A Romanian computer scientist discovered that the Institute of Electrical and Electronics Engineers (IEEE) was storing its members’ usernames and passwords in plain text on a publicly accessible file transfer protocol (FTP) server.
Radu Drăgușin claims the collection of nearly 100,000 credentials had been accessible on the FTP server for at least one month before his discovery. Among those exposed are employees of Google, Apple, IBM, Oracle, Samsung, NASA and Stanford University to name a few. In addition to the username-password combinations, discovered last Tuesday, all visitor activity on the site for logged-in members was publicly available as well.
The IEEE is a professional association “dedicated to advancing technological innovation and excellence for the benefit of humanity.” It is the keeper of the 802.11 wireless networking standard. According to their website, the group boasts 400,000 members from more than 160 countries. Drăgușin reported the flaw to the IEEE and they fixed the problem.
Drăgușin writes that the noticeable failure in this incident belongs to the IEEE’s Web administrators who did not restrict access to the webserver logs on both ieee.org and spectrum.ieee.org. The FTP directory in question contained 100GB worth of logs. Until Monday when the issue was resolved, anyone who happened upon ftp://ftp.ieee.org/uploads/akamai/ could view these webserver logs, which documented more than 376 million HTTP requests.
This is a serious gaffe for a professional association of scientists and engineers, whose membership includes a fairly large number of computer science professionals. As serious as the gaffe is, it resulted from an honest albeit careless mistake made by whoever established the access permission settings. The real problem here, and the reason Drăgușin says the problem is only partially solved, is the fact that the IEEE was storing usernames and passwords in plain text. It almost goes without saying at this point that best practices call for storing salted cryptographic hashes of passwords, not the passwords themselves. Drăgușin goes on to criticize the IEEE for keeping passwords with the logs at all, because it makes them available to any employee with access to the logs.
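As an added example (not code from the article, from Drăgușin, or from the IEEE), this is what the salted-hash storage the paragraph calls for looks like in Python, using PBKDF2 from the standard library. The record format and iteration count are assumptions; the denylist is the top-five list reported on this page.

```python
import hashlib
import hmac
import os
from typing import Optional

# The five most common passwords in the leaked IEEE set, as reported on this page.
COMMON_PASSWORDS = {"123456", "ieee2012", "12345678", "123456789", "password"}

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random 16-byte salt is drawn per password, so two members who chose
    the same password get different records and one precomputed table cannot
    crack them all at once.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def is_weak_password(password: str) -> bool:
    """True if the password is one of the leak's top five (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def store_user(store: dict, username: str, password: str) -> None:
    """Persist only the salted hash; the plain-text password never reaches disk or logs."""
    if is_weak_password(password):
        raise ValueError("password is on the common-password list")
    store[username] = hash_password(password)
```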
Usually you have to wait a few days for any analysis of compromised data, but not this time. Drăgușin went ahead and analyzed the data, which will not be made public.
You can find Drăgușin’s complete analysis here, but the top five most popular passwords were: “123456,” “ieee2012,” “12345678,” “123456789,” and, yep, you guessed it, “password.”