The Trouble with Library Records

by Barrett Brown

Ah, the library: repository of wisdom, friend of the homeless and anonymous computer users.

Libraries everywhere offer a wide variety of services.  One of the latent services they provide is the keeping of patron and employee records, with everything from contact information, check-out history, and fine management to, in the worst cases, Social Security numbers and other goodies.

I recently began working at a university library which uses the world's most popular software for managing database information.  The front-end of this program is a web-powered and Java-based platform called Millennium which accesses the Innovative Interfaces Incorporated Online Public Access Catalog (INNOPAC) back-end.

INNOPAC was created in 1985 by Innovative Interfaces as a UNIX-based system for public access to catalogues, with modules to support cataloging, circulation, serials and acquisitions.  In 1993 the first annual INNOPAC Users Group (IUG) conference was held, representing over 150 libraries and 300 members.  In 1998 Millennium was launched, and it has continued to expand to include database management, acquisitions, serials, inter-library loan and management reporting functionality.  Today there are over 1,200 Innovative Interfaces installations around the world in nearly 20 languages.

What does this mean to us and why do we care?  Well, for starters, the FBI seems to care, and that always makes my ears perk up.  As you've surely heard by now, the FBI has been trying to use the USA PATRIOT Act to get access to library patron records, with mixed success.  Besides the FBI, there are terrorists, lawyers, private detectives, and all sorts of other people who may want access to someone's patron record, with or without permission.

The default interface for employee connection to INNOPAC at my library is to Telnet to the INNOPAC server (the same server which is connected to the Internet for public web searches of the library catalogue) and login with a standard username and password.

The first several times I did this I didn't think much of it.  But I began to wonder... could I Telnet from a shell account outside the library internal domain and log in using an employee username (thus giving me access to some administrative functions)?

Yep, sure enough, no problem Telnetting right in there and getting access from across the country.  I wondered if any other systems were still using indiscriminate Telnet.

So I went to Google and searched for [inurl:innopac] and found a virtual plethora of INNOPAC library servers.  All the servers that were listed as something like innopac.xxx.edu were the most obvious choice.

I Telnetted into some from all over the country.  Some had Telnet disabled, some had just regular public circulation functions enabled, but the others, oh yes, there were many others.  They had the same familiar Telnet login that I get from my own library.

The implications are that any interloper on a library network can set up a packet sniffer and get admin passwords to the INNOPAC database, then Telnet in from wherever they please.

It's like patron records are easy candy, and remember that this is the most widely used library system in the world.  Being the good white hat that I am, I reported my concerns to the IT department and got a lackluster response.  They just didn't seem to care.

Next, I posted my concern to the IUG mail list and got many responses.  The majority of responses were frustrated library employees who have been pushing this issue for years.  It is a matter of utter simplicity to disable Telnet access and interface with INNOPAC through SSH, but for some reason it's just not happening.
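As an added illustration (not part of the original article): a short Python check a library's IT staff could run over firewall connection logs to see whether staff Telnet sessions to the catalogue server are being accepted from outside the internal network, and which internal workstations still need moving to SSH. The log format, addresses and network ranges are constructed for the example.

```python
import ipaddress

# Assumed for illustration: staff network ranges and the catalogue server address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.5.0/24")]
CATALOG_SERVER = ipaddress.ip_address("192.0.2.10")

# Constructed sample records: "timestamp src_ip dst_ip dst_port action".
SAMPLE_LOG = """\
2005-03-01T08:02:11 10.20.4.17 192.0.2.10 23 ACCEPT
2005-03-01T08:05:40 198.51.100.7 192.0.2.10 80 ACCEPT
2005-03-01T08:09:02 203.0.113.45 192.0.2.10 23 ACCEPT
2005-03-01T08:11:30 10.20.4.22 192.0.2.10 22 ACCEPT
2005-03-01T08:15:09 203.0.113.45 192.0.2.10 23 DENY
not a log line
2005-03-01T08:20:00 192.168.5.9 192.0.2.10 23 ACCEPT
"""

def parse_line(line):
    """Return (timestamp, src, dst, port, action), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action
    except ValueError:
        return None

def audit_telnet(log_text):
    """Group accepted Telnet (TCP/23) sessions to the catalogue server by origin."""
    findings = {"external": [], "internal": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if dst != CATALOG_SERVER or port != 23 or action != "ACCEPT":
            continue
        origin = "internal" if any(src in n for n in INTERNAL_NETS) else "external"
        findings[origin].append((ts, str(src)))
    return findings

if __name__ == "__main__":
    result = audit_telnet(SAMPLE_LOG)
    # External hits: the perimeter still accepts staff Telnet from anywhere.
    for ts, src in result["external"]:
        print(f"EXTERNAL telnet session {ts} from {src}: block TCP/23 at the perimeter")
    for ts, src in result["internal"]:
        print(f"internal telnet session {ts} from {src}: move this client to SSH")
```

An empty "external" list only shows that no outside Telnet session was accepted in the sampled period; internal entries still mean staff passwords are crossing the library network in cleartext.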

And so, as my final attempt to help the security of library patron information everywhere, I am writing this article for 2600.  It is my sincerest hope that this will have a more positive effect than my talks with the IT people.




Hi Y'all,

I am new to this list, but I work at a library which uses INNOPAC and I
noticed that it is common practice to telnet into the INNOPAC program in
order to manage patron records, fines, and other important secure
information. I tested out a random sampling of libraries across America
which also use INNOPAC and most were also open to telnet access from any IP
address, not just internal library IPs. I'm no expert, but it seems to me
that telnet is an inherently insecure protocol and that any electronic
interloper on the library's network could set up a packet sniffer and easily
retrieve INNOPAC passwords from telnet users, thus giving them total access
to secure information. With all the recent articles in the news about major
companies losing proprietary information, this struck me as an important
issue. Has this issue been addressed already or am I totally incorrect?

Thanks for your time,

Barrett