[STDS-802-11] Updated IEEE Statement on Security Incident



--- This message came from the IEEE 802.11 Working Group Reflector ---

Dear 802.11,

We were all alarmed by the announcement earlier this week about an IEEE account password breach. While I do not have a list of affected accounts, the story below indicates that those involved were already notified directly by the IEEE.

I can assure you we will continue to discuss this within the IEEE-SA and 802 and I will provide additional information as it becomes available.

 

Bruce Kraemer

Chair 802.11

 

Updated IEEE Statement on Security Incident

27 September – We deeply regret the exposure of user IDs and passwords that we became aware of on 24 September 2012. We would like to take this opportunity to explain to our members and customers the circumstances under which the exposure occurred and provide assurances with respect to IEEE’s security processes and policies.

IEEE follows security best practices based on ISO and NIST standards. We review these standards to ensure that we follow a certain security methodology in our practices and processes. Notwithstanding our precautions, the exposure of the user IDs and passwords nevertheless did occur and we have thoroughly investigated how it happened.

We have found the following:

The incident related to the communication of user IDs and passwords between two specific applications within our internal network resulting in the inclusion of such data in web logs.

An anomaly occurred with a process executed in coordination with a proxy provider of IEEE, with the result that copies of some of the logs were placed on our public FTP server. These communications affected approximately two percent of our users. The log files in question contained user IDs and accompanying passwords that matched our directory. The primary logs were, and are, stored in protected areas.

Upon discovering this exposure, IEEE immediately removed those files, ceased receiving those log files from the proxy provider, and corrected the interapplication communication that resulted in the logs containing user IDs and passwords.

The affected user accounts were locked down, and only affected users were notified that IEEE is requiring that each affected user change his or her password. Institutional account information was, and remains, unaffected.

IEEE does not store its corporate directory information in the clear, does not expose it to the public, nor was the corporate directory compromised.

We thank IEEE’s more than 2.5 million global users for their continuing support. IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused.

Contact

Francine Tardo
1 732 465 5865
f.tardo@xxxxxxxx

Rodney Spady
1 732 562 6822
r.b.spady@xxxxxxxx

 
