By Taylor Armerding
CSO— The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as “the world’s largest professional association for the advancement of technology.”
But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.
The breach discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.
Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it “plain stupid.”
Paul Ducklin, writing at Sophos’ Naked Security blog, called it, “a veritable security disaster for the IEEE.”
The IEEE announced the breach earlier this week. Redo Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.
“The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery,” Dragusin wrote. “Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places.”
He said the unencrypted passwords were the most “troublesome” element of the breach, but also said, “the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs …” which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.
[CSO Disclosure Series: User education – How to respond to a data breach disclosure]
A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string “1234567890,” in order. Others in the top 20 included “password” and “admin.”
IEEE sent a letter to its members the next day, acknowledging the breach, but saying, “This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account.”
Because of that, the organization said it had terminated the access of its members under their current passwords, and would have to, “authenticate through a series of personal security questions you set up at the time you opened the account and to change your password.”
The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.
Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.
“IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused,” the statement said.
George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone — that this is somewhat typical of too many organizations.
“This illustrates a check-box mentality of compliance,” he said. “It is looking at security as a necessary evil, but only to fulfill a regulatory mandate.”
The failure to encrypt the data is especially mystifying, he said, “especially after the LinkedIn breach,” a reference to the breach in June of the professional networking site that led to the posting of 6.5 million member passwords on a Russian hacking site. At the time LinkedIn was not using the preferred encryption method called salted hashing.
Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.
George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. “Somebody must have changed the access and forgot to change it back,” he said. “It’s a human mistake that’s made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.
“You can’t rely on humans,” he said. “You have to automate the process.”
Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, “I did not, and plan not to release the raw log data to anyone else,” he wrote.
But that does not make him a hero to Paul Ducklin’s, who mocked Dragusin’s professed “uncertainty” about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to “register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
“Nor did it prevent him grabbing and processing 100GB of log data he knew wasn’t supposed to be accessible,” he wrote. “How is this bad? It probably isn’t. But it’s more of a ‘don’t be evil’ outlook than one of ‘actually be good.'”
George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.
“You can mandate password policies,” he said. “You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement.”