Tuesday, September 04, 2007
Login Details for Foreign Embassies in the Wild
Login details for international embassies have been in the wild since August 30th in a full disclosure style :
"Here is a list with working passwords to exactly 100 email-accounts to Embassies and Governments around the world. Yes it’s the real deal and still working when we are posting this. So why in the world would anyone publish this kind of information? Because seriously, I’m not going to call the president of Iran and tell him that I got access to all their embassies. I’m DEranged, not suicidal! He has bombs and stuff…"
The researcher's main motivation behind releasing these is that there's no point in contacting the email owners directly as no one would take his emails seriously enought and change them, so by going full disclosure it would prompt the embassies in question to change the passwords. Dan Egerstad may be quite right, at least on the passwords changing issue. Could these email accounts be accessed globally and if yes why? For instance, could Uzbekistan's embassy in London successfully login into Uzbekistan's embassy in Moscow, and even worse, could a host not belonging to the embassy's network access these mailboxes for flexibility? If yes, there're way too many ways this data could have been obtained. While going through the accounting data, we could both confirm that best practices for strong passwords are place at some embassies, and also question the lack of such best practices at certain ones, a security measure that works against brute forcing attempts, but is totally irrelevant when it comes to keylogging and sniffing.
Many people would logically consider the possibility of abusing these login details by obtaining the content of the mailboxes. However, another perspective worth keeping in mind is the use of this login data as the foundation for targeted attacks on a embassy-to-embassy basis, the way we've seen it happen before.