A Romanian researcher says he discovered a data breach in an FTP server owned by the Institute of Electrical and Electronics Engineers (IEEE) that exposed usernames and passwords for almost 100,000 members.
The IEEE is a professional association that advocates "technical excellence" and has about 400,000 members, along with a long tradition of building consensus for important technical standards. But its web server maintenance may have had glaring shortcomings. "The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," states Radu Dragusin, whose resume indicates he works in the Department of Computer Science at the University of Copenhagen as a teaching assistant. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford, and many other places."
Dragusin indicates in his posting about the IEEE hole that he first discovered it on Sept. 18, and was "uncertain" about what to do with his find. But he says he has shared the information with the IEEE and believes it has "fixed (at least partially) the problem."
The IEEE released a statement: "IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected.
"IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused."
According to Dragusin, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org, allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai" (though he notes this has now been closed). He adds that laws in the U.S. and Europe suggest that the IEEE may be required to notify users about the data breach.
Dragusin also states in his posting that he does not plan to release the log data to anyone other than the IEEE, and is also going to "give in to the urge to perform a basic analysis of this serendipitously acquired data."
He adds: "Web server logs should never be publicly available," since they usually contain information that can be used to identify users.
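The point Dragusin makes above, that ordinary web server logs carry identifying data and, when a login form submits credentials in the URL, the passwords themselves, can be checked mechanically before a log is ever retained or copied anywhere. The script below is an added example written for this article; it is not the researcher's analysis, IEEE tooling, or code from the original report. It runs over a few constructed lines in the common "combined" access-log format, counts and redacts credential-bearing query parameters, flags identity parameters, and checks whether a Unix file mode would leave the log readable by every user on the host. The parameter names it looks for, the sample lines and the function names are all assumptions made for the example.

```python
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample lines in Apache/nginx "combined" log format. Lines 1 and 3
# show a login form that sends credentials in the query string, which is how
# passwords end up in plaintext inside ordinary access logs.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2012:10:01:12 +0000] "GET /login?username=alice&password=Hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Sep/2012:10:02:45 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Sep/2012:10:03:01 +0000] "POST /auth?user=bob@example.org&passwd=S3cret HTTP/1.1" 302 0 "-" "curl/7.26"
"""

# Query parameters whose values are secrets (assumed names): these must never reach a log.
SECRET_PARAMS = re.compile(r'(?i)\b(password|passwd|pwd|pass|token|secret)=([^&\s"]*)')
# Query parameters that identify a person (assumed names); worth flagging even when no
# secret is present, because the log alone then reveals who logged in and when.
IDENTITY_PARAMS = re.compile(r'(?i)\b(username|user|email|login)=([^&\s"]*)')
REDACTED = "[REDACTED]"


def redact_line(line: str) -> Tuple[str, int, int]:
    """Replace secret values with [REDACTED]; return (line, #secrets, #identity fields)."""
    # Only non-empty values that are not already redacted count as leaked secrets.
    n_secret = sum(1 for m in SECRET_PARAMS.finditer(line)
                   if m.group(2) and m.group(2) != REDACTED)
    n_ident = len(IDENTITY_PARAMS.findall(line))
    redacted = SECRET_PARAMS.sub(lambda m: f"{m.group(1)}={REDACTED}", line)
    return redacted, n_secret, n_ident


def audit_log(text: str) -> Dict[str, object]:
    """Scan a whole log and summarise how much credential and identity data it holds."""
    redacted_lines: List[str] = []
    lines_with_secrets = total_secrets = total_idents = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        red, n_secret, n_ident = redact_line(line)
        redacted_lines.append(red)
        total_secrets += n_secret
        total_idents += n_ident
        if n_secret:
            lines_with_secrets += 1
    return {
        "lines": len(redacted_lines),
        "lines_with_secrets": lines_with_secrets,
        "secrets": total_secrets,
        "identity_fields": total_idents,
        "redacted": redacted_lines,
    }


def world_readable(mode: int) -> bool:
    """True if a Unix file mode grants read access to 'other', e.g. 0o644."""
    return bool(mode & stat.S_IROTH)


def log_is_safe_to_keep(text: str, mode: int) -> bool:
    """Policy check: retain a log only if it holds no secrets and is not world-readable."""
    report = audit_log(text)
    return report["secrets"] == 0 and not world_readable(mode)


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG)
    print(f"{report['lines_with_secrets']} of {report['lines']} lines carry credentials; "
          f"{report['identity_fields']} identity fields")
    for line in report["redacted"]:
        print(line)
    print("safe to keep as 0o644:", log_is_safe_to_keep(SAMPLE_LOG, 0o644))
    print("safe to keep after redaction as 0o640:",
          log_is_safe_to_keep("\n".join(report["redacted"]), 0o640))
```

Redaction at this stage is a fallback, not the fix: the durable mitigation is to keep credentials out of the request line altogether (POST bodies rather than query strings, which common web servers do not log by default) and to keep log directories off any publicly reachable share. The mode check is deliberately a pure function of an integer so it can be applied to `os.stat(path).st_mode` on a real file or to a value in a test.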
Torsten George, vice president of marketing at Agiliance, says the most disturbing part about the breach is that the IEEE apparently was storing the passwords in plaintext instead of some kind of encrypted form. "This is something today that really shouldn't occur," he points out. He also says it was surprising how the IEEE didn't restrict access to the FTP server.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.