SUBSCRIBE NOW!

Vol. 37 No. 1 — January/February 2017

FEATURE

What Does Hacking Entail?

Hacking includes denial of service (DoS) and SQL injection. It involves the following:

• Finding an open port in the system
• Cracking the password
• Creating a buffer overflow
• “Backdooring” an important system service, such as the SSH server
• Surreptitiously manipulating material or content stored online
• Avoiding detection and
• covering tracks

What Has Been Hacked?

Breaches are a statistical certainty for organizations, including the Pentagon, Twitter, the FBI, the U.S. Senate, the International Monetary Fund (IMF), Google, and Visa.The threat of ebooks and/or born-digital material being hacked is not as weird as reports of people hacking into baby monitors. Another hacker, a 15-year-old known as “Mafiaboy,” was responsible for the largest DoS attack at the time. In 2000, he targeted eBay, Yahoo, and CNN—just to see if he could shut them down. Current library security measures tend to focus on combating unauthorized access and transfer of content. This article is concerned with born-digital material and/or ebooks and their unique vulnerability to hackers.

Can Ebooks Be Hacked?

There is a precedent for libraries being hacked. Aaron Swartz, an internet activist, allegedly downloaded more than 4 million academic documents from the Massachusetts Institute of Technology (MIT) by hacking into its JSTOR archive. Federal prosecutors charged him with two counts of wire fraud and 11 violations of the Computer Fraud and Abuse Act (CFAA). This carried a cumulative maximum penalty of $1 million in fines, 35 years in prison, asset forfeiture, supervised release, and restitution. Two years later, after the prosecution denied his request for a plea deal, Swartz hanged himself.

Swartz’s story highlights the complex relationship among hackers, the government, libraries, and cybersecurity. Supporters argue that he was justified in his act of civil disobedience. The American Library Association posthumously awarded Swartz the 2013 James Madison Award for his dedication to promoting and protecting public access to research. This is an example of differing opinions surrounding libraries and cybersecurity. Both Mafiaboy and Swartz show that not all hackers have malicious intent. Some are hacker activists (hacktivists). Some are script kiddies, which are youngsters who hack networks just because it is fun.

An African proverb provides some insight: “Until lions have their own historians, tales of the hunt shall always glorify the hunter.” It is conceivable that born-digital textbooks may have their content manipulated by hacktivists, who edit material to glorify tales of their past. Recent debates over the Confederate flag show that people’s perceptions of past events differ greatly and passionately. It is conceivable that a hacker could revise content in library material for the purpose of changing historical accounts. Libraries rely on primary documents for representation of events, at the time they occurred. However, if a primary document is born-digital, a hacker could change the historical record, especially if he or she is successful and goes undetected.

A new kind of digital textbook—Principles of Biology—isn’t simply a digitization of a print book, but something that is born-digital. The PBS documentary, The Revisionaries, shows how the Texas State Board of Education shoehorned ideas into national textbooks that changed the way we teach science and social studies. In 2015, the board voted to change the official nomenclature regarding slavery. So instead of students being taught that slaves were kidnapped and exploited against their will, the slaves will be referred to simply as “unpaid interns.” Also in 2015, McGraw-Hill was forced to apologize for referring to slaves as “workers” in its textbooks. McGraw-Hill was able to correct the egregious error immediately in its online version of the textbook. So it stands to reason that a hacker could also edit digital textbooks, such as Principles of Biology, which are unquestionably vulnerable.

Libraries use electronic archives, such as the LOCKSS (lots of copies keep stuff safe) program for preservation and security. LOCKSS is a secured, peer-to-peer network consisting of a large number of independent web caches that cooperate to detect and repair damage to their content. Unfortunately, not every ebook will have “lots of copies” archived in different locations and be protected by similarly elaborate security measures.  

How Should Libraries Respond If Hacked?

After an attack, there is a radical response option, which is to “hack back” in retaliation. “Hacking back” refers to victims creating disincentives to cyber­attacks by sending the message that such attacks would be returned in kind. Hacking back, also known as “cyber-vigilantism,” remains illegal under the CFAA. It should be noted that even taking back your companies’ stolen data stored on an unprotected third-party server is a violation.

It is generally accepted that physical attacks (not online) cannot legally be resolved using vigilante justice. However, society seems headed on a trajectory of increasingly escalating retaliation. For example, Stand Your Ground laws have redefined the concept of self-defense. These types of laws allow people to meet force with force. Keeping this in mind, some people believe that a compromise solution would be to retrieve your copyrighted material from a hacker without trying to destroy his or her computer. Even so, if a burglar breaks into your home and steals your property, it is illegal to break into the burglar’s home and retrieve it.

Some companies are viewed as freedom fighters against hackers and are lauded for returning fire, virtually. This was the case when the World Trade Organization (WTO) was hacked by a group calling itself electrohippies (e-hippies). Conxion, the WTO hosting service, successfully reversed the attack, which originated from a single IP address that belonged to the e-hippies’ server. It instructed its filtering software to redirect any packets coming from the intruder’s server to go back to the e-hippies’ server. The service was comfortable taking an eye-for-an-eye stance because it was confident it had accurately traced the perpetrator’s identity.

Unfortunately, it is not always possible to accurately identify the attacker. This was the case in a more complicated tale involving attacks against Yahoo and eBay. Hackers used innocent zombie computers to attack these two companies. Most experienced hackers can surreptitiously use several ISPs to telnet from one to the next, thus creating a nearly untraceable trail through zombie computers dispersed throughout the internet. Luckily, these two companies did not retaliate by volleying the packets back to the source IP address. If they had redirected these packets, they would have shut down the servers of the unsuspecting businesses that were also victims of the same hacker.

There is an array of new reactive or attack-reversing technologies that are increasingly available online. Some are legitimate intrusion-detection tools that can be configured to reverse an attack. Some, called “honey pots,” are designed to attract and trap hackers. Still others use Trojan horses (hidden executable files) running on the attackers’ machines to redirect at the hacker’s computer any actions the hacker attempted. Not all anti-hacking tools adhere to the eye-for-an-eye theory. Some try to find a compromise or a middle ground between being non-responsive and aggressively vengeful.

A well-known reactive tool is called Zombie Zapper. Instead of returning the DoS attack to the hacker’s computer, this tool impersonates the “master” of the hacked zombie computer and commands the zombie to simply stop sending DoS packets. Zombie Zapper is clearly appealing, since it was downloaded more than 7,000 times in its first 2 weeks. This compromise approach reduces collateral casualties of cyber-war. Even so, companies trying to trace or direct packets on zombie servers are trespassing without authorization—the same as the hackers they chase.

In today’s “stand your ground/don’t back down” society, recent events prove that such stances sometimes lead to tragic results. As discussed, hacking back can involve trying to fight an active attack against your system or trying to steal back the online property that was stolen from your system by hackers. Using digital retribution is fraught with potential pitfalls, both moral and legal, as well as strategic.

A sample warning is referred to as “not poking the cyber bear.” It is a safe bet that the hackers are highly skilled adversaries, and any attempts to hack back may escalate their attacks with more brute force than the initial attack. One cautionary tale is that of Blue Security. This company was applauded for hacking back by clogging its hackers’ systems and stopping its spam operations. Unfortunately, the victory was fleeting as the hackers unleashed an even more fierce attack in retaliation. The hackers’ secondary attack caused collateral damage on the internet, and Blue Security eventually closed.

The legal perspective is clear. Hacking back is illegal and therefore unadvised. However, it is important to add that these issues are being hotly debated in some circles so there may come a time when stand-your-cyber-ground laws do exist. Pondering the benefits, challenges, and opportunities may be advantageous in the event this approach becomes a legal option.  

Libraries Are Exposed

It is a statistical certainty that libraries will be hacked. They face unique cybersecurity challenges for preserving born-digital material. Consider the aforementioned correction by McGraw-Hill. It stands to reason that malicious actors could do something similar to make a political statement. As Twitter activists proclaim, #AllLivesMatter. Therefore, preserving accurate historical accounts of those lives matters. Ensuring that the increasingly born-digital library collections are secured is part of this preservation. After these online items are secured, it is important to formulate contingency plans to enact if (or when) they are attacked.

I find it odd that people reflexively dismiss the “unheard of” idea that hackers would care about altering or deleting ebooks. But, as a modus oper­andi, they find an area that is least suspected, making it most vulnerable to attack. If no one foresees altering or deleting ebooks as a serious threat, that could entice a hacker to make people understand that it is. Hackers may try to change or delete ebooks simply to be the first to accomplish it. Their motivation could be to revise content now that will be used by future generations. They could be motivated by activism, without malicious intent—or they could be motivated by the mere challenge. No matter the motives, the threat is possible. Libraries charged with preserving content need to at least consider the possibility before dismissing the threat outright. 

If hackers can attack Google and the Pentagon, they can surely attack libraries. Interestingly, the Pentagon’s Cyber Command shares the sports philosophy that the best defense is a good offense. Seriously considering all future legal options is part of a good offense.

With the irreversible trend of born-digital materials and/or ebooks, it is conceivable that someday soon, an FBI director will deliver a speech admonishing the audience this way: “There are two types of ebooks—those that have been hacked and those that will be.”

Note: The views expressed in this article are the author’s own and do not reflect the views of Stanford University Libraries.