This Week In Cybercrime: Big Brother Gets Hacked?

—On 4 September, the New York Times reported that members of a hacking group known as AntiSec posted information online that it says is evidence that the government regularly uses cellular handsets as tracking devices. The file AntiSec uploaded contains a million unique device identifiers (UDIDs) for Apple iPhone, iPad, and iPod Touch devices, plus phone numbers and other personal data on the owners of these devices. AntiSec, a joining of forces between the hacker collectives known as Anonymous and LulzSec, says it obtained the information—which it claims is but a small sample of the 12 million UDIDs it has in its possession—by hacking into the computer of an FBI agent who is a member of the bureau’s Cyber Action Team.

The FBI quickly responded with a statement saying that “At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data”—which is an extremely artful way of avoiding making an admission or denial. Apple immediately chimed in with a denial that it has been helping the government spy on its customers. Security experts said that the released information wouldn’t necessarily put the Apple customers at risk. But according to the Times article, a security researcher from New Zealand showed last year that the 40-character UDIDs, in combination with other data, could be used to discover the device owners’ user names, e-mail, addresses, and Facebook profiles, and to track their locations. Still, despite the FBI’s and Apple’s protestations that they haven’t the foggiest notion of how this could have happened, the data has been shown to be legitimate. 

—Feeling confident that your laptop secured by a fingerprint reader will discourage thieves from taking your machine—or at least keep them from gaining access to sensitive data? Ars Technica reported on 4 September that Elcomsoft, a Russian developer of password-cracking software, has pinpointed a weakness in fingerprint reading software used by Dell, Sony, IBM/Lenovo, and 13 other computer makers. It turns out that the software in question, UPEK Protector Suite, makes computers less secure than if they didn’t require a finger swipe. When the software is activated, it automatically writes Windows account passwords to a registry and encrypts them with a relatively weak key. According to an advisory issued by Elcomsoft, a hacker with physical access to a laptop running the UPEK software could acquire passwords to all user accounts on a machine in a matter of minutes. By contrast, a machine not running the fingerprint-reading software leaves hackers with access only to one-way password hashes; if they’re based on a strong password, brute force cracking could take years.

—Ars Technica reports that the U.S. Department of Homeland Security has issued a notice to power utilities, railroad companies, and other large industrial firms there, warning them of a feature/flaw in a widely used line of mission-critical network routers. The GarrettCom routers, hardened against dust and extremes in temperature and moisture, each contain a so-called “factory account” with a default password; anyone able to figure out the password would have greatly enhanced access and control privileges. DHS is concerned that even a user authenticated as “guest”—in a worst-case scenario, a terrorist or a disgruntled former employee—could have the power to sabotage a power plant or a rail system. The vulnerability was discovered by Justin W. Clarke, a self-schooled expert in industrial control system security. Clarke, who told Ars Technica that he bought one of the routers on eBay for US $12 and noticed the undocumented account during his analysis of the way the router works, found the same type of account with a default password in switches made by GarrettCom rival RuggedCom. A cursory search turned up nine such devices connected to the Internet with U.S.-based IP addresses.