Compromised IEEE accounts, according to their geographic locations.

The Institute of Electrical and Electronics Engineers (aka IEEE) describes itself as “the world’s largest professional association for the advancement of technology”. The IEEE is not only home to many big names in the scientific and engineering community but many IEEE members are also employees of big tech firms (Google, Apple, IBM, Microsoft, etc. — you name it and the company probably has IEEE members). In fact, the IEEE has such technical expertise that it is well known as a standards setting body when it comes to technology. With such high company, you would think IEEE would employ top-notch security when it comes to safe guarding member information. Eh, not so much.

Radu Dragusin, a Master of Computer Science graduate from University of Copenhagen, is reporting the IEEE stored the login information (username/email and password) for almost 100,000 IEEE members (which is roughly 1/4 of total IEEE members) in plaintext in a log file in an FTP directory on IEEE’s server. This log file was publicly available on IEEE’s server for at least a month, leading to speculations that it could have been downloaded and accessed by anyone that knew about it.

According to Dragusin, the leaked login information was for IEEE accounts belonging to employees of “Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places”.

Now it should be mentioned that the log file contained the login information for IEEE accounts, not the login information for sensitive services such as work or personal e-mail or employee-only sections for the biggest names in tech. So even if an unauthorized person accessed the accounts of IEEE members, there likely aren’t many (if any at all) direct security issues because of the lack of significance of an account belonging to a trade group you subscribe to. There are, however, indirect security concerns.

The obvious indirect security concern is IEEE members using their IEEE login password and maybe username, which is in the form of an email address, for other services. Since almost 100,000 IEEE usernames and passwords are compromised, using the same login information for other services ould lead to the compromise of other accounts, too. We would hope “experts” would know better than to do that (erm… crap…) but it could happen.

Even if IEEE members do not reuse their IEEE passwords for other services, another indirect security concern is gaining access to almost 100,000 username and passwords provides hackers with better password guessing capabilities. This is because hackers now have a baseline they can use to try to guess passwords. For example, as one commentator points out, “ieee2012” (which is used by 270 of the leaked accounts) may be a password that is unique to IEEE accounts but someone who uses “ieee2012” is probably more likely to use “gmail2010” or something similar for their other accounts.

Even if we assume there is no trend-analysis value to the leaked logins, there is still yet another indirect security issue — access to personal data. It has been a long time since I created my IEEE account (I wonder if it is even still there — I should check) but if I remember correctly, one has to enter a good amount of personal information when registering plus provide payment details to pay fees. I have no doubt in my mind that some of this information, if not most of it, was (is) available in plain sight when logged into IEEE accounts. Leaked IEEE logins allows hackers access to this personal information, which can then be used to facilitate infiltration of other more sensitive accounts.

Aside from the indirect security consequence of this leak, this leak puts a huge black mark on the IEEE. Do you really want a group setting standards for your technology, standards that could potentially be related to data security, that cannot even secure the login information for its own members? A group that keeps a publicly available, unencrypted log that contains login information in plaintext? My guess is probably not.

For its part, the IEEE has accepted the security breach occurred and “addressed and resolved” the issue:

IEEE has become aware of an incident regarding inadvertent access to unencrypted log files containing user IDs and passwords. We have conducted a thorough investigation and the issue has been addressed and resolved. We are in the process of notifying those who may have been affected. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.

Still, a confession of guilt and measures to fix the mistake are not as good as not making the seemingly obvious blunder in the first place. While hindsight is always 20-20, one would expect a trade group filled with technology experts to know better.

[via ArsTechinca, image via IEEElog]