Fighting Cyber pirates and winning:

1
Fighting Cyber pirates and winning

• Securing EZProxy Using PHP, XML, the Voyager
  Patron Database and Active Directory

Tracy Farmer Arkansas State University
2
Students at Arkansas State University

• Student demographics
• 8,589 FTE (Fall 2006)
• 88.2 of students are from Arkansas
• Majority (10.6) of remaining students are from
  closely neighboring southern states Missouri,
  Tennessee, Texas, Mississippi, etc.
• International students only 1.2 of total
  enrollment

3
Dean B. Ellis Library

• Building Library occupies approximately 200,000
  sq. ft. across 7 floors
• Holdings 1 million volumes
• Serials Holdings Approximately 31,000 electronic
  and print

4
Dean B. Ellis Librarys Systems Department

• Staff
• 3 full-time employees
• Two professional Systems Librarian and Web
  Services Librarian
• One paraprofessional
• One part-time staff member
• Responsibilities
• Manage and maintain approximately 200
  workstations (PACs and staff machines)
• Manage and maintain 10 servers (Windows, Linux
  and Solaris based)
• Manage and maintain all peripherals in the
  library
• Maintain the librarys web presence
• Troubleshoot staff and patron technical issues
• Maintain electronic databases and e-journals

5
EZProxy at ASU
6
EZProxy at ASU

• Prior to the summer of 2006
• Login to EZProxy required only a current ASU ID
  number
• This configuration was easy for patrons to use
  and seemed adequate for years

7
myusers.txt

• myusers.txt is a simple text file
• In the past we would query our patron load each
  semester and extract ID numbers to load into the
  myusers.txt file.
• EZProxy login authenticated against the
  myusers.txt file of ID numbers
• We knew our setup wasnt the most secure, but it
  worked for usuntil.

8
Wake-up Call
9
July 2006 JSTOR Sends us a Wake-up Call

• Email from JSTOR arrives
• we have been forced to deny access to JSTOR
  from a computer at Arkansas State University due
  to excessive downloading of PDF files of
  articles. The IP address of computer in question
  is the IP address of our EZProxy server.

10
JSTOR Wake-up Call
On 07.19.06, 1143 articles from the Journal of
Parasitology (including all of the full-length
articles from 6 issues) were downloaded by a user
or users at this IP address. It appears from the
extent of the activity that the intention was to
obtain a significant portion of this
journal. Because this is explicitly prohibited
in our agreement, when we become aware of such
instances of downloading significant portions of
our archive, we must take action.
11
Server Activity Examined

• We searched the EZProxy Log Files and located the
  abusive JSTOR activity
• This led us to the intruder IP addresses and,
  subsequently, the ASU ID numbers being used by
  the intruders

12
Taking Action Short-term Fixes

• We identified the IP addresses used by the
  intruders
• (multiple IPs from overseas)
• We located the ASU ID numbers being used in our
  Voyager patron database and determined that the
  patrons were inactive (no longer enrolled)
• ID numbers deleted from myusers.txt

13
Long-term solutions

• Now that weve taken care of the immediate
  threat.

14
How can we prevent future attacks?

• Upgrade to the latest version of EZProxy
• Recent versions provide security features not
  available in the version of EZProxy we were using
  prior to July 2006.

As of EZProxy version 3.0a GA (2004-08-02),
Intruder detection features were
available. Lets just say we had not upgraded
EZProxy in awhile
15
Security Features in EZProxy

• The Audit directive
• Option StatusUser
• UsageLimit
• Option LogSession
• Intruder IP
• Intruder User

16
Our EZProxy Security Configuration

• Audit Most
• AuditPurge 365
• UsageLimit enforce MB100 expires1440
  interval180 Global
• Option LogSession
• IntruderIPAttempts interval5 expires15
  reject10 10

• Option StatusUser
• We do NOT user StatusUser due to patron privacy
  concerns
• We record the user status in a separate file

17
What we gained

• Ability to track details on user login attempts
• Aids troubleshooting of patron login problems
• Easier to read logs of patron login information,
  IP address, and session ID
• Intruder blocking protects our server by
  automatically blocking suspected intruders
• UsageLimits protects us by inhibiting excessive
  downloading of material

18
More long-term solutions
19
Securing the login process

• Active Directory
• EZProxy can authenticate against LDAP
• We hoped for a single sign-on solution
• Not a viable option for us at that time
• Relying solely on the Voyager patron database
  using email and patron ID number
• Would not work because not all patron records
  contain email addresses
• Patron records that contained email addresses not
  necessarily ASU email addresses

20
Securing the login process

• Opted for a hybrid solution of using both the
  campus Active Directory and the Voyager Patron
  Database
• Why?
• Active Directory
• Allows us to authenticate all valid ASU accounts
• Does not allow us to determine if the patron is
  currently enrolled or employed. (This has since
  changed).
• Voyager Patron Database
• Allows us to determine enrollment/employment
  status of patron ID number

21
Securing the login process

• The program
• The program we designed to secure the login
  process is divided into four main parts
• Validate the email address and ID number formats
• Query the Active Directory to determine if the
  email address is a valid ASU email address
• Query the Voyager patron database using the
  patron ID number to determine if the patron is
  currently enrolled and/or employed
• Update the authentication log file with the user
  name, patron ID number, IP address and login
  status

22
Why additional logging?

• EZProxy log files are difficult to browse
• The program creates a new log file for every day
• EZProxy logs do not capture the password, in our
  case the patron ID number. This piece of
  information is useful when trying to troubleshoot
  login errors

23
The Code

• If you would like more details on the PHP code
  used in our login process, email us
  (tfarmer_at_astate.edu).

24
Unexpected Findings
25
Unexpected Findings

• After implementing our secured login process, a
  review of the log files relieved the following
• Intruders are still trying multiple times each
  day to guess a valid login
• As of April, 2007, no successful unauthorized
  logins had occurred since July, 2006 when the
  process was put in place
• Even after so much time had passed and thousands
  of failed login attemptsthey still try
• Using the SAME several student ID numbers
• Every. Single. Day.

26
Unexpected Findings

• Audit log feature and PHP logging of form input
  assists in troubleshooting user login problems
• Eliminated the need to create a file of valid
  users at the beginning of each new semester

27
Unexpected Findings

• Increasing security against unauthorized users
  also means sometimes inadvertently blocking valid
  users.
• Hurried patrons who do not read login
  instructions will have too many login attempts in
  a short period of time and get blocked as an
  intruder.

28
Unexpected Findings

• During ILS upgrades, off-campus access to
  databases not available.

29
myusers.txt

• Do we still maintain a myusers.txt file?

30
The answer is
?
Sort of
31
Sort ofThen

• Yes, originally we did
• When the login script failed to authenticate a
  patron, EZProxy would try to authenticate against
  the myuser.txt file.
• Why did we need the myuser.txt file?
• For patron with special status, such as
• Retired faculty and/or other faculty not on the
  ASU payroll
• Students working on a dissertation
• Students who registered late and were left out of
  our patron load

32
Sort ofNow

• Now we do not maintain the myusers.txt
• Instead we maintain a usr.xml and blocked.xml
  file.
• Usr.xml replaced the myuser.txt
• Blocked.xml contains a list of all blocked
  emailID combinations
• EZProxy has been removed complete from the
  authentication process, thus relying completely
  on the custom login script

33
Why the same ID numbers?
34
Same ID numbers?

• The intruders are repeatedly trying to use the
  same ID numbers used during the original attack.
• These numbers were removed as soon as we
  discovered them.
• How did the intruders come in possession of these
  numbers? This question bothered us more and more.

35
Where are the ID numbers coming from?

• Just as a curiosity, we searched Google for one
  of the ID numbers.
• What we found blew our minds!

36
What We Discovered

• Numerous websites in Chinese listing ASU ID
  numbers
• Links to our EZProxy login form page and a list
  of ID numbers with comments about the last date
  and time the ID number worked.

37
readfree.net

• Google search lawrence library astate edu 2048
  login siteastate.edu

38
Future Plans

• So whats next for us?

39
Future Plans

• Move to single sign-on
• The campus Active Directory now includes
  information on enrollment status
• This allows us to authenticate EZProxy login
  against only the Active Directory.
• Problem
• Currently, the login form passes information in
  plan text.
• Must implement SSL before converting to single
  sign-on
• In order to implement SSL, we must rebuild our
  web server (currently in the works).

40
Questions?
41
Special Thanks
Wendy Crist Web Services Librarian Arkansas State
University Dean B. Ellis Library
42
Tracy Farmer Systems Librarian Dean B. Ellis
Library Arkansas State University PO Box
2040 State University, AR 72467 870.680.4312 tfar
mer_at_astate.edu