Librarylopnik, Information Insecurity Edition

"ITA97, now with more Jag @ opposite-lock.com" (ita97)
07/11/2019 at 12:06

I’ve written on Oppo previously a bit about some of our IT challenges in a state university library, like up until late last year working on a Dell SFF PC rocking an Intel Q6400 and 4GB of DDR2 RAM (and only because I had scavenged sticks of RAM from machines in vacant offices), and finally getting a “new” PC in the form of a refurbished 3rd-gen Core i5 machine rocking 8GB of DDR3. Yesterday I checked out a short-term-use faculty/staff laptop for a project outside my usual work area. It turns out our six short-term-use laptops are actually decent (for a state government operation) in the form of Dell XPS machines running 6th-gen Core i7, 8GB of DDR4 and a 500GB SSD. I was disappointed the systems folks told me I couldn’t just keep it as my primary machine docked at my desk with a monitor and real keyboard/mouse. As a side note, this thing is rocking Windows 10 1511 build.

Being me, I had to fire it up and see what it was, and what was on it. This led to the first interesting discovery: previous users leaving files in the clear in the downloads folder. The bounty included a faculty member’s promotion and tenure dossier, an employment contract, a spouse’s employment contract, some bank statements and a copy of a credit report. These files had been left by multiple previous users. Being a nice guy, I loaded a file shredder app on the laptop and securely deleted these files. I also broke out the Windex and gave the whole thing a much-needed cleaning.

After finding those previous files sitting in the clear, I couldn’t help but be curious about what else might be out there on it, since we’ve clearly got some folks here who aren’t techies. A basic file recovery program pulled up 100GB of files people thought they had deleted by emptying the recycle bin... It recovered 9,997 images, which caused me to ponder whether I might incur some kind of a reporting obligation and how much I really wanted to know about my coworkers.

I ended up settling on a spot check of the recovered files, which revealed pretty innocuous stuff like expense reports from travel, teaching materials for, ironically enough, information literacy classes (thankfully nothing FERPA related), spreadsheets for research projects, a TurboTax return, lots of ring tones, promotional images for the university and library, a bunch of stock photos and the occasional (clothed) selfie. After unofficially consulting with our systems folks, they unofficially agreed with my plan of a disk cleanup and defrag, and then letting the machine sit overnight and overwrite the free space on the drive.

While nothing was too far outside our permissible personal use policy, it was still a bit surprising. Hopefully our systems folks will put out a gentle reminder, and maybe we’ll do a little infosec professional development at some point, like teaching folks how to securely delete a file... They might also consider having the kids on the circulation desk wipe the free space on them when they’re checked back in occasionally.


DISCUSSION (9)


facw > ITA97, now with more Jag @ opposite-lock.com
07/11/2019 at 12:17

That’s pretty bad. I worked at a university library (nearly two decades ago), and our public machines (we didn’t have laptops people could check out then) were set up to reimage themselves on every boot to help protect against this sort of thing. I’m sure there are even better solutions now. If nothing else, some sort of Citrix-type solution to give the user a clean VM every time they log in would be possible, though that’s not always cost efficient. Still, it should be possible to set something up to clean the machines, and I imagine there’s some sort of group policy you could apply that would only let people download to USB or something. Alternatively, maybe force users to log in to their own account, so at least if they download things they would be segregated to their profile?


functionoverfashion > ITA97, now with more Jag @ opposite-lock.com
07/11/2019 at 12:19

I don’t know all the back-end details but when you check out a loaner machine here, you have to login with university credentials and you’re not an admin on the machine, so you can’t access anyone else’s stuff if they’ve been on it. Shared devices like in labs will wipe your profile when you logoff too so you can save local files all you want, but they get wiped every time. Or, they’re thin client / virtual machines anyway, which means there ARE no local files.

Anyway, holy hell people are careless! 


ITA97, now with more Jag @ opposite-lock.com > facw
07/11/2019 at 12:22

Our public machines are deep frozen and re-image themselves after every log-off (users have to get a one-time log-in for each visit). These laptops are only for faculty/staff short-term use. They’re intended for being taken along to a conference or something like that. Since they don’t require a unique log-in, they only connect to the campus-wide wifi. They’re not allowed to access our library domain, or to connect to any internal servers. That has to be done with either office machines or permanently issued laptops requiring user credentials and all that.


facw > ITA97, now with more Jag @ opposite-lock.com
07/11/2019 at 12:24

Hmm, yeah seems like for employee loaners, you’d just want them on the domain and requiring a login...


ITA97, now with more Jag @ opposite-lock.com > functionoverfashion
07/11/2019 at 12:26

These don’t require credentials, and they only access the campus-wide wifi. Our public computers are locked down and wipe profiles after every log off. These laptops are not allowed to access our library domain server or any other internal systems. They’re meant for taking to a conference, or things like that.


ITA97, now with more Jag @ opposite-lock.com > functionoverfashion
07/11/2019 at 12:33

Interestingly enough, on our office machines and/or permanently issued laptops every user is set up as a local admin. I’m not sure I’d do that were I the one making the decision (cool, I’ll run BitLocker on my machine with a unique password... ) My guess is they do that to minimize the amount of service tickets for things like “user needs new app installed,” or whatever.


facw > ITA97, now with more Jag @ opposite-lock.com
07/11/2019 at 12:39

When we upgraded to Windows 10, my company switched us from being admins on our machines to limited user accounts, and it’s a huge pain in the ass. I can understand not wanting users to run as admin, but at least give me an account for when I need to install things, especially for those of us who are IT proficient (make me take training or a test if you must). Now it’s a massive pain to get anything installed and no one is willing to put pressure on the security people when they literally block me from doing my job by denying me the tools I need.


functionoverfashion > ITA97, now with more Jag @ opposite-lock.com
07/11/2019 at 12:43

We set up every user as an admin, too. I think it really would get out of hand having to make office calls for every time an admin needed to log in. As it is, sometimes new employees are issued machines by a department directly (they’re not supposed to), and we find out when we get a call for “admin login required” - it’s usually within a week of someone being issued a machine.

Funny you use the BitLocker example, we already have that on every machine.


ITA97, now with more Jag @ opposite-lock.com > facw
07/11/2019 at 12:49

I agree. Our IT setup has always been a bit interesting here. We have a stand-alone IT operation within the library, which is now the only such arrangement of its type on campus still standing. Everything else goes through the campus-wide IT folks. There’s always been a unique domain and local servers, but still some connectivity with campus-wide stuff.

For the most part it works well, as they tend to not know much about what we do and are happy not to. Having our own PC support person is also awesome. Instead of submitting tickets that get answered in line with the rest of the university, we call that person and they usually show up 10 minutes later to fix whatever. The downside is that it has led to differing standards and practices.

Some functions have started to standardize. The campus folks are taking over the library domain server, which has finally forced us to upgrade all the non-staff office machines that were still running Windows 7, Vista or in some cases XP. The campus IT folks won’t deal with anything not running 10.