December 10, 2017

Keeping Library Content Secure | From the Bell Tower

Steven Bell

Illegally breaking into licensed library content doesn’t require sophisticated hacking skills—just a legitimate network account. Higher education recently discovered such accounts for sale on the Internet. Do we have good options for preventing thefts?

We see on a fairly regular basis news reports of the latest mass theft of private information. Most recently it was Home Depot that lost millions of credit card account numbers to hackers. Before that it was Target. We wince when we hear the news and check to determine if we were personally victimized by the attack. The increasing regularity of mass data breaches numbs us to their occurrence. Even if it momentarily captures our attention we are no longer surprised or shocked when it happens. That mindset could easily have applied to me up until a week ago. I’m enrolled in an online course in instruction learning and technology. It isn’t a MOOC (massive open online course). Just a regular old for-credit graduate course. This past week the course covered Internet privacy and data security issues. The readings and activities got me thinking more about the prevalence of data theft. Then some news broke that revealed a disturbing trend in the rise of a black market for higher education network accounts. Academic libraries are particularly vulnerable to being compromised by this turn of events.

Organized Crime

Academic libraries, both large and small, have likely gotten the “call” from a database representative to inform the librarian that an account from his or her college is being used to download massive amounts of database content. It is a fairly rare occurrence, but when it does happen it is typically the result of account abuse: one of our students has shared his network account with a friend or relative. The student may think his action is consequence-free, having little sense his carelessness could jeopardize the library’s access to a particular resource. Once discovered, the offending account is blocked and all is well. Take that scenario and multiply it hundreds of times across dozens of higher education institutions. Now we are talking some serious theft of data. Higher education news sources reported that the Taobao consumer-to-consumer e-commerce search engine was offering stolen university network accounts at bargain basement prices as low as 16 cents. One of the suggested applications was the use of academic databases, as well as research assistance from librarians. The list of compromised U.S. institutions includes mostly big name institutions. Could it happen to more of us?

Constant Threat

As we go about our daily computer and networking activities, checking our email or searching the web, we do so largely unaware that our institution is under constant attack by hackers, scammers, and thieves seeking to break in and gather as much personal data as possible. Higher education institutions are considered primary targets for research information, student data, and even access to expensive databases. The good news, if there is any, is that once obtained, these pirated accounts are typically used to obtain purchasing discounts that require an edu email address. For example, someone may want to obtain an expensive software package that is discounted by hundreds of dollars for college students. Buying an edu account for less than a dollar and using it to save hundreds is a pretty good deal. Less frequently the accounts are used to access the university’s network. That’s because it is riskier for the illegal account owner. A Purdue University IT spokesperson quoted in an Inside Higher Ed article confirmed this but refused to divulge any details on how it might work for fear of giving away any information that could make Purdue more susceptible to network assaults. So I thought I’d check in with my own institution’s computer security expert. Guess what? After confirming that the news of the account theft represents a serious threat to higher education IT, he could offer no additional information because to divulge it could potentially undermine our security protection efforts. Talk about secrecy—but for a good cause. I was told this is a daily battle our universities face, and much of the effort is directed at keeping faculty, students, and staff from falling prey to phishing scams, which is actually how many accounts are compromised, pirated, and then sold in foreign markets. Another problem we cause is failing to safeguard private university information while using unsecured public wireless networks. 
We’re not giving our IT colleagues much help in the constant struggle to keep our Internet tubes safe for higher education.

Lost Cause?

Who will be next to experience the loss of private information that is then used for theft of services? It could be your college or mine. Even if hijacked accounts are less frequently used to illegally tap into our licensed research databases, we should be concerned that our own networked resources can become the conduit for data theft. There is a certain level of responsibility we all carry to protect other institutions as well as our vendor partners from Internet crime. Is there much we can do, though, to prevent it? If our colleagues in IT security have no surefire ways to safeguard against password theft then that bodes poorly for our own efforts.

Taking a Role in the Battle

There is one area in which academic librarians could make a positive contribution. Since many of the abuses originate with poor security practices, be it weak passwords or falling victim to phishing schemes for network account data, why not use the academic library’s existing information education infrastructure to bring more attention and awareness to the problem? I may be in the minority on this one, but this type of information literacy seems to me just a tad more critical than helping students figure out where the comma goes in a formatted citation. Though you’d think by now that everyone, particularly digitally native college students, would be able to quickly spot a phishing email or avoid account sharing, that’s just not the case. Just last week at my institution, the head of IT had to alert the entire university to a particularly effective phishing scheme that involved a well-crafted email message from our president and a phony, but quite realistic, version of our own website. Multiple individuals had already fallen victim by giving away their personal account data. The situation, unfortunately, is likely to worsen. Academic librarians can begin an awareness and education campaign by starting with themselves, and making sure that we are part of the solution and not the problem.

About Steven Bell

Steven Bell, Associate University Librarian, Temple University, Philadelphia, PA, is the current vice president/president-elect of ACRL. For more from Steven visit his blogs, Kept-Up Academic Librarian, ACRLog and Designing Better Libraries or visit his website.


Comments

  1. One institution I worked at once discovered that a less-than-scrupulous Chinese post-secondary institution had downloaded masses of its content and was using the pirated material as its library! This wasn’t one user – this was actually the institution. Yikes.

  2. Nicholas Allegra is absolutely not the first iOS hacker retained by Apple. Very often in corporate environments it is very easy to walk around an office and gain access to their systems just by looking out for Post-it notes attached to screens or desks.
    Their hardware seems to be the best quality out there for mainstream computers.