Passwords of 100k IEEE members lie bare on FTP server
Radu Dragusin isn't a member of the Institute of Electrical and Electronics Engineers (IEEE), but he enjoys reading the organization's journals.
So last week, he visited IEEE's FTP site, hoping to discover more articles, but instead found something far more alarming: the clear-text usernames and passwords of roughly 100,000 members from around the world.
Dragusin, a computer science researcher at the University of Copenhagen in Denmark, told SCMagazineUS.com on Tuesday that he opened a number of ZIP log files -- 100 gigabytes in total -- inside a folder labeled "Akamai," a company that IEEE uses for content delivery. The files chronicled whenever a member entered their username and password on the IEEE site, meaning they contained, among other things, the credentials, IP addresses and HTTP requests of the visitors. He estimates this information was publicly available for at least a month.
"Anybody could do it," Dragusin said of his discovery, which he detailed in a comprehensive blog post that he wrote over the weekend. "It's not very sophisticated."
He said the IEEE failed on two fronts. For starters, the access permissions on the FTP server were entered incorrectly, a misconfiguration that left the logs publicly readable. The directory should have been restricted to administrators only.
Secondly, and perhaps more worrying, the IEEE apparently makes it a practice to store passwords in logs, which should be avoided, Dragusin said. Not to mention, they were captured and kept in clear text, without any encryption.
Dragusin has no plans of sharing the data with anyone. He notified IEEE about the issue last week, and the problem files have since been taken offline. But it's likely the group is still maintaining passwords in its activity logs.
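The second failure is the one a web application owner can fix in code: credentials submitted in a query string or request body should never reach a log file in the first place, and existing logs should be audited for them. The following is an added example, written for this article and not code from IEEE, Akamai or Dragusin. It assumes a constructed Apache-style access log (the sample lines are made up) and a small, assumed list of sensitive field names; it redacts credential values at write time via a standard `logging.Filter`, and scans an existing log for lines that still carry them.

```python
import logging
import re
from typing import Iterable, List, Tuple

# Assumed list of field names that should never be logged in clear text.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret")
REDACTED = "[REDACTED]"

_KEY_ALT = "|".join(SENSITIVE_KEYS)
# key=value pairs as found in query strings and form-encoded bodies
_KV_RE = re.compile(r"(?i)\b(" + _KEY_ALT + r")=([^&\s\"']*)")
# "key": "value" pairs as found in JSON bodies
_JSON_RE = re.compile(r"(?i)\"(" + _KEY_ALT + r")\"(\s*:\s*\")([^\"]*)\"")


def redact_line(line: str) -> str:
    """Return the log line with every sensitive value replaced by [REDACTED].

    Only the value is rewritten; the field name stays, so the redacted log
    still shows that a login happened without disclosing the secret.
    """
    line = _KV_RE.sub(lambda m: f"{m.group(1)}={REDACTED}", line)
    line = _JSON_RE.sub(lambda m: f'"{m.group(1)}"{m.group(2)}{REDACTED}"', line)
    return line


def find_credentials(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Audit existing log lines: (1-based line number, sensitive keys present)."""
    hits = []
    for number, line in enumerate(lines, 1):
        keys = {m.group(1).lower() for m in _KV_RE.finditer(line)}
        keys |= {m.group(1).lower() for m in _JSON_RE.finditer(line)}
        if keys:
            hits.append((number, sorted(keys)))
    return hits


class CredentialRedactingFilter(logging.Filter):
    """Attach to a logger or handler so secrets are scrubbed before any
    handler writes the record (filters run before formatting)."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact_line(record.msg)
        if record.args:
            record.args = tuple(
                redact_line(a) if isinstance(a, str) else a for a in record.args
            )
        return True


# Constructed sample log lines (fictional addresses and users, not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Sep/2012:10:01:05 +0000] "POST /login?user=alice&password=s3cr3t HTTP/1.1" 302 0',
    '10.0.0.9 - - [18/Sep/2012:10:01:09 +0000] "POST /api/login HTTP/1.1" 200 88 '
    'body={"username": "bob", "password": "hunter2"}',
]


if __name__ == "__main__":
    # Audit: which lines of the existing log still contain credentials?
    for number, keys in find_credentials(SAMPLE_LOG):
        print(f"line {number}: clear-text {', '.join(keys)}")

    # Prevention: a logger that scrubs before writing.
    log = logging.getLogger("access")
    log.addFilter(CredentialRedactingFilter())
    logging.basicConfig(format="%(message)s", level=logging.INFO)
    for line in SAMPLE_LOG:
        log.info(line)
```

The filter is deliberately conservative: it keeps the field name and drops only the value, which preserves the audit trail (who logged in, from where, when) that the logs exist for. Running the audit function over an archive before it is exposed through any shared channel, such as a content-delivery staging directory, is the check that would have caught this case.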
The breach is particularly notable, considering many of IEEE's members are security professionals, and the organization has devised security standards, including ones that cover encryption and key management. The victims work in companies like Apple, Google, IBM, Oracle, Samsung and NASA, he said.
"It's not an organization in which you can just be a member, like a social website," Dragusin said. "They must have a specific type of training. These members are highly skilled individuals."
A call and email to IEEE were not returned on Tuesday.