Forgot your password?
typodupeerror
Security Stats IT

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords 160

Posted by timothy
from the pretty-pictures-ugly-facts dept.
First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."
This discussion has been archived. No new comments can be posted.

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords

Comments Filter:
  • Finally! (Score:5, Insightful)

    by wonkey_monkey (2592601) on Tuesday September 25, 2012 @10:17AM (#41449027) Homepage
    Some actual news for nerds, and from the horse's mouth. And graphs and everything. Love it.
    • Re:Finally! (Score:4, Funny)

      by alphatel (1450715) * on Tuesday September 25, 2012 @10:30AM (#41449175)
      It is obvious based on the geolocation data that Greenland is behind all of this.
      • by Beorytis (1014777)
        The map geolocation data would be more meaningful on a population cartogram.
      • by samkass (174571)

        It is obvious based on the geolocation data that Greenland is behind all of this.

        I dunno... it looks like there's a town in central Russia where the secret cabal hides. That "109" data point north of Mongolia... there's nothing there on Google Maps...

    • Re:Finally! (Score:5, Insightful)

      by Anonymous Coward on Tuesday September 25, 2012 @10:59AM (#41449517)

      Yeah, but the "most used passwords" should really be a bar graph not a line graph. It's not like the midpoint between "ADMIN123" and "IEE2012" makes any sense.

    • by Volanin (935080)

      Not so fast! There is a problem with the analisys. Check the first graph: The 123456789 password appears twice (in the 4th position and in the last shown position). This is a blasphemy to my true nerd beliefs.

      • Looks like it's been fixed. There is still a minor offence in that a bar graph would be more suitable than a line :)
    • Someone should do a comparison in password complexity between this user group and the average user group (LinkedIn, Yahoo). Histograms of entropy in bits will show whether we know better or not.

    • And graphs and everything. Love it.

      Go Here:

      http://www.reddit.com/r/GraphPorn/ [reddit.com]

      Have an orgy :P

      (there must be some cosmic rule, just like there is an xkcd comic for everything, there is a subreddit for everything...)

  • Well... (Score:5, Funny)

    by fuzzyfuzzyfungus (1223518) on Tuesday September 25, 2012 @10:17AM (#41449039) Journal

    Does this make plaintext password storage an IEEE standard now?

    That could save an, er, friend of mine, a lot of work...

    • I was going to make a joke between IEEE and Internet Explorer, but I couldn't think of one. But web browsers do store users' passwords for various sites, which got me thinking:

      For passwords used to authenticate users to this system, hashing should be the standard. But for passwords used to authenticate a system to another system, such as authenticating an online store to its payment processor, the password has to be encrypted reversibly and the key stored somewhere.

      • by X0563511 (793323)

        Which is why real browsers like Firefox support the idea of a "master password" - the key is not stored, you have to enter it. Either that, or the key is itself encrypted and the password unlocks it for use.

        • Do you understand why Chrome doesn't allow a master password that actually obscures the stored passwords? I can't figure it out. I can't use a browser that doesn't do that. That's the only thing holding me back from Chrome.
          • by zindorsky (710179)

            On Windows, Chrome protects its password database with Windows' Data Protection API. The DPAPI has several layers, but at the end its security rests entirely on the Windows account password. So .... you do have a master password in a way, but we all know how easy it is to recover Windows passwords.

            • by X0563511 (793323)

              If I were to use ntpasswd to zap the password, would the DPAPI protected data still be accessible? Or would it be in effect gone, since the password was used to protect it?

              (ntpasswd zapping is effectively the same as removing the hash from /etc/shadow)

              • by zindorsky (710179)

                Sure you can go around Windows' back and directly change the password hash, but the data is still effectively encrypted with the old password, so yeah, it's gone.

        • by tepples (727027)
          I agree with you that encrypting the master key for a reversibly encrypted password store with a function of the user's password such as PBKDF2 is fine for a browser that can interact with the user. But a server may still have to store reversibly encrypted authentication tokens and use them without authenticating with its administrator every time. Is there a best practice to protect the master key used to encrypt such tokens on a server running a LAMP stack?
          • by X0563511 (793323)

            File permissions and, if possible, some kind of MAC such as SELinux will go a long way in protecting that data. Still, if one were to compromise the web server application itself, the application could access it (as it has to have access to function). You can only really protect it from other applications/users on the system.

            You might further protect it by storing this data in a loopback LUKS volume, though this means you'll have to manually (or automatically, thus defeating the purpose) mount this prior to

    • Re:Well... (Score:5, Informative)

      by tangent3 (449222) on Tuesday September 25, 2012 @11:11AM (#41449711)

      Disclaimer: I've RTFA'ed

      The passwords were not stored in plaintext.
      However, the web server access logs logged the passwords entered in plaintext. That was what was downloaded from a publically access ftp folder.

      • by Alef (605149)

        However, the web server access logs logged the passwords entered in plaintext.

        So, in other words, they were stored in plaintext.

        • by achbed (97139)

          However, the web server access logs logged the passwords entered in plaintext.

          So, in other words, they were stored in plaintext.

          No, they were logged as plaintext. This means that all invalid attempts as well as valid ones are stored in the log. The master store that is being used to store and retrieve/compare the final password (or password hash) is not included in the log. There is insufficient data from the breach to determine whether the master store is encrypted or not.

          • Re:Well... (Score:4, Informative)

            by Alef (605149) on Tuesday September 25, 2012 @02:47PM (#41453431)

            Well, so what? The intention may not have been to have the passwords written in plain text to a file, but they were. It doesn't matter how much you salt and encrypt the "master store" if you f*ck up and write them another file in clear text as well. They are there, readable on the disk. The fact that it was a log file doesn't diminish the error the least. In fact makes it even worse, since the security of a log file is likely not looked after to the same degree as a password database (as we can clearly see in this case, where they left it on an ftp). If you write clear text passwords along with user names to an unencrypted file under any circumstance whatsoever, you fail. If you have a clue about security, you simply never, ever do that!

            And for that matter, what has invalid attempts got to do with it? Security through infinitesimal obscurity? Unless you have something like a million times as many invalid attempts as valid ones, it is of no consequence.

  • by Anonymous Coward on Tuesday September 25, 2012 @10:24AM (#41449099)

    Why do we need to learn this from the newspaper?

  • In addition to setting correct permissions, there are several FTP servers that suppress passwords in their logs. (e.g., Serv-U: Server Limits | Password | Mask received passwords in logs)

    Even on anonymous FTP servers, you should hide passwords in the logs; otherwise someone who gets the logs can mine email addresses. (Anonymous users frequently sign on as "anonymous" and are asked for their email address as a password.)

    • by causality (777677)

      (Anonymous users frequently sign on as "anonymous" and are asked for their email address as a password.)

      Which is always root@the.ftp.server's.hostname.com, right?

    • by X0563511 (793323)

      I generally just slap the keyboard and supply whatever results as the password. Using your email as the password was always stupid. Why do you even require a password!?

      • by tqk (413719)

        Using your email as the password was always stupid. Why do you even require a password!?

        Back in the distant past, people ran FTP servers which let anyone grab stuff off them "for the common good" (eg., tsx-11.mit.edu). You logged in as username "anonymous" and password "your email address." It was just the polite thing to do for someone letting you use their ftp server to get neat stuff from them.

        I'm not surprised this's foreign to anyone these days.

    • Yea! I'm one of those that tend to use anonymous ftp access and give my email, which is "Test@example.com". Seems to work quite well for most anonymous access. Of course, the few servers I use no loger require an email address for anon ftp access.

  • I mean, PLAINTEXT passwords AND publicly available on their FTP.

    Does he/still have the job?

  • by Tridus (79566) on Tuesday September 25, 2012 @10:26AM (#41449131) Homepage

    You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches. They're still common, easily guessable passwords. Hashing wouldn't have protected them very long, as these are on the short list for any cracking program to test.

    It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure. We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

    • by MadKeithV (102058) on Tuesday September 25, 2012 @10:32AM (#41449201)

      . We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

      Maybe it would work if we could get a battery-powered horse to staple the correct message to people.

      • by X0563511 (793323)

        Reference. [xkcd.com]

        Amusing anecdote: on the GW2 forums people kept getting password-guessed. I pointed this strip out in a few places as a recommendation.

        Fast forward a week or two and the Arenanet president sends out an email talking about various things... and provides said strip as a suggestion for crafting good passwords! Kudos XKCD! (and possibly myself, as I had not seen anyone else point it out to them)

    • I'd be willing to bet that either some low paid lackey was in charge of the website and built it with no oversight or anyone even asking simple questions about what he/she was doing, or they farmed it out to someone who apparently didn't have a clue, didn't have the time, or simply didn't care.

      It's unbelievable to me that so many don't check their work or verify security settings, or even ask what could possibly go wrong.

      Embarrassing breaches are inevitably the result.

      And yep - whoever uses "passwo
    • by tlhIngan (30335) <<slashdot> <at> <worf.net>> on Tuesday September 25, 2012 @11:32AM (#41450037)

      You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches. They're still common, easily guessable passwords. Hashing wouldn't have protected them very long, as these are on the short list for any cracking program to test.

      It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure. We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

      The question becomes though - what benefit does it do me to have a strong password on sites I don't value?

      Like say, /. - why not use "password" or "123456"? If someone breaks in, BFD.

      Likewise, many forums and blogs require registration to do basic things - seems like "password" or "123456" is useful for a one-time throwaway account.

      The IEEE has a similar problem. Sometimes it protects great assets (member-only access to papers/journals/standards), othertimes, it's used because some guy wanted the 802.x spec (available for free, registration required), in which case they'd just pick some throwaway password because so what if it's compromised?

      And that's the thing - I've seen websites host some files I wanted require changing passwords every 30 days with upper case, lower case, numbers AND symbols. Secure, sure, but everytime I used it (every few months), I needed to reset it. In the end I just ended up using their temporary password, remembered in browser. To me, it wasn't terribly important files (they still needed a license key, available separately). Hell, if I looked, I could've found the same files off a torrent site.

      Oh, and "value" of a site is a personal judgement - if you asked a bunch of websites, you'd find they'd value their content "above average".

    • by Meeni (1815694)

      Nobody cares about having is IEEE account compromised, so everybody uses a bogus password. Rightfully so, it seems.

    • by wisnoskij (1206448) on Tuesday September 25, 2012 @11:38AM (#41450161) Homepage

      I agree, but the graph scale shows that only 300 out of the 100,000 people used those most common passwords.
      I am not sure what the average perentage of users that use horrible passwords are, but .3% is below what I would expect (and you have to think that all of those people probably know better, but just have nothing on their account worth protecting).

    • by Alef (605149)

      You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches.

      To be fair, there seem to be at most a few percent having lousy passwords. The other 98% or so of users deserve better protection, wouldn't you say?

      Also, if you think about it, looking only at which passwords are the most common isn't a terribly useful metric of anything. If almost everyone choose very strong passwords (meaning few collisions) and 3 people choose "12345", then that would still be the most common password. In part precisely because the rest used strong passwords.

    • by tqk (413719)

      It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure.

      You're trying to change human nature. Any time we can get away with being lazy, we will be lazy. It's the law of entropy. You need to come up with something miraculous to get us to stop following it. Good luck with that.

  • by 140Mandak262Jamuna (970587) on Tuesday September 25, 2012 @10:32AM (#41449217) Journal
    The password, log in and authentication methods are secure it looks like. The mistake they did was to allow public access to the log files of their web server. Dumb mistake. And among the log is the log for the authentication request. It contained the user names and passwords in plain text, because that is how the log in data gets "posted" to the web site.

    It is like having super duper security behind the passcode access panel. But leaving a security camera looking at the people using the panel recorded and making it public.

    • by tqk (413719)

      The mistake they did was to allow public access to the log files of their web server.

      It looks to me that the mistake they did was to not peruse their log files. Had they, they'd have noticed that their webserver was logging logins, failed logins, yada, that it shouldn't have been.

      Logs are not kept just because the authoritays may come looking for them. They're also (initially primarily) kept for confirming your software configuration isn't fscked up. IMHO.

      However, having worked with web hosts in the past which were spitting out > 200k errors/day, I can understand they may have been re

  • by nweaver (113078) on Tuesday September 25, 2012 @10:37AM (#41449261) Homepage

    Password hashing doesn't matter when the login password is conveyed in a URL and the URLs fetched are logged.

    From the article, its clear that this is what happened: the login process creates a URL with the username & password in it, and since the URLs were logged and accessible, the login passwords could be obtained in the clear.

    • by cbhacking (979169)

      One of the reasons why sensitive data should *never* be sent over HTTP using using GET, even over encrypted connections. Although in theory GET is no less secure than POST, in practice URLs (and therefore GET parameters) are commonly logged, while HTTP request bodies (and therefore POST parameters) almost never are.

  • by Cow Jones (615566) on Tuesday September 25, 2012 @10:38AM (#41449275)
    From TFA:

    On these logs, as is the norm, every web request was recorded (more than 376 million HTTP requests in total). It is certainly unfortunate this information was leaked out, and who knows who got it before it got fixed.

    You could, you know... look in the logs to find out?

    • by tangent3 (449222)

      Apparently they logged http access but not ftp access....

    • by tqk (413719)

      You could, you know... look in the logs to find out?

      Who reads log files?!? Boring!!!111 :-P /s

  • by 140Mandak262Jamuna (970587) on Tuesday September 25, 2012 @10:41AM (#41449311) Journal
    Breach gives the connotation, some one or something broke into something that was protected. Here it looks like IEEE, quite stupidly, left valuable data unguarded.
    • Whats the difference between breaking into an house and not having to because you find the door is not even locked?
      • All that we know is the house was left unlocked. We don't know if anyone entered, went to the den and copied all the passwords stuck on post-it notes on the monitor. Yet.
  • Maybe this ACM vs. IEEE thing is staring to getting out of hand?

  • Now that you've analysed your copy of the data, please delete it.
    • by tqk (413719)

      Now that you've analysed your copy of the data, please delete it.

      I think you've a shallow definition of "analyse." Analysis can go on forever. Yet another reason to protect your data.

  • After taking a look at the original article (I know, I know) it has an interesting plot about the prevalence of particular browsers. It looks as though there is a clear dip in the use of the site at weekends (at least the two weekends shown), but what's more interesting is that the browser use proportions also seem to change at the weekends, with a drop in the proportion of IE users. Is this a known thing generally?
  • Out of the 100k passwords how many were unique? Could we have a graph of how many passwords were used how many times? Something that could be analysed to say that in your case about 85% of people used a unique password and 10% used a password in the top 10 or top twenty whatever. This could be used to compare to other datasets to extract a level of cluelessness/cluefulness.

  • The IEEE web site has annoyed me for 15 years... it is the lamest, backwardest, hardest to use, most idoidocally designed web site of any of the professional societies involved with computing. It is an embarrassment. Perhaps now the morons that are resposible will be seen for the morons that they are. Or not. I'm not holding my breath. This is the IEEE.

  • "You IEEEdiots!!"
  • Not only this, but IEEE recently change from a system where you had an arbitrary username to go with your password, to a system where you are required to use an email address as your username.

    This was done, according to them, to be more secure. Even before I found out about this nonsense, I told them that tieing a password to a specific identifiable person, using a tag that was nearly publicly accessible, was absolutely less secure than letting someone pick a username that appeared noplace except in the lo

  • Who knew Wichita was such a practical HOTBED of IEEE membership?

If you think the system is working, ask someone who's waiting for a prompt.

Working...