The Institute of Electrical and Electronics Engineers (IEEE) stored usernames and passwords for its users in a plain-text file on a publically accessible server, a Romanian computer scientist has claimed.
A plaintext file containing nearly 100,000 credentials were accessible on an IEEE.Org FTP server for at least one month before it was discovered on Sept. 18, Radu Drăgușin, a teaching assistant in the computer science department at the University of Copenhagen, Denmark, wrote on the IEEElog.com site Tuesday. The file contained users who were employees at companies such as Apple, Google, IBM, Oracle, and Samsung, as well as researchers from NASA, Stanford University, and other institutions, Dragusin wrote.
In addition to exposing username and passwords for IEEE members, the FTP server contained the ieee.org Website logs and visitor activity log for spectrum.ieee.org, Dragusin said. It appears the IEEE Web administrators "failed to restrict access" to theWeb server logs for both sites, allowing anyone to view the contents. Every Web request to the Web sites, or more than 376 million HTTP requests, were recorded in those files, Dragusin wrote.
Web server logs should never be publicly accessible as the files generally contain information that can be used to identify users and correlate their browsing activity. It appears that IEEE has closed that security hole, as the files are no longer available.
"If leaving an FTP directory containing 100GB of logs publicly open could be a simple mistake in setting access permissions, keeping both usernames and passwords in plaintext is much more troublesome," Dragusin wrote.
Security experts have stressed time and time again that best practices call for storing salted cryptographic hashes of passwords, using an algorithm that hasn't already been cracked. For a professional association which includes computer science professionals and publishes security publications, keeping passwords in plaintext, and then storing them in the same location as the server logs is a colossal, and baffling, mistake to make.
It's not known at this time whether the file was accessed before Dragusin found it. If someone else got to the file first, those users are at risk for spear phishing attacks or other targeted campaigns. If the IEEE has access logs for its FTP server, the organizations would be able to determine the extent of the damage, Dragusin speculated.
According to Dragusin's Twitter and Google+ posts, IEEE has yet to notify users, but the organization had posted a note to its website Tuesday afternoon, acknowledging a "security incident".
"We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected," the IEEE wrote in the statement.
"It would be reasonable to assume, that an organization publishing leading security-focused publications, would value the privacy of its members, and be proactive in keeping their data secure," Dragusin wrote.
Dragusin analyzed the raw data to figure out where the users were based, what email domains they were using, and common passwords. His analysis of common passwords was particularly disappointing. The top five most popular passwords in the IEEE file turned out to be "123456," "ieee2012," "12345678," "123456789," and "password. Considering many of IEEE members are security professionals and the organization has worked on various encryption and key management standards, the lack of password sophistication is worrisome.
There's one positive thing to note, however, since it appears that a majority of the users are using unique passwords. It appears that the top five passwords are being used by only one percent of the affected users, and the top 18 passwords were used by less than two percent of users, according to Dragusin's analysis. IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords.