Ew, malware! Why public computers at libraries are dirty in more ways than one.
As librarians, we all know the kind of grossness that must be residing on our public computers' keyboards. It's better just not to think about it. Unfortunately, the contents of our computers are just as unclean.
This is a hypothesis in need of a research study and I don't have stats to give you. I am just a single paranoid librarian who considers doing your online banking on a public network akin to lending your credit card to somebody you don't know in a shopping mall. It would certainly be interesting to survey public computers at a number of libraries both public and academic to see how insecure they really are.
Here are some reasons why I worry about the security around our library computers:
- Public wifi means it is very easy to "overhear" other people's behaviour on the network
- Software is slow to be updated/patched
- Our most vulnerable patrons are largely the kind of people targeted by phishing and malware schemes
- Insufficient expertise or initiative to recognize and deal with problems
I've broken this up into a few posts addressing each of these points and ways to deal with them.
As a library, we obviously want to offer open and free internet access, but allowing anybody and everybody to access our network can be a negative as well as a positive. Packet sniffers are trivially easy to find on the internet (just try googling it) and allow one person on an open network to see all the activity of all the other computers connected to the network. So if I, for example, visit a porn site on the library's wifi a person running a packet analyzer will see that.
This is why TCP/SSL security is so important -- this is encryption enabled on most sites now when it comes to passwords, log-in details, banking, and email. When you see a little lock in your address bar or it says https:// instead of http:// you are encrypted. The fact that people normally rely on this ecryption to keep things like their banking information private is the reason why it was such a big deal when it turned out Apple's iOS and OS X 10.9 weren't encrypting things with SSL properly. Do you loan out iPads at your library? And do your patrons sometimes use them to buy things online? Well, anybody else in your library running a packet sniffer would have been able to see all their credit card information as they sent it. This is, again, almost trivial to learn how to do; a well-motivated teenager could figure this stuff out.
What can you do?
- Install on all your computers HTTPS Everywhere, a piece of software designed by the EFF to turn on SSL encryption where it's not turned on by default
- Warn your patrons about how vulnerable their data may be when they send it over an open network
- Make sure your library's software (catalogue, discovery layer, ebook service, in-house app...) is configured to use SSL for passwords and personal information
- Check the apps installed on any devices you loan out to make sure they are also encrypting personal information sent over the network (especially if any part of it involves banking information)
- Remember that if you share something unencrypted over an open network you might as well be shouting it to the whole room!
If your library is large enough to have a bank of computers for public use and a desktop PC for all of your staff you are probably leasing these computers from someone like Bell or Toshiba. After 2-4 years you return your old computers and get new ones. The standard way of making sure all your computers have the same software and the same default settings without going in and clicking individual buttons over and over again is to create a boot image. This way you set it up once and burn it to a CD and then go and copy it to every other computer. This is a very efficient way of doing things, but predisposes IT admin to putting off updates because they will have to change the boot image and then install it again on all the computers. While you can tell staff members to keep their comptuer software up to date, public library computers often use a piece of software to "freeze" the contents and lock down areas like the Control Panel.
Admit it, how many times have you thought "I just need to do this one thing, I don't have time to run an update now" and told it to "Remind Me Later"? Now imagine you're on a public library computer and it gives you that notification -- you're certainly not going to run the update. And if there is a piece of "freezing" software in place, the update won't install anyway until it's unfrozen by an admin. The next patron will get the exact same message to update! I am suspicious that some IT departments may even turn off update notifications for this reason.
Adobe Flash and Microsoft Internet Explorer are noctorious for having terrible vunerabilities and get patched seemingly every week. If your IT department only updates the software on your computers once every year (an optimistic estimate) you are leaving your patrons wide open to well-known attacks that could have been prevented.
As a bonus, sometimes other reasons necessitate keeping a computer on older software. If your public scanner still works, but the software it came with only works on Windows XP then you're probably going to keep that computer running Windows XP even though it stopped being updated in 2010. Are the risks worth the money you would spend getting a new scanner?
What can you do?
- Understand that sometimes getting the latest software isn't just a want, but a need. The older something is, the more known vulnerabilities it's going to have.
- Don't ignore updates on your own computer and encourage your co-workers to do the same. Do you really want patron, financial, or HR information out in the wild?
- Update all computers running Windows XP ASAP. Windows 7 is a much more secure and stable option.
- Ensure that things like browsers, plug-ins, and software known to be targeted by hackers are updated every time there's a major patch.
- Try to keep away from buying proprietary software that the vendor may stop supporting in a few years. If something hasn't been updated in over a year, it's probably dead and you need to find another option.
- Demand that your vendors provide evidence of their commitment towards security.
- Remember, there are two types of organizations: those who have been hacked, and those who haven't realized that they've been hacked.
Libraries, public libraries especially, try to be open and accepting places for human interaction. We try to encourage those who have been marginalized to participate. We have loads of children and seniors. We are an organization that is trusted for that reason. So, as a trusted authority, we are responsible for protecting our patrons.
Part of this is the psychology of the internet versus previous media. For most people they implicitly trust that what is said on the evening news isn't an outright lie. On the internet, you have to assume that anything could be a scam. Patrons need to be taught that they're in hostile territory when they're online. Just because something says it's coming from your bank and asks you to click a button doesn't mean you should, even though your bank is normally a trusted source.
This comes down to "information literacy", that thing we're always talking about. Personal security online is fundamentally critical thinking, but also requires the knowledge of the tricks of the trade. Most modern malware doesn't involve targeted hacking, it's just a little social engineering, faking an authoritative source to get someone to voluntarily give up their information. Sometimes you click on an ad and press "Yes" by default and suddenly you're getting pop-ups asking you to buy a piece of virus software that won't go away.
What can you do?
- Educate yourself on the best ways to detect a fraud, then pass that knowledge to your patrons
- When you teach new technologies, make sure you include information about how people need to protect themselves while using it
- Change the settings on your browsers to not download things without asking and never to install/run software without admin priveleges.
- Forbid access to porn sites on your public computers (they are the #1 source of malware online)
- Install ad-blockers and tracker-blocking add-ons to your browsers
- Install and run a malware scan (not the same as a virus scan!) on your computers at least once a month
It's really not enough to rely on your IT department to handle these things for you. On a day-to-day basis it's the frontline staff who deal with troubleshooting computers and helping patrons. Security is a very dynamic area, every day something new is discovered or tried. I recently read a paper (OpenAccess!) on how easy it is to literally rewrite someone's wifi router to make it send all the data flowing through it to a third party. Now, I'm not saying this is something somebody is going to try at your local public library, but it's worth it to know that it's possible.
There's a phrase used in tech circles that says that the worst security is "security by obscurity". There are two ways this can be interpreted: The first is the situation where a company totally locks down their product and refuses to let anybody try to hack it because that's how they think they'll maintain security. A better way to maintain security is to encourage white-hat hacking, through which you will find flaws and repair them before somebody nefarious uses them. This is familiar to everybody used to how locked-down vendor products can be. The moral of the story here is that you should be suspicious of the strength of anything you can't test out yourself.
The second interpretation of "security by obscurity" is more individual, and appears when someone makes poor security choices in public, but assumes because of the vastness of the internet or their own insignificance it won't ever become a problem. This is the "But nobody cares about me!" excuse. Lots and lots of people make the mistaken assumption that because information is hard to find it will never become public. This is untrue for a number of reasons, but mostly because people underestimate how easy it is to gather tons and tons of data and summarize it in dangerous ways. Following from this, even if you are insignificant, that doesn't matter to most nefarious people on the internet. Malware makers can send out near-infinite numbers of their product with minimal effort, and it only takes a few gullable clicks to make a return on their investment. Nobody has to even know you exist to profit off your lapses in security. Having your credit card stolen, your personal information for sale on a website somewhere (including SIN and possible answers to bank security questions), and your computer turned into a bot might be the worst-case scenario. If someone did actually try to take advantage of you it could be much, much worse.
For a nice takedown of the "nothing to hide" excuse for poor security, you can read this article in the Chronicle of Higher Ed.
What can you do?
- Follow tech blogs like BoingBoing.net to get early notice of big hacks
- If you want to get really into the technical aspects, start reading the blogs of Bruce Schneier, Threat Level, and Brian Krebs
- Start using a strong password system right now.
- Always be aware that any information you put on the internet, even give to companies under the understanding that it's private, could land in the wrong hands at any time
- When helping patrons set up an account for something, use it as a chance to encourage them to use best practises for privacy online
- Start thinking like a hacker -- how could you cheat the system? -- Then act to plug those holes.
It's possible I'm too paranoid, too privacy conscious, but I'll err on the side of safety. There are certainly costs to being more secure, sometimes in straight-up cash, and given the fact that the internet is currently run on advertising dollars privacy will always be a trade-off for free or cheap services. If our patrons are in our space, using our stuff, I think we have a responsibility to keep them safe however possible, and inform them of risks where we can't avoid them. Maybe you already integrate security into your instructional sessions and this is all old news! But I wouldn't be a librarian if I didn't believe that more information is always better.
Do you have other ideas of how we could improve library information security? Have you ever experienced a library-related breach of information? How savvy are your patrons when it comes to privacy online?
(Originally posted on tumblr, March 16th 2014)