
Convicted VoIP Hacker Robert Moore Speaks

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. 'It's so easy a caveman can do it,' Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"
  • Well (Score:5, Insightful)

    by El Lobo ( 994537 ) on Wednesday September 26, 2007 @06:42PM (#20761577)
    Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And, no, don't try to educate the masses. I have tried as an administrator of a large network. They never learn. Or they learn and the next day, they change their password to "qwerty" back again.
  • by sam.thorogood ( 979334 ) on Wednesday September 26, 2007 @06:51PM (#20761667)
    This moves the burden to the hardware manufacturer. What if this was the case, and network administrators (even good ones) the world over immediately assumed that everything they purchased out of the box was secure - right before a provider had a disgruntled employee upload the default password list for thousands/millions of routers to the internets? ... although that is just the FUD part of my brain talking. I actually like this idea.
  • by chill ( 34294 ) on Wednesday September 26, 2007 @06:54PM (#20761709) Journal
    They must run a test suite before shipping them...

    No, they mustn't. Frequently, if your production QA is good you don't do 100% testing before shipping. Random sampling is usually good enough and significantly cheaper. I can't speak to any specific router manufacturer, but this is SOP in manufacturing.
  • by Anonymous Coward on Wednesday September 26, 2007 @06:59PM (#20761745)
    this guy should be congratulated for uncovering such slack security.



    imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

  • by SplatMan_DK ( 1035528 ) * on Wednesday September 26, 2007 @07:09PM (#20761841) Homepage Journal
    Mjeah.

    So easy a caveman could do it.

    But apparently not so easy a caveman could avoid getting caught?

    What ever happened to the supercool hacking-thang called "not getting caught"?

    - Jesper
  • Re:Well (Score:5, Insightful)

    by Timmmm ( 636430 ) on Wednesday September 26, 2007 @07:12PM (#20761861)
    It *is* a problem with the software. The software is designed for use by *people*. People who may not remember to change the default password.

    Easy solution - disable the product until the password is changed and intercept http connections so you can give people a helpful page saying "The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

    I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.
  • Re:Well (Score:4, Insightful)

    by nuzak ( 959558 ) on Wednesday September 26, 2007 @08:04PM (#20762259) Journal
    It won't feel like you're shoving policy down their throats if you don't have a default password at all, but make it so that it won't function until you complete the setup, which involves setting a password.

    Considering that you get folks like SAC who set the PAL codes for all their nukes to 00000, yeah there will always be people that bypass it. But at least it won't be because nobody touched it at all -- someone had to run the setup. And when users get cranky and bypass it, then it's now 100% their problem. Especially when the SOX auditors come knocking.

  • by Ungrounded Lightning ( 62228 ) on Wednesday September 26, 2007 @08:06PM (#20762291) Journal
    this guy should be congratulated for uncovering such slack security.

    If he told the owner about the insecurity and didn't exploit it himself, yes.

    imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

    Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.

    Wait... That's what he did, isn't it?

    No, he should not be congratulated. He should be convicted and punished as the thief he is.

    Wait... That's what happened, isn't it?

    Isn't it nice
  • liability? (Score:2, Insightful)

    by jShort ( 1140435 ) on Wednesday September 26, 2007 @08:12PM (#20762315)
    I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned individuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but apparently only because their IT people were not to be bothered by securing the companies' data. It seems silly to spend time and money going after the hacker, and then letting all the guys who actually compromised the data off the hook.
  • by Anonymous Coward on Wednesday September 26, 2007 @10:26PM (#20763197)
    None. Imagine you have 80,000 switches, routers and other network devices. Some are 15 years old. Some are older and don't allow the password to be changed at all. You have hundreds of network admin folks spread all over the world.

    Now imagine that you want to change the passwords. You can't bring the network down or impact any current work. Networks of this size are constantly being modified. New devices added, routes being updated/refreshed. Redundancy deployed or a failure causing it to be exercised.

    AND you are a business - the people making decisions don't know anything about security - the only question is "what will all this work do to make more money?" Nothing? Then don't do it.

    Tracking 80,000 passwords isn't easy. During emergencies - your phone won't ring - your mother with a pacemaker needs 911, not having access to the password in a switch that needs to be reconfigured manually isn't a good excuse.

    Ok, 1 of those hundreds of people leaves the company. Do you change all the passwords ... again? Next week or the week after, someone else leaves/retires. Change again? Routers don't have per user accounts, do they?

    I've never seen a switch or router guy that wasn't overworked. Just like security folks.

    Anyway, just a few thoughts. It is never as simple as it seems.

    BTW, I worked at the big telecom company that wasn't hacked. I've since moved to a different telecom that is constantly being hacked and in the news for it. Until a few months ago, they had laughable security standards that seemed left over from 1990 to me and a flat network. Simply stupid, but being secure is a huge undertaking that isn't just network security, as you know. Only security failures get Executive attention, sadly.
  • Re:Well (Score:2, Insightful)

    by freedom_surfer ( 203272 ) on Wednesday September 26, 2007 @11:37PM (#20763709) Homepage
    Of course you can't stop people from being stupid, but you can design around their stupidity. Why have a password at all if it's default? Better to have no password and block remote access until one is set, which is basically what mysql had to do for similar reasons. What is funny is this is just a new version of old school. Anyone else remember war dialing?

    "Those who cannot learn from history are doomed to repeat it."

    Here's my analogy. What if every lock manufacturer sold you house locks with the same key and left it up to the buyer to have it rekeyed after purchase...
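
The setup gate proposed in the comments by Timmmm, nuzak and freedom_surfer above, as an added Python sketch that is not part of any comment or of any vendor's firmware. The `Device` class, its paths, the deny-list and the minimum length are all hypothetical.

```python
import hashlib
import hmac
import os

# Constructed deny-list: the defaults quoted in the story plus two from the thread.
KNOWN_DEFAULTS = {"admin", "cisco0", "password", "qwerty"}
MIN_LENGTH = 10  # assumed policy value for this sketch


class Device:
    """Hypothetical management plane that ships with no credential at all."""

    def __init__(self):
        self.salt = None
        self.pw_hash = None  # None means setup has never been completed

    def _kdf(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 200_000)

    def complete_setup(self, new_pw, local):
        if self.pw_hash is not None:
            return "denied: already provisioned"
        if not local:  # an unconfigured box must not be claimable from outside
            return "denied: initial setup must be local"
        if len(new_pw) < MIN_LENGTH or new_pw.lower() in KNOWN_DEFAULTS:
            return "rejected: weak or default password"
        self.salt = os.urandom(16)
        self.pw_hash = self._kdf(new_pw)
        return "ok"

    def check_password(self, pw):
        if self.pw_hash is None or pw is None:
            return False
        return hmac.compare_digest(self._kdf(pw), self.pw_hash)

    def handle(self, path, remote, password=None):
        """Return (status, body) for an HTTP request reaching the device."""
        if self.pw_hash is None:
            if remote:
                return (403, "remote access disabled until setup completes")
            # Local traffic is intercepted and steered to the setup page.
            return (200, "setup page") if path == "/setup" else (302, "/setup")
        if path.startswith("/admin"):
            ok = self.check_password(password)
            return (200, "admin") if ok else (401, "login required")
        return (200, "forwarded")
```

Because there is no factory credential, a scan that tries "admin" or "Cisco0" meets either a closed remote interface or a password the owner had to choose.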
  • Re:Here's one I do (Score:3, Insightful)

    by David_W ( 35680 ) on Thursday September 27, 2007 @08:41AM (#20767005)

    I hope none of them intentionally wanted their router set that way.

    I should hope if they are knowledgeable enough to want their router configured that way they would also know to change the password from the default.

  • Re:Well (Score:3, Insightful)

    by BVis ( 267028 ) on Thursday September 27, 2007 @10:18AM (#20768227)
    So we fix the users. I'm really sick of the prevailing attitude that "you're not going to change the users, so we have to accept this." Bullshit. In a civilized society, there must be consequences for stupidity.

    Users must be protected from themselves for the good of the whole. We don't allow people to drive 100MPH on the highway. We don't allow people to shout 'fire' in a crowded theater. What are people going to do, not use their computers? We're way past that point. The PC has become as important to our current way of life as indoor plumbing. We wouldn't tolerate the attitude of "Stupid toilet! Why do I have to flush it?"

    Maybe what we should do is create an anonymous forum for blowing the whistle on people who refuse to take security seriously, with an emphasis on this behavior on the part of officers of publicly traded companies. I bet the stockholders would want to know if the CEO's password is 'password'.
