Swede Hacks Embassy Account Information From Around the World

paulraps writes "A Swedish IT consultant has caused a stir in diplomatic circles after publishing a list of secret log-in details belonging to 100 embassies, public authorities and political parties around the world. Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles. Instead he claimed that publishing the list was easier than contacting the organizations individually — and that if he had handed it to the Swedish authorities then that would have been spying."

When best intentions go wrong

[Paperghost]

"Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles." ....whoops.

Re:

[aldousd666]

haha i was just thinking the same thing.. I don't understand how he can possibly say that and believe it at the same time. Likely he doesn't.

Re:

[joeldg]

"...easier than handing it to them directly..." ???
wtf, so it is easier to make a post and leave 100+ embassies open to the world or to send mails..
I suppose there are ethics here that I am missing.. saying he was supposedly doing these people a "favor" by publishing this..

I guess at least he didn't try to blackmail them.

Re:

[TeknoHog]

This looks exactly like security flaws in commercial software. Somehow the fixes are always delayed until someone makes a detailed public announcement of the bugs.

Re:

[borodir]

Double oops. What did he think was going to happen?

Not after fame, eh?

[blind biker]

Then why not publish the list anonymously?

Because....

[erareno]

If he DID publish the list anonymously, then the list could just as easily been dismissed (through political agreements) as completely inaccurate/wrong.

Re:Because....

[kevin_conaway]

If he DID publish the list anonymously, then the list could just as easily been dismissed (through political agreements) as completely inaccurate/wrong.

I don't see how having a random strangers name attached to the list makes the data published any more or less accurate.

Re:Because....

[Vellmont]

I don't see how having a random strangers name attached to the list makes the data published any more or less accurate.

It doesn't, obviously. Publishing anonymously makes it easier for governments to simply SAY the published information is inaccurate. Having someone that's standing behind that statement makes it more difficult to play that game. People don't tend to trust anonymous sources. Look no further than slashdot for evidence of that (where anonymous is different from a pseudonym).

Re:

[morgan_greywolf]

Because then no one would search for his LinkedIn account [linkedin.com], thus upping his number of connections from a mere 8.

There is Moral Argument Here...

[Anonymous Coward]

Just because

"Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles..."

and has the technical ability and the altruistic motives doesn't make it right. Yet if the powers that be (pick you favorite governmental agency) can do this at will, that doesn't make it wrong either.

Competent hacker, poor social engineer

[SavvyPlayer]

Anonymously giving the list to a local newspaper would have achieved the stated objective.

Re:

[Opportunist]

...and also would've caused a LOT of trouble for both, him and the newspaper publishing it. Not everywhere on this planet journalists enjoy the right to keep their sources secret.

Re:

[SavvyPlayer]

No editor would outright publish such a list. Of course the proper agencies would be contacted by the paper and a sensationalized story reprimanding the irresponsible gov agencies involved written during the course of the interaction.

Re:

[Ajehals]

Or the paper would have handed it to the correct government agency and that government agency would have been able to (mis)use the information (maybe only for a short time, but still).

I think that this course of action, whilst not the best was probably taken to ensure that he wasn't seen as a spy, or a terrorist. Moreover I assume that once he had this information he had a hell of a time figuring out who he would be able to trust with it. If you don't know who to trust, don't want to start contacting the g

Re:

[SavvyPlayer]

Journalists lack the forensic tools to track down anonymous submissions, especially those of competent security consultants. Sigh.

Re:Competent hacker, poor social engineer

[QuickFox]

Not everywhere on this planet journalists enjoy the right to keep their sources secret.

Here in Sweden he would certainly be well protected. We have strong laws about these things. Not only in the direct relationship with the papers. For instance, a whistleblower in public employ is so well protected that his boss can't even make innocent comments during a break at the coffee table trying to guess who it might be. Any attempt to try to identify a whistleblower, no matter how innocent it might seem, would land the boss in trouble. And the papers of course guard this protection with great fervor, making lots of publicity when any attempt is made.

Re:

[lawpoop]

Yeah right. Newspapers get bogus crap from anonymous 'geniuses' all the time, who claim to have uncovered conspiracies or figured out the secrets of the universe. Another list of startling vulnerabilities in the world's embassies certainly would have gotten the attention of all the editors.

Re:

[SavvyPlayer]

This info can be validated by anyone in 3 minutes. Sigh.

Re:

[lawpoop]

This info can be validated by anyone in 3 minutes. Sigh.

First of all, No, it can't. Investigative journalists are trained to do only two things:

1. Tell when someone's lying or when their story doesn't add up -- a kind of social engineering
2. Follow the money

They can't examine scientific claims or medical breakthroughs or stories about computer technologies. When they are forced to do this, they call a bunch of experts and see what their opinions are, which is basically employing skill #1.

If you can validate this story in 3 minutes, you are a better than average

Re:

[SavvyPlayer]

While one must appreciate another's effort to discuss, I have to abstain from a response until a valid analogue is supplied. Why can't an investigative journalist type a URL and enter a user name and pw when prompted given a few minutes?

Re:

[lawpoop]

If that's all that's required, I have to admit that that level of technical competence is widespread enough that any journalist could do it.

Re:

[lawpoop]

I re-read the article trying to figure out the point you can make. From what I gather, a Swedish 'hacker' -- probably just a computer user -- found a list of valid passwords for the embassies' email websites. It's not like this is a buffer overflow, backdoor, or lousy password policy. They simply didn't protect their passwords, AFAICan tell. So what exactly is the story, or the journalistic angle? "Web email system works as expected, even for Embassies" ? That you can log in, provided you know the userna

Good intentions?

[eln]

I'm not sure what he was thinking when he decided that publishing the list would be the best way to draw the attention of the affected parties. Sure, calling 100 different embassies can be kind of a hassle, but he could just send out an email with a bunch of BCCs. I would assume he has an email address for each of them.

Maybe this guy just doesn't have the same sense of self preservation that I do, but in my work I tend to avoid doing things that have the potential to cause a major international incident.

Re:

[Otter]

Sure, calling 100 different embassies can be kind of a hassle, but he could just send out an email with a bunch of BCCs.

Yeah, you'd think that a guy who is so 1337 that he "accidentally" ran a cracker against 6 different embassies (it's 100 people, not embassies, despite what the submitter and Zonk wrote) wouldn't have trouble cc'ing them. My coworkers don't seem to have any trouble cc'ing a lot more people than that.

Re:

[zyklone]

He did not run a cracker against anything at all.

Re:

[Otter]

Is there some article I'm missing, besides the Ars Technica story and the piece it links? There are things in the blurb that don't appear in either.

At any rate, I'd be curious what this guy did that caused these passwords to "accidentally" fall out.

Re:Good intentions?

[Anonymous Coward]

"he could just send out an email with a bunch of BCCs"

Thats basically what he did. It doesn't sound like this list is very public. Its just making its way around the so-called "diplomatic" circles.

Let's look at this from another angle. He quietly published this list, and probably notified all the affected embassies. Then, at least some of the embassies, and a few news outlets, verify the list. Then, at least some of the embassies change the passwords. Then, those news outlets are able to get comments from the embassies and the guy, and then, publish a story on it. All this happened before YOU found out about it.

I say its a little early to fault the guy, since what he did is working just fine. Had he contacted each embassy individually, he would have had to convince each one over several emails or phone conversations. This way, he probably only had to talk to a few news outlets / embassies. Had he published the list in a local paper (i laughed out loud at this one) as another slasher suggested, the general public would probably have read copies of the emails in the affected accounts before the embassies ever knew there was a problem.

Re:

[LoverOfJoy]

Did he discover them all instantaneously? Why not send a quick email to each one as they become available. He could even do some quick copy/pasting if necessary. Why give the full list to everyone instead of the pertinent parts to each? It seems difficult to believe that he found the time to find all of thesee but couldn't find the time to separate the information to give to each respective office.

The real truth

[paulraps]

Here's a more detailed article [thelocal.se] on the subject, ending with a highly amusing quote from Dan Egerstad about his real reason for releasing the log-in info.

Re:The real truth

[Rob T Firefly]

He said he had published the list because it would have been too time-consuming to contact all 100 organizations named. Had he handed the list to the Swedish Security Service (Säpo), he would have been guilty of spying. He claimed that by publishing the list he saved himself trouble.

"This rescues me from the shit," he said.

Well, I can see how that - huh???

Re:

[Frosty Piss]

He claimed that by publishing the list he saved himself trouble.

Sure it does. Let's watch and learn... I'm not Sweedish, but I feel safe in speculating that even there, hacking someone's email and reading it is illegal.

"I haven't logged in to anyone's account, but I can read their email," he said.

Typical hacker, thinks the authorities are really interested fixing this sort of thing, if only they knew. I'll bet they did know, and now they're more pissed off than ever since their spy agencies can no longer

Uh, email is open not private

[crovira]

"hacking someone's email and reading it is illegal" is not quite accurate since its possible to request emails (and its often done too,) and every sys-admin who's administering email servers know that.

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

Thinking that it does gets people in deep do-doo (or even killed [depends who's doing the asking.])

Re:

[Frosty Piss]

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

This has nothing to do with the Confidentiality of email, and everything to do with accessing other people's email accounts without authorization.

Re:

[Acer500]

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

This has nothing to do with the Confidentiality of email, and everything to do with accessing other people's email accounts without authorization.

Oh, by the way, the US isn't alone in the universe, and in Uruguay at least, it's a crime to read other people's e-mail accounts without permission, punishable with prison, so that might be the law in Sweden too

That law's a bit too strong, and it isn't enforced too often, but it does exist.

Trying to confirm this I came across an article on electronic crime in Argentina where it states that "It will be punishable by up to six months of prision to whomever opens without permission an e-mail or other epis

Re:

[GrievousMistake]

Sweden, Norway and Denmark, at least, have (by American standards hyper-strict) privacy laws concerning among other things reading/monitoring other peoples' private email, and there have been cases where e-mails have been discarded as evidence because they were presumed confidential. (As far as I understand it, that means storing and using your employees private emails, say, in court, would be an offense similar in nature to illegal wiretapping.)

Re:

[Frosty Piss]

And even if it's not strictly "illegal", it's not appropriate or ethical.

Re:

[king-manic]

He said he had published the list because it would have been too time-consuming to contact all 100 organizations named. Had he handed the list to the Swedish Security Service (Säpo), he would have been guilty of spying. He claimed that by publishing the list he saved himself trouble

.

"This rescues me from the shit," he said.
Well, I can see how that - huh???

The publicity makes disappearing in the night conspicuous. He's probably hoping that deters Governments from attempting to prosecute him for blackmail. If he mailed them individually they might indeed take it as a attempt to black mail them.

Re:

[eln]

"This rescues me from the shit," he says. I think he is about to become very familiar with another quote: "Out of the frying pan into the fire".

Now instead of the government accusing him of spying, he'll have a bunch of foreign governments pressuring his government to lock him up for spying. I don't think this guy really thought things through here.

Re:

[SpeedyDX]

Excuse me, but I think my English must not be up to par. I read the article you linked to, but what does "This rescues me from the shit" mean? I suppose it's an amusing quote, but it's gibberish. What is the shit? And why does he feel that he needs rescuing from said shit? It seems like a total non sequitur. Please explain this to me.

Re:

[flimnap]

"Shit" is a fairly mild (and common) word in Swedish. The translator was just a little too literal. (So it's more like "This rescues me from the bother/trouble").

Re:

[Anonymous Coward]

I can't see the problem. He's not American. He's Swedish.

The Swedes don't persecute their citizens. And they don't let other countries like the US persecute them either. So he's quite correct that he's safe.

If this had happened in the US, you would be scared to do anything. What a country! This is what you can do if you're free, but you can't do it in the land of the free!

He wants room and board

[gillbates]

In the local jail. Why else would anyone do something so boneheaded?

Honestly, I can't think of any better way to get jailed than to embarrass and irritate the high-level diplomats of 100 countries.

Yes, it was easier than turning the list over to authorities, or contacting each of the embassies. So what? It could easily be argued that he had a duty of confidentiality with his client that he failed to observe.

Furthermore, he has actually made security worse by disclosing in this matter. Who knows how many embassies were already aware of the problem, and were in the process of tightening security? It is also likely that at least some of the embassies would have discovered the vulnerabilities independently of this consultant through internal audits, and would have fixed them silently.

Now, while this guy has stirred up a hornet's nest, he hadn't really done anything to improve the security of these embassies. Sure, they have to fix it now, but they might have done it anyway.

And what if the Swedes were aware of this and using this information for intel gathering? I don't think anyone is happy he did this.

Re:

[jevring]

Ok, so we are allowed to complain about thiss, but when someone riles about full-disclosure (which this is), everybody gets up in arms.
It's a case of all animals are equal, but some are more equal than others...

Re:

[SL Baur]

What he did is technically international espionage. That's a bird of a very different feather.

Re:

[gillbates]

Yes, they'll tighten up their security, but it is possible that they were going to do it silently, anyway.

I mean, if you're going to do research in this area - that is, expend effort looking at security - it's really a cop out to claim that you can't be bothered to contact the embassies individually. You were neither required, nor asked, to evaluate their security. Instead, you take it upon yourself to expend the effort to do the research, and then claim that you can't expend the additional effort to

Re:

[Stooshie]

... It could easily be argued that he had a duty of confidentiality with his client that he failed to observe. ...

Client? What client?

Re:

[vertinox]

Client? What client?

The one that doesn't have polonium.

Re:

[dintech]

I can't think of any better way to get jailed than to embarrass and irritate the high-level diplomats of 100 countries.

It's also a good way to see 100 countries over your lifetime. However Gary McKinnon [wikipedia.org] recommends leaving the US until last. That stop takes quite a long time.

According to the Swedish Hacker

[Rob T Firefly]

Their security is borked.

Re:

[imbaczek]

More news at 11.

Re:

[Ultra64]

Bork Bork Bork!

----
Signed,
Ze sweedish Chef

Bruce Schneier is still right

[Enlarged to Show Tex]

The weakest link in computer security is still the humans operating within the system...

Safety of the limelight

[Opportunist]

Honestly, should I dig up something like that, I will make it as public as possible, with as much of my name on it as possible as well.

The reason is simple: When you're in the limelight, it doesn't go unnoticed when you suddenly "vanish". Post it anonymously and they will dig you up. Hand it to some journalist and the same will happen (just that one more person goes with you). You can't simply make someone disappear when he's in the center of attention. Unless you're Copperfield and want to vanish, but that's a different matter.

Re:

[Frosty Piss]

You may not "vanish" in the way you think, but when the activity is considered illegal (hacking other people's accounts is generally seen as illegal in most countries), a public outing like this will almost certainly not be taken the way you imply, and the indevidual will end up in jail.

Remember that Brit that hacked Nasa? He's headed to Guantanamo.

Re:

[EllisDees]

Except that he didn't hack anything. Anyone could do this. All you need to do is run tor as an exit node and log all of the traffic going in and out. Mixed in with the piles of useless data are going to be lots of unencrypted user names and passwords. It's only if he actually uses one that he becomes a hacker.

Re:

[DragonWriter]

You can't simply make someone disappear when he's in the center of attention.

You can make them really and verifiably dead, however; perhaps under suspicious circumstances, but you can make it difficult to prove anything and discover or invent material to discredit anyone peddling "conspiracy theories" connecting you to it. Which, ultimately, acheives the same result as the whole disappearing thing.

Re:

[n dot l]

Take a look at all the claims [wikipedia.org] Alexander Litvinenko made against the Russian government. He's written books about his claims. He's been on TV interviews stating his claims. As crazy as the stuff he said sounds, you have to admit it makes for some good headlines: "Former KGB agent says Russian Government the Devil!" All in all I'd say that's pretty public.

So what happened to him? Someone simply waited till he dropped out of the headlines and then gave him one of the most interesting deaths [wikipedia.org] money can buy.

You

Re:Cue Borat Joke Here

[king-manic]

Of the compromised account, ten belong to the Kazakh embassy in Russia. Around 40 belong to Uzbeki embassies and consulates around the world.

So half of the 100 accounts belong to underdeveloped former Soviet republics. It seems unsurprising that many of their staff would be unfamiliar with computer systems and computer security.

Kazakhstan is the greatest country in the world, all other countries are run by little girls. Kazakhstan is number one exporter of internet security, Other Central Asian countries have inferior internet security.

High Five!

Re:

[everphilski]

Around 40 belong to Uzbeki embassies and consulates around the world

Assholes Uzbekistan.

I get computer, Uzbekistan gets computer

I get gmail, Uzbekistan get gmail

I get access to naughty website with Pamela, Uzbekistan cannot afford!

Great success!

More Details and Actual addresses

[Anonymous Coward]

I had posted this yesterday as well for a story.
A more detailed look by Indian express here [indianexpress.com].
Looks like the newspaperguys took due dilligence a bit too far...
from the article
"The email account of the Indian Ambassador to China contained details of a visit by Rajya Sabha member Arjun Sengupta to Beijing earlier this month for an ILO conference. There was also a transcript of a meeting this evening which a senior Indian official had with the Chinese Foreign Minister. Similarly, accounts of NDA and DRD

Exactly the Right approach

[fuzzy12345]

Say he had contacted each embassy individually. Best case, a mid-level functionary would have fixed the one specific problem and not reported it.
This way, media in the affected countries will be asking pointed questions, politicians will be asking questions in parliament, and many countries will improve their security policies at all their embassies worldwide, rather than just at the one with the known exposure.
Why, though, do all recent articles seem to be click-throughs to other articles scant on details,

In the orginal Swedish

[blueZ3]

"A Svedeesh IT cunsooltunt hes coosed a stir in deeplumetic curcles effter poobleeshing a leest ooff secret lug-in deteeels belungeeng tu 100 imbesseees, poobleec oothureeties und puleeticel perties eruoond zee vurld. Dun Igersted seeed he-a vesn't tryeeng tu iern muney, geeen poobleecity oor get a neme-a fur heemselff in heckeeng curcles. Insteed he-a cleeemed thet poobleeshing zee leest ves ieseeer thun cuntecting zee oorguneezeshuns indeefidooelly -- und thet iff he-a hed hunded it tu zee Svedeesh oothur

Re:

[MLease]

Yeah, you're right. Let me try (after all, I am half-Sveedish on my mother's side): "A Svedeesh IT cunsooltunt hes coosed a borking stir in deeplumetic curcles effter poobleeshing a leest ooff bork-secret lug-in deteeels belungeeng tu 100 borked imbesseees, poobleec oothureeties und puleeticel perties eruoond zee borking vurld. Dun Igersted seeed he-a vesn't tryeeng tu iern bork muney, geeen poobleecity oor get a borking neme-a fur heemselff in heckeeng curcles, bork bork. Insteed he-a cleeemed thet poobl

Which hole?

[johkir]

I'm curious as to which security hole or human weakness he used. I see from his site [derangedsecurity.com] and Netcraft [netcraft.com] that a lot of sites were Windows Server 2003 or Windows 2000 running IIS, but there is also Apache on Linux.

Re:

[NilleKopparmynt]

Since it is just passwords to mail accounts I guess he has sniffed the unencrypted POP3 traffic. This is a script kiddy hack. He probably just played with some ARP poisioning tool in the right place and got lucky.

the tip of a much bigger iceberg

[kurmudgeon]

It would appear this problem goes well beyond affecting embassies. According to an article [theregister.com] I just posted for The Register, Egerstad was able to sniff out the login details thanks to the embassies' misuse of a common client-side security application that allows him to perform a man-in-the-middle attack. In all, he's been able to obtain credentials for more than 1,000 email accounts, at least one of which belonged to an employee of a very large company.

Govt security is a joke

[guruevi]

I have access to a (or let's say THE) server from the US Embassy in a certain country because I used to work at the datacenter that hosted them, I do have full administrator rights (still) because the datacenter doesn't ever change all the different passwords and more than once we create administrator accounts for testing purposes, on the other hand, the machine WAS secured and certified by DHS although they missed large portions of scripts and crap that can be ran through port 80 (the website part).

I also