Making a mockery of the current heightened security scenario across the globe in the post 911 era, Dan Egerstad , a Swedish hacker, recently posted a list with working passwords to 100 email accounts to Embassies and Governments around the world. The list included passwords to email ids of high-ranking executives from the National Defence Academy, the Defence Research & Development Organisation and Indian embassies in eight countries.

Other accounts compromised include those of the embassies of Uzbekistan, Iran, Afghanistan, Pakistan, Japan, China, UK, Russia, the Office of Dalai Lama and various other governmental agencies from around the globe. “The list uploaded is only a fraction of the information that I stumbled upon,” claims Egerstad.

Many enthusiasts have sent mails to check the validity of the posted list to the official email addresses of the Indian ambassadors to Oman and Italy. Using the passwords posted online, they were able to access the mail and send a reply. The email account of the Embassy of India, Rome-Consular wing, contained personal details of numerous Indian citizens, including passport numbers and also contained personal bank account details of the ambassador.

Similar sensitive data was present in the other accounts compromised. Egerstad maintains, “I did not exploit any particular vulnerability, but on the contrary stumbled upon someone who, not knowing how to use an email client properly, had screwed up. Discovering this error I decided to search for more people who had made the same mistake and thus staggered into a minefield.”

“Governments do not realise how serious a security breach this is!” exclaimed Egerstad, who feels that although publicly revealing this sensitive information may not have been appropriate, this was the optimum way to draw attention to the acute lack of security of sensitive data.

He also suggested that it might not be a lack of security infrastructure that is the problem, but the disappointing level of security awareness amongst government employees. Amuleek Bijral, country head, RSA concurs, “This is a people-process failure above anything else and it is imperative for India to ensure that its online information infrastructure and the information that resides in the governments IT setup is totally secure.”

More disturbing than the disclosure is the fact that two days after this incident, more than 20% of the passwords on the list still function, Indian embassies in Italy and Oman included. “This is exactly what I was attempting to demonstrate,” said Egerstad, “This alarming lack of response is the norm rather than an exception. We need to beef up security and incident response times across the globe.”