
Breach a 'security disaster' for IEEE

Taylor Armerding | Oct. 1, 2012
Failure to encrypt data, usernames and passwords called 'plain stupid'

Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.

"IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused," the statement said.

George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone -- that this is somewhat typical of too many organizations.

"This illustrates a check-box mentality of compliance," he said. "It is looking at security as a necessary evil, but only to fulfill a regulatory mandate."

The failure to protect the data is all the more mystifying, he said, "especially after the LinkedIn breach," a reference to the June breach of the professional networking site, in which 6.5 million password hashes were posted on a Russian hacking site. At the time LinkedIn was storing passwords as unsalted SHA-1 hashes rather than following the recommended practice of salting each password with a random value before hashing it, which forces an attacker to crack every account separately instead of reusing one precomputed table.
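The difference matters in practice. The Python below is an added illustration, not code from the article, from IEEE or from LinkedIn: it shows a lookup-table attack against unsalted SHA-1 hashes (one precomputation recovers every user who picked the same weak password) beside salted, iterated hashing with PBKDF2-HMAC-SHA256, where identical passwords produce different stored values and each guess costs real work. The word list and the "leaked" hashes are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the demonstration (not real breach data).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Store a password the way LinkedIn did in 2012: a bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Lookup-table attack: hash every candidate once, then invert each leaked hash
    with a dictionary lookup. Every account that chose the same password falls at
    once, which is exactly what a per-user salt prevents."""
    table = {unsalted_sha1(p): p for p in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The 16-byte random salt makes
    identical passwords hash differently, so precomputed tables are useless and
    each account must be attacked on its own; the iteration count slows each guess.
    The '$'-separated storage format is an assumption for this example."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store everything needed to verify later: algorithm, work factor, salt, digest.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Three constructed users; two of them share a weak password.
    leaked = [unsalted_sha1("linkedin"), unsalted_sha1("linkedin"), unsalted_sha1("qwerty")]
    print("cracked from unsalted hashes:", crack_unsalted(leaked, COMMON_PASSWORDS))
    first, second = hash_password("linkedin"), hash_password("linkedin")
    print("same password, different salted hashes:", first != second)
    print("verify correct / wrong:", verify_password("linkedin", first),
          verify_password("wrong", first))
```

The lookup step is the whole point: against unsalted hashes the attacker's cost is one hash per dictionary word regardless of how many users leaked, while against salted hashes it is one hash per word per user, multiplied again by the iteration count.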

Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.

George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. "Somebody must have changed the access and forgot to change it back," he said. "It's a human mistake that's made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.

"You can't rely on humans," he said. "You have to automate the process."
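One way to automate the check George describes, written here as an added example and not anything IEEE is known to have run: a script that walks the web server's log directories and reports any log file that is readable by every local user or that has ended up inside the web document root, where an HTTP client could fetch it. Run from cron or a monitoring agent, it catches the "changed the access and forgot to change it back" case within one polling interval. The directory layout, file modes and sample log line are constructed for the demo, and the two rules (no world-read bit, nothing under the document root) are this example's assumptions about what "restricted" should mean.

```python
import os
import stat
import tempfile

WORLD_READABLE = stat.S_IROTH  # the "other: read" permission bit, 0o004


def find_exposed_logs(log_dirs, web_root=None):
    """Return a sorted list of (path, reason) for every file under log_dirs that is
    readable by any local user, or that sits inside the web server's document root.
    An empty list means the check passed."""
    findings = []
    web_root = os.path.realpath(web_root) if web_root else None
    for log_dir in log_dirs:
        for dirpath, _dirnames, filenames in os.walk(log_dir):
            for name in filenames:
                path = os.path.realpath(os.path.join(dirpath, name))
                mode = os.stat(path).st_mode
                if mode & WORLD_READABLE:
                    findings.append((path, f"world-readable (mode {stat.S_IMODE(mode):04o})"))
                if web_root and os.path.commonpath([path, web_root]) == web_root:
                    findings.append((path, "inside web document root"))
    return sorted(findings)


def build_fixture():
    """Constructed layout for the demo: one correctly protected log, one rotated log
    that was left world-readable, and one log copied under the web root.
    Returns (log_dirs, web_root)."""
    base = tempfile.mkdtemp(prefix="logcheck-")
    logs = os.path.join(base, "var", "log", "httpd")
    web_root = os.path.join(base, "var", "www", "html")
    os.makedirs(logs)
    os.makedirs(os.path.join(web_root, "logs"))
    # Constructed access-log line; credentials in a query string are the kind of
    # data a leaked web server log exposes.
    sample_line = ('203.0.113.5 - - [18/Sep/2012:10:00:00 +0000] '
                   '"GET /login?user=alice&pass=s3cret HTTP/1.1" 200 512\n')
    files = {
        os.path.join(logs, "access.log"): 0o640,                      # correct
        os.path.join(logs, "access.log.1"): 0o644,                    # world-readable
        os.path.join(web_root, "logs", "access.log.2"): 0o644,        # exposed via HTTP
    }
    for path, mode in files.items():
        with open(path, "w") as handle:
            handle.write(sample_line)
        os.chmod(path, mode)
    return [logs, os.path.join(web_root, "logs")], web_root


if __name__ == "__main__":
    log_dirs, web_root = build_fixture()
    findings = find_exposed_logs(log_dirs, web_root)
    for path, reason in findings:
        print(f"EXPOSED: {path}: {reason}")
    raise SystemExit(1 if findings else 0)
```

The non-zero exit status is what turns this into monitoring rather than a report: a scheduler or agent that alerts on failure will surface the regression even if nobody is reading the output.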

Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, "I did not, and plan not to release the raw log data to anyone else," he wrote.

But that does not make him a hero to Paul Ducklin, who mocked Dragusin's professed "uncertainty" about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to "register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.

"Nor did it prevent him grabbing and processing 100GB of log data he knew wasn't supposed to be accessible," he wrote. "How is this bad? It probably isn't. But it's more of a 'don't be evil' outlook than one of 'actually be good.'"

George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.

"You can mandate password policies," he said. "You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement."
