Security breach exposes roughly 100,000 IEEE members’ User IDs and Passwords
On Sept. 24 2012 the Institute of Electrical and Electronics Engineers (IEEE) confirmed that nearly 100,000 of its members User Names and Passwords were publicly exposed from a computer security breach.
It seems that the Password and User Name files on an FTP server were left open for at least a month. According to Radu Dragusin, a teaching assistant at the University of Copenhagen, Denmark, “The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees.”
Dragusin goes on to say, “The simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs for both ieee.org and spectrum.ieee.org allowing these to be viewed by anyone going to the address ftp://ftp.ieee.org/uploads/akamai/ (closed on September 24 around 13:00 UTC, after I reported it). “On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). Web server logs should never be publicly available, since they usually contain information that can be used to identify users.”
What makes this story even more troubling is when Mr. Dragusin discovered the security breach on Sept. 18 he stated, “For a few days I was uncertain what to do with the information and the data. On September 24, I let them [IEEE] know, and they fixed (at least partially) the problem.
Mr. Dragusin and the IEEE are also missing the gravest of all errors: the time it took to report the breach. While excuses can be given as to why the security breach happened, the delay in notification suggests that IEEE has not properly trained its people on what to do when a security breach is discovered. The longer it takes to fix the problem the more damage is done and the liabilities increase.
Don’t let your company fall victim to the secondary security breach of inactivity. Here are four tips every company and organization must put in place.
- Prepare. An attack or security breach is going to occur. The best way to mitigate the damage is to react fast and have a pre-defined action plan in place. Do a Risk Assessment before and not affter the breach.
- Categorize. Like the military, categorize every data file as being “Non-classified”, “Classified”, “Secret” or “Top secret”. This will determine the best place to store this data and where it should be saved (public or private cloud).
- Encrypt: Once data has been classified then those files that are deemed sensitive to exposure must be encrypted. Get a data encryption program or hard drives, use email encryption solutions, etc.
- Authenticate. Companies already authenticate an employee before they enter the physical office with their ID badge. The same thing must be done before someone enters the “virtual” office. User Names and Passwords alone are not secure. Get a multifactor authentication solution like Power LogOn.
About Access Smart, LLC: Headquartered in Ladera Ranch, California, Access Smart, LLC is dedicated to empowering businesses, agencies and institutions to securely regain control over their computer network authentication and data access authorization. Security does not have to be cumbersome to be effective. That is why our products are designed using state-of-the-art security technologies while focusing on ease-of-use and low-cost-of-ownership. Security should never be a luxury, especially with rampant data breaches and privacy regulations.
For more information about Access Smart, please visit www.Access-Smart.com.
