BreachExchange mailing list archives
IEEE Suffers Massive Security Breach
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 25 Sep 2012 15:34:19 -0500
http://www.esecurityplanet.com/network-security/ieee-suffers-massive-security-breach.html

Copenhagen-based programmer Radu Dragusin recently discovered that almost 100,000 user names and plain text passwords for members of the IEEE<http://www.ieee.org/index.html> were made available on the organization's FTP server for at least a month.

"IEEE suffered a data breach which I discovered on September 18," Dragusin wrote in a Slashdot post<http://it.slashdot.org/story/12/09/25/1356211/data-breach-reveals-100k-ieeeorg-members-plaintext-passwords?utm_source=rss1.0moreanon&utm_medium=feed>. "For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."

"The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org, allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it)," Dragusin wrote in a separate analysis<http://ieeelog.com/>.

"While it's too early to fully assess the severity of the data breach, which impacts both ieee.org and spectrum.ieee.org, Dragusin states that the available information exposes these users' activity on these sites," writes Nextgov.com's Leandro Oliva<http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/09/ieee-data-breach-has-global-implications/58344/>. "Malicious parties interested in identifying users could conceivably be assisted in mounting spear phishing attacks on these users, and potentially come up with social engineering exploits."

"This is not IEEE's first breach involving members' information," DataBreaches.net reports<http://www.databreaches.net/?p=25400>. "A November 2010 hack affecting 828 members was disclosed in February 2011<http://www.esecurityplanet.com/headlines/article.php/3929676/IEEE-Hacked.htm>. And in April 2011, some members who signed up for life insurance underwritten by NY Life Insurance were notified that a mailing error by Marsh U.S. Consumer exposed some of their information to other members."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list