This page contains a single entry from the blog posted on January 22, 2013 2:46 PM. The previous post in this blog was For the "lowest of the low," a new landlord. The next post in this blog is Streetcar lemon guy gets deal for Admiral Randy Memorial Boathouse. Many more can be found on the main index page or by looking through the archives.

E-mail, Feeds, 'n' Stuff

Tuesday, January 22, 2013

Is new library software unsafe to use?

A reader who seems to know something but won't sign his or her real name lobbed something over the transom earlier today. We'll leave it to the intertube experts out there to tell us if it's worth worrying about.

We've noticed in accessing the Multnomah County Library's website the last few days that they're promising "a new website coming in February." Our reader wonders whether it will be secure enough:

As a daily reader of your blog and a fellow supporter of the Multnomah County library, I wanted to mention a startling security concern that I hope you might make public. For anyone that uses the library, this is a big deal:

Something very important and elemental is missing from the library's upcoming redesign: basic web security. The library's web form pages (not the log in page) don't employ the Secure Socket Later (SSL) protocol, leaving users exposed to unnecessary online risk when they fill out the site's online forms.

This means that anyone trying to reach the library through pages in its Contact tab -- including Suggest a purchase, Email a librarian, and Comments and suggestions --- are vulnerable to having their card numbers, PIN numbers, names, emails, phone numbers, etc. exposed. Identity theft crooks look for easy targets first, and this is a day-glow bulls-eye with prison yard spotlighting.

Perhaps this oversight is connected to the offloading of website management to BiblioCommons; that's a whole 'nother issue. But standard online security practices dictate that *any* web page requiring users to provide personal information should employ SSL protocol.

As someone that supports the library through regular use and votes, and who is happy that it now has a permanent (and expensive) source of funding, I have to wonder ... how could someone get this most basic web security issue wrong?

There's likely a personal agenda under that comment, but the reader's motive isn't really the question. Is it a valid concern?

Comments (9)

God what happens in 10 years when 99% of the books are eBooks?

Then again, it'll make it that much easier for big brother to track what you are reading.

In a word, yes. I do not post any information of a personal nature on site without SSL. Currently https shows up when you renew etc on the current site. It looks like one will have to do some discovery steps to see if SSL continues. The OP seems to think (or know?) not.

Is it a valid concern?

Yes, it is a valid concern. As the original author notes, any time any sort of personal information is solicited by a web site with a legitimate (or even illegitimate) reason for doing so, that information should be secured. This includes log-in forms for online services (i.e. forums, blogs, etc., that require users to log in). The amount of unencrypted personal data floating around throughout the ether is amazing. And there are folks (scum mostly) that intentionally purchase server time on mass web hosts with the sole purpose of raking unencrypted data over the intertubes.

SSL certificates are relatively inexpensive these days. There is no excuse for not doing it.

If the online services vendor that the MCL contracts with is not capable of supporting this, they need to find a new vendor that does.

There is likely (but unseen) a 'personal agenda' at root, because that's LIKE every humanmade (not Act-of-Nature) initiative: Someone has a MOTIVE. Behind it. That MOTIVATES it /action /event.
There is always the inevitable 'Why?' As in Who What Where When WHY (and How)?
As in: a Reader. by Email. (at)Bojack. Today. ... but WHY? Which -- the 'Why' -- is NOT reported in 'news' reports anymore these days. Just sayin'. Why not?

The whole Psychological Inflammation promotion, goes on frightening the public with specious threats -- 'identity theft' 'bank account theft' 'reputation theft' -- as long as computer tech remains a mystery. The ordinary person has no idea of internet's operation and, without knowing better then he or she easily believes anything. Somebody can steal your I.D. - be very afraid!

But WHY? Why would 'who' even want your I.D. If you got Big liquid Bucks stashed away -- you're RICH, then maybe someone faking your I.D. could spend it. But if a bank robber in-person robbed your Big Rich bank account, then the bank replaces the ('your') money and absorbs the loss, (insured). Why not if electronic transfer robs it? Why is that not the bank's liability, (insured); Why is there the saturation fear blared and trumpeted that it is your liability?

And so on, in perhaps partial risk exposure danger maybe somewhat, worrisome possibilities sorta are concoctable maybe, for many other hypothetical special cases, but all in all, as a general truth in-fact: for the 99% of us, NObody tries to steal our I.D. Sorry if that deflates anyone's Self-Important Vanity Bubble.

If anyone is going to pry into your personal information, if anyone is going to make you a victim of data theft, then -- like 97-out-of-every-100 personal crimes -- you KNOW the PERP. Person-crime Victims know the Criminals! Friends and acquaintances are the largest cause of personal crimes. Crimes of passion, crimes of envy, crimes of abuse, and embezzlements -- almost always it is someone you know; people get shot by guns that are already in the house and the victim knew it; almost never do strangers burst in, or rob you, and if they do then probably someone you know put them up to it; (again, statistics are different if you have a million dollar Picasso hanging in plain sight, or you don't notice leaving a trail of benjamins falling out of your purse along the sidewalk leading to your front door ....) Real risk of strangers in the real world targeting YOUR I.D. and life-position is less a real worrying threat than the flying fickle finger of Fate finding you, and that finger is fiction.

Yet hundreds of millions of I.D.s and information files are stolen. So Why? Where? Who is stealing? How?
Whoever it is, the FBI can't seem to ever find them. Or do find them and 'they' pull rank and the FBI lets them go. Either way, catching the thieves or letting them go, the public never hears about it. How do they steal? Physical possession. Laptops and harddrives and memory sticks and CD copies and cellphones -- the physical containers of personal information are stolen by grabbing them. Where? Off the seats of unlocked cars; out of office desks, at work by coworkers (you know), at home by roommates (you know); out of purses and briefcases.

The FEAR! PANIC! WORRY! about your personal private information affairs is all incredibly overblown, if you ask me. Why does anyone want your individual information? Self-flattery is the primary source of paranoia.

On the other hand there ARE some 'entities' desiring to have EVERYbody's information, all in one Big Brother master file. Updated daily, or hourly, if possible. (You 'know' who I mean, but even there it remains reasonable to ask Why? 'entities' do it)

Here's a partial list from a curated archive of news reports of data thefts:

Personal data thefts February 2009 - December 2010

Target | Date | Number of persons affected | Type of data | Method

Dean Health Systems, Madison, WI Dec, 2010 3,288 Med data, DOBs Physical theft
Mountain View Medical Center Dec 2010 2,200 Med data, DOBs Physical theft
University of Alberta Dec 2010 2,700 Med data, DOBs Physical theft
University of Arizona Dec 2010 8,300 SSNs, DOBs Physical theft
University of Wisconsin-Madison Dec 2010 60,000 SSNs, DOBs Physical theft
Henry Ford Health System, Detroit Nov 2010 3,700 DOBs, Medical data Physical theft
Messiah College, PA Nov 2010 43,000 SSNs, DOBs Physical theft
Accomack County Virginia Oct 2010 35,000 SSNs, DOBs Physical theft
Keystone Mercy Health Plan Oct 2010 280,000 SSNs, DOBs Physical theft
University of California Davis
Oct 2010 900 SSNs, DOBs Physical theft
City University of New York Sep 2010 7,000 SSNs, DOBs Physical theft
St. Vincent Hospital, Indianapolis
Sep 2010 1,200 SSNs, DOBs Physical theft
Martin Luther King, Jr. Multi-Service Ambulatory Care Center, L.A. Sep 2010 33,000 Medical, DOBs Physical theft
Rice University Sep 2010 7,250 Financial, DOBs Physical theft
Fraser Health Authority (BC) Sep 2010 600 SINs, DOBs Physical theft
City University of New York Sep 2010 7,000 SSNs, DOBs Physical theft
University of Florida Aug 2010 8,300 SSNs, DOBs Physical theft
Yale School of Medicine Aug 2010 1,000 Med data Physical theft
Cook County Health & Hospitals System Aug 2010 7,000 SSNs, DOBs Physical theft
University of Connecticut Aug 2010 10,174 SSNs, DOBs Physical theft
University of Kentucky Aug 2010 2.027 SSNs, DOBs Physical theft
Eastmoreland Surgical Clinic & Vein Center (Portland, OR) Aug 2010 unknown SSNs, DOBs Physical theft
Aultman Health Foundation (OH) Aug 2010 13,800 SSNs, DOBs Physical theft
Oregon Health & Science University Aug 2010 4,000 SSNs, DOBs Physical theft
Portland Community College (OR) Aug 2010 2,900 SSNs, DOBs Physical theft
Fort Worth Allergy and Asthma Associates Aug 2010 25,000 SSNs, DOBs Physical theft
Montefiore Medcial Center, NY Jul 2010 23,000 SSNs, DOBs Physical theft
Texas Children's Hospital Jul 2010 1,600 Med data, DOBs Physical theft
American Airlines Jul 2010 79,000 SSNs, DOBs Physical theft
Prince William County, VA Jul 2010 669 SSNs, DOBs Physical theft
South Shore Hospital, MA Jul 2010 800,000 SSNs, DOBs, med. data Physical theft
Connecticut Dept. of Labor Jul 2010 5,000 SSNs, DOBs Physical theft
Cooper University Hospital, Camden, NJ Jul 2010 unknown SSNs, DOBs Physical theft
Thomas Jefferson University Hospitals Jul 2010 21,000 SSNs, DOBs Physical theft
Rainbow Hospice & Palliative Care, Chicago Jun 2010 unknown SSNs, DOBs Physical theft
West Berkshire Council (UK) Jun 2010 unknown data on children Physical theft
Safe Harbor Med Evaluations Jun 2010 unknown SSNs, DOBs, med. data Physical theft
University of Maine Jun 2010 4,585 SSNs Physical theft
A4e (UK) Jun 2010 24,000 NINs, DOBs Physical theft
Lincoln Medical and Mental Health Center Jun 2010 130,000 Med. data Physical theft
University Hospital (Augusta, GA) Jun 2010 13,000 Med. data Data "Loss"
Caritas Medical Center Jun 2010 3,000 Med. data Physical theft
Oregon National Guard Jun 2010 unknown# SSNs, DOBs Physical theft
Bank of America Jun 2010 unknown SSNs, Tax ID nos, DOBs Physical theft
Safe Harbor Med Evaluations Jun 2010 unknown SSNs, DOBs Physical theft
West Berkshire Council (UK) Jun 2010 unknown "sensitive data" on children Physical theft
Rainbow Hospice and Palliative Care Jun 2010 unknown SSNs, DOBs Physical theft
Cincinnati Children's Hospital Medical Center May 2010 61,027 DOBs, med. data Physical theft
Curtin Manufacturing May 2010 1,990 SSNs, tax data Physical theft
City of Charlotte May 2010 5,220 SSNs, DOBs "Loss"
Peterborough District Hospital (UK) May 2010 1,100 DOBs, med. nos. Physical theft
Oconee Heart Center (SC) May 2010 600 DOBs, Med. nos. Physical theft
New Mexico Human Services Department May 2010 9,500 SSNs, DOBs Physical theft
Dept. of Veterans Affairs May 2010 644 SSNs, DOBs Physical theft
US Army Reserve May 2010 207,000 SSNs, DOBs Physical theft
John Muir Health Apr 2010 5,450 DOBs, Med. nos. Physical theft
LPL Financial Apr 2010 unknown SSNs, DOBs Physical theft
Mass. Eye and Ear Infirmary Apr 2010 3,526 DOBs, Med. nos. Physical theft
Medical Center of Bowling Green Apr 2010 5,416 DOBs, Med. nos. Physical theft
St Jude Medical Heritage Center Apr 2010 20,000 SSNs, DOBs Physical theft
United Imaging Apr 2010 1,700 SSNs, DOBs "Loss"
Massachusetts Eye and Ear Infirmiry Apr 2010 3,526 DOBs, Med data Physical theft
LPL Financial Apr 2010 unknown SSNs, DOBs Physical theft
John Muir Health Apr 2010 5,450 DOBs, Med data Physical theft
Educational Credit Management Corp. Mar 2010 3,300,000 SSNs, DOBs Physical theft
Griffin Hospital Mar 2010 @ 1,000 Radiological data Physical theft
Proxima Alfra Investments LLC Mar 2010 Unknown SSNs, DOBs, tax nos. bank nos. copies of passports Physical theft
Shands Healthcare Mar 2010 12,500 SSNs, DOBs Physical theft
Arrow Electronics, Inc. Mar 2010 4.004 SSNs, DOBs Physical theft
Vanderbilt University Mar 2010 7,174 SSNs, DOBs Physical theft
California State Univ. Los Angeles Mar 2010 232 SSNs, DOBs Physical theft
Connecticut Office of Policy and Management Mar 2010 11,000 SSNs, DOBs Physical theft

The collection of news items is six or seven years deep. 10s and 100s of millions of personal records are already out the barn door ... so, yeah, maybe they should fortify the Security Lock on the browser software on the machines at the Library. seriously?

What, is someone selling security software?

Clean up on aisle #13, verbal mess spattered all over the place by a drive-by Tenskwat.

Yup, I'm guessing it's a problem.

From the "Firesheep" website:


When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.

It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL."

Sorry -- I meant to add that Firesheep is a Firefox plugin designed to hijack other users accounts that don't use SSL. It was written by Eric Butler in 2010 to point out the widely ignored vulnerability.

Hi Jack,

The library’s new website (web.multcolib.org) is currently in the beta testing/Quality Assurance phase and we expect a full launch of the new site next month. The new site will provide a much-improved user experience, including more relevant search results, mobile optimization, translation features, improved accessibility standards and expanded features to discover and share your next good read.

We invite all members of our community to provide feedback on the new library website in a short survey so that we can continue to improve, secure and refine. You can find the survey here.

The site incorporates 256-bit encryption and other best practices to ensure patron privacy. We take patron privacy very seriously and appreciate the community’s efforts to help us in that endeavor. (Read our privacy policy here.) Community feedback is an important part of the planning and implementation of any new website and we certainly value it.

Thank you.

Jeremy Graybill
Marketing and Communications Director
Multnomah County Library

The problem is that the Library website doesn't encrypt ALL the pages you visit while logged in. See the posting above about Firesheep: Once a user is logged in, if that user visits a unencrypted page, their login session cookie is vulnerable to being hijacked.

There's a reason why Facebook, Gmail, Yahoo mail, Amazon and many others moved to 100% SSL in 2010 and 2011. Their users were getting hacked this way. It's not theoretical -- I've seen it in action and helped clean up after.

I urge Mr Graybill to visit this website for info on this simple exploit. http://codebutler.com/firesheep/

Clicky Web Analytics