Security News

Convicted VoIP Hacker Robert Moore Speaks

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. 'It's so easy a caveman can do it,' Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"
  • Re:Well (Score:4, Informative)

    by Joe The Dragon ( 967727 ) on Wednesday September 26, 2007 @06:48PM (#20761641)
    In XP, the default blank password does not let you do remote logins, so it sometimes gives you more security.
  • by rgaginol ( 950787 ) on Wednesday September 26, 2007 @08:01PM (#20762241)
    Having these flaws present in a secure system, even for small companies, is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.

    The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping, calls me up and asks, "How do I install a Cisco router?"

    There are books out there like "The Practice of System and Network Administration"; they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.
  • by kilodelta ( 843627 ) on Wednesday September 26, 2007 @11:39PM (#20763715) Homepage
    When you set up any new networking gear, what is the very first thing you do? I can tell you what mine is: I change usernames and passwords. I even use strong passwords just in case.

    Nice to know telecom companies don't have a clue.
  • by ery_pk076180_uni10 ( 1162243 ) on Thursday September 27, 2007 @04:22AM (#20765327)
    To all the computer users all around the world who are still using the "weak" password, here are some tips from my computer security lecturer, Mr. Uwe Heinz Rudi Dippel:

    "Make it a combination of capital letters, small letters, numbers and special characters, but PLEASE remember it! Or I'll fine you $5!!"

    Here you can find some tips on how to create a strong password: http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html
