When Log Files Attack: IEEE Data Leak

Friday, September 28, 2012

Tripwire Inc


Article by Ken Westin

This week it was discovered that a large number of member usernames and passwords belonging to the Institute of Electrical and Electronics Engineers (IEEE) had been exposed on a publicly accessible server.

Roughly 100GB of log files were discovered by Radu Dragusin, a teaching assistant in Denmark, on an unsecured FTP server.

The compromised data included account information for members employed at Apple, Google and even NASA. Dragusin notified IEEE before publishing his analysis of the data on IEEElog.org, and the security hole has since been fixed; however, it is not known whether anyone else accessed the data while it was exposed.

The IEEE has not yet stated how the oversight occurred, but the available evidence points to a configuration change that removed the access controls on the server.

The fact that usernames and passwords were being written to a plaintext log file is itself the core problem. Even if passwords are hashed when stored in the database, logging the raw credentials from the login request in plaintext defeats the entire purpose of hashing: an attacker who reads the log gets the passwords directly and never has to crack anything.

It is critical that organizations pay attention to what information is being logged, and that they monitor configuration changes on their servers, in order to protect sensitive data and ensure the privacy and security of their customers.
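Two controls follow directly from the two points above: scrub credentials from request data before it is ever written to a log, and audit the logs you already have for credentials that slipped through. The Python below is an added example illustrating both; it is not code from IEEE, Tripwire or the original article. The list of sensitive parameter names and the combined-log-style sample lines (including the credentials "Hunter2" and "s3cret!") are constructed for the example.

```python
import io
import logging
import re

# Parameter names whose values must never reach a log. Constructed list for this
# example; extend it for your application. Prefixed variants such as
# "new_password" or "csrf_token" are matched as well (over-redaction is safe).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")
_KEYS = "|".join(SENSITIVE_KEYS)

# key=value form: query strings and urlencoded bodies.
_KV_RE = re.compile(rf'(?i)([\w-]*(?:{_KEYS}))=([^&\s"]*)')
# "key":"value" form: JSON bodies that were copied into a log line.
_JSON_RE = re.compile(rf'(?i)"([\w-]*(?:{_KEYS}))"\s*:\s*"([^"]*)"')

MASK = "REDACTED"


def redact_line(line: str) -> str:
    """Mask the value of every credential-like field in one log line."""
    line = _KV_RE.sub(lambda m: f"{m.group(1)}={MASK}", line)
    return _JSON_RE.sub(lambda m: f'"{m.group(1)}":"{MASK}"', line)


def find_credentials(line: str):
    """Return the names of credential fields that still carry a real value."""
    found = []
    for rx in (_KV_RE, _JSON_RE):
        for m in rx.finditer(line):
            if m.group(2) and m.group(2) != MASK:
                found.append(m.group(1))
    return found


def scan_log(text: str):
    """Audit an existing log: (line_number, field) for every leaked credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for key in find_credentials(line):
            hits.append((n, key))
    return hits


class CredentialRedactingFilter(logging.Filter):
    """Scrub credentials from every record before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()  # the message is already fully formatted
        return True


# Constructed sample access-log lines. Lines 1 and 3 carry plaintext
# credentials of the kind that must never be on disk.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2012:10:15:01 +0000] "GET /login?username=alice&password=Hunter2 HTTP/1.1" 200 512
10.0.0.6 - - [28/Sep/2012:10:15:03 +0000] "GET /search?q=ieee HTTP/1.1" 200 1024
10.0.0.7 - - [28/Sep/2012:10:15:09 +0000] "POST /api/auth HTTP/1.1" 200 64 body={"username":"bob","password":"s3cret!"}
"""


def demo_safe_logging() -> str:
    """Log the sample requests through the filter; return what reached the handler."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(CredentialRedactingFilter())
    logger = logging.getLogger("access")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    for line in SAMPLE_LOG.splitlines():
        logger.info("%s", line)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print("leaks in existing log:", scan_log(SAMPLE_LOG))
    print(demo_safe_logging())
```

Running the script reports the two leaking lines from the sample, then prints the same requests as they look once the filter is attached, with the password values replaced by REDACTED. The filter is attached to the handler rather than the logger so it scrubs every record that handler writes, whichever logger produced it; the scanner is the check to run over logs that already exist, since a redaction filter does nothing about data written before it was deployed.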

Had Dragusin not acted ethically, the breach could have been far worse: IEEE would not have known about the exposure until it was too late, and the credentials collected could have been used to compromise the other organizations whose employees reuse them.

Cross-posted from Tripwire's State of Security
