Swedish hacker accesses embassy e-mail accounts
Sunday, 23 September 2007
Alisher Sidikov
A 21-year-old Swedish hacker has confounded some governments with his revelation that a flaw allows easy access to more than 100 sensitive e-mail accounts at embassies and private companies.
Dan Egerstad says he accidentally stumbled onto the problem and made passwords and other details of those accounts public to highlight the security risk.
Egerstad told RFE/RL's Uzbek Service that he decided to publicize the problem because contacting all the affected groups personally would have been a huge task.
He released addresses and passwords on a blog (http://www.derangedsecurity.com) from the list of easily compromised accounts, which included accounts from Indian, Pakistani, Uzbek, and Kazakh embassies and other government institutions.
In fact, the list included 26 embassies and six consulates of Uzbekistan alone. Ten accounts belonged to the Kazakh Embassy in Russia, according to a technology-based website, techworld.com, that covered the story.
They also included Chinese human-rights groups and one of Tibetan spiritual leader Dalai Lama's liaison offices.
Egerstad says that the only officials who have contacted him from the embassies or governments involved are Iranians, including the Iranian Embassy in Stockholm.
"They pretty much said, 'Thank you.' The Indians, they were kind of pissed," Egerstad says. "No one wanted to talk to me except Iran."
Egerstad says the affected governments are merely those using software that is susceptible to the hack that he discovered.
He says that after he accidentally uncovered the flaw, those vulnerable accounts were like an open book.
Egerstad has stressed that he never actually opened the correspondence, so as to avoid breaking the law. He said he released the information to shed light on security problems to allow the groups involved to fix them.
"After they calm down a little bit and get over the first shock, they will realize I didn't do this to hack into their system or anything like that, I did it because they have a major problem," Egerstad says.
Egerstad lives in Malmo, in southern Sweden, and describes himself as a security specialist who works for Danish and Swedish companies. But he also says the discovery did not even require much expertise.
"This is very, very easy," he says. "If only I could do this or the best computer people in the world could do this, then it wouldn't be a problem. The problem is that anyone can do this. Give me two minutes [and] I can teach anyone to do this."
Could Egerstad Face Legal Problems?
It is unclear whether authorities are considering any measures against Egerstad.
But a Swedish national security officer who asked not to be identified suggested to RFE/RL's Uzbek Service that sharing the sensitive information involved in the hack with other Internet users might be prosecutable.
"It is one thing to imagine that evil hackers can find information themselves, [and] another thing [when] somebody publishes it for them," says Per Hellqvift, a security expert at Symantec AB, a company that specializes in computer-protection software.
"They can do quite a [lot of] damage with this kind of information," Hellqvift adds. "They can read the e-mails being sent from this e-mail address from certain embassies and they can also send the e-mails [pretending to be] an embassy employee."
Hellqvift warns that Egerstad might be "heading into trouble" if he continues with such unorthodox techniques.
But Egerstad insists that he simply happened across a problem and acted in a way that allows the holders of those affected to correct the flaw. He says he only wants to help people correct a problem that could cause serious damage to their interests.
.............
RFE/RL
A 21-year-old Swedish hacker has confounded some governments with his revelation that a flaw allows easy access to more than 100 sensitive e-mail accounts at embassies and private companies.
Dan Egerstad says he accidentally stumbled onto the problem and made passwords and other details of those accounts public to highlight the security risk.
Egerstad told RFE/RL's Uzbek Service that he decided to publicize the problem because contacting all the affected groups personally would have been a huge task.
He released addresses and passwords on a blog (http://www.derangedsecurity.com) from the list of easily compromised accounts, which included accounts from Indian, Pakistani, Uzbek, and Kazakh embassies and other government institutions.
In fact, the list included 26 embassies and six consulates of Uzbekistan alone. Ten accounts belonged to the Kazakh Embassy in Russia, according to a technology-based website, techworld.com, that covered the story.
They also included Chinese human-rights groups and one of Tibetan spiritual leader Dalai Lama's liaison offices.
Egerstad says that the only officials who have contacted him from the embassies or governments involved are Iranians, including the Iranian Embassy in Stockholm.
"They pretty much said, 'Thank you.' The Indians, they were kind of pissed," Egerstad says. "No one wanted to talk to me except Iran."
Egerstad says the affected governments are merely those using software that is susceptible to the hack that he discovered.
He says that after he accidentally uncovered the flaw, those vulnerable accounts were like an open book.
Egerstad has stressed that he never actually opened the correspondence, so as to avoid breaking the law. He said he released the information to shed light on security problems to allow the groups involved to fix them.
"After they calm down a little bit and get over the first shock, they will realize I didn't do this to hack into their system or anything like that, I did it because they have a major problem," Egerstad says.
Egerstad lives in Malmo, in southern Sweden, and describes himself as a security specialist who works for Danish and Swedish companies. But he also says the discovery did not even require much expertise.
"This is very, very easy," he says. "If only I could do this or the best computer people in the world could do this, then it wouldn't be a problem. The problem is that anyone can do this. Give me two minutes [and] I can teach anyone to do this."
Could Egerstad Face Legal Problems?
It is unclear whether authorities are considering any measures against Egerstad.
But a Swedish national security officer who asked not to be identified suggested to RFE/RL's Uzbek Service that sharing the sensitive information involved in the hack with other Internet users might be prosecutable.
"It is one thing to imagine that evil hackers can find information themselves, [and] another thing [when] somebody publishes it for them," says Per Hellqvift, a security expert at Symantec AB, a company that specializes in computer-protection software.
"They can do quite a [lot of] damage with this kind of information," Hellqvift adds. "They can read the e-mails being sent from this e-mail address from certain embassies and they can also send the e-mails [pretending to be] an embassy employee."
Hellqvift warns that Egerstad might be "heading into trouble" if he continues with such unorthodox techniques.
But Egerstad insists that he simply happened across a problem and acted in a way that allows the holders of those affected to correct the flaw. He says he only wants to help people correct a problem that could cause serious damage to their interests.
.............
RFE/RL