A Swedish security expert released last week the addresses and passwords for 100 e-mail accounts, claiming that he has uncovered a flaw that exposes more than a thousand sensitive e-mail accounts at government agencies, such as embassies, and corporations.
The e-mail account information appeared on the DerangedSecurity blog, run by Swedish hacker Dan Egerstad, and listed the e-mail server IP addresses, e-mail addresses, and passwords for accounts at numerous embassies, including the Russian, Indian, and Iranian embassies in various countries. Other accounts belonged to government officials and civil-rights workers. While Egerstad released the information for 100 accounts, he told Wired News that he had collected more than 1,000.
"Here is everything you need to read classified email and f**k up some serious international business," wrote Egerstad on his blog. "Hopefully this will put light on the security problems that are never talked about and get at least this fixed with a speed that you never seen your government work before."
Outing the poor security of government agencies has its risks. In 2006, the FBI raided the home of a security researcher that pointed out the insecurities in boarding pass checks, and created a Web site to allow people to print out their own passes. In 2003, authorities arrested Brett E. O'Keefe, president of California start-up ForensicTec, after he demonstrated the insecurities in several U.S. military networks by hacking into them. Two years later, O'Keefe was sentenced to 60 days in a work release program.
In the latest incident, Egerstad decided not to notify each organization because he did not believe that they would listen. He also admitted to viewing thousands of classified e-mails.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos