Decatur library hacked back to the 80s

Dec 15, 2008 · 3 mins

A poorly conceived incident response often makes things easier for criminals.

Take the Decatur Public Library, which was hacked last week. After finding signs of an intrusion, a technician from the Library Corp., the company that manages Decatur’s library network, “wiped out everything that had been added to the computer.”

Doing this didn’t get the library back online, and it hurt investigators.

From this story in the Decatur Daily, written when library employees were checking out books by hand again:

Because the hacker’s data was erased, (library director Sandy) McCandless did not think the library could trace the cyber trail to determine whether the hacker took patron information.

She said she reported the hacking to police. She said officers told her they can’t investigate until the library can show damage or data stolen. Computer and white-collar crime investigators Robert Peete and Justin Lyons were unavailable Tuesday for confirmation.

The library says that repairing and restoring service was job #1, but you’d think that Library Corp., a company that specializes in library systems, would have the resources to save this data.

This reminded me of a note from the IC3 today on securing yourself from Web attacks.

I asked rsnake (aka Robert Hansen, CEO of SecTheory) what he thought of these tips and he *hated* #11 saying that it

From the IC3:

Recommendation 11: Implement firewall rules to block known malicious IP addresses.

Firewall rule sets designed to block all ingress (incoming) and egress (outgoing) traffic to the known malicious IP addresses have been put in place. Note that traffic violating the rules should be logged and observed in near-real time.

Here’s why rsnake hated this idea (in his own words):

“Let’s say I know a guy named “Bob” was going to come and kick my ass.

So I go into a nightclub and I say “Ask everyone what their name is, and if they say their name is Bob don’t let them in.”

You come in and say “Hey, my name is Bob.” Sure, they’ll stop you. So then you put on your fancy wig that you bought and come up again and say, “My name is Frank.”

Poof. Now you have done two things: a) you have kicked my ass, and b) learned how I was tracking you. And as a side benefit you now can use it against me in the future by getting other people blocked.

It’s just dumb. And worse yet, now I can no longer track you, instead of passively learning people’s names, alerting me so I could escape and live to fight another day. Meanwhile, you’re confused about how I knew about it, since no one stopped you.

Blocking people never worked, ever.”
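To make the contrast between the IC3 recommendation and rsnake’s objection concrete, here is an added example (mine, not code from the IC3, SecTheory or the original post) that runs a “known malicious IP” watchlist over three constructed web-server log lines in two modes. In “block” mode the listed address is dropped at the edge, so when the same visitor returns from an unlisted address there is nothing to connect the two visits. In “alert” mode the request is admitted but flagged, and a trail is kept per actor keyed on something other than the source address; the User-Agent string is used here purely as a stand-in for whatever attribute persists across an actor’s addresses, which is an assumption of the example. All IPs, agents and log lines are constructed placeholders.

```python
"""Watchlist evaluated in 'block' vs 'alert' mode over constructed log lines.

Added example, not from the original post. The User-Agent string is used as the
actor attribute only as an assumption; any attribute that persists when the
source address changes would serve the same purpose.
"""
import re
from collections import defaultdict

# Constructed watchlist of "known malicious" source addresses (placeholders).
WATCHLIST = {"203.0.113.7"}

# Constructed Apache combined-format lines:
# ip ident user [time] "request" status size "referer" "user-agent"
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2008:10:00:01 -0600] "GET /catalog?patron=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (scan-tool/1.0)"',
    '198.51.100.22 - - [15/Dec/2008:10:00:05 -0600] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 5.1)"',
    '198.51.100.23 - - [15/Dec/2008:10:01:13 -0600] "GET /catalog?patron=2 HTTP/1.1" 200 512 "-" "Mozilla/4.0 (scan-tool/1.0)"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict of its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    return m.groupdict()


def evaluate(lines, mode):
    """Return (admitted, alerts, trails) for the given mode.

    admitted: source IPs whose requests were passed through
    alerts:   (ip, reason) pairs raised for the analyst
    trails:   actor attribute -> list of source IPs linked to that actor
    """
    admitted, alerts = [], []
    trails = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        ip, actor = rec["ip"], rec["agent"]
        if mode == "block":
            if ip in WATCHLIST:
                # Dropped at the edge: nothing is recorded about the request,
                # and nothing is learned that would link a later visit to it.
                continue
            admitted.append(ip)
        elif mode == "alert":
            admitted.append(ip)
            if ip in WATCHLIST:
                alerts.append((ip, "watchlisted source address"))
                trails[actor].append(ip)
            elif actor in trails:
                # The actor attribute was seen earlier from a watchlisted
                # address, so the new address joins the existing trail.
                alerts.append((ip, "matches trail of watchlisted actor"))
                trails[actor].append(ip)
        else:
            raise ValueError("unknown mode: %r" % mode)
    return admitted, alerts, dict(trails)


if __name__ == "__main__":
    for mode in ("block", "alert"):
        admitted, alerts, trails = evaluate(SAMPLE_LOG, mode)
        print(mode, "admitted:", admitted)
        print(mode, "alerts:", alerts)
        print(mode, "trails:", trails)
```

In “block” mode the third line, the return visit from a new address, is indistinguishable from the ordinary visitor on the second line. In “alert” mode both the listed address and the new one are tied to the same trail, which is the tracking rsnake says a block throws away. The IC3 text does ask for violating traffic to be logged and observed, so the difference is whether the rule’s action is to drop or to admit-and-flag.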