Security for Libraries (SEC4LIB)

Bob Stromberg bob.stromberg at GMAIL.COM
Thu May 3 16:23:51 EDT 2012


I'm also interested. I think that the "stories" -- the narrative
descriptions of what might happen as patrons use libraries -- help clarify
security issues.

For example, to install the FireSheep add-on for Firefox, all a user needs
to do is restart Firefox (not reboot the computer). What access does this
action give the user to other computers on the same network?

Another: Faronics Deep Freeze resets the computer to a preferred state when
the computer is rebooted. But if the computer is running with downlevel
software, such as Java, Flash, or Adobe Reader, which see very frequent
security updates, is that user vulnerable to drive-by downloads for the
duration of his/her session?

What advice can (and should) libraries give to patrons who are using
public-access PCs to do online shopping and online banking? Or, for that
matter, their own laptops while connected to the library WiFi. Just
watching for https in the address bar (and other patrons shoulder-surfing)
might not be sufficient.

Many Windows 7 PCs have network discovery turned on in the "Public"
location. Whoops.

And Mac OS X computers have sharing options turned on by default, not only
in System Preferences but also in iTunes, iPhoto, or iChat preferences.
Whoops again.

Smartphones can be set up to connect to WiFi networks.

WiFi networks can be set to turn on "wireless isolation" or "AP isolation"
to prevent device-to-device connection. This would prevent wireless access
to printers, and wireless access to patrons' own devices (for example, for
copying photos from a smartphone to a computer).

Lots of topics here....

Bob Stromberg
Round Lake, NY


On Thu, May 3, 2012 at 3:10 PM, Erin Germ <erinlovestechno at gmail.com> wrote:

> I thought I would extend this to the WEB4LIB listserv.
>
> Would anyone be interested in forming an informal SEC4LIB discussion
> group. This would be an informal group to discuss and investigate existing
> security features and shortcomings of library services and applications.
> This would essentially include documenting and pen-testing library
> applications and services.
>
> As background, I'm finishing a second Masters in Cybersecurity and have
> been "investigating" various library software and services. I've been doing
> white-hat investigating on library software and services for about a year
> and reporting discoveries to vendors and sites. My goal is to bring
> attention to the security aspect of library software and services while
> working with vendors/providers to secure their products, services,
> applications, and solutions. If you're interested in the same, please contact
> me.
>
> V/R
>
> Erin Germ

============================

To unsubscribe: http://bit.ly/web4lib

Web4Lib Web Site: http://web4lib.org/

2012-05-03
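To put a concrete mechanism behind Bob's Firesheep and "https in the address bar" questions, here is an added example (not code from the original post, and not Firesheep's own code) showing what a passive sniffer on an open WiFi network without client isolation actually learns, and why a site that logs in over HTTPS but sets its session cookie without the Secure attribute is still exposed. The HTTP requests, cookie names and hostnames (webmail.example.org, opac.example.org, shop.example.com) are constructed for the example; the regex of "session-looking" cookie names is an assumption, not a standard.

```python
"""Why open library WiFi lets one patron hijack another's web session.

Firesheep-style attack: on an unencrypted wireless network without AP/client
isolation, any station can receive the frames of every other station. A site
that authenticates over HTTPS but then serves ordinary pages over plain HTTP
sends the session cookie in the clear on each of those requests, where a
passive sniffer can copy it and replay it from its own browser.

All traffic below is constructed for this example; nothing here was captured
from a real network or site.
"""
import re
from http.cookies import SimpleCookie

# Constructed plaintext HTTP requests, as they would appear in sniffed frames.
SNIFFED_REQUESTS = [
    b"GET /inbox HTTP/1.1\r\nHost: webmail.example.org\r\n"
    b"Cookie: sid=8f3a91c2; lang=en\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /catalog/search?q=security HTTP/1.1\r\nHost: opac.example.org\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",              # anonymous: no cookie at all
    b"POST /cart HTTP/1.1\r\nHost: shop.example.com\r\n"
    b"Cookie: session=deadbeef\r\nContent-Length: 0\r\n\r\n",
]

# Cookie names that usually carry a login session. An assumption for this
# example; Firesheep used per-site handlers that knew the exact cookie names.
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token)", re.I)


def parse_request(raw):
    """Return (host, path, cookies) from one plaintext HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    if "cookie" in headers:
        jar.load(headers["cookie"])
    return headers.get("host", ""), path, {k: m.value for k, m in jar.items()}


def harvest_sessions(raw_requests):
    """What a passive sniffer learns: (host, cookie name, value) per session.

    With the value in hand, the attacker sets the same cookie in their own
    browser and is logged in as the victim; no password is ever seen.
    """
    found = []
    for raw in raw_requests:
        host, _path, cookies = parse_request(raw)
        for name, value in cookies.items():
            if SESSION_NAME_RE.search(name):
                found.append((host, name, value))
    return found


def cookies_exposed_over_http(set_cookie_headers):
    """Names of cookies that the browser will also send over plain http://.

    Seeing https:// in the address bar protects only the pages actually loaded
    over TLS. A cookie set without the Secure attribute is attached to the
    next http:// request to the same host (an image, a redirect, a page the
    site does not serve over TLS), and that request is sniffable.
    """
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for host, name, value in harvest_sessions(SNIFFED_REQUESTS):
        print(f"session cookie for {host}: {name}={value}")
    # Constructed Set-Cookie headers as a site might send them after an HTTPS login.
    print("exposed over http:", cookies_exposed_over_http(
        ["sid=8f3a91c2; Path=/; HttpOnly", "csrf=x; Secure; Path=/"]))
```

The fix on the site side is the Secure attribute (and serving everything over HTTPS); the fix on the library side is client isolation on the WiFi, which stops the sniffing station from seeing other patrons' frames in the first place, at the cost of the device-to-device uses Bob mentions.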