Tuesday, September 11, 2007

Observations on Dan Egerstad, and Some Really Funny Passwords

As InfoWorld noted:

Dan Egerstad, a 21-year-old security researcher, revealed on Monday he was able to capture the information by setting up his own node in a peer-to-peer network used by the embassies to make their Internet traffic anonymous.

The embassies relied on a volunteer network of servers using software called Tor (The Onion Router) to hide their Internet traffic and make it anonymous....

But although traffic between nodes in a Tor network is encrypted by default, traffic entering and exiting the system is not, so anyone wanting to hide not only who they are communicating with, but what they are saying, must apply an extra layer of encryption themselves. Embassies and companies neglected to do this, which left their information open for Egerstad to collect....

Using specially designed software to search that traffic for keywords, Egerstad was soon collecting usernames, passwords, and e-mail sent by embassies around the world, as well as large companies.

Late last month, Egerstad published the usernames and passwords for around 100 embassies.

And that's when the blogosphere decided that Egerstad was evil. Here's what a Trend Micro blog had to say:

While Egerstad’s motive for posting such information is commendable — what with malware and hackers targeting government sites and agencies nowadays — its method or avenue of “informing” these vulnerable embassies is somewhat questionable. Who knows how many hackers are now exploiting the details as of this writing? For a lack of better imagery, isn’t his method reminiscent of a spyware keylogger that uploads stolen information on a server?

Granted, Egerstad claims that he’s “probably not the first one grabbing these passwords”, but if he, as he claims, was the first one to publish them, how many more will be able to access it given that some of the said credentials are still available?

However, you can bet that every company and every consultant that decries Egerstad's techniques is going to make a ton of money off his exploits. I can see it now:


For only $299, John A. Smith will provide you with an in-depth security seminar to make sure that your company is protected from malicious hackers. In the second hour of the seminar, noted security expert John A. Smith will explain in detail how Dan Egerstad obtained passwords to embassies and major corporations! And if you pay Smith $299, he'll also tell you that what Egerstad did was wrong. Very wrong.

Well, time for me to cash in - wait, this is a free blog. Whoops. Let's look at some funny passwords. If you really want to see the names of the accounts to which these passwords belong (or belonged - let's hope that they've since been changed), go here.

OK, here are nine passwords that you really, really don't want to use:

(note: this password was NOT used at a Hungarian embassy)
(for an embassy in Ghana)
kenya (guess where this embassy was located?)
(ooh, that one's tricky)
