Storied, stolid, serious and scientific?
Adjectives you might well think of applying to the IEEE, by its own account the world’s largest professional association for the advancement of technology.
Sadly, also seriously squirming after a sensational security spill.
[Thanks. That's adequate alliteration already, Ed.]
Yes, the IEEE has joined the ranks of the enbreached, following an exposé by Denmark-based Romanian computer scientist Radu Dragusin.
Seems the organisation was using its upload server as a drop location for log files from the websites ieee.org and spectrum.ieee.org (its online magazine). Ouch.
According to Dragusin, the logs recorded the details of nearly 400,000,000 HTTP requests.
Among those 400 million log entries were the usernames and plaintext passwords of nearly 100,000 unique users.
How is this bad?
* A world writable upload server? Maybe. But never world readable.
* Log all your web traffic? Maybe. But never log plaintext passwords.
* Allow vanilla FTP for uploads? Don’t do that. Use SFTP or scp instead.
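The second point above is the one that turns an embarrassing exposure into a credential breach: credentials passed in a request URL end up, verbatim, in every web server's default access log. The example below is added here and is not code from the article or from the IEEE; it scans constructed Apache "combined"-format log lines (not real IEEE data) for credential-bearing query parameters, reports which lines leaked what, and writes out redacted copies. The parameter name list and the log format are assumptions you would adjust for your own login form and server.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that must never reach a log file. Hypothetical list;
# extend it with whatever your login form and APIs actually use.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session"}

# Apache/nginx "combined" access log line:
# client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<rest>.*)$'
)

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for a request target.

    Values of sensitive query parameters are replaced with [REDACTED];
    the parameter names are returned so the caller can count how many
    credentials the original line exposed.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target, []
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            cleaned.append((name, "[REDACTED]"))
        else:
            cleaned.append((name, value))
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D
    new_query = urlencode(cleaned, safe="[]")
    return urlunsplit(parts._replace(query=new_query)), leaked

def scrub_log(lines):
    """Scan log lines; return (clean_lines, findings).

    findings: one (client, time, leaked_param_names) tuple per line whose
    request target carried a credential. clean_lines: the same lines with
    those values redacted, ready to be written out or shipped elsewhere.
    Lines the regex does not recognise are passed through untouched.
    """
    clean, findings = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            clean.append(line)
            continue
        new_target, leaked = redact_target(m.group("target"))
        if leaked:
            findings.append((m.group("client"), m.group("time"), leaked))
        clean.append(
            f'{m.group("client")} {m.group("ident")} {m.group("user")} '
            f'[{m.group("time")}] "{m.group("method")} {new_target} '
            f'{m.group("proto")}" {m.group("rest")}'
        )
    return clean, findings

# Constructed sample lines in Apache "combined" format; not real IEEE data.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2012:10:01:22 +0000] "GET /login?username=alice%40example.org&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Sep/2012:10:01:23 +0000] "GET /membership/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Sep/2012:10:02:05 +0000] "POST /api/auth?token=abc123 HTTP/1.1" 200 64 "-" "curl/7.26"',
]

if __name__ == "__main__":
    clean_lines, leaks = scrub_log(SAMPLE_LOG)
    for client, when, names in leaks:
        print(f"{client} at {when} leaked: {', '.join(names)}")
    print("\n".join(clean_lines))
```

Running a scrubber like this over existing logs tells you how bad the exposure already is; it does not stop the next line from being written. The durable fix is on the application side: send credentials in a POST body (which access logs do not record by default) rather than in a URL, and keep the resulting log files readable only by the accounts that need them, never by an anonymous upload server.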
As Chester and I argued in Chet Chat 98, “If something is worth encrypting, it’s worth encrypting properly.” And if it’s worth encrypting, it’s worth encrypting all the time.
It’s not just worthwhile to encrypt Personally Identifiable Information (PII). It’s your moral (and in an increasing number of jurisdictions, your legal) duty.
As for Dragusin: by his own account, he got caught up in an agony of indecision.
Dragusin acquired the IEEE’s log data on 18 September 2012. “For a few days,” he writes, “I was uncertain what to do with the information and the data. On September 24, I let them know, and they fixed (at least partially) the problem.”
But his uncertainty didn’t prevent him rushing to register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
(OK, maybe it was someone else – the registration record is behind the WhoisGuard shield of proxy registrant Namecheap.com, operating out of a serviced “suite” in Los Angeles.)
Nor did it prevent him grabbing and processing 100GB of log data he knew wasn’t supposed to be accessible. Nor preparing from it a raft of colourful maps and charts showing victim counts (and only counts, I must point out) by city worldwide, by email provider, by web browser, and by password.
How is this bad?
It probably isn’t. But it’s more of a “don’t be evil” outlook than one of “actually be good”.
As Dragusin points out, the log data had been publicly available – whether anyone had accessed it or not – for at least a month. On 24 September 2012, he finally informed the IEEE, who closed the hole. By 25 September 2012, IEEE had performed a password reset and notified affected users.
Perhaps another week didn’t matter?
We shall probably never know, but if Dragusin had told the IEEE at once, those dates could have been 19 September and 20 September.
Perhaps another week did matter?
On the other hand, that would have probably robbed Dragusin of any novelty in his funky charts. And, as a respected triumvirate of security researchers – Charlie Miller, Alex Sotirov, and Dino Dai Zovi – insisted back in 2009, “No more free bugs.”
Oh, while we’re on funky charts: here’s something to look out for when you’re processing IP geolocation records. See those 302 IEEE members who live in the Atlantic Ocean?
It’s where the Greenwich meridian crosses the Equator. Zero degrees East, Zero degrees South.
Simply put, unless the delegates at a scientific conference on board a conveniently-placed Atlantic cruise ship were geekily showing off (at satellite data rates), it’s dud data.
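For anyone aggregating geolocation output the way those charts did, here is an added example (not code from the article or from Dragusin's analysis) of counting records by city while treating the (0, 0) sentinel, out-of-range coordinates and unparseable values as "unknown" rather than as a very wet city. The records are constructed for illustration, and the tolerance around (0, 0) is an assumed threshold, not a figure from the page.

```python
from collections import Counter

# (0.0, 0.0) is where the Greenwich meridian meets the Equator, and is what
# many geo-IP feeds emit when they have no answer. Anything within this box
# around it is treated as unlocatable. Assumed threshold, not from the page.
NULL_ISLAND_TOLERANCE = 0.01  # degrees

def is_null_island(lat, lon):
    """True when the coordinate is the 'no data' sentinel near (0, 0)."""
    return abs(lat) < NULL_ISLAND_TOLERANCE and abs(lon) < NULL_ISLAND_TOLERANCE

def count_by_city(records):
    """Count records per city, parking unlocatable ones under 'unknown'.

    records: iterable of dicts with 'city', 'lat' and 'lon'. lat/lon may be
    strings, None or missing, as they often arrive from a geo-IP lookup.
    """
    counts = Counter()
    for rec in records:
        try:
            lat, lon = float(rec["lat"]), float(rec["lon"])
        except (KeyError, TypeError, ValueError):
            counts["unknown"] += 1          # no coordinate at all
            continue
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            counts["unknown"] += 1          # impossible coordinate
            continue
        if is_null_island(lat, lon):
            counts["unknown"] += 1          # the Atlantic Ocean delegation
            continue
        counts[rec.get("city") or "unknown"] += 1
    return counts

# Constructed sample geo-IP lookups; the IPs are documentation ranges.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.7", "city": "Copenhagen", "lat": "55.676", "lon": "12.568"},
    {"ip": "203.0.113.8", "city": "Copenhagen", "lat": "55.676", "lon": "12.568"},
    {"ip": "198.51.100.4", "city": "Los Angeles", "lat": "34.052", "lon": "-118.244"},
    {"ip": "192.0.2.1", "city": "", "lat": "0.0", "lon": "0.0"},
    {"ip": "192.0.2.2", "city": "", "lat": "0", "lon": "0"},
    {"ip": "192.0.2.3", "city": "Atlantic Ocean", "lat": "0.000", "lon": "0.000"},
    {"ip": "192.0.2.4", "city": "Nowhere", "lat": "n/a", "lon": "n/a"},
    {"ip": "192.0.2.5", "city": "Nowhere", "lat": "95.0", "lon": "10.0"},
]

if __name__ == "__main__":
    for city, n in count_by_city(SAMPLE_RECORDS).most_common():
        print(f"{city}: {n}")
```

Reporting the "unknown" bucket explicitly, rather than silently dropping it, is the point: a chart that quietly loses five per cent of its rows is as misleading as one that puts them in the sea.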
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wV1tOrhf9tU/