AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
Data Security: IEEE 100K Username And Password Breach Analyzed By Whistleblower

Radu Dragusin, who on September 24 alerted the IEEE (Institute of Electrical and Electronics Engineers) that they were inadvertently exposing members' unhashed usernames and passwords, has released an analysis of the breached data.  Conclusions based on what I've read:  (1) IEEE members are human, (2) a site's logs should be guarded carefully (and set up correctly), and (3) something's up in Ecuador.

Of course, I'm not listing the biggest, most obvious conclusion: data security tools, such as AlertBoot's Mobile Security, can only do so much.

How the Breach Came To Be

According to Dragusin, he happened on a server log kept by the IEEE:

Due to several undoubtedly grave mistakes, the ieee.org account username and plaintext password of around 100,000 IEEE members were publicly available on the IEEE FTP server for at least one month. Furthermore, all the actions these users performed on the ieee.org website were also available. [ieeelog.com]

In the logs, he found 422,308 entries that showed both the username and password.  Of these, 99,979 were unique.  The directory holding the log files contained 100 GB of data.

As discussed previously, passwords need to be hashed, although this doesn't necessarily mean that passwords cannot be figured out (more on this later).

In essence, the breach occurred due to dumb luck: someone at IEEE forgot to apply the correct access restrictions to a directory, and a security researcher happened on that directory.

I would imagine that the IEEE properly protected their actual list or lists of usernames and passwords (usually, it's only the password that gets hashed).  But, they still had a plaintext password breach because they weren't completely aware of where their data was ending up.
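The failure described above was not in the password store but in where the data ended up: credentials that were passed in request URLs were written verbatim to the web server's access log, and that log sat in a world-readable directory. The following added example (not code from the post or from IEEE) shows the two checks a defender would run over such a log: detecting entries whose query string carries a credential parameter, counting total and unique credentials the way Dragusin did, and redacting the secret values before a log is retained or copied. The log lines and parameter names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/NGINX "combined"-style format. These are NOT the IEEE
# log entries; the usernames, passwords and IPs are invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2012:10:01:02 +0000] "GET /login?username=alice&password=123456 HTTP/1.1" 302 0
203.0.113.5 - - [24/Sep/2012:10:01:03 +0000] "GET /library/paper/123 HTTP/1.1" 200 51234
198.51.100.7 - - [24/Sep/2012:10:02:10 +0000] "GET /login?username=bob&password=ieee2012 HTTP/1.1" 302 0
198.51.100.7 - - [24/Sep/2012:10:05:11 +0000] "GET /login?username=bob&password=ieee2012 HTTP/1.1" 302 0
192.0.2.9 - - [24/Sep/2012:10:06:00 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.44 - - [24/Sep/2012:10:07:30 +0000] "GET /account?user=carol&passwd=library HTTP/1.1" 200 812
"""

# The quoted request line: METHOD TARGET PROTOCOL
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Parameter names treated as secrets / identities. Assumed names, extend per application.
SECRET_PARAMS = {"password", "passwd", "pass", "pwd"}
USER_PARAMS = {"username", "user", "login", "email"}

# Matches "password=<value>" inside a request target so the value can be masked.
SECRET_VALUE_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_PARAMS) + r")=[^&\s\"]*")


def extract_credentials(line):
    """Return (username, password) if the request's query string carries a secret, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    password = next((v[0] for k, v in query.items() if k.lower() in SECRET_PARAMS), None)
    if password is None:
        return None
    username = next((v[0] for k, v in query.items() if k.lower() in USER_PARAMS), "<unknown>")
    return username, password


def scan_log(text):
    """Count credential-bearing entries and unique (user, password) pairs.

    These are the two figures Dragusin reported for the IEEE log (422,308 entries,
    99,979 unique); here they are computed over the constructed sample.
    """
    hits = [c for c in (extract_credentials(l) for l in text.splitlines()) if c]
    return {
        "entries_with_credentials": len(hits),
        "unique_credentials": len(set(hits)),
        "top_passwords": Counter(pw for _, pw in hits).most_common(3),
    }


def redact_line(line):
    """Mask secret parameter values so a retained or shipped log cannot leak them."""
    return SECRET_VALUE_RE.sub(r"\1=[REDACTED]", line)


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    for raw in SAMPLE_LOG.splitlines():
        print(redact_line(raw))
```

Redaction at write time is a stopgap; the durable fix is the one the post implies: never accept credentials in a GET query string, so they cannot reach access logs, proxies, or browser history in the first place.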

IEEE: Smart People but Still Human

One would imagine that members of the IEEE, who Dragusin points out "are highly [specialized] individuals, many of them working in critical industry, governmental and military projects" would be more security-conscious about, well, about everything.  And yet, an analysis of the top passwords shows that this is not necessarily the case.

According to Dragusin, the top 18 most used passwords are, in descending order:

  1. 123456
  2. ieee2012
  3. 12345678
  4. 123456789
  5. password
  6. library
  7. 1234567890
  8. 123
  9. 12345
  10. 1234
  11. ADMIN123
  12. IEEE2012
  13. student
  14. ieee2011
  15. SUNIV358
  16. Password
  17. abcd1234
  18. admin

With the exception of library, student, and SUNIV358 (the last one being an interesting choice; does it represent a university and course number?) the list of passwords should look familiar to anyone who's taken the time to analyze a password log.  (As an aside: You know what's really interesting?  Some of these passwords used at IEEE are shorter than 6 characters in length).

In fact, it's the power law at work: the top password, 123456, represents 0.3% of the exposed passwords.  If you look at past breaches, like Gawker's, you'll notice that the top password also represents 0.3% of all compromised passwords: around 3,000 out of 1,000,000 were "123456" (the same top password at IEEE's site).

As I noted earlier (and elsewhere), the use of hashed passwords does not mean you get total security -- not that I'm advocating not using hashes.  However, there are limits to the security that hashes provide.  For example, Gawker's data breach shows us a common password is 123456.  This actually corresponds to a password in the top 20 at IEEE.  So, even if the passwords in the logs were hashed (with salt) at IEEE, all a hacker would have to do is count and sum up the number of each repeating hash string; get a list of top 20 hashed passwords; and figure out which one of them is 123456 via trial and error (after all, the usernames are also there).
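The two preceding paragraphs make a statistical point (the top password is about 0.3% of the set, as in the Gawker breach) and draw a consequence from it: if every copy of the same password hashes to the same string, an attacker can rank hashes by repeat count and match the most frequent one against the handful of passwords that top every breach list. The following added example (not the post's or IEEE's code) reproduces both over a constructed password set, and also shows the case the paragraph's count depends on: the ranking works when passwords are hashed without a salt or with one site-wide salt, while a random per-user salt makes identical passwords hash differently, so the repeat count alone no longer singles anything out. The sample data, the guess list and the hash choice (SHA-256, for illustration only; a real store should use a slow password hash) are assumptions of the example.

```python
import hashlib
import os
from collections import Counter

# Constructed sample of 1,000 passwords, NOT the breached data. Three users share
# "123456" (0.3%, echoing the figure in the post), two share "ieee2012", two share
# "password", and the remaining 993 are unique.
SAMPLE_PASSWORDS = (
    ["123456"] * 3 + ["ieee2012"] * 2 + ["password"] * 2
    + [f"unique-pw-{i:04d}" for i in range(993)]
)

# A short guess list of the kind that appears at the top of every breach analysis.
COMMON_GUESSES = ["password", "12345678", "123456", "ieee2012", "library", "admin"]


def top_passwords(passwords, n=5):
    """Most common plaintext passwords with their counts."""
    return Counter(passwords).most_common(n)


def top_share(passwords):
    """Fraction of all passwords taken by the single most common one."""
    (_, count), = Counter(passwords).most_common(1)
    return round(count / len(passwords), 4)


def hash_unsalted(password):
    """Illustrative only: an unsalted fast hash, the scheme the post's argument assumes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    """Illustrative only: the same fast hash with a per-user random salt prepended."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_frequency(hashes, n=3):
    """Rank stored hash strings by how often they repeat; the step the post describes."""
    return Counter(hashes).most_common(n)


def match_common_hash(hashes, guesses):
    """Check whether the most repeated unsalted hash is one of the well-known passwords.

    Returns the matching guess, or None when nothing in the guess list hashes to it.
    """
    (top_hash, _), = hash_frequency(hashes, 1)
    for guess in guesses:
        if hash_unsalted(guess) == top_hash:
            return guess
    return None


def compare_schemes(passwords):
    """Repeat count of the most frequent stored hash under each scheme."""
    unsalted = [hash_unsalted(p) for p in passwords]
    salted = [hash_salted(p, os.urandom(16)) for p in passwords]  # fresh salt per user
    return {
        "unsalted_top_repeat": hash_frequency(unsalted, 1)[0][1],
        "salted_top_repeat": hash_frequency(salted, 1)[0][1],
        "unsalted_top_identified_as": match_common_hash(unsalted, COMMON_GUESSES),
    }


if __name__ == "__main__":
    print(top_passwords(SAMPLE_PASSWORDS))
    print(f"top password share: {top_share(SAMPLE_PASSWORDS):.1%}")
    print(compare_schemes(SAMPLE_PASSWORDS))
```

The salted column coming out at 1 is the whole lesson: with per-user salts every stored value is unique, so repeat counting reveals nothing and each account has to be attacked individually, which is where a deliberately slow hash (bcrypt, scrypt, Argon2) adds its cost.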

What's Going on in Ecuador?

This has nothing to do with data security, but I noticed that Ecuador appears to be a hotbed of IEEE member activity: in a map showing the geographic locations from which people were logging in to the IEEE site (based on the breached log data, of course), the relatively small South American nation shows up as a patch of pink-hot activity in a sea of yellows and blues.

(Why do I mention it?  No reason; just thought it was interesting, that's all.  Personally, I would have expected to see Brazil as another outlier to what I'm calling "the crimson band," but perhaps it's because its numbers are spread out.)


Related Articles and Sites:
http://ieeelog.com/
http://it.slashdot.org/story/12/09/25/1356211/data-breach-reveals-100k-ieeeorg-members-plaintext-passwords


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.