At the start of a very long day, I awoke to the sight of some cute ducks on my patio. I blogged pretty heavily about my sessions yesterday, so I won’t go into detail about that. Around the sessions, though, I did a lot of chatting with other library types about a lot of different things that they are doing. I did sort of crap out in the afternoon and ended up skipping a session to hang in my room and do some requested web updates for work. I was getting burned out on all the socializing, if you can imagine…
The library round table in the evening was great (big kudos to Lee Cushing for suggesting it). There were a lot of folks, including some relevant Morenet folks, who had a lot to say. Again, I blogged about that (though now I’m wondering if I posted it – if not, it will show up soon).
Network backup from Morenet
This session will be about something I’m very interested in – network backups. Since a lot of this will be kind of specific, I plan to do a lot of summarizing. He started with network storage, which I don’t need. The network backup, though, I do. They have set it up so that it’s not going across the general Internet. This is nice! Beyond that, it’s all encrypted, both in transit and on the server. Deduplication and compression are done before the data leaves the library. Nice! Agentless backups mean that only one backup client is necessary. All major OSes are supported, and databases are supported. Cost is per GB stored, client included in the service. There is a client statistical mode, so we can figure the backup size precisely before committing to the service. Data is stored outside MO. Pricing info should be available in a couple of weeks.
Overdrive and MOLib2go
It started with Kyle presenting an overview of Overdrive. One question was about the customization options for a library’s OD site. Kyle said it’s pretty customizable. Another question was about using the OD software on public computers. There was discussion of how various libraries manage that. Kara followed with a discussion of the MOLib2go service. The first question was about the benefits of joining the consortium: getting access to all the books purchased by all 22 libraries in the consortium. She followed up with stats about MOLib2go’s books. She also mentioned the #hcod issue – MOLib2go is boycotting Harper Collins books for now. That started some discussion, to put it mildly.
She mentioned the links to Project Gutenberg from our homepage. We then had much more discussion of #hcod. Strong opinions abound.
Mike talked about training and demoed My Help, and talked about flyers and other resources; he’ll make use of WebJunction to post those for staff.
Mark Monroe, from UMSL, started with a discussion of what social media is. He started with Tufts University using YouTube videos as a replacement for application essays – the dean of undergrad admissions didn’t realize how public and followed these applications would be. He talked about other social media missteps, then went into the terms of service of Facebook and Twitter. He then talked about FB’s ownership grab of user photos over Valentine’s Day 2009.
He discussed the idea of cyber-bullying and policies – his school has no specific policies, but the activities are covered by code of conduct policies.
Much of the discussion was very educational institution oriented, so I’m skipping a lot…
The upshot of the discussion was that teachers are asking students to post homework assignments on Facebook and this is probably a bad idea. I’m in agreement, but not for the same reasons – Mark said that students uploading writing or photos to FB as part of an assignment are giving up their copyrights to that work. This is not exactly true – but they are putting that stuff up in a much more public place than their teacher’s desk, so there may be issues with privacy that are more pressing than IP issues, really. There were several questions from the crowd about impersonation accounts, but not a lot of advice – FB is notoriously bad about getting back to folks about issues, though they are getting better at getting rid of accounts that impersonate someone.
The Connections conference started with a keynote from SANS about securing the human part of your network. Lance started by talking about his background in information security, honeypots and work with Sun Microsystems (starting originally with work in tanks in the military). “The simplest way to steal your password is to ask for it – the simplest way to infect your computer is to ask you to do it.” Technology has been very well secured – it’s MUCH easier to get the human users to do the work for the bad guys. The change began in August 2004, when Service Pack 2 was released for XP with the firewall turned on by default. This started the drop in technology-based hacking and began the era of human hacking. The human OS – you have Windows, Linux and human OSes in your network. We’ve done nothing to secure that human OS (my note: this is why training is so very important – it’s updating and patching the human OS in your network).
90% of malware requires human interaction (Symantec)
100% of successful APT attacks compromised the human (Mandiant)
Humans have to click a link, install a program, insert a USB stick or interact in some way to make the malware work.
Humans are bad at judging risk – we overestimate visual risks (lions and tigers, as opposed to something we can’t see) and overestimate risks when we aren’t in control (flying as opposed to driving).
“If it’s on the news, it’s probably really safe, because it almost never happens – or else it wouldn’t be news”
Social engineering – when we surf we feel like we are in control, and the hack is silent and not visual at all, so because of those two factors we underestimate the risk of getting hacked. You check into your hotel room, get a call from the front desk to clarify a problem with your card, you give them your card number, and they’ve hacked you. (This was a real problem at Disney World resorts.)
Some worms now check keyboard settings before they send out their phishy emails so that they can send the virus email to your friends in the language that you usually use (if your keyboard is set to Spanish, they send the Spanish version of the bad email to your contacts, in order to increase the likelihood that your friends will click on the link in the email).
Many trojans disguise themselves as anti-virus programs so that you not only infect yourself, but you pay $100 or so for the privilege of doing so.
Twitter and Facebook make malicious social engineering attacks easy – Twitter bots search for keywords and respond to any tweet using that keyword with a “discount” link for that particular item.
Goals of Awareness training – compliance and changing behavior. Lance concentrates on changing behavior (more powerful than mindless compliance).
The plan: who, what and how? Who do you target for training? Employees, admin staff especially, management, and IT staff (who have privileged access to lots of resources; make sure they don’t post router configs, for example, on public listservs, or use the same password for servers that they use for their Facebook account). What do you train about? You are the target, social engineering, email and IM, browsers, etc. Teach people that it’s not all just about protecting the organization, it’s about protecting the employee. How do you train? Use imagery, videos, newsletters – make it as fun as marketing is these days. He showed an example video that promotes security awareness (social engineering, specifically).
SANS has a video awareness library – info in handouts. Newsletters are like patches – they have to be done regularly or people forget.
Inoculation – used to measure end user awareness, used to get their attention and reinforce training. Launch a phishing email of your own (benign, of course) and see who clicked and how many were fooled. Keep doing it as your awareness campaign continues and see how the numbers go down. Start with basic email and work up to targeted emails to test users.
Presentation and newsletters that can be redistributed are available on Lance’s blog.
Security symposium wrap-up; day 1
I started off the morning with YET ANOTHER fall, this time on my outside steps which were icy, but much shorter than the basement steps I fell down last month. Besides a honkin’ big bruise on my hip, I’m all right.
The conference began with a keynote which I’ve already summarized and posted about, so I won’t do that to you again – other than to note that keeping a machine that is used *only* for online banking duties is a great idea, but I’m wondering about the software we use and if a Linux machine (which we could keep safe) will work with the software. Something I need to check into when I get back home.
I also blogged about the morning’s session – centralized logging with Windows – so I won’t go into that either.
Lunch was excellent – just sandwiches and cole slaw, but I was ready for it when it came – and the conversation at my table was better. We began with discussions of the state of cartoons and the fact that cartoons today are so much worse than those of years ago (and I think someone actually said “get off my lawn” at one point, too…). Even though it may be considered violent, who can forget Elmer Fudd singing about killing a rabbit to the tune of Wagner’s operatic compositions? This segued (somehow) into the #hcod problem (the issue of Harper Collins capping ebook checkouts at 26 – do a quick search on the #hcod tag if you aren’t familiar) and then into the fact that librarians often act as the copyright police, even when we often disagree with the rules (this last bit may just be my opinion…). It was an excellent discussion that ran into the next session, so I ended up missing that one.
The geek out at the conference session has also been blogged about here, so I won’t say much other than it was an interesting idea – get everyone into a single room to discuss any issues they are having while a very knowledgeable MORENet employee (Randy Raw) introduced us to people who could help us with that issue or were going through the same thing and would commiserate with us. It was assisted networking and it was a really good idea!
The exhibit/reception was nice – I got to talking to Lee Cushing during the geek out session and we continued the conversation in the exhibit hall. We decided to sign up for a “librarian issues” roundtable tomorrow night as a way to get the few library types who come to this conference together to talk about the stuff that affects us. I’m looking forward to it. Mike showed up during the reception and we walked around the exhibits together before heading outside to talk and wait for Jason Long – the IT person for the local library system – to join us.
Jason is just starting to offer Overdrive (as in, it goes live on Monday) and he had questions. He’s been using Centurion for a while and I had questions. It was a great conversation and a nice way to catch up on what we’ve been doing since last chatting at MLA (though he reads this blog – Hi, Jason! – so he has some idea of what I’ve been doing).
Now it’s time to start hunting down dinner, as soon as Mike finishes his meeting with his co-presenters, and to wind down for the day – ready to start all over again at the 7am breakfast tomorrow!
Geek out at the conf
Geek out – short talks, comments on what’s going on at our orgs, questions to geeks who are doing the same sort of stuff.
First – thin apps on VMWare View for virtualized desktops
New MS licensing for edu, not sure about libraries
Moodle – provisioning second pipe to Morenet to keep from using all the bandwidth of main pipe for hosted stuff like Moodle
Discussion of burstable bandwidth from Morenet
Talked about what’s coming from Morenet -lots of cool stuff…
Replacements for Elluminate – Morenet is looking at BigBlueButton, an open-source, Adobe Connect-style content presentation tool
Moving from Novell to Windows
Question about filtering mergers and how it’s going to work
Discussion of packet shaping vendors
IPv6 issues – remember logging software (and other software) needs to be able to parse it, too, so check both hardware & software purchases.
Centralized logging with Windows – with Steve Massman and Travis Reddick
KiwiSyslog and SNARE client as well as Logcheck & other open source utilities.
Could get emails every 30 mins that you have to read. Download and read OS security guides!
Log everything – everything. Success and failures both.
Use Windows Server 2003 or 2008; an existing machine will do if it’s not heavily used. Use a software firewall to allow RDP only from your own machine, and lock down ports to the logging hosts only. No anti-virus software necessary.
KiwiSyslog – $300ish – separate log files by machine.
SNARE – free; logs the System and Security event logs; on domain controllers add the Directory Service, DNS Server and File Replication Service logs; then look for new events in Kiwi.
Logcheck – for 2003, logcheck.ignore is the file you use to filter your logs to keep from being overwhelmed; he showed examples of what goes into the logcheck.ignore file. Case matters, and be specific.
Configuring the scheduled task – in 2008, disable “Network access: Do not allow storage of passwords and credentials for network authentication” or the task won’t run.
Splunk? Can manage ASA files – useful for us!
Downloads – FTP://FTP.more.net/pub/s_P/massmans
Demo time!
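To make the Logcheck and IPv6 points concrete, here is an added example (mine, not code from the session, from Kiwi, SNARE or Logcheck) that applies logcheck.ignore-style, case-sensitive regexes to Windows events forwarded over syslog and summarizes what is left. The tab-separated payload layout and the sample lines are constructed and simplified (real SNARE payloads carry more fields); the point is that ignore patterns should be anchored on specific fields, and that source addresses must be parsed as both IPv4 and IPv6, which the standard library’s ipaddress module does for you.

```python
"""Logcheck-style filtering of SNARE-forwarded Windows events (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed, simplified sample in a SNARE-like tab-separated layout:
#   <syslog timestamp> <host> MSWinEventLog\t<crit>\t<log>\t<event id>\t<source>\t<message>
# Real SNARE payloads have more fields; only this shape is assumed here.
SAMPLE_LOG = "\n".join([
    "Mar 10 08:00:01 dc01 MSWinEventLog\t1\tSecurity\t4624\tSecurity-Auditing\tAn account was successfully logged on. Account Name: jdoe Source Network Address: 10.1.2.3",
    "Mar 10 08:00:05 dc01 MSWinEventLog\t1\tSecurity\t4634\tSecurity-Auditing\tAn account was logged off. Account Name: jdoe",
    "Mar 10 08:00:07 fs01 MSWinEventLog\t2\tSecurity\t4625\tSecurity-Auditing\tAn account failed to log on. Account Name: Administrator Source Network Address: 2001:db8:1::1f",
    "Mar 10 08:00:08 fs01 MSWinEventLog\t2\tSecurity\t4625\tSecurity-Auditing\tAn account failed to log on. Account Name: Administrator Source Network Address: 2001:DB8:1:0::1F",
    "Mar 10 08:00:09 fs01 MSWinEventLog\t2\tSecurity\t4625\tSecurity-Auditing\tAn account failed to log on. Account Name: administrator Source Network Address: 203.0.113.9",
    "Mar 10 08:01:00 dc01 MSWinEventLog\t1\tSystem\t7036\tService Control Manager\tThe Print Spooler service entered the running state.",
    "Mar 10 08:01:02 dc01 MSWinEventLog\t3\tSecurity\t4720\tSecurity-Auditing\tA user account was created. New Account Name: svc_backup2 Subject Account Name: Administrator",
])

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) MSWinEventLog\t"
    r"(?P<crit>\d)\t(?P<log>[^\t]+)\t(?P<event_id>\d+)\t(?P<source>[^\t]+)\t(?P<msg>.*)$"
)

# logcheck.ignore-style patterns. They are case-sensitive (no re.IGNORECASE) and
# anchored on the tab-delimited log and event-id fields, so "ignore routine logons"
# cannot accidentally swallow a failed logon or a logon from outside 10.1.0.0/16.
IGNORE_PATTERNS = [re.compile(p) for p in (
    r"\tSecurity\t4624\t[^\t]+\tAn account was successfully logged on\..*Source Network Address: 10\.1\.\d{1,3}\.\d{1,3}$",
    r"\tSecurity\t4634\t[^\t]+\tAn account was logged off\.",
    r"\tSystem\t7036\tService Control Manager\tThe Print Spooler service entered the running state\.$",
)]


def extract_source_ip(msg):
    """Return the normalized source address or None; ipaddress handles v4 and v6."""
    m = re.search(r"Source Network Address:\s*(\S+)", msg)
    if not m:
        return None
    try:
        # Normalizing means 2001:DB8:1:0::1F and 2001:db8:1::1f count as one source.
        return str(ipaddress.ip_address(m.group(1).rstrip(".,;")))
    except ValueError:
        return None  # Windows logs "-" when there is no network source


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["source_ip"] = extract_source_ip(ev["msg"])
    return ev


def is_ignored(line):
    return any(p.search(line) for p in IGNORE_PATTERNS)


def filter_log(text):
    """Drop ignored lines; return (parsed events to review, lines we could not parse)."""
    kept, unparsed = [], []
    for line in text.splitlines():
        if not line.strip() or is_ignored(line):
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # never silently drop what the parser does not understand
        else:
            kept.append(ev)
    return kept, unparsed


def summarize(events):
    by_host_event = Counter((e["host"], e["event_id"]) for e in events)
    failed_logon_sources = Counter(
        e["source_ip"] for e in events if e["event_id"] == "4625" and e["source_ip"])
    return by_host_event, failed_logon_sources


if __name__ == "__main__":
    events, bad = filter_log(SAMPLE_LOG)
    hosts, sources = summarize(events)
    print(f"{len(events)} events to review, {len(bad)} unparsed")
    print("by host/event:", dict(hosts))
    print("failed logons by source:", dict(sources))
```

If you run this, the routine logon, logoff and service-state lines are filtered out and the three failed Administrator logons (two from one IPv6 source, once normalized) and the account creation remain. Drop the `$` anchor or the `10\.1\.` prefix from the first pattern and you will see how quickly an ignore rule becomes too broad.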
Security symposium keynote
Brian Krebs (http://www.krebsonsecurity.com/) talked about bank fraud and security. This generally starts with an email attachment (ZeuS) and ends with a company’s money in Ukraine or Russia. Brian talked about both the computer issues and the human issues, with a fascinating discussion of the mules used to move the money.
Some of the common attacks (in Europe, at least, not seeing it in the US yet) include form field injection, session riding, balance manipulation, and attacks hitting consumers, rather than heavily secured commercial accounts.
Red flags for banks – 10-20 new employees added to payroll, IP address weirdness.
Advice – disallow batches that deviate from the standard format (revise your banking contract), request low-tech verification, access accounts only from a non-Windows machine (excellent idea: get a dedicated netbook with Mac or Linux installed), get involved and write your lawmaker, and require two sign-offs for wire transfers.
What’s coming? More litigation between banks and victims, lots of smaller cases coming up, guidance from the FFIEC on transaction monitoring/analysis, and Sen. Schumer’s bill S.3898 to give schools the same protections that consumers already have.
Online banking is not secure for small organizations. Banks need to inform customers of risks and sell risk mitigation services.
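The red flags and advice above translate fairly directly into checks a business could run on its own payroll batch before uploading it (or ask its bank to run). The following is an added example written for this post, not code from Brian’s talk or from any bank: it flags payees not in the previous batch, a known payee whose deposit account changed, per-payee amounts that jump, an upload from an untrusted address, and a missing second sign-off. The thresholds, the “compare against last batch” reading of “standard format”, and all the payroll data are assumptions constructed for illustration.

```python
"""Red-flag review of an outgoing payroll batch (added example, constructed data)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Payment:
    payee_id: str        # employee id in the payroll system
    account: str         # routing+account the money goes to (constructed format)
    amount_cents: int


@dataclass
class Batch:
    payments: list
    submitted_from: str  # IP of the online-banking session that uploaded the batch
    approvals: int       # distinct people who signed off on it


def review_batch(batch, last_batch, trusted_nets,
                 max_new_payees=2, per_payee_tolerance=0.25, required_approvals=2):
    """Return 'CODE: detail' flags; an empty list means the batch looks like last time."""
    flags = []
    known = {p.payee_id: p for p in last_batch.payments}

    # "10-20 new employees added to payroll": mules show up as never-seen payees.
    new = [p for p in batch.payments if p.payee_id not in known]
    if len(new) > max_new_payees:
        flags.append(f"NEW_PAYEES: {len(new)} payees not in the previous batch")

    # "Deviates from standard format": existing payees should look like last time.
    for p in batch.payments:
        prev = known.get(p.payee_id)
        if prev is None:
            continue
        if p.account != prev.account:
            flags.append(f"ACCOUNT_CHANGED: {p.payee_id} now pays {p.account}")
        if abs(p.amount_cents - prev.amount_cents) > per_payee_tolerance * prev.amount_cents:
            flags.append(f"AMOUNT_DEVIATES: {p.payee_id} {prev.amount_cents}->{p.amount_cents}")

    # "IP address weirdness": the upload should come from where payroll is always run.
    try:
        ip = ipaddress.ip_address(batch.submitted_from)
        if not any(ip in net for net in trusted_nets):
            flags.append(f"UNTRUSTED_IP: {ip}")
    except ValueError:
        flags.append(f"UNTRUSTED_IP: unparsable address {batch.submitted_from!r}")

    # "Require 2 signoffs".
    if batch.approvals < required_approvals:
        flags.append(f"MISSING_APPROVAL: {batch.approvals} of {required_approvals} sign-offs")
    return flags


def flag_codes(flags):
    """Just the codes, sorted, for quick comparison."""
    return sorted({f.split(":", 1)[0] for f in flags})


# Constructed data: last month's payroll and this month's upload.
LAST_BATCH = Batch(
    payments=[Payment("e001", "071000013-11111", 250000),
              Payment("e002", "071000013-22222", 310000),
              Payment("e003", "071000013-33333", 187500)],
    submitted_from="192.0.2.10", approvals=2)

SUSPICIOUS_BATCH = Batch(
    payments=[Payment("e001", "071000013-11111", 250000),
              Payment("e002", "071000013-99999", 310000),  # direct deposit redirected
              Payment("e003", "071000013-33333", 187500),
              Payment("m101", "021000021-40001", 948000),  # "new employees" who are mules
              Payment("m102", "021000021-40002", 951000),
              Payment("m103", "021000021-40003", 947000)],
    submitted_from="203.0.113.50", approvals=1)

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    for flag in review_batch(SUSPICIOUS_BATCH, LAST_BATCH, TRUSTED_NETS):
        print(flag)
```

Running it against the constructed suspicious batch produces four flags (new payees, a changed account, an untrusted source address, and one sign-off short), while last month’s batch checked against itself produces none. None of this replaces the dedicated banking machine or the contract changes; it is the cheap, low-tech verification step that would have caught the classic ZeuS payroll fraud pattern Brian described.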
The Tech Set won an award!
Wow – the Tech Set just won the Greenwood Publishing Group Award for the Best Book in Library Literature. This is the set of books that includes my Microblogging and Lifestreaming in Libraries!! Congrats to my fellow authors and to Elyssa Kroski for pulling this all together!