Securing your Library Management System

Chris Cormack

Who am I?

  • Kāi Tahu, Kāti Mamoe, Waitaha
  • BSc Compsci, BA Maths and Māori Studies
  • One of the original Koha developers
  • Working at Catalyst IT
  • Make my kids dress like me
  • @ranginui
  • chrisc@catalyst.net.nz

Know your attack surface

  • Plain text passwords
  • Data leak
  • Website
  • Selfcheck
  • 3rd party content vendor
  • Social engineering

Plain text passwords

If you can view yours, or any of your users' passwords, you should never ever ever use that system again.

- Chris Cormack 2017

Data leak

  • Don't collect what you don't need
  • Don't keep what you no longer need
  • Anonymise where possible

CC-BY Selka

Website(s)

  • OWASP top 10
  • HTTPS (TLS 1.2)
  • XSS
  • SQLi
  • SSL Labs
  • Let's Encrypt

Selfcheck

SIP2 ... it's not cool

NCIP ... it's not cool still, but bloated

Mitigations

  • stunnel
  • SSH tunnel
  • RESTful API over TLS

CC-BY-SA Jeffrey Beall

Let's try some stuff

SSID: Anatokai

Pass: SuperSecure

https://pastebin.com/ujfn3YET

Finding the password

  1. Start Wireshark (as root/administrator)
  2. Capture on wlan0 (or equivalent)
  3. Edit->Find Packets
  4. Packet Bytes, String, search for |CP

Mischief

telnet 6001

9300CNterm1|COterm1|CPcpl|

2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|

3720170714    0039390100USDBV100|AO|AAchrisc|ACterm1|

2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|
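The Wireshark steps above and the messages on the Mischief slide show what an unencrypted SIP2 session looks like on the wire. As an added example (not from the slides or from Koha), a small audit script that parses those three SIP2 messages and reports every password field that crossed the network in clear; the fixed-width header lengths per command code are taken from the SIP2 specification, and the capture list is constructed from the slide.

```python
"""Audit captured SIP2 lines for credentials sent in cleartext (constructed example)."""
from typing import Dict, List, Tuple

# Fixed-width header that follows the 2-char command code, per SIP2 spec:
#   93 Login: UID algorithm (1) + PWD algorithm (1)
#   23 Patron Status Request: language (3) + transaction date (18)
#   37 Fee Paid: date (18) + fee type (2) + payment type (2) + currency (3)
HEADER_LEN = {"93": 2, "23": 21, "37": 25}

# Variable-length fields whose value is a secret.
SECRET_FIELDS = {"CO": "login password", "AC": "terminal password",
                 "AD": "patron password"}

# Constructed sample capture: the messages from the Mischief slide.
CAPTURE = [
    "9300CNterm1|COterm1|CPcpl|",
    "2300120170714    004452AOcpl|AAchrisc|ACterm1|AD|",
    "3720170714    0039390100USDBV100|AO|AAchrisc|ACterm1|",
]


def parse_sip2(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one SIP2 message into (command, fixed header, variable fields)."""
    cmd = line[:2]
    if cmd not in HEADER_LEN:
        raise ValueError(f"unsupported SIP2 command {cmd!r}")
    n = HEADER_LEN[cmd]
    header, rest = line[2:2 + n], line[2 + n:]
    fields: Dict[str, str] = {}
    for item in rest.rstrip("\r").split("|"):
        if len(item) >= 2:  # "AD" with no value is kept as an empty field
            fields[item[:2]] = item[2:]
    return cmd, header, fields


def find_cleartext_secrets(lines: List[str]) -> List[str]:
    """Return one finding per non-empty secret field seen on the wire."""
    findings = []
    for line in lines:
        cmd, _, fields = parse_sip2(line)
        for tag, name in SECRET_FIELDS.items():
            if fields.get(tag):  # an empty "AD|" carries no secret
                findings.append(f"{cmd}: {name} ({tag}) sent in clear")
    return findings


if __name__ == "__main__":
    print("\n".join(find_cleartext_secrets(CAPTURE)))
```

Run it over a real capture of your selfcheck traffic: any finding means the terminal or patron password is visible to anyone on the same network, which is exactly what the stunnel, SSH tunnel or TLS mitigations remove.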

3rd party systems

They often want to use SIP2

They sometimes store data

How do we know?

Social Engineering

You just spent a bunch of time attached to my wifi AP, because I asked you to.

Securing your LMS

By Chris Cormack