Thanks very much Nicole - this is really useful. I think we just need to be vigilant and ensure that any generic passwords are securely protected and that they are changed regularly so students don't take them with them when they graduate and pass them on. I'd also argue that you should never share a generic or admin password with anyone other than those directly involved in checking or retrieving usage stats and that these should also be changed on a regular basis.
Our information is all within an intranet so can't be reached by anyone other than staff and students of our University, but it is still the case that a small minority of our users may seek to abuse the authentication system and we should be aware of it.
Best wishes
Louise
-----Original Message-----
From: An informal open list set up by the UK Serials Group [mailto:[log in to unmask]] On Behalf Of Nicole Harris
Sent: 29 May 2009 10:25
To: [log in to unmask]
Subject: Re: [LIS-E-RESOURCES] Bootleg password websites
Hi Melanie
The JISC Access Management team has been looking in to this. Our
general advice would be that if you have any sort of generic username
and password set for your proxy system or SFX / Metalib known by several
people or if you have an obvious generic username and password set (such
as username: metalib password: metalib) you should change them
regardless of whether you can find your institution on any of these
websites. Also do not publicise information on your website such as
'your username is your library barcode and your password is your
surname' as we have seen as an example from one institution affected by
this breach.
If you have single username and password sets for all users (such as via
shibboleth or a link in to your insitutional directory) have a look at
the logs and see if there is any unusual behaviour against a specific
user.
The trouble with proxies is that once a session is open, it is very
difficult to track any unusual behaviour as it would simply appear as
on-campus access from an IP range. For sites using EZProxy, this can be
addressed to some extent by taking advantage of the Shibboleth plug-in
to EZProxy.
I hope this helps but if anyone has any specific concerns please do
contact the access management team and we will be happy to help.
Kind regards
Nicole
---------------
JISC Executive
JISC London office
1st Floor, Brettenham House South
5 Lancaster Place
London WC2N 7EN
tel: +44 (0)20 3006 6035
mobile: +44 (0)7734 058308
fax: +44 (0)20 7240 5377
Melanie Keady wrote:
>
> Hi Louise
> I wondered if you were able to give a little more information as to
> how we can find more information about the breach. We need to know
> how to see if we have been affected by this. It is very difficult to
> find this by following the links you give as this only takes us to the
> home page of the sites.
> Thanks you
> Melanie Keady
> E Resources Development Manager
> University of Derby.
>
> -----Original Message-----
> From: An informal open list set up by the UK Serials Group
> [mailto:[log in to unmask]] On Behalf Of Cole, Louise
> Sent: 27 May 2009 08:43
> To: [log in to unmask]
> Subject: [LIS-E-RESOURCES] Bootleg password websites
>
> A number of websites have recently appeared which give login and
> password details for access to the e-resources of a number of
> University libraries. These sites include
> http://www.journalpassword.com, http://www.passfans.com, and
> http://www.bbs.techyou.org. Often logins given allow access to an
> institution's proxy server and any resources authenticated through
> that route.
>
> The Publishers Association and ALPSP have already been made aware of
> this, and many of you may have seen the recent postings on other
> discussion lists. For universities, if your institution is affected
> then please ensure the login details posted are changed immediately.
> It might also be advisable to remind staff and students that passwords
> are not to be shared with unauthorised users under any circumstances.
>
> Thanks to Kirsty Luff for alerting the list owners to
> journalpassword.com (which now seems to be unavailable), and to Jim
> O'Donnell at Georgetown for posting more information to lib-license-l
> at Yale.
>
> Thanks
> Louise
>
>
> Louise Cole
> Senior Information Advisor (Collections)
> Nightingale Centre, Kingston Hill Campus
> Kingston University
> Kingston upon Thames
> Surrey
> KT2 7LB
>
> Email [log in to unmask]
> Telephone 020 8417 5383
> Fax 020 8417 5312
> Co-list owner lis-e-resources@jiscmail
>
>
>
>
>
> This email has been scanned for all viruses by the MessageLabs Email
> Security System.
>
> lis-e-resources is a UKSG list - http://www.uksg.org/serials
> UKSG groups also available on Facebook and LinkedIn
>
> The University of Derby has a published policy regarding email and
> reserves the right to monitor email traffic. If you believe this email
> was sent to you in error, please notify the sender and delete this
> email. Please direct any concerns to [log in to unmask]
> The policy is available here: http://www.derby.ac.uk/LIS/Email-Policy
>
> lis-e-resources is a UKSG list - http://www.uksg.org/serials
> UKSG groups also available on Facebook and LinkedIn
>
lis-e-resources is a UKSG list - http://www.uksg.org/serials
UKSG groups also available on Facebook and LinkedIn
This email has been scanned for all viruses by the MessageLabs Email
Security System.
This email has been scanned for all viruses by the MessageLabs Email
Security System.
lis-e-resources is a UKSG list - http://www.uksg.org/serials
UKSG groups also available on Facebook and LinkedIn
|