The Register » Security » Comments on ‘Mystery SNAFU exposes email logins for 100 foreign embassies (and counting)’
In Tunisia, Iran's password is 'Tunisia'
Published Friday 31st August 2007 20:33 GMT
What about....
By Anonymous Coward
Posted Friday 31st August 2007 22:48 GMT
...SSH clients with StrictHostKeyChecking set to "off" (I'm sure these people have some kind of VPN in front of the IMAP/POP account)? But then you will still have to take over the DNS server of the Grand Hotel Eden du Lac to have your victim connect to your server first instead of the embassy (assuming the embassy worker does not have a DNS cache on his portable). So, you have to bribe the porter. Expect Dick Cheney to call for an immediate strike against Iran "before even more passwords are exposed".

It's a new age
By Anonymous Coward
Posted Friday 31st August 2007 22:49 GMT
    +OK Hello there.
    user galikhin@kazembassy.ru
    +OK Password required.
    aGC4jyf
    -ERR Invalid command.
    Pass aGC4jyf
    +OK logged in.
Lol
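The transcript above is a POP3 login in which client and server talk in the clear and the password is even typed once as a bare command. As an added example, not part of this comment or of the original article, here is a small audit routine that walks a captured POP3 transcript and reports USER/PASS sent before a successful STLS (the POP3 STARTTLS command from RFC 2595) as well as a bare token the server rejected while it was waiting for PASS, which is what a password typed at the wrong prompt looks like in a log. The transcript format, the function names and the sample sessions (made-up account and password) are constructed for the illustration.

```python
"""Audit a POP3 session transcript for credentials exposed in the clear.

Added example, not from the comment thread or the original article. It
assumes a plain transcript in which each non-empty line is one client
command or one server reply ("+OK ..." / "-ERR ...").
"""
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    kind: str      # "cleartext_user", "cleartext_pass" or "stray_secret"
    detail: str


def audit_pop3_transcript(lines):
    """Return Findings for every credential-related weakness in the session."""
    findings = []
    encrypted = False      # becomes True after the server accepts STLS
    awaiting_pass = False  # server has accepted USER and is waiting for PASS
    pending = None         # verb of the client command awaiting a reply
    pending_line = 0

    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+OK") or line.startswith("-ERR"):
            ok = line.startswith("+OK")
            if pending == "STLS" and ok:
                encrypted = True            # RFC 2595: session is now under TLS
            elif pending == "USER" and ok:
                awaiting_pass = True
            elif pending == "PASS":
                awaiting_pass = False
            elif pending == "OTHER" and awaiting_pass and not ok:
                # A rejected unknown command between USER and PASS is almost
                # always the password itself typed at the wrong prompt.
                findings.append(Finding(pending_line, "stray_secret",
                                        "rejected bare token sent while server waited for PASS"))
            pending = None
            continue

        # Client line: first word is the verb (POP3 verbs are case-insensitive).
        verb = line.split(None, 1)[0].upper()
        pending_line = n
        pending = verb if verb in ("STLS", "USER", "PASS") else "OTHER"
        if verb in ("USER", "PASS") and not encrypted:
            findings.append(Finding(n, "cleartext_" + verb.lower(),
                                    "credential sent before a successful STLS"))
    return findings


def finding_kinds(lines):
    """Convenience wrapper: just the (line number, kind) pairs, in order."""
    return [(f.line_no, f.kind) for f in audit_pop3_transcript(lines)]


# Constructed sample sessions (made-up account and password, not real data).
CLEARTEXT_SESSION = [
    "+OK POP3 server ready",
    "user alice@example.invalid",
    "+OK Password required.",
    "s3cretTok3n",                 # password typed where a command belongs
    "-ERR Invalid command.",
    "Pass s3cretTok3n",
    "+OK logged in.",
]

TLS_SESSION = [
    "+OK POP3 server ready",
    "STLS",
    "+OK Begin TLS negotiation",
    "USER alice@example.invalid",
    "+OK Password required.",
    "PASS s3cretTok3n",
    "+OK logged in.",
]

if __name__ == "__main__":
    for name, session in (("cleartext", CLEARTEXT_SESSION), ("tls", TLS_SESSION)):
        print(name)
        for f in audit_pop3_transcript(session):
            print(f"  line {f.line_no}: {f.kind} ({f.detail})")
```

Run against the first sample the audit reports the USER line, the stray token and the PASS line; the second sample, identical except that STLS was negotiated first, produces no findings, which is the state a mail administrator wants to see in every session.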

Spaceballs anyone?
By Anonymous Coward
Posted Friday 31st August 2007 23:09 GMT
quote: while one for an Indian embassy was simply "1234."
Dark Helmet: That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
President Skroob: That's amazing! I have the same combination on my luggage!
Once again, life imitates art.

The Indian Express article...
By Joe
Posted Saturday 1st September 2007 00:13 GMT
...refers to "recent racial abuse cases in West Germany." *West* Germany? Perhaps we should send them a copy of "Good Bye Lenin", bring them up to speed.

Don't Take It Personally
By Greg Nelson
Posted Saturday 1st September 2007 09:13 GMT
Passwords as a security feature have a well-earned bad rep. I've overtly watched bank tellers and financial advisers type in their passwords and elicited, at most, a wry smile. The security context for one person may be totally different than that of another, and, overall, the requirement to memorize a handful of passwords for different programs with different security contexts is daunting in the face of all the other attendant demands. If there's not a gun pointing at someone's head, in the form of some sort of dire consequence for failure to comply, then the likelihood is there'll be any number of weak links. OTOH if any one individual is targeted then it's likely their passwords can be had. I routinely use short-lived passwords of 11 digits, but, at least once a month, in an uncaffeinated daze, I'll log on to a networked box then bring up a web mailbox requiring little or no security and retype my computer logon password rather than the maybe 6-digit silly password the mailbox requires, and send my logon password over the net unencrypted. If smart bad guys target you it's likely all the security you can muster won't stand the test. During WWII, the American author Ernest Hemingway was sharing dinner with a few American Army officers when a German artillery barrage started raining down hard. The Army officers ran for the basement; Hemingway stayed at the table, drinking wine. An officer came back up to coax Hemingway to safety but he steadfastly refused to leave the table, insisting that as long as they're not shooting specifically at you, you were as safe in one spot as another. Hemingway and the officer stayed at the table drinking and debating Hemingway's theory throughout the artillery barrage.

Cowardice at Vulture Central?
By Sceptical Bastard
Posted Saturday 1st September 2007 09:54 GMT
Quote: "We weren't willing to risk getting a one-way ticket to the gulag, so we haven't actually validated the authenticity of the credentials by trying to log in to an account." Jeeze, El Reg - you are so chicken! With a few creative emails, you guys could have started a major conflict! "Drew Cullen launches world war three" - now THAT would have been a newsgrabbing IT story...

Seriously, though...
By Anonymous Coward
Posted Saturday 1st September 2007 10:40 GMT
...what serious "security consultant" does a stupid thing like publishing lists of usernames and passwords?

My guess
By Steve Kelly
Posted Saturday 1st September 2007 12:49 GMT
My guess at the exploit used is the local hotel's to the nearest busy embassy wireless has just been sniffed and sniffed; let's face it, wireless is a joke security-wise and you bypass the whole need to hack the network when you stay there and have unlimited access...

Goes beyond full disclosure
By Chris
Posted Saturday 1st September 2007 15:30 GMT
There is a BIG difference between full disclosure of a bug/vulnerability and posting the passwords for government officials' email addresses. Do people choose stupid passwords? All the time. Is it a real problem? It certainly can be. But posting the passwords means any idiot with a computer can log into those email accounts and: a) cause serious international turmoil by sending mail appearing to be from the victim, b) gain access to information they certainly should not have, and c) use that information for illegal means (such as identity fraud in the case of passport information). This jackass has the gall to say "I'm probably going to get charged for helping to commit a crime. I don't really care." No, he didn't HELP commit a crime, he DID commit a crime. And the whole "I don't have time calling all over the world to tell them something they won't understand or listen to" is pure bullshit. For fuck's sake, if you're not even going to warn the people, then don't be surprised when you're on multiple hitlists after posting these people's passwords. This is not a security researcher or anything similar. This is a script kiddie wanting to be "elite" and show his "skillz". Fucking retard.

The NSA is going to be so pissed-off
By MD Rackham
Posted Saturday 1st September 2007 16:26 GMT
I hear they've been getting $50 million per year for intercepting embassy communications. Now that their secret is out of the bag say goodbye to all those *awesome* pizza and beer parties.

I know the most likely app used...
By Anonymous Coward
Posted Saturday 1st September 2007 17:05 GMT
It's Microsoft of course! For all I know Outlook Express! HAH! : O P

Give it six months
By Ed
Posted Saturday 1st September 2007 19:55 GMT
I feel sorry for all those embassy workers; for the next six months they will have to remember complex and obscure passwords. But there is a light at the end of the tunnel for them. 'Cause as anyone who works for the gov will know, once things have blown over and the minister for whatever has had to call the hell desk to have the password reset for the umpteenth time, it will be business as usual. LOL

For those ripping on the security dude...
By Sampler
Posted Saturday 1st September 2007 21:33 GMT
The article did say it's a known bug which the vendors have advised all users to avoid, so really they've had their warning which they've evidently not heeded. I'm not condoning his actions - but I bet they're more effective than the vendors.

Re: Goes beyond full disclosure
By prathlev
Posted Sunday 2nd September 2007 11:31 GMT
I concur with Chris, although I'd probably use somewhat more diplomatic language. (Being a Kazakhstani diplomat and all...) Last time I checked the "Manual of common decency" it said that you at least TRY to catch the unfortunate people's attention, and only if they can't/won't react within some reasonable time frame can you take it a step further and begin to consider publishing details. This Dan Egerstad won't ever get a job where I work. (Not that he'd want that anyway...)
/Peter

Due diligence....
By Jan
Posted Sunday 2nd September 2007 11:54 GMT
As someone already pointed out, disclosing a security hole and disclosing information that can be gathered using that security hole are two different things. What the security consultant SHOULD have done with the information he stumbled upon is to have gone to the Swedish national CERT, SITIC (http://www.first.org/members/teams/sitic/ and http://www.sitic.se/). *They* would have understood the problem *and* would have taken care of warning all those involved in the incident. Contacting the right people at other governments is what these government CERTs are there for.

Public Disclosure
By Andrew Fraser
Posted Sunday 2nd September 2007 12:41 GMT
Whilst I accept that he may not feel it sufficiently rewarding to run up a phone bill calling each of the embassies, he could have simply emailed them all to say A) You have a security exploit, and B) This is your password: 1234, to prove it. I think that would have been more helpful than what he has chosen to do.

enforcing good passwords can make them worse
By Anonymous Coward
Posted Sunday 2nd September 2007 12:49 GMT
I work for a government agency with strict rules for enforcing "good" passwords: at least 8 chars; must have a mix of upper and lower letters and digits; must change monthly; cannot reuse an old one for a year. Does that lead to good passwords? I suspect at least 80% of the office is using a variant on August2007 or Sept2007 as their current password. How else can you think up yet another one that you will remember on a Monday morning?
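The rules in the comment above (at least 8 characters, mixed case and digits, monthly rotation, no reuse for a year) are composition rules, and a password like August2007 satisfies every one of them. As an added example that is not from the comment or from the article, here is a checker that applies those composition rules and then, separately, flags month-plus-year patterns and trivial rotations of the previous password (same letters, only digits or punctuation changed), which is the class of password the commenter expects the policy to produce. The function names and the sample passwords are constructed for the illustration.

```python
"""Composition rules versus predictable patterns in a password policy.

Added example, not from the comment thread or the original article.
"""
import re

# Composition rules as stated in the comment: >= 8 chars, upper, lower, digit.
MIN_LENGTH = 8

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def meets_composition_rules(pw):
    """The mechanical policy check that August2007 passes."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def looks_like_month_year(pw):
    """True for a month name, or a prefix of one of at least three letters
    ("Sept", "Aug"), followed by a two- or four-digit year and at most one
    trailing punctuation character: August2007, Sept2007, Aug07!"""
    m = re.match(r"^([a-z]+)(\d{2}|\d{4})[^a-z0-9]?$", pw, re.I)
    if not m:
        return False
    word = m.group(1).lower()
    return len(word) >= 3 and any(month.startswith(word) for month in MONTHS)


def _stem(pw):
    # Letters only, lower-cased: "Password2" -> "password".
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_rotation(previous, candidate):
    """True when the new password keeps the old letters and only changes
    digits or punctuation, the usual way to satisfy a monthly change."""
    if previous is None:
        return False
    stem = _stem(candidate)
    return stem != "" and stem == _stem(previous)


def evaluate(candidate, previous=None):
    """Apply the composition rules, then the pattern checks; return a verdict."""
    reasons = []
    if not meets_composition_rules(candidate):
        reasons.append("fails composition rules")
    if looks_like_month_year(candidate):
        reasons.append("month-plus-year pattern")
    if is_trivial_rotation(previous, candidate):
        reasons.append("trivial rotation of previous password")
    return {"composition_ok": meets_composition_rules(candidate),
            "accept": not reasons,
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the first two pass the policy but are predictable.
    for previous, candidate in [(None, "August2007"),
                                ("August2007", "Sept2007"),
                                ("Password1", "Password2"),
                                (None, "Vulture9Central")]:
        print(candidate, evaluate(candidate, previous))
```

The point the check makes concrete: August2007 and Sept2007 both come back with composition_ok set, so the policy as written accepts them, and only the pattern checks reject them. Any policy that enforces rotation without something like the second layer is selecting for exactly the passwords the commenter describes.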

to be honest, I'm surprised...
By Anonymous Coward
Posted Sunday 2nd September 2007 17:51 GMT
that embassy staff, being the vetted 'investments' that they are, and being part of such a sensitive day-to-day business, are using passwords at all. Surely a hardware verified system would be better? I'm no security tech but really: they use *passwords*? Nothing like realising you give people too much credit for being posted in important jobs. I've just realised I kind of think of diplomats as clever... my bad.

Title
By JimC
Posted Sunday 2nd September 2007 19:49 GMT
> he could have simply emailed them all to say
> A) You have a security exploit, and B) This is your password : 1234
But that wouldn't have enabled him to wave his willy publicly and say gosh what a clever boy I am...

A horde of exploits to follow?
By Anonymous Coward
Posted Monday 3rd September 2007 01:00 GMT
It may just be coincidental but if you access the web site of the Hong Kong Liberal party and guess a likely name for their web mail server - such as https://mail.liberal.org.hk/webmail/ - then you are presented with a Horde login. The HK liberal party is listed as a site that has been exploited by the unreleased script. Horde has a reputation for being exploited. Is this just a simple script attack against Horde?
Jeremy

Indian government IT security
By Anonymous Coward
Posted Monday 3rd September 2007 07:45 GMT
Hardly a surprise that some part of the Indian government uses '1234' as a password. A couple of years ago the state owned ISP, sancharnet, had an email broadcast alias of "allusers" that allowed anyone, connected to their network or not, to send spam to their 10 million or so users.

Re: Spaceballs anyone?
By Anonymous Coward
Posted Monday 3rd September 2007 08:09 GMT
that's 12345 :)

Strong passwords
By Aitor
Posted Monday 3rd September 2007 08:22 GMT
Some years ago I worked as an administrator in a Spanish bank. We had to change our passwords each week, have a different password for each system (!!), and when accessing hosts as superuser, the password had to be changed at logout. All passwords were software scanned so you just could not reuse more than 50% of the letters, and they could not contain any English, Spanish, French, German or Italian word... We also had to connect through secure channels, and the datacenter was itself physically secure: strong steel doors, radio insulation, huge UPS, cameras all over the building, secure access cards with different access levels... Solution: most of us had our password written on a paper near the computer... or on an Excel spreadsheet, text file.... I preferred to have them on a notebook, just in case I had to use a terminal in the datacenter... As you could not take data from our PCs (no CD, no USB device..), we just plugged our devices into the servers instead.. as we were the administrators... so we ended up mounting USB devices on Unix servers because of "security".

Many people seem to be missing the point
By Anonymous Coward
Posted Monday 3rd September 2007 09:29 GMT
It's not the lame passwords that are the problem, it's the yawning security lapse that makes them accessible that's the problem. Issuing newer, stricter rules for email logins isn't going to help. 'Islomobod y7j2l3b8h1' is just as useful, when available in plain text, as 'twk@dphk.org password'. Also, who is this 'security consultant' we hear about? The story appears to be about some guy who posts stuff under the name 'DEranged'. If he was a 'security consultant' his actions would be unsupportable (mind you, if he was a paid 'security consultant', he'd probably just tell everyone to use stricter passwords and charge ten grand for the service). Since he's just some 'young guy sitting in his apartment, nothing more', however, I think he's been quite restrained: being given the email address of the clerk of stationery at Ulan Bataar is not nearly as dangerous as having the means of obtaining it (which clearly still exists).

Complex passwords simply don't work
By Jonathan Samuels
Posted Monday 3rd September 2007 10:09 GMT
The more complex a password, the more likely someone will just write it down. Networks are actually more secure with less complex passwords, though 1234 or password is maybe a little too simple.

He should have emailed them their passwords?
By Geoff Mackenzie
Posted Monday 3rd September 2007 10:41 GMT
Why not just write them on a postcard? Although I suppose transmitting them in clear text over the internet to a specific recipient would still have been better than actually *publishing* them... No, I think it's fair to tell people they have a problem but if they don't listen it's still not appropriate to make that problem significantly worse for them. Oh, and re: the anonymous "It's Microsoft of course!" poster above: can't have been, he said it was 'security' software. MS can barely spell security. :)

Title
By conan
Posted Monday 3rd September 2007 12:33 GMT
Fair shout to him, I say. It may seem irresponsible for him to have published the passwords, but clearly the people responsible for these systems are incompetent; they've been told not to expose this vulnerability, and they still do. These are government agencies; their security failures could have serious consequences for ordinary folk. They don't listen to warnings, so better that this guy publishes the passwords now, it causes a big stink and maybe things get better, than just waiting for a malicious user to exploit the vulnerability; they won't be letting the world know via news sites such as the Register that there's been a security breach. The diplomats can take steps to minimise the damage that may be caused by people using these passwords, which is a much smaller risk than ignoring the vulnerability itself. It's calling the kind of action taken by this security guy things like "irresponsible" that ensures nobody bothers to do anything about these kinds of security risk.

Derangedsecurity.com is now down
By Anonymous Coward
Posted Wednesday 5th September 2007 11:28 GMT
Surprise, surprise.

Deranged Security site down.. and up again.. courtesy of the US of A?
By Anonymous Coward
Posted Thursday 6th September 2007 14:43 GMT
DEranged Security 6 September 2007
Where did we go?
Our site got shut down and we stood there not knowing why, couldn't get any information from anyone. You aren't going to like the answer we just dug up.
* American law enforcement officials requested DEranged Security to be taken down *
Woho, we pissed the US off! But hey, why? Millions of people have already read the story and tens of thousands have those passwords. Monsters don't go away when you close your eyes. Security by obscurity in its finest hour, starring the US law enforcement!