Swede Hacks Embassy Account Information From Around the World

Posted by Zonk on Fri Aug 31, 2007 09:33 AM
from the around-the-world-in-an-address-book dept.
paulraps writes "A Swedish IT consultant has caused a stir in diplomatic circles after publishing a list of secret log-in details belonging to 100 embassies, public authorities and political parties around the world. Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles. Instead he claimed that publishing the list was easier than contacting the organizations individually — and that if he had handed it to the Swedish authorities then that would have been spying."

Related Stories

Tor Used To Collect Embassy Email Passwords (99 comments)
Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.
  • by Paperghost (942699) on Friday August 31, @09:35AM (#20424467)
    "Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles." ....whoops.
  • Not after fame, eh? (Score:5, Insightful)

    by blind biker (1066130) on Friday August 31, @09:38AM (#20424503)
    (Last Journal: Sunday September 02, @06:01PM)
    Then why not publish the list anonymously?
    • Because.... by erareno (Score:2) Friday August 31, @09:42AM
      • Re:Because.... (Score:5, Insightful)

        by kevin_conaway (585204) on Friday August 31, @09:46AM (#20424669)
        (http://pyscrabble.sf.net/)

        If he DID publish the list anonymously, then the list could just as easily have been dismissed (through political agreements) as completely inaccurate/wrong.

        I don't see how having a random stranger's name attached to the list makes the data published any more or less accurate.

        • Re:Because.... (Score:4, Insightful)

          by Vellmont (569020) on Friday August 31, @10:40AM (#20425449)

          I don't see how having a random stranger's name attached to the list makes the data published any more or less accurate.

          It doesn't, obviously. Publishing anonymously makes it easier for governments to simply SAY the published information is inaccurate. Having someone that's standing behind that statement makes it more difficult to play that game. People don't tend to trust anonymous sources. Look no further than slashdot for evidence of that (where anonymous is different from a pseudonym).
    • Re:Not after fame, eh? by morgan_greywolf (Score:2) Friday August 31, @10:28AM
  • by SavvyPlayer (774432) on Friday August 31, @09:40AM (#20424549)
    Anonymously giving the list to a local newspaper would have achieved the stated objective.
  • Good intentions? (Score:4, Insightful)

    by eln (21727) * on Friday August 31, @09:41AM (#20424557)
    I'm not sure what he was thinking when he decided that publishing the list would be the best way to draw the attention of the affected parties. Sure, calling 100 different embassies can be kind of a hassle, but he could just send out an email with a bunch of BCCs. I would assume he has an email address for each of them.

    Maybe this guy just doesn't have the same sense of self preservation that I do, but in my work I tend to avoid doing things that have the potential to cause a major international incident.
    • Re:Good intentions? by Otter (Score:3) Friday August 31, @09:46AM
    • Re:Good intentions? (Score:5, Insightful)

      by Anonymous Coward on Friday August 31, @10:17AM (#20425127)
      "he could just send out an email with a bunch of BCCs"

      That's basically what he did. It doesn't sound like this list is very public. It's just making its way around the so-called "diplomatic" circles.

      Let's look at this from another angle. He quietly published this list, and probably notified all the affected embassies. Then, at least some of the embassies, and a few news outlets, verify the list. Then, at least some of the embassies change the passwords. Then, those news outlets are able to get comments from the embassies and the guy, and then, publish a story on it. All this happened before YOU found out about it.

      I say it's a little early to fault the guy, since what he did is working just fine. Had he contacted each embassy individually, he would have had to convince each one over several emails or phone conversations. This way, he probably only had to talk to a few news outlets / embassies. Had he published the list in a local paper (I laughed out loud at this one) as another slasher suggested, the general public would probably have read copies of the emails in the affected accounts before the embassies ever knew there was a problem.
  • The real truth (Score:5, Informative)

    by paulraps (1007407) on Friday August 31, @09:51AM (#20424751)
    Here's a more detailed article [thelocal.se] on the subject, ending with a highly amusing quote from Dan Egerstad about his real reason for releasing the log-in info.
  • He wants room and board (Score:3, Interesting)

    In the local jail. Why else would anyone do something so boneheaded?

    Honestly, I can't think of any better way to get jailed than to embarrass and irritate the high-level diplomats of 100 countries.

    Yes, it was easier than turning the list over to authorities, or contacting each of the embassies. So what? It could easily be argued that he had a duty of confidentiality with his client that he failed to observe.

    Furthermore, he has actually made security worse by disclosing in this matter. Who knows how many embassies were already aware of the problem, and were in the process of tightening security? It is also likely that at least some of the embassies would have discovered the vulnerabilities independently of this consultant through internal audits, and would have fixed them silently.

    Now, while this guy has stirred up a hornet's nest, he hadn't really done anything to improve the security of these embassies. Sure, they have to fix it now, but they might have done it anyway.

    And what if the Swedes were aware of this and using this information for intel gathering? I don't think anyone is happy he did this.

  • by Rob T Firefly (844560) on Friday August 31, @09:58AM (#20424861)
    (http://robvincent.net/ | Last Journal: Tuesday October 09, @01:55PM)
    Their security is borked.
  • by Enlarged to Show Tex (911413) on Friday August 31, @10:01AM (#20424919)
    The weakest link in computer security is still the humans operating within the system...
  • Safety of the limelight (Score:5, Interesting)

    by Opportunist (166417) on Friday August 31, @10:02AM (#20424939)
    Honestly, should I dig up something like that, I will make it as public as possible, with as much of my name on it as possible as well.

    The reason is simple: When you're in the limelight, it doesn't go unnoticed when you suddenly "vanish". Post it anonymously and they will dig you up. Hand it to some journalist and the same will happen (just that one more person goes with you). You can't simply make someone disappear when he's in the center of attention. Unless you're Copperfield and want to vanish, but that's a different matter.
  • More Details and Actual addresses (Score:1, Interesting)

    by Anonymous Coward on Friday August 31, @10:15AM (#20425111)
    I had posted this yesterday as well for a story.
    A more detailed look by Indian express here [indianexpress.com].
    Looks like the newspaper guys took due diligence a bit too far...
    From the article:
      "The email account of the Indian Ambassador to China contained details of a visit by Rajya Sabha member Arjun Sengupta to Beijing earlier this month for an ILO conference. There was also a transcript of a meeting this evening which a senior Indian official had with the Chinese Foreign Minister. Similarly, accounts of NDA and DRDO officials reveal phone numbers, commercial documents, official correspondence and personal mails."
    This is probably very illegal. Even if the information has been posted for all to see [derangedsecurity.com], actually using this info to access someone else's account should be a no-no.
  • by fuzzy12345 (745891) on Friday August 31, @10:29AM (#20425293)
    Say he had contacted each embassy individually. Best case, a mid-level functionary would have fixed the one specific problem and not reported it.
    This way, media in the affected countries will be asking pointed questions, politicians will be asking questions in parliament, and many countries will improve their security policies at all their embassies worldwide, rather than just at the one with the known exposure.
    Why, though, do all recent articles seem to be click-throughs to other articles scant on details, ad infinitum? Would a link to the original article, rather than a pointer to another parrot, really be so hard? WHERE'S THE BEEF?
  • by blueZ3 (744446) on Friday August 31, @11:05AM (#20425769)
    (http://mame.danzbb.com/)
    "A Svedeesh IT cunsooltunt hes coosed a stir in deeplumetic curcles effter poobleeshing a leest ooff secret lug-in deteeels belungeeng tu 100 imbesseees, poobleec oothureeties und puleeticel perties eruoond zee vurld. Dun Igersted seeed he-a vesn't tryeeng tu iern muney, geeen poobleecity oor get a neme-a fur heemselff in heckeeng curcles. Insteed he-a cleeemed thet poobleeshing zee leest ves ieseeer thun cuntecting zee oorguneezeshuns indeefidooelly -- und thet iff he-a hed hunded it tu zee Svedeesh oothureeties zeen thet vuoold hefe-a beee spyeeng."
  • Which hole? (Score:2)

    by johkir (716957) <jokirby@EINSTEIN ... minus physicist> on Friday August 31, @12:19PM (#20426709)
    I'm curious as to which security hole or human weakness he used. I see from his site [derangedsecurity.com] and Netcraft [netcraft.com] that a lot of sites were Windows Server 2003 or Windows 2000 running IIS, but there is also Apache on Linux.
    • Re:Which hole? by NilleKopparmynt (Score:1) Friday August 31, @01:15PM
  • by kurmudgeon (1081557) on Friday August 31, @03:49PM (#20428715)
    It would appear this problem goes well beyond affecting embassies. According to an article [theregister.com] I just posted for The Register, Egerstad was able to sniff out the login details thanks to the embassies' misuse of a common client-side security application that allows him to perform a man-in-the-middle attack. In all, he's been able to obtain credentials for more than 1,000 email accounts, at least one of which belonged to an employee of a very large company.
  • I have access to a (or let's say THE) server from the US Embassy in a certain country because I used to work at the datacenter that hosted them, I do have full administrator rights (still) because the datacenter doesn't ever change all the different passwords and more than once we create administrator accounts for testing purposes, on the other hand, the machine WAS secured and certified by DHS although they missed large portions of scripts and crap that can be run through port 80 (the website part).

    I also have the access to a web server for a fairly small (regional) bank because I programmed their website. Again, poor security practices and audits (actually it's the auditors that only test for external threats, not for inside jobs) make that I still have full access to the machines to the point where I could host a small website using their very own SSL certificates. They are also certified by some government agency and have top-of-the-line firewall with deep packet inspection.
  • There is Moral Argument Here... (Score:2, Interesting)

    by Anonymous Coward on Friday August 31, @10:12AM (#20425075)
    Just because

    "Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles..."

    and has the technical ability and the altruistic motives doesn't make it right. Yet if the powers that be (pick your favorite governmental agency) can do this at will, that doesn't make it wrong either.

  • Re:Cue Borat Joke Here (Score:5, Funny)

    Of the compromised accounts, ten belong to the Kazakh embassy in Russia. Around 40 belong to Uzbeki embassies and consulates around the world.
    So half of the 100 accounts belong to underdeveloped former Soviet republics. It seems unsurprising that many of their staff would be unfamiliar with computer systems and computer security.

    Kazakhstan is the greatest country in the world, all other countries are run by little girls. Kazakhstan is number one exporter of internet security, Other Central Asian countries have inferior internet security.

    High Five!