Is new library software unsafe to use?
A reader who seems to know something but won't sign his or her real name lobbed something over the transom earlier today. We'll leave it to the intertube experts out there to tell us if it's worth worrying about.
We've noticed in accessing the Multnomah County Library's website the last few days that they're promising "a new website coming in February." Our reader wonders whether it will be secure enough:
As a daily reader of your blog and a fellow supporter of the Multnomah County library, I wanted to mention a startling security concern that I hope you might make public. For anyone that uses the library, this is a big deal: Something very important and elemental is missing from the library's upcoming redesign: basic web security. The library's web form pages (not the log in page) don't employ the Secure Sockets Layer (SSL) protocol, leaving users exposed to unnecessary online risk when they fill out the site's online forms.
This means that anyone trying to reach the library through pages in its Contact tab -- including Suggest a purchase, Email a librarian, and Comments and suggestions -- is vulnerable to having their card numbers, PIN numbers, names, emails, phone numbers, etc. exposed. Identity theft crooks look for easy targets first, and this is a day-glow bulls-eye with prison yard spotlighting.
Perhaps this oversight is connected to the offloading of website management to BiblioCommons; that's a whole 'nother issue. But standard online security practices dictate that *any* web page requiring users to provide personal information should employ SSL protocol.
As someone that supports the library through regular use and votes, and who is happy that it now has a permanent (and expensive) source of funding, I have to wonder ... how could someone get this most basic web security issue wrong?
There's likely a personal agenda under that comment, but the reader's motive isn't really the question. Is it a valid concern?
Comments (9)
God what happens in 10 years when 99% of the books are eBooks?
Then again, it'll make it that much easier for big brother to track what you are reading.
Posted by Steve | January 22, 2013 3:57 PM
In a word, yes. I do not post any information of a personal nature on a site without SSL. Currently https shows up when you renew etc on the current site. It looks like one will have to do some discovery steps to see if SSL continues. The OP seems to think (or know?) not.
Posted by Starbuck | January 22, 2013 4:00 PM
Is it a valid concern?
Yes, it is a valid concern. As the original author notes, any time any sort of personal information is solicited by a web site with a legitimate (or even illegitimate) reason for doing so, that information should be secured. This includes log-in forms for online services (i.e. forums, blogs, etc., that require users to log in). The amount of unencrypted personal data floating around throughout the ether is amazing. And there are folks (scum mostly) that intentionally purchase server time on mass web hosts with the sole purpose of raking unencrypted data over the intertubes.
SSL certificates are relatively inexpensive these days. There is no excuse for not doing it.
If the online services vendor that the MCL contracts with is not capable of supporting this, they need to find a new vendor that does.
Posted by J S | January 22, 2013 5:15 PM
There is likely (but unseen) a 'personal agenda' at root, because that's LIKE every humanmade (not Act-of-Nature) initiative: Someone has a MOTIVE. Behind it. That MOTIVATES it /action /event.
There is always the inevitable 'Why?' As in Who What Where When WHY (and How)?
As in: a Reader. by Email. (at)Bojack. Today. ... but WHY? Which -- the 'Why' -- is NOT reported in 'news' reports anymore these days. Just sayin'. Why not?
The whole Psychological Inflammation promotion, goes on frightening the public with specious threats -- 'identity theft' 'bank account theft' 'reputation theft' -- as long as computer tech remains a mystery. The ordinary person has no idea of internet's operation and, without knowing better then he or she easily believes anything. Somebody can steal your I.D. - be very afraid!
But WHY? Why would 'who' even want your I.D. If you got Big liquid Bucks stashed away -- you're RICH, then maybe someone faking your I.D. could spend it. But if a bank robber in-person robbed your Big Rich bank account, then the bank replaces the ('your') money and absorbs the loss, (insured). Why not if electronic transfer robs it? Why is that not the bank's liability, (insured); Why is there the saturation fear blared and trumpeted that it is your liability?
And so on, in perhaps partial risk exposure danger maybe somewhat, worrisome possibilities sorta are concoctable maybe, for many other hypothetical special cases, but all in all, as a general truth in-fact: for the 99% of us, NObody tries to steal our I.D. Sorry if that deflates anyone's Self-Important Vanity Bubble.
If anyone is going to pry into your personal information, if anyone is going to make you a victim of data theft, then -- like 97-out-of-every-100 personal crimes -- you KNOW the PERP. Person-crime Victims know the Criminals! Friends and acquaintances are the largest cause of personal crimes. Crimes of passion, crimes of envy, crimes of abuse, and embezzlements -- almost always it is someone you know; people get shot by guns that are already in the house and the victim knew it; almost never do strangers burst in, or rob you, and if they do then probably someone you know put them up to it; (again, statistics are different if you have a million dollar Picasso hanging in plain sight, or you don't notice leaving a trail of benjamins falling out of your purse along the sidewalk leading to your front door ....) Real risk of strangers in the real world targeting YOUR I.D. and life-position is less a real worrying threat than the flying fickle finger of Fate finding you, and that finger is fiction.
Yet hundreds of millions of I.D.s and information files are stolen. So Why? Where? Who is stealing? How?
Whoever it is, the FBI can't seem to ever find them. Or do find them and 'they' pull rank and the FBI lets them go. Either way, catching the thieves or letting them go, the public never hears about it. How do they steal? Physical possession. Laptops and harddrives and memory sticks and CD copies and cellphones -- the physical containers of personal information are stolen by grabbing them. Where? Off the seats of unlocked cars; out of office desks, at work by coworkers (you know), at home by roommates (you know); out of purses and briefcases.
The FEAR! PANIC! WORRY! about your personal private information affairs is all incredibly overblown, if you ask me. Why does anyone want your individual information? Self-flattery is the primary source of paranoia.
On the other hand there ARE some 'entities' desiring to have EVERYbody's information, all in one Big Brother master file. Updated daily, or hourly, if possible. (You 'know' who I mean, but even there it remains reasonable to ask Why? 'entities' do it)
Here's a partial list from a curated archive of news reports of data thefts:
The collection of news items is six or seven years deep. 10s and 100s of millions of personal records are already out the barn door ... so, yeah, maybe they should fortify the Security Lock on the browser software on the machines at the Library. seriously? What, is someone selling security software?
Posted by Tenskwatawa | January 22, 2013 6:12 PM
Clean up on aisle #13, verbal mess spattered all over the place by a drive-by Tenskwat.
Posted by Harry | January 22, 2013 7:02 PM
Yup, I'm guessing it's a problem.
From the "Firesheep" website:
"Firesheep
When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL."
Posted by ITGuy | January 23, 2013 1:31 AM
Sorry -- I meant to add that Firesheep is a Firefox plugin designed to hijack other users' accounts that don't use SSL. It was written by Eric Butler in 2010 to point out the widely ignored vulnerability.
Posted by ITGuy | January 23, 2013 1:38 AM
Hi Jack,
The library’s new website (web.multcolib.org) is currently in the beta testing/Quality Assurance phase and we expect a full launch of the new site next month. The new site will provide a much-improved user experience, including more relevant search results, mobile optimization, translation features, improved accessibility standards and expanded features to discover and share your next good read.
We invite all members of our community to provide feedback on the new library website in a short survey so that we can continue to improve, secure and refine. You can find the survey here.
The site incorporates 256-bit encryption and other best practices to ensure patron privacy. We take patron privacy very seriously and appreciate the community’s efforts to help us in that endeavor. (Read our privacy policy here.) Community feedback is an important part of the planning and implementation of any new website and we certainly value it.
Thank you.
Jeremy Graybill
Marketing and Communications Director
Multnomah County Library
503.793.0881
jeremyg@multcolib.org
web.multcolib.org
Posted by Jeremy Graybill | January 23, 2013 3:20 PM
The problem is that the Library website doesn't encrypt ALL the pages you visit while logged in. See the posting above about Firesheep: Once a user is logged in, if that user visits an unencrypted page, their login session cookie is vulnerable to being hijacked.
There's a reason why Facebook, Gmail, Yahoo mail, Amazon and many others moved to 100% SSL in 2010 and 2011. Their users were getting hacked this way. It's not theoretical -- I've seen it in action and helped clean up after.
I urge Mr Graybill to visit this website for info on this simple exploit. http://codebutler.com/firesheep/
Posted by ITGuy | January 23, 2013 9:55 PM
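An added example, not part of the original post or its comments: a small Python check a site owner could run over fetched pages for the two weaknesses raised in this thread, forms that submit over plain HTTP and session cookies set without the Secure attribute (it also notes a missing Strict-Transport-Security header, which goes slightly beyond the thread). The hostname library.example, the paths and the cookie name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_page(url, headers, html):
    """Findings for one fetched page: URL, (name, value) headers, HTML body."""
    findings = []
    is_https = urlsplit(url).scheme == "https"
    if not is_https:
        findings.append(f"page served without TLS: {url}")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        flags = {p.strip().lower() for p in value.split(";")[1:]}
        if "secure" not in flags:
            cookie = value.split("=", 1)[0].strip()
            findings.append(f"cookie {cookie} lacks Secure, so it rides on plain-HTTP requests")
    if is_https and not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    collector = FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urljoin(url, action)  # an empty action posts back to the page URL
        if urlsplit(target).scheme != "https":
            findings.append(f"form submits in cleartext to {target}")
    return findings

# Constructed sample responses; hostname, paths and cookie name are made up.
LOGIN = ("https://library.example/login",
         [("Set-Cookie", "session=abc123; Path=/; HttpOnly")],
         '<form action="/login" method="post"></form>')
CONTACT = ("http://library.example/contact/suggest", [],
           '<form method="post"><input name="card_number"></form>')
HARDENED = ("https://library.example/contact/suggest",
            [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
             ("Strict-Transport-Security", "max-age=31536000")],
            '<form action="/contact/suggest" method="post"></form>')
if __name__ == "__main__":
    for sample in (LOGIN, CONTACT, HARDENED):
        print(sample[0], audit_page(*sample))
```

The LOGIN sample mirrors the situation described in the comments: the login itself is encrypted, but the session cookie is issued without Secure, so any later plain-HTTP page view carries it in the clear.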