The IEEE, the world’s largest professional association for the advancement of technology, has joined the ranks of the enbreached, following an exposé by Denmark-based Romanian computer scientist Radu Dragusin.
Seems the organisation was using its upload server as a drop location for log files from the websites ieee.org and spectrum.ieee.org (its online magazine).
According to Dragusin, the logs recorded the details of nearly 400,000,000 HTTP requests.
These 400 million log entries included about 400,000 login requests containing the usernames and plaintext passwords of nearly 100,000 unique users.
Unfortunately, the log files were world readable.
When running an upload server, here are some things to consider:
- A world writable upload directory is OK. But make sure it isn’t world readable too.
- Don’t add passwords to your logfile. They’re supposed to be a shared secret between the user and your authentication backend, so they don’t belong anywhere else.
- Consider getting rid of FTP altogether. The uploads can be sniffed. Look at SFTP (or just scp) instead.
As Chester and I argued in Chet Chat 98, “If something is worth encrypting, it’s worth encrypting properly.” And if it’s worth encrypting, it’s worth encrypting all the time.
It’s not just worthwhile to encrypt Personally Identifiable Information (PII). It’s your moral (and in an increasing number of jurisdictions, your legal) duty.
As for Dragusin: by his own account, he got caught up in an agony of indecision.
Dragusin acquired the IEEE’s log data on 18 September 2012. “For a few days,” he writes, “I was uncertain what to do with the information and the data. On September 24, I let them know, and they fixed (at least partially) the problem.”
But his uncertainty didn’t prevent him rushing to register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
(OK, maybe it was someone else – the registration record is behind the WhoisGuard shield of proxy registrant Namecheap.com, operating out of a serviced “suite” in Los Angeles.)
Nor did it prevent him grabbing and processing 100GB of log data he knew wasn’t supposed to be accessible. Nor preparing from it a raft of colourful maps and charts showing victim counts (and only counts, I must point out) by city worldwide, by email provider, by web browser, and by password.
How is this bad?
It probably isn’t. But it’s more of a “don’t be evil” outlook than one of “actually be good”.
As Dragusin points out, the log data had been publicly available – whether anyone had accessed it or not – for at least a month. On 24 September 2012, he finally informed the IEEE, who closed the hole, By 25 September 2012, IEEE had performed a password reset and notified affected users.
Perhaps another week didn’t matter?
We shall probably never know, but if Dragusin had told the IEEE at once, those dates could have been 19 September and 20 September.
Perhaps another week did matter?
Of course, that would have probably robbed Dragusin of any novelty in his funky charts, and of his moment of fame. And, as a respected triumvirate of security researchers – Charlie Miller, Alex Sotirov, and Dino Dai Zovi – insisted back in 2009, “No more free bugs.”
It’s worth pondering. “Would we all have been better served if Dragusin had told IEEE on the day he found the treasure trove?”
I don’t have the answer – but if you think you do, please leave a comment below!
Oh, while we’re on funky charts: here’s something to look out for when you’re processing IP geolocation records.
See those 302 IEEE members who live in the Atlantic Ocean?
It’s where the Greenwich meridian crosses the Equator. Zero degrees East, Zero degrees South.
Simply put, unless the delegates at a scientific conference on board a conveniently-placed Atlantic cruise ship were geekily showing off (at satellite data rates), it’s dud data.