University Libraries Temporarily Suspend Access to ILLiad Interlibrary Loan Module

On April 20, 2006, access to the public interface to the University Libraries’ ILLiad Interlibrary Loan Request System was suspended when the Ball State Computer Security Response Team determined that the ILLiad authentication process we were using was not secure.

Prior to the suspension of the ILLiad service, the University Libraries served as a vendor-hosted ILLiad site, configured to use the Lightweight Directory Access Protocol (LDAP) for authentication. This means that BSU users’ names and passwords – the same credentials used on campus to access some special types of personal records – were transmitted to the ILLiad web server that was located off-campus.

BSU’s Computer Security Response Team determined that this procedure may not be consistent with Federal and Indiana privacy laws nor with Ball State’s guidelines for personal data. The problem identified was not with the ILLiad/LDAP configuration as such; rather, there were non-University steps involved in the authentication process. A local implementation of ILLiad on a system located on the Ball State campus, or a remote-hosted solution using an ILLiad specific username and password process, would have eliminated the security issue identified recently.

There is no known breach of access or misuse of sensitive data, and Atlas Systems has repeatedly stated that they do not log or otherwise store passwords under any circumstances. Even so, the process that was in place provided the potential for interception of sensitive user data by an unauthorized third party. As a precaution, Ball State’s users of ILLiad have been advised to change their passwords if they have any concerns.

Security experts from University Computing Services and Library Information Technology Services continue to work with Atlas Systems to implement a secure authentication process. We anticipate that the ILLiad public interface will be operational soon.

Until user authentication with ILLiad is resolved, the University Libraries continues to provide Interlibrary Loan Services using techniques and procedures that were in place before ILLiad.

For more information, contact Christy A. Groves, University Libraries’ Head of Access Services, CGroves@bsu.edu, (765) 285-3330.