servers were being poisoned to misdirect browsers to the cyberbrowse website.

How DNS Works

1 Your PC to Your DNS Server: What is the IP for www.hotmail.com?
2 Your DNS Server to Hotmail's DNS Server: What is the IP for www.hotmail.com?
3 Hotmail's DNS Server to Your DNS Server: The IP is 64.4.33.7
4 Your DNS Server stores in its DNS Cache: hotmail.com is 64.4.33.7
5 Your DNS Server to Your PC: The IP for hotmail.com is 64.4.33.7
6 Your PC gets the webpage from 64.4.33.7 (www.hotmail.com)

How DNS Poisoning Works

1 Hostile DNS Server to Your DNS Server (no query was sent): The IP for www.hotmail.com is 69.93.150.59!!!
2 Your DNS Server stores in its DNS Cache: hotmail.com is 69.93.150.59
3 Your PC to Your DNS Server: What is the IP for www.hotmail.com?
4 Your DNS Server to Your PC (answered from cache): The IP for hotmail.com is 69.93.150.59
5 Your PC gets the webpage from 69.93.150.59, which is cyberbrowse.com, not www.hotmail.com (64.4.33.7)

Hotmail's DNS Server appears in the diagram but is never consulted in this flow.
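The two diagrams above, replayed against a toy resolver cache, as an added example that is not part of the original presentation. The lax resolver caches any answer that arrives, which is what lets the hostile server's "www.hotmail.com is 69.93.150.59" land in the cache. The strict resolver only caches an answer that matches a query it actually sent (same transaction ID, same name asked about, from the server it asked), so the unsolicited answer is dropped and the normal lookup to Hotmail's server proceeds. audit() then compares the cache against a known-good list, which is how a defender notices the redirection from outside. The IPs come from the slides; the server names, the transaction ID 4242 and the known-good list are constructed.

```python
"""Toy resolver cache showing the poisoning on the two DNS diagrams (added example)."""
from dataclasses import dataclass, field
import random

# Constructed allow-list for the names a library would care most about.
KNOWN_GOOD = {"www.hotmail.com": {"64.4.33.7"}}


@dataclass
class Answer:
    txid: int      # DNS transaction ID carried in the reply
    qname: str     # name the reply claims to answer
    ip: str        # address in the reply
    source: str    # server the packet came from (constructed label)


@dataclass
class Resolver:
    strict: bool
    cache: dict = field(default_factory=dict)     # qname -> ip ("DNS Cache" on the slide)
    pending: dict = field(default_factory=dict)   # txid -> (qname, server asked)
    rejected: list = field(default_factory=list)  # answers the strict resolver refused

    def ask_upstream(self, qname, server):
        """Send a query and remember what was asked, of whom, under which ID."""
        txid = random.randrange(1 << 16)
        self.pending[txid] = (qname, server)
        return txid

    def receive(self, ans):
        """Process a reply; return True if it was cached."""
        if self.strict:
            expected = self.pending.get(ans.txid)
            if expected != (ans.qname, ans.source):
                self.rejected.append(ans)   # unsolicited or mismatched: do not cache
                return False
            del self.pending[ans.txid]
        self.cache[ans.qname] = ans.ip
        return True

    def lookup(self, qname):
        return self.cache.get(qname)


def audit(resolver):
    """Cached entries for watched names whose IP is not on the known-good list."""
    return {q: ip for q, ip in resolver.cache.items()
            if q in KNOWN_GOOD and ip not in KNOWN_GOOD[q]}


def scenario(strict):
    """Replay the poisoning diagram against a lax or strict resolver."""
    r = Resolver(strict=strict)
    # Step 1 of "How DNS Poisoning Works": an answer nobody asked for.
    r.receive(Answer(txid=4242, qname="www.hotmail.com", ip="69.93.150.59", source="hostile-dns"))
    if r.lookup("www.hotmail.com") is None:
        # Cache miss, so do the normal lookup from "How DNS Works" (steps 2-4).
        txid = r.ask_upstream("www.hotmail.com", "hotmail-dns")
        r.receive(Answer(txid=txid, qname="www.hotmail.com", ip="64.4.33.7", source="hotmail-dns"))
    return r


if __name__ == "__main__":
    for mode in (False, True):
        r = scenario(mode)
        print("strict" if mode else "lax", "->", r.lookup("www.hotmail.com"),
              "suspicious:", audit(r))
```

Real resolvers add more than the transaction-ID and source match modelled here (randomized source ports, and DNSSEC validation where the zone is signed), but the audit step is the one a library can run on its own: periodically resolve the names that matter through your own servers and compare the answers with a list you trust, which is what would have exposed the cyberbrowse redirection.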
Cyberbrowse attack was widespread

In 2003, others suffered from the cyberbrowse DNS Poisoning.

Many mistook the attack for a problem with their own computers.

I spoke with Shaw Bigpipe and confirmed that they were under attack for months but didn't know it was an attack.

       The Crimeware Supply Chain
•    How SPAM Makes Money            • How Credit Card Theives Work
• Viruses create botnets (networks   • Viruses steal credit card and
  of thousands of slave computers)     identity info
• Botnet owners pay to have          • Card information is sold to others
  viruses distributed                • Carders use stolen cards to
• Spammers pay botnet owners to        purchase items
  send spam                          • Remailers ensure shipped items
• But spamming requires accounts,      can be obtain
  which are protected by             • Items may be sold
  CAPTCHAs
• Botnet owners pay CAPTCH             Stealing from your Bank Account
  breakers                           • Banks accounts are broken into
                                     • “Money Mules” accept payments
                                       to their own accounts and then
                                       pay the theives
Breaking CAPTCHAs Pays

This pays about $2/1000 CAPTCHAs broken, according to a presentation at OWASP 3.0.

From Dancho Danchev's Blog: http://ddanchev.blogspot.com/2007/09/spammers-and-phishers-breaking-captchas.html

Affiliate Marketing Pays for Viruses

Cybercrime has grown to include complete supply chain management

Questions?

email me: michael@winterstorm.ca
Slides: http://winterstorm.ca/download/

No virus news is NOT good news

Problems
• Old anti-virus programs cannot detect the latest types of viruses
• Viruses released today cannot be detected until tomorrow
• Viruses come in clusters: you might only detect one when you are infected with 5
• No anti-virus program can detect all viruses

“Solutions”
• Update your anti-virus software, not just the definitions
• Perform a full anti-virus scan every few days
• Completely reformat any computer on which a virus is detected
• Scan with several different online scanners (f-secure, trend at home, stinger).

Questions Asked 2008-10-23

Question: What are the top 3 things we can do today to secure our networks?

Answers:
1) Keep your anti-virus up-to-date (both definitions & software) and do nightly or weekly scans (see next slide)
2) Use “separation of concerns” in your network: separate (physically or virtually) those things that do not need to access each other. Use different passwords for every web application instead of a shared one. Make sure that servers that don't need to connect cannot connect.
3) Automated Monitoring (I failed to give this as an example, but it is my biggest ally). This means a lot of things, from testing if servers and services are up to monitoring and charting bandwidth, CPU, and RAM usage. Anomalies are a very strong way to determine if you have a security issue.
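A bandwidth check of the kind answer 3 has in mind, as an added example that is not part of the original talk. It takes daily outbound traffic per server (constructed figures below) and flags any day that sits far above that server's own recent baseline. The baseline uses the median and the median absolute deviation (MAD) of the preceding window, so one enormous day does not drag the baseline up and hide the next one. The gis-station figures are shaped after the "French Puppet Videos" incident on the slides, where a compromised server was noticed only when it was blocked for excessive bandwidth; the host names, window length and threshold factor are assumptions.

```python
"""Bandwidth anomaly check for the "Automated Monitoring" answer (added example)."""
from statistics import median

# Constructed sample: outbound GB per day for two hosts over ten days.
SAMPLES = {
    "web-pac-1":   [1.8, 2.1, 1.9, 2.4, 2.0, 1.7, 2.2, 2.3, 1.9, 2.0],
    "gis-station": [0.4, 0.5, 0.3, 0.6, 0.4, 0.5, 0.4, 12.0, 20.0, 0.4],
}


def robust_baseline(values):
    """Median and MAD of a window; MAD is floored so a flat history still gets a band."""
    m = median(values)
    mad = median([abs(v - m) for v in values])
    return m, max(mad, 0.1)


def anomalies(series, window=7, k=6.0):
    """(index, value, threshold) for days exceeding median + k*MAD of the prior window."""
    flagged = []
    for i in range(window, len(series)):
        base, spread = robust_baseline(series[i - window:i])
        threshold = base + k * spread
        if series[i] > threshold:
            flagged.append((i, series[i], round(threshold, 2)))
    return flagged


def audit(samples, window=7, k=6.0):
    """Run the check for every host and keep only hosts with at least one flagged day."""
    report = {}
    for host, series in samples.items():
        hits = anomalies(series, window, k)
        if hits:
            report[host] = hits
    return report


if __name__ == "__main__":
    for host, hits in audit(SAMPLES).items():
        for day, value, threshold in hits:
            print(f"{host}: day {day} sent {value} GB, baseline allows about {threshold} GB")
```

The same shape works for CPU, RAM or connection counts pulled from whatever charting tool the library already runs: the point is to compare each host against its own history rather than a fixed limit, so the quiet GIS station that suddenly pushes 12 GB is flagged on its first bad day, before anyone upstream blocks it.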

				