BreachExchange mailing list archives

IEEE Suffers Massive Security Breach


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 25 Sep 2012 15:34:19 -0500

http://www.esecurityplanet.com/network-security/ieee-suffers-massive-security-breach.html

Copenhagen-based programmer Radu Dragusin recently discovered that almost
100,000 user names and plain text passwords for members of the
IEEE <http://www.ieee.org/index.html> were
made available on the organization's FTP server for at least a month.

"IEEE suffered a data breach which I discovered on September 18,"
Dragusin wrote in a Slashdot post
<http://it.slashdot.org/story/12/09/25/1356211/data-breach-reveals-100k-ieeeorg-members-plaintext-passwords?utm_source=rss1.0moreanon&utm_medium=feed>.
"For a few days I was uncertain what to do with the information and the
data. Yesterday I let them know, and they fixed (at least partially) the
problem. The usernames and passwords kept in plaintext were publicly
available on their FTP server for at least one month prior to my discovery.
Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle
and Samsung employees, as well as researchers from NASA, Stanford and many
other places."

"The simplest and most important mistake on the part of the IEEE web
administrators was that they failed to restrict access to their webserver
logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by
anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on
September 24 around 13:00 UTC, after I reported it)," Dragusin wrote in a
separate analysis <http://ieeelog.com/>.

"While it's too early to fully assess the severity of the data breach,
which impacts both ieee.org and spectrum.ieee.org, Dragusin states that the
available information exposes these users' activity on these sites,"
writes Nextgov.com's Leandro Oliva
<http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/09/ieee-data-breach-has-global-implications/58344/>.
"Malicious parties interested in identifying users could conceivably be
assisted in mounting spear phishing attacks on these users, and potentially
come up with social engineering exploits."

"This is not IEEE’s first breach involving members’ information,"
DataBreaches.net
reports <http://www.databreaches.net/?p=25400>. "A November 2010 hack
affecting 828 members was disclosed in February 2011
<http://www.esecurityplanet.com/headlines/article.php/3929676/IEEE-Hacked.htm>.
And in April 2011, some members who signed up for life insurance
underwritten by NY Life Insurance were notified that a mailing error by
Marsh U.S. Consumer exposed some of their information to other members."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.
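The report above says the exposed material was the ieee.org web server logs, and that those logs carried usernames and passwords in plaintext. Before access logs are archived, shared, or (as here) left on a file server, a practitioner would want to know whether they contain credential material at all. The following is an added example written for this archive page, not code from the original post, from Dragusin, or from IEEE. It assumes Apache/nginx "combined" log lines and assumes the credentials arrived as GET query-string parameters of a login request; the report does not state the server, the log format, or the exact way the passwords got into the logs, so the sample lines are constructed and the parameter names are a guess that should be extended to match your own login forms.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample in the Apache/nginx "combined" format (assumption: the
# original report names neither the server nor the log format). The login line
# with a query-string password is the assumed leak path, not a quote from the
# incident; the "q=password+policy" line is there to show the check keys on the
# parameter *name*, not on the word "password" appearing anywhere in the line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2012:08:15:02 +0000] "GET /login?username=jdoe&password=Hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2012:08:15:03 +0000] "GET /home.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.42 - - [10/Sep/2012:08:16:11 +0000] "POST /login HTTP/1.1" 200 411 "-" "curl/7.26.0"
198.51.100.42 - - [10/Sep/2012:08:17:40 +0000] "GET /search?q=password+policy HTTP/1.1" 200 9001 "-" "curl/7.26.0"
"""

# Client IP, identd, user, timestamp, request line, status and size; the
# referer and user-agent fields that follow are not needed and are not matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names treated as credential-bearing (assumed list; extend it to
# whatever your own login and API endpoints actually call these fields).
CRED_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token", "apikey", "api_key"}


def credential_params(target):
    """Names of query parameters in a request target that look like credentials."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in CRED_KEYS]


def redact_target(target):
    """Rewrite a request target with credential-looking values masked."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = [(k, "REDACTED" if k.lower() in CRED_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


def scan_log(text):
    """One finding per log line whose request target carries a credential parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format; skip rather than guess
        params = credential_params(m.group("target"))
        if params:
            findings.append({"line": lineno, "ip": m.group("ip"), "params": params,
                             "redacted": redact_target(m.group("target"))})
    return findings


def redact_log(text):
    """Return the log with credential values masked; line count is unchanged."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and credential_params(m.group("target")):
            target = m.group("target")
            line = line.replace(target, redact_target(target), 1)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} sent {', '.join(f['params'])} in the query string")
    print(redact_log(SAMPLE_LOG))
```

Run against the sample, only the first line is flagged: the POST on line 3 carries its form fields in the body, which this log format never records, and line 4 merely mentions the word in a search term. The scanner is a detection aid, not the fix; the fix is to keep secrets out of URLs in the first place (POST bodies, or stripping the parameters before the request is logged) and to keep log directories off anonymously readable shares such as the FTP path named in the report.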
