Swedish Hacker Accesses Embassy E-Mail Accounts
September 12, 2007 (RFE/RL) -- A 21-year-old Swedish hacker has
confounded some governments with his revelation that a flaw allows easy access
to more than 100 sensitive e-mail accounts at embassies and private
Dan Egerstad says
he accidentally stumbled onto the problem and made passwords and other details
of those accounts public to highlight the security risk.
RFE/RL's Uzbek Service that he decided to publicize the problem because
contacting all the affected groups personally would have been a huge task.
He released addresses and passwords on a blog
(http://www.derangedsecurity.com) from the list of easily compromised accounts,
which included accounts from Indian, Pakistani, Uzbek, and Kazakh embassies and
other government institutions.
In fact, the list included 26 embassies
and six consulates of Uzbekistan alone. Ten accounts belonged to the Kazakh
Embassy in Russia, according to a technology-based website, techworld.com, that
covered the story.
They also included Chinese human-rights groups and one
of Tibetan spiritual leader Dalai Lama's liaison offices.
Egerstad says that the only officials who have
contacted him from the embassies or governments involved are Iranians, including
the Iranian Embassy in Stockholm.
"They pretty much said, 'Thank you.'
The Indians, they were kind of pissed," Egerstad says. "No one wanted to talk to
me except Iran."
Egerstad says the affected governments are merely those
using software that is susceptible to the hack that he discovered.
says that after he accidentally uncovered the flaw, those vulnerable accounts
were like an open book.
Egerstad has stressed that he never actually
opened the correspondence, so as to avoid breaking the law. He said he released
the information to shed light on security problems to allow the groups involved
to fix them.
"After they calm down a little bit and get over the first
shock, they will realize I didn't do this to hack into their system or anything
like that, I did it because they have a major problem," Egerstad
Egerstad lives in Malmo, in southern Sweden, and describes himself
as a security specialist who works for Danish and Swedish companies. But he also
says the discovery did not even require much expertise.
"This is very,
very easy," he says. "If only I could do this or the best computer people in the
world could do this, then it wouldn't be a problem. The problem is that anyone
can do this. Give me two minutes [and] I can teach anyone to do
Could Egerstad Face Legal Problems?
It is unclear
whether authorities are considering any measures against Egerstad.
Swedish national security officer who asked not to be identified suggested to
RFE/RL's Uzbek Service that sharing the sensitive information involved in the
hack with other Internet users might be prosecutable.
"It is one thing
to imagine that evil hackers can find information themselves, [and] another
thing [when] somebody publishes it for them," says Per Hellqvist, a security
expert at Symantec AB, a company that specializes in computer-protection
"They can do quite a [lot of] damage with this kind of
information," Hellqvist adds. "They can read the e-mails being sent from this
e-mail address from certain embassies and they can also send the e-mails
[pretending to be] an embassy employee."
Hellqvist warns that Egerstad
might be "heading into trouble" if he continues with such unorthodox techniques.
But Egerstad insists that he simply happened across a problem and acted
in a way that allows the holders of those affected to correct the flaw. He says
he only wants to help people correct a problem that could cause serious damage
to their interests.
Copyright (c) 2007 RFE/RL, Inc. Reprinted with the permission of Radio Free Europe/Radio Liberty, 1201 Connecticut Ave., N.W. Washington DC 20036. www.rferl.org
Payvand News - 9/14/07