[CODE4LIB] security and privacy in RFPs



Eric Hellman recently announced a blog post on the Code4Lib listserv that’s well worth your time:

I recently wrote a blog post about password security in library subscribed databases based on an RFP by a state agency subject to public disclosure laws. The results were very revealing, but it covered only a small set of vendors.
http://go-to-hellman.blogspot.com/2015/02/passwords-are-stored-in-plain-text.html

I would be very interested to learn of RFPs for library automation software, ebook delivery platforms, etc. subject to similar public disclosure rules that asked questions relevant to privacy and security in libraries.

Contact me on or off list.

Breaking News: NARA Data Breach

A data breach has taken place at the National Archives, the latest in a string at major U.S. agencies.

Details on the breach were scarce Wednesday, though the incident was confirmed to The Hill by National Archives Acting Inspector General James Springs.

Several officials at the agency acknowledged the breach but would not disclose details.

More info here: http://thehill.com/policy/cybersecurity/233825-national-archives-hit-with-data-breach

Edit: The original article was updated late in the day yesterday with the above quote removed. It’s unclear what actually happened other than a very suspicious YouTube video: http://www.washingtontimes.com/news/2015/feb/26/national-archives-hacked-investigators-kick-into-h/

Cyber Risk Management for Libraries



Libraries have unique cyber security risks in relation to their interaction with public data and the private thoughts of their patrons. Developing and delivering a risk management program that addresses every cyber security issue or concern in an environment with limited IT resources is not only impractical to implement, but impossible to maintain—librarians should instead prioritize and focus on high probability cyber risks to guide their cyber defense efforts.

Image Source: Privatewifi.com


The field of journalism, which also aims to disseminate unbiased information to the public, provides us with an excellent case study. Most in the field are not technology experts; even so, the most prominent journalism companies in the country have faced threats.

For example, in 2013 Chinese hackers obtained the passwords of every New York Times employee while at the same time, the U.S. Justice Department surreptitiously obtained phone records of Associated Press employees. In response to these threats, journalists have been forced to learn how to use public key cryptography, Tor, and other methods to protect their sources. Similarly, in 2015 the DC Public Library began an outreach and education program to teach patrons how to use these tools.

OCTAVE Allegro Workflow

Image Source: ISACA.org

Software tools and training may work well for individuals, but they’re not 100% effective. Establishing clear policies and procedures based on a cyber risk management assessment framework like OCTAVE Allegro helps mitigate cyber risks and reduce harm in the event of an attack.

But first, library staff members or 3rd party consultants must step in to identify problem areas. To put it another way—you can’t patch a system without first looking for holes.

If you would like to hear more about cyber risk management for libraries, please comment and/or subscribe! This is the first post in a series about cyber risk management by Chris Markman and I’d love to hear your feedback. Thanks!

This post is about physical security, but still relevant . . .

Best of Publib - Public Library Discussion and Publib Listserve Analysis

Surviving Workplace Violence


On December 13th Library Director Susan Pieper with the Paulding County Library in Ohio offered this timely post on Publib:

I shared this short video with my staff during a staff meeting this fall. Homeland Security released it and in light of the recent tragic shootings, I think every library staff and every citizen should watch it:


The video was produced with a Department of Homeland Security Grant by the City of Houston Mayor’s Office of Public Safety and Homeland Security. It includes three key concepts ~

RUN – When an active shooter is in your vicinity:

  • If there is an escape path, attempt to evacuate
  • Leave your belongings behind.
  • Help others escape if possible.
  • Prevent others from entering the area.
  • Call 911 when you are safe.

HIDE – When Escape is not possible:

  • Lock and / or blockade the door.
  • Silence your cell phone.
  • Hide behind…


The ‘Official’ Sec4Lib Listserve



Reposted from Web4Lib according to Erin Germ ~

With the help of Eric Lease Morgan, an official *listserv has been created. Blake Carver, Eric, and (Erin Germ) will be managing the listserv to start.

List address:

List archives web page

To join the SEC4LIB listserv please visit the above URL.

If you have already joined the SEC4LIB Google Group, I will be importing those members into the SEC4LIB nd.edu listserv in a week or two. If you do not want your contact information imported into the nd.edu SEC4LIB listserv, please remove yourself from the Google Group by Wednesday, May 16th.

~Erin Germ

* Editor’s note: LISTSERV is actually the name of a former freeware product that is available for purchase from L-Soft. The term LISTSERV is being used here to generically indicate a discussion group, not necessarily the deployment of a LISTSERV product from L-Soft to facilitate discussion.

Security4Lib and Blake Carver’s List



I jumped the gun and set up this site yesterday at: https://sec4lib.wordpress.com/

I didn’t realize that Blake Carver with http://lisnews.com already had a sophisticated site and a list with a very similar name up and running. I am reposting his info here to help advertise his site:

On Thu, May 3, 2012 at 8:43 PM, Blake Carver <lists@lisnews.com> wrote:
Oh! Glad to see so much interest, this has been a big topic for me lately. I have a new(ish) site and list running at http://security4lib.org/

The list is here:

I set that site up a few months ago, but never had time to finish things up, so if anyone is interested in contributing to the site or the wiki or anything else let me know.

I’ve been writing and presenting on IT Security for Libraries for a while now, you can find my writings and slides on LISNews:

-Blake Carver

I will be leaving this WordPress site up as a place for contributors who want to publish their thoughts and research on library infosec. I have a few papers that I have written that I will be sharing soon once I finish out this semester.

Security for Libraries



Information Security

Information Security Procedures

Purpose: A SEC4LIB discussion group to discuss and investigate existing security features and shortcomings of library services and applications including:

  • documenting and pen-testing library applications and services
  • bringing attention to the security aspect of library software and services
  • information applicable to library information services professionals on general aspects of library security