Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Breach a 'security disaster' for IEEE

Taylor Armerding | Oct. 1, 2012
Failure to encrypt data, usernames and passwords called 'plain stupid'

The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as "the world's largest professional association for the advancement of technology."

But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.

The breach discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.

Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it "plain stupid."

Paul Ducklin, writing at Sophos' Naked Security blog, called it, "a veritable security disaster for the IEEE."

The IEEE announced the breach earlier this week. Redo Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.

"The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," Dragusin wrote. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."

He said the unencrypted passwords were the most "troublesome" element of the breach, but also said, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs ..." which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.

A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string "1234567890," in order. Others in the top 20 included "password" and "admin."

IEEE sent a letter to its members the next day, acknowledging the breach, but saying, "This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account."

Because of that, the organization said it had terminated the access of its members under their current passwords, and would have to, "authenticate through a series of personal security questions you set up at the time you opened the account and to change your password."

The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.