Hackers, cybercriminals and malware are becoming a significant threat for many companies, but, as one recent breach shows, even an organization with the expertise of the technology industry's elite can be vulnerable to security lapses. Radu Dragusin, a graduate student from the University of Copenhagen, uncovered a critical data security breach at the Institute of Electrical and Electronics Engineers (IEEE), an association for technology professionals. Dragusin provided the details of his findings in a blog post, shortly after discovering the problem on September 18.
IEEE web account holders include such high-ranking professionals as Google and IBM analysts, university professors and government contractors, and the security precautions put in place to protect those accounts have fallen under scrutiny. According to Dragusin, the login credentials of approximately 100,000 IEEE.org members were stored in plain text on the website's FTP server for at least one month. Dragusin was also able to view all user activity on the website.
"The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it)," Dragusin wrote. "On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users."
The FTP directory contained 100 GB of log data, and while it is reasonable to assume that a simple mistake could have led to it becoming publicly available, Dragusin chastised the organization for storing the data in plain text. Shortly after details of the incident were posted, IEEE released a confirming statement.
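One control this incident points to is scrubbing credential-bearing fields from access logs before they are stored or shipped anywhere. The following is an added example, not code from the article, IEEE or Dragusin; it assumes credentials reached the logs as query-string parameters, and the parameter names and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query-string parameter names treated as credentials (constructed list, an assumption).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "passphrase", "token", "apikey"}

# Matches the request field of a combined/common-format access log line: "GET /path?q HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"')

def redact_target(target):
    """Return (redacted_target, number_of_redacted_params) for one request target."""
    parts = urlsplit(target)
    if not parts.query:
        return target, 0
    hits, cleaned = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            cleaned.append((name, "REDACTED"))  # keep the key so request shape stays auditable
            hits += 1
        else:
            cleaned.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), hits

def scrub_line(line):
    """Redact sensitive query parameters inside one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, 0  # not a request line we understand; leave untouched
    new_target, hits = redact_target(m.group("target"))
    if hits == 0:
        return line, 0
    return line[:m.start("target")] + new_target + line[m.end("target"):], hits

def scrub_log(lines):
    """Scrub every line; return (cleaned_lines, total credential fields removed)."""
    out, total = [], 0
    for line in lines:
        cleaned, hits = scrub_line(line)
        out.append(cleaned)
        total += hits
    return out, total

# Constructed sample log lines (combined log format); none of these are from the real IEEE logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:12:01 +0000] "GET /login?user=alice&password=123456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2012:10:12:05 +0000] "GET /articles?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2012:10:13:44 +0000] "POST /account/reset?token=abc123&pwd=ieee2012 HTTP/1.1" 200 311 "-" "curl/7.26"',
]

if __name__ == "__main__":
    cleaned, total = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"credential fields redacted: {total}")
```

The count returned by scrub_log doubles as a detection signal: any non-zero value means the application is accepting credentials in a way that lands them in logs, which is the root defect to fix alongside restricting access to the log directory.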
"IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords," IEEE said. "We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected."
While the scale of the breach and the suspiciously lax data protection practices exercised by IEEE are significant, individual users may want to take a closer look at their passwords before condemning the organization.
Poor password security practices revealed
Following a security breach like this one, many experts are quick to criticize individuals for using passwords that a simple program can crack in seconds. One might assume that the members of an organization that attracts many high-ranking technology experts would use strong passwords, but the truth is a little more embarrassing.
Dragusin's analysis of the data uncovered the character strings many IEEE members used to protect their accounts. The most commonly employed password revealed in the breach was "123456" – which was also found to be the most common password in the Yahoo data security breach earlier this year. The second and third most common don't fare much better: "ieee2012" and "12345678" respectively.
It may be a little unreasonable to expect any individual to use unique, complex passwords for all of his or her online accounts. However, solutions such as password management software make it possible to follow best practices when it comes to login credentials. As Dragusin's data shows, a significant improvement in account security could be made just by moving away from overly simplistic passwords and using the randomly generated passwords that such software produces.
Data Security News from SimplySecurity.com by Trend Micro