100,000 password revelation was a coincidence

He was just trying to make things easier for himself: He needed to read the technology articles on his phone. This, according to Radu Dragusin, the University of Copenhagen, was when he stumbled upon the 100,000 password privacy disaster that hit the world’s IT headlines.

In an exclusive interview with the University Post, Radu Dragusin, a teaching assistant at the Department of Computer Science DIKU, talks about what happened when he discovered the potential security calamity.

See the original story reported by University Post: 100,000 password disaster stopped by UCPH scientist.

‘World’s largest’ embarrassment

»I thought to myself, this is just amazing, this is huge, I have to report this straight away«.

This was Radu Dragusin’s reaction when he first realized that IEEE, which claims to be ‘the world’s largest professional association dedicated to advancing technological innovation’, had inadvertently compromised the personal information of thousands. He was messing around with his phone, when he discovered the breach.

»I wanted to download these articles to my smart phone to read with ease, however this proved quite annoying and somewhat troubling to download, so I accessed the direct files using the FTP server to find the articles to download directly.«

Suddenly, more personal info

An FTP (File Transfer Protocol) is used to transfer files from one host or to another host, such as the Internet. This old system is easily accessible to anyone in the know about how these things work.

»I’m thinking this is a bit of a long shot, but no problem if I try. So I looked for the latest modified folders and discovered a file that actually delivers content to customers worldwide. So I downloaded and decompressed one of the files and the data that was found included IP addresses, which I must say I found a bit weird. I decided to download it all to analyse the data.«

What became clear quite quickly was that the data didn’t just include IP addresses but also much more personal information, such as which Internet browsers users were using, such as Google Chrome and Firefox.

Apple, NASA, US govt.

However, what Radu would stumble upon next really triggered his alarm bells.

»Here we had usernames and passwords of individual users, accessible to anyone who knows how to use an FTP server. I believe there was something like 99,000 unique passwords and usernames compromised.«

»Remember this isn’t just everyday people using this site, it’s big companies, militaries and governments. The e-mail addresses I was seeing ranged from Apple, NASA and the US government.
So now I’m wondering what I should do, because this needs to be taken seriously and needs to be highlighted because these scenarios are happening too often.«

Radu went on to buy a domain and document his data findings via his blog, which you can read here..

Nothing special about him

»When I think about it, I didn’t do anything special. With a bit of knowledge anyone can do these things. It just so happened that it was me who stumbled upon this data.«

A few days later IEEE contacted Radu thanking him for bringing it to their attention, but requested that he take down his information from his website, which they believed was invasive.

»I was amazed by this, by that time there was already press coverage( including the University Post here). There were also requests from the general public wanting passwords, saying things as directly as ‘can I have the passwords’ to ‘I have a nice proposition for you’, of course none of this was ever given out.«

Privacy at stake, transperancy needed

»What I would like to get across is that I believe it is better to be open, and treat such breaches responsibly. Not only is people’s privacy at stake, but there is also the opportunity to make more individuals aware of the security concerns surrounding our online identities.«

»It is not clear what the best approach to treat such a breach would be. Of course the vulnerable entity, IEEE, should be notified to fix it, but this can be also a lesson to system developers and users as well.«

»I strongly believe that it is good if aggregated breached data would be presented in a more meaningful way to users, so people can understand the importance of security, and the amount of information available about them.«

universitypost@adm.ku.dk

Stay in the know about news and events happening in Copenhagen by signing up for the University Post’s weekly newsletter here.