Swede Hacks Embassy Account Information From Around the World

paulraps writes "A Swedish IT consultant has caused a stir in diplomatic circles after publishing a list of secret log-in details belonging to 100 embassies, public authorities and political parties around the world. Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles. Instead he claimed that publishing the list was easier than contacting the organizations individually — and that if he had handed it to the Swedish authorities then that would have been spying."

When best intentions go wrong

[Paperghost]

"Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles." ....whoops.

Re:When best intentions go wrong

[aldousd666]

haha i was just thinking the same thing.. I don't understand how he can possibly say that and believe it at the same time. Likely he doesn't.

Re:When best intentions go wrong

[joeldg]

"...easier than handing it to them directly..." ???
wtf, so it is easier to make a post and leave 100+ embassies open to the world or to send mails..
I suppose there are ethics here that I am missing.. saying he was supposedly doing these people a "favor" by publishing this..

I guess at least he didn't try to blackmail them.

Re:When best intentions go wrong

[TeknoHog]

This looks exactly like security flaws in commercial software. Somehow the fixes are always delayed until someone makes a detailed public announcement of the bugs.

Re:When best intentions go wrong

[borodir]

Double oops. What did he think was going to happen?

Not after fame, eh?

[blind+biker]

Then why not publish the list anonymously?

Re:Not after fame, eh?

[morgan_greywolf]

Because then no one would search for his LinkedIn account, thus upping his number of connections from a mere 8.

Re:Not after fame, eh?

Doesn't look like it's doing any good.

Competent hacker, poor social engineer

[SavvyPlayer]

Anonymously giving the list to a local newspaper would have achieved the stated objective.

Re:Competent hacker, poor social engineer

[Opportunist]

...and also would've caused a LOT of trouble for both, him and the newspaper publishing it. Not everywhere on this planet journalists enjoy the right to keep their sources secret.

Re:Competent hacker, poor social engineer

[SavvyPlayer]

No editor would outright publish such a list. Of course the proper agencies would be contacted by the paper and a sensationalized story reprimanding the irresponsible gov agencies involved written during the course of the interaction.

Re:Competent hacker, poor social engineer

[SavvyPlayer]

Journalists lack the forensic tools to track down anonymous submissions, especially those of competent security consultants. Sigh.

Re:Competent hacker, poor social engineer

[QuickFox]

Not everywhere on this planet journalists enjoy the right to keep their sources secret. Here in Sweden he would certainly be well protected. We have strong laws about these things. Not only in the direct relationship with the papers. For instance, a whistleblower in public employ is so well protected that his boss can't even make innocent comments during a break at the coffee table trying to guess who it might be. Any attempt to try to identify a whistleblower, no matter how innocent it might seem, would land the boss in trouble. And the papers of course guard this protection with great fervor, making lots of publicity when any attempt is made.

Re:Competent hacker, poor social engineer

[Ajehals]

Or the paper would have handed it to the correct government agency and that government agency would have been able to (mis)use the information (maybe only for a short time, but still).

I think that this course of action, whilst not the best was probably taken to ensure that he wasn't seen as a spy, or a terrorist. Moreover I assume that once he had this information he had a hell of a time figuring out who he would be able to trust with it. If you don't know who to trust, don't want to start contacting the government then the best course of action is probably to publish anonymously.

Perhaps he thought doing it in a public manner would remove any doubt as to the completeness of the information and ensure that there could be no "NOTICE terrorists/spies have published this information lets arrest someone secretly and ship them to a secret detention centre and torture them...." After all most people get their idea of how government, and especially government security services work from Hollywood (including the government these days one might think).

Re:Competent hacker, poor social engineer

[lawpoop]

Yeah right. Newspapers get bogus crap from anonymous 'geniuses' all the time, who claim to have uncovered conspiracies or figured out the secrets of the universe. Another list of startling vulnerabilities in the world's embassies certainly would have gotten the attention of all the editors.

Re:Competent hacker, poor social engineer

[SavvyPlayer]

This info can be validated by anyone in 3 minutes. Sigh.

Re:Competent hacker, poor social engineer

[lawpoop]

This info can be validated by anyone in 3 minutes. Sigh. First of all, No, it can't. Investigative journalists are trained to do only two things:

1. Tell when someone's lying or when their story doesn't add up -- a kind of social engineering
2. Follow the money

They can't examine scientific claims or medical breakthroughs or stories about computer technologies. When they are forced to do this, they call a bunch of experts and see what their opinions are, which is basically employing skill #1.

If you can validate this story in 3 minutes, you are a better than average computer expert than probably even most tech support people out there -- let alone Joe Blow or any journalist.

Secondly, even if a journalist could validate this in 3 minutes, they shouldn't bother, because 99% percent of the anonymous crapflood would turn out to be completely false and a waste of time. If they bothered to validate this story, they would be looking into water-combusting engines or new evidence of the faked moon landing all the time. And we have enough of those stories already.

Re:Competent hacker, poor social engineer

[SavvyPlayer]

While one must appreciate another's effort to discuss, I have to abstain from a response until a valid analogue is supplied. Why can't an investigative journalist type a URL and enter a user name and pw when prompted given a few minutes?

Re:Competent hacker, poor social engineer

[lawpoop]

If that's all that's required, I have to admit that that level of technical competence is widespread enough that any journalist could do it.

Re:Competent hacker, poor social engineer

[lawpoop]

I re-read the article trying to figure out the point you can make. From what I gather, a Swedish 'hacker' -- probably just a computer user -- found a list of valid passwords for the embassies' email websites. It's not like this is a buffer overflow, backdoor, or lousy password policy. They simply didn't protect their passwords, AFAICan tell. So what exactly is the story, or the journalistic angle? "Web email system works as expected, even for Embassies" ? That you can log in, provided you know the username and password?

Re:Competent hacker, poor social engineer

Hehe:)

Either you were trying to decipher the original Swedish-language article, or you have serious cognitive difficulties. Here is another link to clear up the issue: this Swedish news site states that Dan Egerstad is an IT security researcher and according to them, he published his findings more as a CYA procedure (that's "cover your ass").

The same news website published an unrelated story in December 2006 where Egerstad is also mentioned as IT consultant: http://www.thelocal.se/5749/20061209/

Good intentions?

[eln]

I'm not sure what he was thinking when he decided that publishing the list would be the best way to draw the attention of the affected parties. Sure, calling 100 different embassies can be kind of a hassle, but he could just send out an email with a bunch of BCCs. I would assume he has an email address for each of them.

Maybe this guy just doesn't have the same sense of self preservation that I do, but in my work I tend to avoid doing things that have the potential to cause a major international incident.

Re:Good intentions?

[Otter]

Sure, calling 100 different embassies can be kind of a hassle, but he could just send out an email with a bunch of BCCs.

Yeah, you'd think that a guy who is so 1337 that he "accidentally" ran a cracker against 6 different embassies (it's 100 people, not embassies, despite what the submitter and Zonk wrote) wouldn't have trouble cc'ing them. My coworkers don't seem to have any trouble cc'ing a lot more people than that.

Re:Good intentions?

[zyklone]

He did not run a cracker against anything at all.

Re:Good intentions?

[zzottt]

my coworkers don't seem to have any trouble cc'ing a lot more people than that.

not sure why but that was really funny to me right now

Re:Good intentions?

[Otter]

Is there some article I'm missing, besides the Ars Technica story and the piece it links? There are things in the blurb that don't appear in either.

At any rate, I'd be curious what this guy did that caused these passwords to "accidentally" fall out.

Re:Good intentions?

"he could just send out an email with a bunch of BCCs"

Thats basically what he did. It doesn't sound like this list is very public. Its just making its way around the so-called "diplomatic" circles.

Let's look at this from another angle. He quietly published this list, and probably notified all the affected embassies. Then, at least some of the embassies, and a few news outlets, verify the list. Then, at least some of the embassies change the passwords. Then, those news outlets are able to get comments from the embassies and the guy, and then, publish a story on it. All this happened before YOU found out about it.

I say its a little early to fault the guy, since what he did is working just fine. Had he contacted each embassy individually, he would have had to convince each one over several emails or phone conversations. This way, he probably only had to talk to a few news outlets / embassies. Had he published the list in a local paper (i laughed out loud at this one) as another slasher suggested, the general public would probably have read copies of the emails in the affected accounts before the embassies ever knew there was a problem.

Re:Good intentions?

He did obtain them by actions of his, period. Nobody posted them to him.

Re:Good intentions?

[LoverOfJoy]

Did he discover them all instantaneously? Why not send a quick email to each one as they become available. He could even do some quick copy/pasting if necessary. Why give the full list to everyone instead of the pertinent parts to each? It seems difficult to believe that he found the time to find all of thesee but couldn't find the time to separate the information to give to each respective office.

Re:Good intentions?

here is the website:

http://derangedsecurity.com/

Because....

[erareno]

If he DID publish the list anonymously, then the list could just as easily been dismissed (through political agreements) as completely inaccurate/wrong.

Re:Because....

[kevin_conaway]

If he DID publish the list anonymously, then the list could just as easily been dismissed (through political agreements) as completely inaccurate/wrong.

I don't see how having a random strangers name attached to the list makes the data published any more or less accurate.

Re:Because....

Ummm, so what? This selflessly generous individual with absolutely no interest in publicity would have done his job. "Political agreements" aren't his problem.

Re:Because....

[Vellmont]

I don't see how having a random strangers name attached to the list makes the data published any more or less accurate.

It doesn't, obviously. Publishing anonymously makes it easier for governments to simply SAY the published information is inaccurate. Having someone that's standing behind that statement makes it more difficult to play that game. People don't tend to trust anonymous sources. Look no further than slashdot for evidence of that (where anonymous is different from a pseudonym).

The real truth

[paulraps]

Here's a more detailed article on the subject, ending with a highly amusing quote from Dan Egerstad about his real reason for releasing the log-in info.

Re:The real truth

[Rob+T+Firefly]

He said he had published the list because it would have been too time-consuming to contact all 100 organizations named. Had he handed the list to the Swedish Security Service (Säpo), he would have been guilty of spying. He claimed that by publishing the list he saved himself trouble.

"This rescues me from the shit," he said. Well, I can see how that - huh???

Re:The real truth

[eln]

"This rescues me from the shit," he says. I think he is about to become very familiar with another quote: "Out of the frying pan into the fire".

Now instead of the government accusing him of spying, he'll have a bunch of foreign governments pressuring his government to lock him up for spying. I don't think this guy really thought things through here.

Re:The real truth

[SpeedyDX]

Excuse me, but I think my English must not be up to par. I read the article you linked to, but what does "This rescues me from the shit" mean? I suppose it's an amusing quote, but it's gibberish. What is the shit? And why does he feel that he needs rescuing from said shit? It seems like a total non sequitur. Please explain this to me.

Re:The real truth

I can't see the problem. He's not American. He's Swedish.

The Swedes don't persecute their citizens. And they don't let other countries like the US persecute them either. So he's quite correct that he's safe.

If this had happened in the US, you would be scared to do anything. What a country! This is what you can do if you're free, but you can't do it in the land of the free!

Re:The real truth

[Frosty+Piss]

He claimed that by publishing the list he saved himself trouble.

Sure it does. Let's watch and learn... I'm not Sweedish, but I feel safe in speculating that even there, hacking someone's email and reading it is illegal.

"I haven't logged in to anyone's account, but I can read their email," he said.

Typical hacker, thinks the authorities are really interested fixing this sort of thing, if only they knew. I'll bet they did know, and now they're more pissed off than ever since their spy agencies can no longer access these accounts.

Re:The real truth

[king-manic]

He said he had published the list because it would have been too time-consuming to contact all 100 organizations named. Had he handed the list to the Swedish Security Service (Säpo), he would have been guilty of spying. He claimed that by publishing the list he saved himself trouble .

"This rescues me from the shit," he said.
Well, I can see how that - huh???

The publicity makes disappearing in the night conspicuous. He's probably hoping that deters Governments from attempting to prosecute him for blackmail. If he mailed them individually they might indeed take it as a attempt to black mail them.

Re:The real truth

[flimnap]

"Shit" is a fairly mild (and common) word in Swedish. The translator was just a little too literal. (So it's more like "This rescues me from the bother/trouble").

He wants room and board

[gillbates]

In the local jail. Why else would anyone do something so boneheaded?

Honestly, I can't think of any better way to get jailed than to embarrass and irritate the high-level diplomats of 100 countries.

Yes, it was easier than turning the list over to authorities, or contacting each of the embassies. So what? It could easily be argued that he had a duty of confidentiality with his client that he failed to observe.

Furthermore, he has actually made security worse by disclosing in this matter. Who knows how many embassies were already aware of the problem, and were in the process of tightening security? It is also likely that at least some of the embassies would have discovered the vulnerabilities independently of this consultant through internal audits, and would have fixed them silently.

Now, while this guy has stirred up a hornet's nest, he hadn't really done anything to improve the security of these embassies. Sure, they have to fix it now, but they might have done it anyway.

And what if the Swedes were aware of this and using this information for intel gathering? I don't think anyone is happy he did this.

Re:He wants room and board

[jevring]

Ok, so we are allowed to complain about thiss, but when someone riles about full-disclosure (which this is), everybody gets up in arms.
It's a case of all animals are equal, but some are more equal than others...

Re:He wants room and board

gillbates said, "Now, while this guy has stirred up a hornet's nest, he hadn't really done anything to improve the security of these embassies. Sure, they have to fix it now, but they might have done it anyway."

If he hasn't really done anything, then why do you say "they might have done it anyway" regarding tightening up their internet security? They should definitely tighten it up, and more than likely, now will tighten up their security, therefore, he has accomplished his desired results.

Re:He wants room and board

[Stooshie]

... It could easily be argued that he had a duty of confidentiality with his client that he failed to observe. ...

Client? What client?

Re:He wants room and board

[gillbates]

Yes, they'll tighten up their security, but it is possible that they were going to do it silently, anyway.

I mean, if you're going to do research in this area - that is, expend effort looking at security - it's really a cop out to claim that you can't be bothered to contact the embassies individually. You were neither required, nor asked, to evaluate their security. Instead, you take it upon yourself to expend the effort to do the research, and then claim that you can't expend the additional effort to do responsible disclosure?

This guy had a reasonable expectation that he was going to find vulnerabilities, and should have known from the start that doing the research would incur the responsibility of either keeping them secret, or disclosing them in a responsible way. He did neither.

Re:He wants room and board

Yes, we are happy here in Sweden. And dan Egerstad has done more for embassies security than you have!

This shows that, in a free country, a man can do what he thinks is right. He is not forced to bow down to government like the US are. Information is free in this land, not crippled with big companies like it is the the US.

You should leave your land now, Americans. It is finished. Come to a really free country, where the girls are beautiful, and leave your guns and murderous ways behind you!

Re:He wants room and board

[dintech]

I can't think of any better way to get jailed than to embarrass and irritate the high-level diplomats of 100 countries.

It's also a good way to see 100 countries over your lifetime. However Gary McKinnon recommends leaving the US until last. That stop takes quite a long time.

Re:He wants room and board

This post is true. It shows that Americans measure everywhere by their own standards, which are increasingly fascist.

Why would this guy feel threatened. He's Swedish, for god's sake. He's FREE. They don't have a DMCA or an RIAA in Sweeden, and their version of the CIA works FOR their citizens instead of AGAINST them.

Where did we go wrong?

Re:He wants room and board

If you can show me a way to a work visa and a reasonable job in Sweden, I'll take the next plane NOW!

-Your single American guy

Re:He wants room and board

Some pictures to whet your apetite!

http://www.ifilm.com/video/2879515?cmpnid=800&lkde s=VID_2879515

Re:He wants room and board

[SL+Baur]

What he did is technically international espionage. That's a bird of a very different feather.

Re:He wants room and board

[vertinox]

Client? What client?

The one that doesn't have polonium.

According to the Swedish Hacker

[Rob+T+Firefly]

Their security is borked.

Re:According to the Swedish Hacker

[imbaczek]

More news at 11.

Re:According to the Swedish Hacker

[Ultra64]

Bork Bork Bork!

----
Signed,
Ze sweedish Chef

Bruce Schneier is still right

[Enlarged+to+Show+Tex]

The weakest link in computer security is still the humans operating within the system...

Safety of the limelight

[Opportunist]

Honestly, should I dig up something like that, I will make it as public as possible, with as much of my name on it as possible as well.

The reason is simple: When you're in the limelight, it doesn't go unnoticed when you suddenly "vanish". Post it anonymously and they will dig you up. Hand it to some journalist and the same will happen (just that one more person goes with you). You can't simply make someone disappear when he's in the center of attention. Unless you're Copperfield and want to vanish, but that's a different matter.

Re:Safety of the limelight

[Frosty+Piss]

You may not "vanish" in the way you think, but when the activity is considered illegal (hacking other people's accounts is generally seen as illegal in most countries), a public outing like this will almost certainly not be taken the way you imply, and the indevidual will end up in jail.

Remember that Brit that hacked Nasa? He's headed to Guantanamo.

Re:Safety of the limelight

[DragonWriter]

You can't simply make someone disappear when he's in the center of attention.

You can make them really and verifiably dead, however; perhaps under suspicious circumstances, but you can make it difficult to prove anything and discover or invent material to discredit anyone peddling "conspiracy theories" connecting you to it. Which, ultimately, acheives the same result as the whole disappearing thing.

Re:Safety of the limelight

[n+dot+l]

Take a look at all the claims Alexander Litvinenko made against the Russian government. He's written books about his claims. He's been on TV interviews stating his claims. As crazy as the stuff he said sounds, you have to admit it makes for some good headlines: "Former KGB agent says Russian Government the Devil!" All in all I'd say that's pretty public.

So what happened to him? Someone simply waited till he dropped out of the headlines and then gave him one of the most interesting deaths money can buy.

You want to piss off a foreign government and pretend the media can protect you...be my guest, just warn me ahead of time so I can be somewhere else when the bizarre accident that nobody witnessed takes place.

Re:Safety of the limelight

[EllisDees]

Except that he didn't hack anything. Anyone could do this. All you need to do is run tor as an exit node and log all of the traffic going in and out. Mixed in with the piles of useless data are going to be lots of unencrypted user names and passwords. It's only if he actually uses one that he becomes a hacker.

There is Moral Argument Here...

Just because

"Dan Egerstad said he wasn't trying to earn money, gain publicity or get a name for himself in hacking circles..."

and has the technical ability and the altruistic motives doesn't make it right. Yet if the powers that be (pick you favorite governmental agency) can do this at will, that doesn't make it wrong either.

Cue Borat Joke Here

[borkus]

From the Swedish article -

Of the compromised account, ten belong to the Kazakh embassy in Russia. Around 40 belong to Uzbeki embassies and consulates around the world.

So half of the 100 accounts belong to underdeveloped former Soviet republics. It seems unsurprising that many of their staff would be unfamiliar with computer systems and computer security.

Re:Cue Borat Joke Here

[king-manic]

Of the compromised account, ten belong to the Kazakh embassy in Russia. Around 40 belong to Uzbeki embassies and consulates around the world. So half of the 100 accounts belong to underdeveloped former Soviet republics. It seems unsurprising that many of their staff would be unfamiliar with computer systems and computer security.

Kazakhstan is the greatest country in the world, all other countries are run by little girls. Kazakhstan is number one exporter of internet security, Other Central Asian countries have inferior internet security.

High Five!

Re:Cue Borat Joke Here

[everphilski]

Around 40 belong to Uzbeki embassies and consulates around the world

Assholes Uzbekistan.

I get computer, Uzbekistan gets computer

I get gmail, Uzbekistan get gmail

I get access to naughty website with Pamela, Uzbekistan cannot afford!

Great success!

More Details and Actual addresses

I had posted this yesterday as well for a story.
A more detailed look by Indian express here.
Looks like the newspaperguys took due dilligence a bit too far...
from the article
  "The email account of the Indian Ambassador to China contained details of a visit by Rajya Sabha member Arjun Sengupta to Beijing earlier this month for an ILO conference. There was also a transcript of a meeting this evening which a senior Indian official had with the Chinese Foreign Minister. Similarly, accounts of NDA and DRDO officials reveal phone numbers, commercial documents, official correspondence and personal mails."
This is probably very illegal, even if the information has been posted for all to see actually using this info to access someone else's account should be a no-no.

Exactly the Right approach

[fuzzy12345]

Say he had contacted each embassy individually. Best case, a mid-level functionary would have fixed the one specific problem and not reported it.
This way, media in the affected countries will be asking pointed questions, politicians will be asking questions in parliament, and many countries will improve their security policies at all their embassies worldwide, rather than just at the one with the known exposure.
Why, though, do all recent articles seem to be click-throughs to other articles scant on details, ad infinitum. Would a link to the original article, rather than a pointer to another parrot really be so hard? WHERE'S THE BEEF?

Re:Exactly the Right approach

Why, though, do all recent articles seem to be click-throughs to other articles scant on details, ad infinitum. Would a link to the original article, rather than a pointer to another parrot really be so hard? WHERE'S THE BEEF?

Welcome to the blogosphere!

Re:moron corepirate nazis 'hacking' the weather

No... Actually, I don't see..

Uh, email is open not private

[crovira]

"hacking someone's email and reading it is illegal" is not quite accurate since its possible to request emails (and its often done too,) and every sys-admin who's administering email servers know that.

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

Thinking that it does gets people in deep do-doo (or even killed [depends who's doing the asking.])

Re:Uh, email is open not private

[Frosty+Piss]

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

This has nothing to do with the Confidentiality of email, and everything to do with accessing other people's email accounts without authorization.

Re:Uh, email is open not private

[Acer500]

Confidentiality of email does NOT exist. It might exist in some alternate universe but it doesn't exist on this planet.

This has nothing to do with the Confidentiality of email, and everything to do with accessing other people's email accounts without authorization.

Oh, by the way, the US isn't alone in the universe, and in Uruguay at least, it's a crime to read other people's e-mail accounts without permission, punishable with prison, so that might be the law in Sweden too

That law's a bit too strong, and it isn't enforced too often, but it does exist.

Trying to confirm this I came across an article on electronic crime in Argentina where it states that "It will be punishable by up to six months of prision to whomever opens without permission an e-mail or other epistolar means" Article 153 of the Argentinean Criminal Code (Penal Code/Código Penal). Source:

http://www.mastermagazine.info/articulo/10697.php

Re:Uh, email is open not private

[GrievousMistake]

Sweden, Norway and Denmark, at least, have (by American standards hyper-strict) privacy laws concerning among other things reading/monitoring other peoples' private email, and there have been cases where e-mails have been discarded as evidence because they were presumed confidential. (As far as I understand it, that means storing and using your employees private emails, say, in court, would be an offense similar in nature to illegal wiretapping.)

Re:Uh, email is open not private

[Frosty+Piss]

And even if it's not strictly "illegal", it's not appropriate or ethical.

Just before a 3 day weekend (USA Labor day)

Guess the hacks in the US Gov get to spend labor Day working....(finally) or maybe not and just ignore it. It will go away eventually. He might need a good lawyer and and find one at http://www.militarylawsuits.com/

nyet

it might have gotten published, past precedent, a glaring one was the pentagon papers.

too much work ... ah, WHAT??

point #1: if he took the trouble to gather or swipe a list in the first place, it makes no sense that he wouldn't have notified them directly.

point #2: if it actually was a list of compromised email accounts, any IT consultant (regardless of nationality) should probably know how to copy and paste. he could have sent them each an email letting them know they'd been compromised.

point #3: not doing one of the above was rude and selfish. in short, he's an a$$hole. and a liar. (not out for fame, fortune, etc... bs.)

-Jamie

In the orginal Swedish

[blueZ3]

"A Svedeesh IT cunsooltunt hes coosed a stir in deeplumetic curcles effter poobleeshing a leest ooff secret lug-in deteeels belungeeng tu 100 imbesseees, poobleec oothureeties und puleeticel perties eruoond zee vurld. Dun Igersted seeed he-a vesn't tryeeng tu iern muney, geeen poobleecity oor get a neme-a fur heemselff in heckeeng curcles. Insteed he-a cleeemed thet poobleeshing zee leest ves ieseeer thun cuntecting zee oorguneezeshuns indeefidooelly -- und thet iff he-a hed hunded it tu zee Svedeesh oothureeties zeen thet vuoold hefe-a beee spyeeng."

Re:In the orginal Swedish

There's no way that could be original sveedish, as it's deceptively free of any bork.

Re:In the orginal Swedish

[MLease]

Yeah, you're right. Let me try (after all, I am half-Sveedish on my mother's side): "A Svedeesh IT cunsooltunt hes coosed a borking stir in deeplumetic curcles effter poobleeshing a leest ooff bork-secret lug-in deteeels belungeeng tu 100 borked imbesseees, poobleec oothureeties und puleeticel perties eruoond zee borking vurld. Dun Igersted seeed he-a vesn't tryeeng tu iern bork muney, geeen poobleecity oor get a borking neme-a fur heemselff in heckeeng curcles, bork bork. Insteed he-a cleeemed thet poobleeshing zee borking leest ves ieseeer thun cuntecting zee borked oorguneezeshuns indeefidooelly -- und thet iff he-a hed hunded it tu zee borking Svedeesh oothureeties zeen thet vuoold hefe-a beee bork-bork spyeeng."

Which hole?

[johkir]

I'm curious as to which security hole or human weakness he used. I see from his site and Netcraft that a lot of sites were Windows Server 2003 or Windows 2000 running IIS, but there is also Apache on Linux.

Re:Which hole?

[NilleKopparmynt]

Since it is just passwords to mail accounts I guess he has sniffed the unencrypted POP3 traffic. This is a script kiddy hack. He probably just played with some ARP poisioning tool in the right place and got lucky.

the tip of a much bigger iceberg

[kurmudgeon]

It would appear this problem goes well beyond affecting embassies. According to an article I just posted for The Register, Egerstad was able to sniff out the login details thanks to the embassies' misuse of a common client-side security application that allows him to perform a man-in-the-middle attack. In all, he's been able to obtain credentials for more than 1,000 email accounts, at least one of which belonged to an employee of a very large company.

Jewstein, schmewstein

And the kids Emmanuel surrounds himself with get _porked_, what a coincidence, Lord 2600..

Re:Jewstein, schmewstein

Did you think that one up all by yourself?

Govt security is a joke

[guruevi]

I have access to a (or let's say THE) server from the US Embassy in a certain country because I used to work at the datacenter that hosted them, I do have full administrator rights (still) because the datacenter doesn't ever change all the different passwords and more than once we create administrator accounts for testing purposes, on the other hand, the machine WAS secured and certified by DHS although they missed large portions of scripts and crap that can be ran through port 80 (the website part).

I also have the access to a web server for a fairly small (regional) bank because I programmed their website. Again, poor security practices and audits (actually it's the auditors that only test for external threats, not for inside jobs) make that I still have full access to the machines to the point where I could host a small website using their very own SSL certificates. They are also certified by some government agency and have top-of-the-line firewall with deep packet inspection.

re: linkedin

yay another social network......
for losers.