Now on sale in some online marketplaces: cheap, illegal access to SciFinder, an extensive database of scholarly articles and information about chemical compounds run by a division of the American Chemical Society. The sellers are pirates, hawking stolen or leaked SciFinder account information from college students and professors.
“There are reseller Web sites in China where we’ve purchased access to our own products for pennies on the dollar,” says Michael Dennis, vice president for legal administration and applied research at the Chemical Abstracts Service, the division that publishes SciFinder. “We’re shutting down hundreds of these every couple of months,” he says, though in some cases the publisher has trouble taking effective action against sites in other countries.
He says sellers use Taobao, a Chinese service similar to eBay, and other online marketplaces to sell SciFinder access, giving buyers hacked user names and passwords and instructions on how to remotely log in to a college Web site so that they appear to be on the campus. The database is popular with companies as well as with academics, though exactly who is buying the access is not clear.
There is so much unauthorized access through college Web sites that SciFinder has focused antipiracy efforts on higher education. Its leaders have run informational campaigns aimed at college presidents, librarians, and technology officials encouraging them to do more to secure their accounts.
Other scientific publishers have experienced piracy on their online databases as well. One site that gave away hacked journal passwords, called journalpasswords.com, was recently shut down because of the efforts of publishers, according to Edward McCoyd, director of digital policy at the Association of American Publishers.
Most hackers, to be clear, are not after the latest scientific journals when they steal college user names and passwords: In many cases, they use the information to send spam e-mails from college accounts, according to campus security officials. But considering the high price of online journal access, and the usefulness of some of the information to industry, some security experts say it is only natural that at least a few clever hackers try selling pirate access to scholarly databases.
“Truthfully, nothing surprises me,” says Jason Franklin, a graduate student at Carnegie Mellon University who researches online identity-theft marketplaces, though he says he had not heard of this practice until being told about it by a reporter. “If you connect something to the Internet, you better believe that thing’s going to get hacked.”
Some college technology officials see the informational campaign by SciFinder’s publisher as a charge that colleges are not vigilant enough about security, and they bristle at that suggestion.
“To imply that we’re disinterested is not correct, because we have our own cyberassets to protect,” says Rodney J. Petersen, who directs cybersecurity efforts at Educause, a higher-education-technology group. In some cases, he argues, the unauthorized access comes when students or professors share their passwords with others—which violates college policies but is difficult to police.
Universities Get Alerts
SciFinder’s publisher first heard of illegal sales of access to its site a few years ago, when “whistle-blowers” alerted the abstracts service, says Mr. Dennis. At the time, the publisher sent alerts to campus technology officials and librarians to be more vigilant. It included an online checklist for colleges to better secure their Web sites, and a video message from Chris McCue, the service’s vice president for marketing.
Since then, the abstracts service regularly looks for unusual traffic patterns, such as the same user logging into the service from different countries on the same day. “We have some other forensic tools that let us look deeper, but we can’t disclose all of the techniques,” Mr. Dennis says. He stressed that China is not the only country where the passwords are sold or shared, and that the company has several legitimate paying clients in the country.
Some recent technical changes, although not made in response to piracy, could make such hacking more difficult. Unfortunately, the changes make legitimate academic use more difficult as well.
The publisher recently changed the rules for gaining remote access to SciFinder. The move eliminated a stand-alone software client called SciFinder Scholar, in favor of reaching SciFinder via the Web from a library’s Web site. All users must now set up a separate account with SciFinder, rather than simply using their existing college login and password, as many other scholarly databases allow. A spokesman says the move is not related to security, but some librarians say that it appears to be an attempt to give the service more control over password access to the database.
For librarians, the changes mean explaining to users why a popular database just got slightly more difficult to use, says Hilary Davis, associate head of collection management at North Carolina State University. It also means that alumni and other visitors can no longer walk into the library to use SciFinder, as they had in the past, because only current students and professors can set up the new SciFinder accounts, she adds.
Though she says she knows of no unauthorized use of the database from her university, she praises the database and says she understands the publisher’s concerns. “They don’t want to give it away for free, that’s for sure,” she says. “They charge us a lot of money for it.”
Spotting Thieves and Hackers
Security experts say it is difficult to determine how often, and how hard, pirates hit scholarly databases. In some cases, unauthorized users have attempted to log in and download vast numbers of articles to their own sites, presumably to resell them, and so some publishers limit the number of downloads one user can make on a given day.
“Every one of the contracts that university libraries have with major database providers has provisions in them on what to do when the algorithm on the system detects what they usually refer to as excess use,” says Ann J. Wolpert, director of libraries at the Massachusetts Institute of Technology. In those cases, the account is automatically deactivated, and someone from the university investigates. In some cases it turns out to be a student testing out a mass-downloading algorithm, she says. “We’re trying hard, and we investigate every incident, and I’m sure all of my colleagues do, too.”
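The two detection checks the article describes, the abstracts service's search for "the same user logging into the service from different countries on the same day" and the publishers' per-day download limit that triggers automatic deactivation for "excess use", can both be expressed as simple aggregations over an access log. The script below is an added illustration written for this page; it is not code from the Chemical Abstracts Service, from any publisher, or from any library, and its log format, user names, thresholds, and the `triage` function are all constructed for the example.

```python
"""Added example: two access-log checks described in the article.

1. A user seen from more than one country on the same day is flagged
   for human review (possible shared or stolen credentials).
2. A user whose downloads on one day exceed a contractual limit is
   flagged as "excess use" and the account is queued for deactivation
   pending investigation.

Log format (constructed for this example, not a real vendor format):
    YYYY-MM-DD HH:MM:SS <user> <country> <action>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log: alice logs in from two countries on 1 March,
# bob makes 60 downloads in an hour, carol is an ordinary user.
SAMPLE_LOG = [
    "2010-03-01 10:02:11 alice US view",
    "2010-03-01 10:05:40 alice US download",
    "2010-03-01 22:14:03 alice CN download",  # same user, second country, same day
    "2010-03-02 08:00:00 alice US view",      # next day: not flagged on its own
    "2010-03-01 09:00:00 carol DE download",
] + [f"2010-03-01 11:{i:02d}:00 bob US download" for i in range(60)]


@dataclass(frozen=True)
class Event:
    day: str
    user: str
    country: str
    action: str


def parse_line(line: str) -> Event:
    """Split one log line into its fields; the time of day is not needed."""
    date, _time, user, country, action = line.split()
    return Event(date, user, country, action)


def multi_country_logins(events):
    """Return {(day, user): sorted countries} for users seen from more
    than one country on a single day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.day, e.user)].add(e.country)
    return {key: sorted(countries) for key, countries in seen.items()
            if len(countries) > 1}


def excess_use(events, daily_limit=50):
    """Return {(day, user): count} for users whose downloads on one day
    exceed daily_limit (a constructed threshold, not a real contract term)."""
    counts = Counter((e.day, e.user) for e in events if e.action == "download")
    return {key: n for key, n in counts.items() if n > daily_limit}


def triage(lines, daily_limit=50):
    """Run both checks. Returns (flagged, deactivate):
    flagged    -> {user: [reasons]} for a human to review
    deactivate -> set of users whose access is suspended for excess use."""
    events = [parse_line(line) for line in lines]
    flagged = defaultdict(list)
    deactivate = set()
    for (day, user), countries in multi_country_logins(events).items():
        flagged[user].append(f"{day}: seen from {', '.join(countries)}")
    for (day, user), n in excess_use(events, daily_limit).items():
        flagged[user].append(f"{day}: {n} downloads exceeds limit of {daily_limit}")
        deactivate.add(user)
    return dict(flagged), deactivate


if __name__ == "__main__":
    flagged, deactivate = triage(SAMPLE_LOG)
    for user, reasons in sorted(flagged.items()):
        print(user, "->", "; ".join(reasons))
    print("deactivate:", sorted(deactivate))
```

One caveat a practitioner would want: the country here is embedded in the constructed log, whereas a real deployment derives it from the client IP. Because the resold credentials come with instructions to log in through the college's own remote-access site (so the buyer "appears to be on the campus"), the publisher may only ever see the campus proxy's address, and the multi-country check then has to run on the college's proxy or VPN logs, where the originating address is visible, rather than on the vendor's side alone.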
College technology officials say they are seeing increases in so-called phishing attacks, in which malevolent hackers trick users into sharing their logins and passwords. It is unclear what those attackers use the login information for, but many administrators have increased efforts to inform students and professors about guarding their passwords.
Colleges are also doing more to coordinate their response to hackers, says Jack J. Suess, chief information officer at the University of Maryland-Baltimore County. He points to a private e-mail list for campus security officials that was set up a few years ago and has grown to more than 300 participants nationwide.
“This is a proactive response that I think is critical because security is such a dynamic issue,” says Mr. Suess. “The bad people share a lot of information. So if those that are trying to defend themselves are not sharing information, they are really at a loss.”
Many academic publishers are reluctant to talk about the issue publicly. Officials at Elsevier, which publishes several scholarly databases, decline to comment. Officials at Thomson Reuters, another publisher of such databases, did not respond by press time.
Mr. McCoyd, of the publishing association, which in recent years has pushed to stop piracy of e-textbooks and scholarly publications, says that until the past few years, most publishers simply assumed that colleges would manage password access to databases without issue.
“It’s quite unfortunate,” he says, “that a small number of people would engage in this behavior and hamper that otherwise frictionless system.”