
COMPUTERS IN LIBRARIES

feature: protecting public access computers

HOW YOU CAN PROTECT PUBLIC ACCESS COMPUTERS and Their Users

By PHIL HUANG

By providing the public with online computing facilities, librarians make available a world of information resources beyond their traditional print materials. Internet-connected computers in libraries greatly enhance the opportunity for patrons to enjoy the benefits of the digital age. Unfortunately, as hackers become more sophisticated and software gets more complex, online security threats escalate as well. Keeping shared public access computers (PACs) safe has become more challenging than ever.

While there is no practical way to guarantee that a computer in a public setting is immune to threats, and no user on such a computer can surf the Internet risk-free, we owe it to ourselves and to our patrons to work diligently and to be vigilant over the public stations and their users' online safety. You can have 100 patrons working on 100 desktops and things may seem hunky-dory, but it only takes a single breach to rapidly compromise the other 99 computers, their users, plus a host of behind-the-scenes networks and servers. The stakes are high.

On a brighter note, if you take a proactive approach to protecting the health of your computing system and your users, you can mitigate the security risk before painful damage occurs. Waging the battle against hackers' threats can be difficult and expensive in terms of hardware and software costs and personnel resources. But an ounce of prevention, a few relatively simple steps carried out on a regular basis, can make a big difference.


Protecting the Digital Areas of Your Physical Space

So what can you do to protect your public computers? I've outlined some common considerations to tighten up security for a PAC. Of course, each library has its own unique situation, and procedures can vary.

16 | MAY 2007 » www.infotoday.com


Have a Good First Line of Defense

The first line of defense of a public access workstation is its operating system (OS) and the indispensable security software such as firewalls and software to fight malware, including viruses, worms, Trojan horses, spyware, etc. You must keep your OS and anti-malware up-to-date.

In 2006, Microsoft issued updates to patch 97 "critical" security holes, 14 of which were known as "zero-day" threats. This means perpetrators had been one step ahead and had already started exploiting the vulnerabilities before a patch was available. Microsoft's products remain the most popular targets for hacker attacks. Internet Explorer attracts about 77 percent of all browser attacks. But there is actually no safe haven here, and threats plague all platforms and major vendors' products. In March of 2007, Apple released a security update, the seventh in 3 months, for its Mac OS X to plug 45 security holes, including several zero-day vulnerabilities. Similar stories were reported about Symantec antivirus products and those of other big-name vendors. You should always enable the auto-update of patches and anti-malware definitions. As the assaults from cybercrooks intensify, you really need to run updates and patches as frequently as possible, probably a couple of times a week. Verify that they actually took hold, too: if a station runs restore-on-reboot software (discussed below), patches installed while that protection is active are thrown away at the next reboot unless you update the protected baseline.

Use Third-Party Utilities

The nature of a computer that is always exposed in a public environment requires that it can withstand things ranging from unwitting misuse to deliberate abuse or hacking. You have to look for third-party utilities that are specially designed to beef up the security of the workstation. Many libraries use restriction-based products that disable a number of functions so users can't install or run unauthorized executable files and such.

Another type of utility allows a person to work on the computer without feeling "locked down." With these sorts of tools, users can do a lot of things just as they would on a private computer, but upon logoff or reboot, everything is restored to its original state. Note that a hacker can possibly exploit this latitude to breach the network and to launch an attack on other computers: the restore protects the disk of that one station, not the network it is attached to, and nothing the session did over the network is undone at reboot. So you can't really forgo the principle of least privilege. (That means giving each person just enough access to do his or her job, but no more.) So use restraint in conjunction with this more permissive approach.

If a Web browser is the only application you offer on a public computer, then running in kiosk mode is still a good choice due to its simplicity. (In kiosk mode, many browser functions are locked down.) Both IE and Firefox can run this way: IE has a built-in kiosk switch (start it as iexplore -k), while Firefox relies on an add-on. With proper configuration of the browser, and maybe the help of a third-party program, you can default the Web to full screen and disable all menus, toolbars, key commands, and the like. Check the escape hatches as well: a file-open or save dialog, a help window, or a new-window shortcut can hand a patron a full desktop if the rest of the account is not locked down too.

Change Defaults and Set Controls

After installing the OS, firewall, anti-malware software, and applications, it is necessary to change the out-of-the-box default settings. Default username/password combinations (often "user" and "password") must be changed. As for setting the security/privacy level of major browsers (IE, Firefox, Safari) and production software like Office, all of them allow you to tune up or down with a fair amount of control. For public computers, "high" is your best bet. Block pop-ups, which are often used by hackers to trick users into allowing their malware to slip in. Be particularly wary of ActiveX, JavaScript, and Office macros on public stations. Disable them, or, at minimum, make the application warn the user of the security implication before a Web site downloads, installs, and runs programs on the computer.

A simple and effective way to better protect user privacy is to use cleanup software, which can be set to frequently get rid of unwanted files (including those saved in the temporary folder by users) and those generated by Web browsers and other applications such as Word. Some libraries activate the cleanup at the end of each user session. That is a good practice if conditions allow.

Perform Regular Monitoring

Monitoring and scanning for malware on a routine basis will expose minor problems before they turn into major incidents. Check logs often (the OS's own security and application logs, the firewall's, and those of your lockdown software); they might reveal things that are indicative of suspicious activities on computers and may hint where vulnerabilities are. With a list of potential trouble spots in hand, you can take steps to address, patch, and fix.
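The log check described above, as an added example that is not part of the original article: a small Python scanner that reads a handful of constructed log lines and flags three things a librarian would want to know about, namely a burst of failed logons against one account on one station, a program started from a folder patrons can write to, and a new account being created on a public station. The line format, the event names, the thresholds and the list of user-writable folders are all assumptions made for this example; Windows event logs and third-party lockdown tools have their own formats, so the parser is the part to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real library logs). The format
# "timestamp host EVENT key=value ..." is an assumption for this example.
SAMPLE_LOG = """\
2007-05-01T10:02:11 pac-07 LOGON_FAILED user=patron src=console
2007-05-01T10:02:15 pac-07 LOGON_FAILED user=patron src=console
2007-05-01T10:02:19 pac-07 LOGON_FAILED user=administrator src=console
2007-05-01T10:02:22 pac-07 LOGON_FAILED user=administrator src=console
2007-05-01T10:02:26 pac-07 LOGON_FAILED user=administrator src=console
2007-05-01T10:05:40 pac-03 LOGON_OK user=patron src=console
2007-05-01T10:07:02 pac-03 PROCESS_START user=patron image=C:\\Users\\patron\\AppData\\Local\\Temp\\fun.txt.exe
2007-05-01T10:09:55 pac-03 ACCOUNT_CREATED user=patron target=svc_update
2007-05-01T11:30:00 pac-11 LOGON_OK user=patron src=console
2007-05-01T11:31:10 pac-11 PROCESS_START user=patron image=C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)\s*(.*)$")
# key=value pairs; a value may contain spaces, so read up to the next " key="
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Folders a patron can write to (assumed layout). A program starting from one
# of them should have been blocked by the restriction software.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)

FAILED_LOGON_THRESHOLD = 3            # assumed tuning values
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    return {"time": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def scan_log(text):
    """Return a list of findings, each a dict with host, kind and detail."""
    findings = []
    failures = defaultdict(list)  # (host, user) -> [timestamps of failed logons]
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ev = rec["event"]
        if ev == "LOGON_FAILED":
            failures[(rec["host"], rec.get("user", "?"))].append(rec["time"])
        elif ev == "PROCESS_START" and USER_WRITABLE.search(rec.get("image", "")):
            findings.append({"host": rec["host"], "kind": "exec_from_user_dir",
                             "detail": rec["image"]})
        elif ev == "ACCOUNT_CREATED":
            # Patrons have no business creating accounts on a public station.
            findings.append({"host": rec["host"], "kind": "account_created",
                             "detail": rec.get("target", "?")})
    # Password guessing: THRESHOLD failures against one account on one host
    # inside the window. One finding per (host, user), not one per line.
    for (host, user), times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGON_THRESHOLD + 1):
            if times[i + FAILED_LOGON_THRESHOLD - 1] - times[i] <= FAILED_LOGON_WINDOW:
                findings.append({"host": host, "kind": "logon_failure_burst",
                                 "detail": f"{FAILED_LOGON_THRESHOLD}+ failures for {user}"})
                break
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['host']}: {f['kind']} ({f['detail']})")
```

Run on the sample it reports the administrator guessing on pac-07, the program launched from a Temp folder on pac-03 and the account created there; the two patron failures on pac-07 stay below the threshold and the Firefox start on pac-11 is ignored.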

Do Physical Inspections

Librarians should physically check public computers on a periodic basis for unauthorized hardware tampering. What's the need? A determined identity thief can use a hardware-based key logger. He or she could attach a camouflaged, compact device that looks just like an ordinary keyboard plug to the back of a workstation within seconds. Undetectable by software scanners and unnoticeable to people like you and me, it can quietly record approximately 12 months' worth of typing, with date/time stamps. Sound outlandish? Key loggers are sold on the Internet and they can make their way to your library. When you inspect, check that the keyboard cable runs straight into its port with nothing in between, and where possible place the towers so that patrons cannot reach the back.

Have a Use and Security Policy

Last and certainly not the least important is that a library must have a computer use and security policy in place, and staffers have to make the policy abundantly clear to the patrons. The policy should include the acceptable and unacceptable uses, users' responsibility, how the library enforces the policy, safety cautions, and a disclaimer.

Pointers for Patrons' Health

User security education is vital in helping patrons stay digitally safe. No matter how tightly a workstation is configured for security, ultimately it is the user's knowledge and actions that will steer him or her clear of the Internet pitfalls. Use signage, on-screen messages, fliers, and personal reminders to warn them about viruses, spyware, online scams, and other threats. Explain the measures they can take to avoid or mitigate risks in 15-minute walk-in workshops. These will help people maintain a keen awareness of security issues and be safer users of Internet resources. The following are a few points worth repeating to people who use your public access computers.

Don't Enter Sensitive Info on PACs

There should be no e-banking, online shopping with a credit card, or stock trading. Despite the implementation of the latest crime-fighting technology, there isn't complete protection on any PC, let alone a computer in a public setting. Determined crooks can unleash spyware on a public computer or install things like key loggers to catch each and every keystroke, including your password, name, address, Social Security number, and even credit card numbers.

Beware of Snoops

Never leave a session unattended while logged in, and always be on the lookout for "over-the-shoulder surfers" in a public environment.

Do Secure Login and Logout

When people log in to a secure site, make sure they see the padlock, and that they later log out properly. People should not use email without a secure sign-in mechanism. If the URL area where you type in the Web address does not start with https:// (the "s" before the colon indicates it is secure), and you don't see a padlock near the URL area or the bottom area of the browser, then do not enter your password. To be extra careful, you can click the lock icon to bring up information on the security certificate, which should bear the name of the site consistent with the site name in the URL. Keep in mind what the padlock does and does not tell you: it means the connection to that host is encrypted and the certificate matches the name in the address bar, not that the site itself is honest, so a look-alike name (the bank's name in front of a stranger's domain) still deserves suspicion.
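The address-bar check in the paragraph above, written out as code so the rule is precise. This is an added example, not code from the article: the browser performs this check itself, and the function only mirrors it so the reader can see exactly what "a certificate name consistent with the URL" means, including the wildcard rule. The site names are constructed under the reserved .example and .test domains.

```python
from urllib.parse import urlsplit


def hostname_matches(hostname, pattern):
    """RFC 6125-style match of a host against one certificate DNS name.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so "*.example.org" covers "mail.example.org" but
    neither "example.org" nor "a.b.example.org", and "*.org" is rejected.
    """
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or "*" in pat[1:] or len(pat_labels) < 3:
        return False  # only "*.domain.tld"-style wildcards are accepted
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def password_entry_is_safe(url, cert_dns_names):
    """Mirror the two checks the text asks patrons to make before typing a
    password: the page came over https, and the certificate was issued for
    the host shown in the address bar. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https: anything typed travels in the clear"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if any(hostname_matches(host, name) for name in cert_dns_names):
        return True, f"certificate is issued to {host}"
    # A look-alike such as www.bank.example.evil.test fails here: the bank's
    # name is present, but the certificate is not for that host.
    return False, f"certificate names {sorted(cert_dns_names)} do not cover {host}"


if __name__ == "__main__":
    BANK_CERT = ["www.bank.example", "bank.example"]  # constructed, not a real site
    for url in ["https://www.bank.example/login",
                "http://www.bank.example/login",
                "https://www.bank.example.evil.test/login"]:
        print(url, password_entry_is_safe(url, BANK_CERT))
```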


It's important for people to know that if they just close up a Web window without clicking the "Sign off" or "Log out" button, their sessions can still be active. So the next person to jump onto the same computer can continue from exactly where they left off, and can dig out a lot of private information.

Do Not Open Email Attachments

The bad guys often use attachments with email or instant messaging (IM) to spread a virus or worm. If an attachment is a simple text file with a .txt file extension, it's probably safe. Treat everything else, including picture files and music files, with caution. Watch for double extensions like "fun.txt.exe": Windows hides the final extension of known file types by default, so such a file shows up as "fun.txt" and can slip past a quick glance (and sometimes past virus detection software). If you see one, you can almost be certain it is a virus. Tell your patrons that an innocent click can wreak havoc on them and all of the friends in their address books. Open an attachment only when you know the sender well and you are expecting such an attachment.
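The double-extension warning above, as an added example that is not from the original article: a name-only classifier of the kind a mail filter or a staff member could apply to attachments. It goes one step beyond the text and also catches a right-to-left override character, another way a file name can lie about its type; the extension lists and verdict names are assumptions made for this example, and the function looks at the name only, never the content.

```python
# Extensions Windows will execute or script-run when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "cpl", "jar", "lnk"}
# Harmless-looking extensions commonly used as the decoy half of a double
# extension, as in "fun.txt.exe" (assumed list).
DECOY_EXTS = {"txt", "jpg", "jpeg", "gif", "png", "mp3", "doc", "pdf", "htm", "html"}
# Right-to-left override: reverses how the rest of the name is drawn, so
# "invoice\u202ecod.exe" is displayed as "invoiceexe.doc".
RTLO = "\u202e"


def assess_attachment(filename):
    """Classify an attachment name as 'text', 'executable', 'disguised' or 'caution'.

    Returns (verdict, reason). 'disguised' means the name is built to look like
    something other than the executable it is; treat it as malicious.
    """
    # Windows ignores trailing spaces and dots, so "fun.txt.exe " is still an exe.
    name = filename.strip().rstrip(".")
    if RTLO in name:
        # Generalisation beyond the double-extension trick in the text.
        return "disguised", "bidirectional override character hides the real extension"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "caution", "no extension"
    exts = parts[1:]
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return "disguised", f"executable .{final} hidden behind .{exts[-2]}"
        return "executable", f".{final} runs code when opened"
    if final == "txt":
        return "text", "plain text, probably safe"
    return "caution", f".{final} can still carry an exploit; open only if expected"


if __name__ == "__main__":
    # Constructed names, not real attachments.
    for n in ["fun.txt.exe", "setup.exe", "notes.txt", "photo.jpg", "README",
              "holiday.JPG.scr", "invoice\u202ecod.exe"]:
        print(repr(n), assess_attachment(n))
```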

Use a Temporary Password

On a public workstation, since people have no way of knowing for sure if a key logger or other tracking software is running on the machine, their passwords are subject to theft, no matter how strong they are. If a person does want to check email, one workaround is to use a temporary password, then change it back as soon as the person gets back to his or her private computer; the exposure lasts only until that change is made. Better still, create a secondary email account for casual usage on a public station.

Cover Your Tracks

Some libraries use permissive security control software, opting for a more liberal approach to patrons' latitude in using applications on PACs. Such configurations can leave more of the safety-related responsibility on the shoulders of the user. In such cases, the librarians should remind users to do a number of things when they're finished with the computer:

1. Uncheck the "Remember me on this computer" option when entering username and password.

2. Remove cookies and caches.


3. Delete any saved name and password files.

4. Erase the browser history, search entries, etc.


If patrons do this when ending a session, then snoopers can't use special tools to track innocent people's surfing records or collect their temporarily saved data (including passwords).
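The end-of-session cleanup recommended earlier (under "Change Defaults and Set Controls") and the four "Cover Your Tracks" steps above, as one added example that is not the article's own code: a Python routine that empties the temporary folder and removes browser cache, cookies, history and saved passwords from a patron profile, which is what cleanup software does for the patron who forgets. The profile layout and file names are assumptions made for the example (real browsers keep these files elsewhere, so the target list must be adapted), and the demo tree is constructed so the routine runs offline. It refuses to follow a symlink out of the profile, because a patron who can plant one could otherwise turn the cleanup into a way to delete files elsewhere on the station.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumed profile layout for a locked-down patron account. Real browsers and
# operating systems put these files in different places; adapt the list.
DEFAULT_TARGETS = [
    "Temp",                      # files patrons saved in the temporary folder
    "Browser/Cache",             # page cache
    "Browser/cookies.txt",       # cookies and "remember me" tokens
    "Browser/history.dat",       # browsing history and search entries
    "Browser/saved_passwords",   # stored usernames/passwords
    "Office/Recent",             # recently used document list
]


def _inside(root, path):
    """True if path (already resolved) lies under root (already resolved)."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # different drives on Windows
        return False


def end_of_session_cleanup(profile_root, targets=DEFAULT_TARGETS):
    """Delete session residue under profile_root. Returns (files_removed, skipped).

    Directory targets are emptied but kept, so applications do not break on the
    next login. A target that is itself a symlink, or that resolves outside the
    profile root, is skipped rather than followed.
    """
    root = os.path.realpath(profile_root)
    removed, skipped = 0, []
    for rel in targets:
        target = os.path.join(root, rel)
        if not os.path.lexists(target):
            continue
        if os.path.islink(target) or not _inside(root, os.path.realpath(target)):
            skipped.append(rel)
            continue
        if os.path.isdir(target):
            for entry in list(os.scandir(target)):
                if entry.is_dir(follow_symlinks=False):
                    removed += sum(len(files) for _, _, files in os.walk(entry.path))
                    shutil.rmtree(entry.path)
                else:
                    os.unlink(entry.path)  # removes symlinks too, never follows them
                    removed += 1
        else:
            os.unlink(target)
            removed += 1
    return removed, skipped


def make_demo_profile(root):
    """Build a constructed profile tree so the cleanup can be exercised offline."""
    for rel in ["Temp/draft.doc", "Temp/sub/photo.jpg", "Browser/Cache/0/abc.gz",
                "Browser/cookies.txt", "Browser/history.dat",
                "Browser/saved_passwords", "Office/Recent/letter.lnk",
                "Documents/keep_me.txt"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("x")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_profile(tmp)
        print(end_of_session_cleanup(tmp))  # seven files removed, nothing skipped
```

In a real deployment this runs from a logoff script or a scheduled task under an account that owns the patron profile, and the target list is the only part that changes from one browser or OS to another.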

Preventive Tips for Other Potential Danger Zones

There are a few more areas where a public computer is riskier than a private one, but a few warnings from the librarians can help users steer clear of the danger. Tell people these things:

Beware Chat-Room and Social Networking Sites

If you want to avoid falling prey to online predators and harassment, be very careful about giving out your personal information or making your profile public.

Ignore Pop-Ups

Malicious attackers can alter content in a legitimate Web site's pop-up windows and do damage when you click on pop-ups. Stay away from pop-up windows unless it's a trustworthy site.

Learn More About Security

Library Computer and Network Security: Introduction
Jeff Eisenberg and Connie Lawthers, last updated March 31, 2005
www.infopeople.org/resources/security

The Ten Most Important Security Trends of the Coming Year
SANS Institute, 2006
www.sans.org/resources/10_security_trends.pdf

5 Safety Tips for Using a Public Computer
Microsoft Corp., Sept. 29, 2006
www.microsoft.com/athome/security/privacy/publiccomputer.mspx

"The 10 Biggest Security Risks You Don't Know About"
Andrew Brandt, June 22, 2006
www.pcworld.com/article/id,126083-page,1/article.html

Watch for Phishing Scams

Phishing scams can take many forms, but they usually start with an email, instant message, or pop-up window asking you to update your personal information. They use real-looking (but phony) bank or credit card company sites to lure you into giving out your sensitive information.

Use Wi-Fi with Caution

Increasingly, libraries offer wireless connections to their authenticated users and/or to unauthenticated "guests." However, due to high costs, many libraries are unable to provide data encryption. So data that is traveling across the airwaves, but is not traveling through otherwise-secure applications such as https and SSH, can easily be picked up by anyone with a wireless card within range, including hackers outside the boundary of the library.

Also, if you want to use a public Wi-Fi network, make sure you have a firewall functioning on your laptop. Windows XP (Service Pack 2) and Windows Vista turn on the Windows Firewall by default; Mac OS X includes one but does not necessarily have it switched on, so verify it before going ahead. If you are in a Wi-Fi zone and you do not intend to go online, disconnect the Wi-Fi connection to minimize the possibility of hacker intrusion. The convenience of wireless comes with a higher level of risk, which requires extra precaution.


Who Will Win in the End?

Keeping our public access computers secure and providing our users with a safe Internet experience are daunting, long-term tasks. In the end, criminals will continue their attacks, and we want to fight back hard. The battle may never be won, but with maturing security technology and heightened vigilance on the part of librarians and their users, there is reason for optimism.

Phil Huang is systems coordinator for the library of California State University, Sonoma, where his work is primarily system management/administration, working with various departments in support of the library's computing systems. Prior to that, he worked as a programmer/analyst writing and developing ILS and other information retrieval systems for several years. He holds a B.A. from Fudan University in China and an M.L.S. from SUNY-Buffalo in New York. His email address is [email protected].
