Radu Dragusin, who on September 24 alerted the IEEE (Institute of Electrical and Electronics Engineers) that they were inadvertently exposing members’ usernames and unhashed passwords, has released an analysis of the breached data. Conclusions based on what I’ve read: (1) IEEE members are human, (2) a site’s logs should be guarded carefully (and set up correctly, so that they never record passwords in the first place), and (3) something’s up in Ecuador.
Of course, I’m not listing the biggest, most obvious conclusion: data security tools, such as AlertBoot’s Mobile Security, can only do so much.
How the Breach Came To Be
According to Dragusin, he happened on a server log kept by the IEEE:
Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. [ieeelog.com]
In the logs, he found 422,308 entries that showed both the username and password. Of these, 99,979 were unique. The directory holding the log files contained 100 GB of data.
In essence, the exposure came down to misconfiguration and the discovery to luck: someone at IEEE failed to restrict access to a directory of logs (logs that should never have contained passwords to begin with), and a security researcher happened on that directory.
I would imagine that the IEEE properly protected their actual list or lists of usernames and passwords (usually, it’s only the password that gets hashed). But, they still had a plaintext password breach because they weren’t completely aware of where their data was ending up.
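The practical lesson of this section is that credentials can end up in places nobody thinks of as a password store, and that you should audit your own logs for them. The following is an added example, not code from the original post and not anything IEEE or Dragusin published. It assumes, hypothetically, an Apache/nginx combined-format access log whose request lines carry login parameters named `username` and `password` in the query string; the post does not say what format the IEEE logs used or what the parameters were called. The log lines are constructed for the example and reproduce the two figures Dragusin reported (total entries exposing credentials versus distinct credential pairs), plus a redaction function showing how such a log should have been written.

```python
"""Audit web-server access logs for credentials that leaked into the URL.

Added example, not code from the original post or from IEEE/Dragusin. It assumes
(hypothetically) a combined-format access log whose request lines carry login
parameters named 'username' and 'password' in the query string.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real IEEE data).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2012:10:00:01 +0000] "GET /login?username=alice&password=123456 HTTP/1.1" 302 0
203.0.113.5 - - [01/Sep/2012:10:00:09 +0000] "GET /login?username=alice&password=123456 HTTP/1.1" 302 0
198.51.100.7 - - [01/Sep/2012:10:01:00 +0000] "GET /login?username=bob&password=library HTTP/1.1" 302 0
198.51.100.8 - - [01/Sep/2012:10:02:00 +0000] "GET /papers?q=fpga HTTP/1.1" 200 5120
192.0.2.9 - - [01/Sep/2012:10:03:00 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.10 - - [01/Sep/2012:10:04:00 +0000] "GET /login?username=carol&password=SUNIV358 HTTP/1.1" 302 0
"""

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter names to look for (assumed; adjust to your application's login form).
USER_KEYS = ("username", "user", "login", "email")
PASS_KEYS = ("password", "passwd", "pass", "pwd")


def extract_credentials(line):
    """Return (username, password) if the request's query string carries both, else None.

    POST bodies are not in an access log, so only GET-style query strings are seen here.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    user = next((query[k][0] for k in USER_KEYS if k in query), None)
    pwd = next((query[k][0] for k in PASS_KEYS if k in query), None)
    if user is None or pwd is None:
        return None
    return user, pwd


def audit_log(text):
    """Count entries that expose a credential pair and the number of distinct pairs.

    These are the two numbers Dragusin reported for the IEEE logs
    (422,308 entries, 99,979 unique).
    """
    pairs = Counter()
    for line in text.splitlines():
        cred = extract_credentials(line)
        if cred:
            pairs[cred] += 1
    return {"entries": sum(pairs.values()), "unique": len(pairs), "pairs": pairs}


def redact(line):
    """Mask password parameters so a line like this can be written to disk safely."""
    pattern = r'((?:%s)=)[^&\s"]*' % "|".join(PASS_KEYS)
    return re.sub(pattern, r"\1[REDACTED]", line)


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print(f"{result['entries']} entries expose credentials, {result['unique']} unique pairs")
    for (user, pwd), n in result["pairs"].most_common():
        print(f"  {user}: {pwd!r} ({n} entries)")
    print("redacted:", redact(SAMPLE_LOG.splitlines()[0]))
```

Redaction at write time is a stopgap; the real fix is a login form that sends credentials in a POST body over TLS, so that the server never has them in a URL to log. Run the audit anyway: backups, debug dumps and proxy logs are where "where is our data ending up?" usually gets an unwelcome answer.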
IEEE: Smart People but Still Human
One would imagine that members of the IEEE, whom Dragusin points out “are highly [specialized] individuals, many of them working in critical industry, governmental and military projects”, would be more security-conscious about, well, everything. And yet, an analysis of the top passwords shows that this is not necessarily the case.
According to Dragusin, the top 18 most used passwords are, in descending order:
With the exception of library, student, and SUNIV358 (the last one being an interesting choice; does it represent a university and course number?) the list of passwords should look familiar to anyone who’s taken the time to analyze a password log. (As an aside: You know what’s really interesting? Some of these passwords used at IEEE are shorter than 6 characters in length).
In fact, it’s the power law at work: the top password, 123456, represents 0.3% of the exposed passwords. If you look at past breaches, like Gawker’s, you’ll notice that the top password also represents 0.3% of all compromised passwords: around 3,000 out of 1,000,000 were “123456” (the same top password at IEEE’s site).
As I noted earlier (and elsewhere), hashing passwords does not give you total security, not that I’m advocating against hashing. But there are limits to what a hash buys you. Gawker’s breach showed that 123456 is a common password, and it sits in the top 20 at IEEE as well. So even if the credentials in the logs had been hashed, an attacker would still get somewhere. With unsalted hashes, identical passwords produce identical hash strings, so counting the repeats yields the 20 most common hashes, and trying a short list of known favorites such as 123456 against them names each one. Per-user salts break that counting trick, since the same password hashes differently for every user, but the salt is stored right next to the hash, so the attacker simply tests the same short list of favorites against every salted hash, which is cheap with a fast hash function. Either way, the usernames are right there, so the recovered passwords can be tried directly.
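To make the two cases concrete, here is an added example (mine, not code from the original post, and not a description of how IEEE actually stored passwords, which the post does not say). The credential list is constructed, with 123456 as the most common entry, and the short guess list stands in for the top-N lists published after earlier breaches such as Gawker’s. Unsalted SHA-1 and per-user random salts with SHA-256 are assumptions chosen for illustration. The unsalted dump falls to frequency counting plus a handful of guesses; the salted dump produces all-distinct hashes, so counting tells the attacker nothing, yet the same five guesses still recover every account that used one of them.

```python
"""Why hashing alone does not hide the commonest passwords.

Added example, not code from the original post. The user list is constructed
(not IEEE data); unsalted SHA-1 and per-user salted SHA-256 are assumptions
for illustration, since the post does not say how IEEE stored passwords.
"""
import hashlib
import os
from collections import Counter

# Constructed leaked list: 12 users, 4 of them on the top password.
USERS = [("u%02d" % i, pw) for i, pw in enumerate(
    ["123456", "123456", "ieee2012", "123456", "library", "student",
     "123456", "password", "SUNIV358", "library", "12345678", "qwerty"])]

# Tiny stand-in for a published top-N list from an earlier breach.
TOP_GUESSES = ["123456", "password", "12345678", "qwerty", "library"]


def hash_unsalted(pw):
    """Assumed legacy scheme: one fast hash, no salt."""
    return hashlib.sha1(pw.encode()).hexdigest()


def hash_salted(pw, salt):
    """Assumed per-user salted scheme (still a fast hash, so guessing stays cheap)."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def dump_unsalted(users):
    return [(u, hash_unsalted(p)) for u, p in users]


def dump_salted(users):
    out = []
    for u, p in users:
        salt = os.urandom(8)  # stored next to the hash, so the attacker has it too
        out.append((u, salt, hash_salted(p, salt)))
    return out


def frequency_attack(dump):
    """Count repeated hash strings; only informative when equal passwords give equal hashes."""
    return Counter(h for _u, h in dump).most_common()


def crack_unsalted(dump, guesses):
    """Find the most common hash by frequency, then name it with a handful of guesses.

    Returns (password or None, number of users sharing it).
    """
    top_hash, n = frequency_attack(dump)[0]
    table = {hash_unsalted(g): g for g in guesses}  # one hash per guess, reused for everyone
    return table.get(top_hash), n


def crack_salted(dump, guesses):
    """Salts defeat frequency counting, but each salted hash is just tested against
    the same short guess list; cost is users x guesses hash computations."""
    hits = {}
    for user, salt, h in dump:
        for g in guesses:
            if hash_salted(g, salt) == h:
                hits[user] = g
                break
    return hits


if __name__ == "__main__":
    un = dump_unsalted(USERS)
    print("unsalted: most common hash seen", frequency_attack(un)[0][1],
          "times; named as", crack_unsalted(un, TOP_GUESSES)[0])
    sa = dump_salted(USERS)
    print("salted: distinct hashes =", len({h for _u, _s, h in sa}), "of", len(sa))
    print("salted: recovered", crack_salted(sa, TOP_GUESSES))
```

At the IEEE's scale, 100,000 salted hashes times a 20-entry guess list is two million hash computations, seconds of work with SHA-256. A deliberately slow password hash (bcrypt, scrypt, PBKDF2 with a high iteration count) raises that cost by orders of magnitude, but a user whose password is 123456 is still found on the first guess; salting and slow hashing limit the damage of a leak, they do not fix the password.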
What’s Going on in Ecuador?
This has nothing to do with data security, but I noticed that Ecuador appears to be a hotspot of IEEE member activity: on the map of where people were logging in to the IEEE site (based on the breached log data, of course), the relatively small South American nation lights up pink-hot in a sea of yellows and blues.
(Why do I mention it? No reason; just thought it was interesting, that’s all. Personally, I would have expected to see Brazil as another outlier to what I’m calling “the crimson band,” but perhaps it’s because its numbers are spread out.)