Convicted VoIP Hacker Robert Moore Speaks 183
An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"
Random passwords (Score:4, Interesting)
- They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
- You would have to print it on the router, or on a slip of paper
- If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.
Even if you don't implement that last bullet, it still seems like it would help a lot.
Re:Random passwords (Score:2, Interesting)
Re:Random passwords (Score:3, Interesting)
Every device with an Ethernet interface has a 48-bit unique identifier built in. All such devices, in my experience, also have a sticker that displays their Ethernet address. Would it be so difficult to include, at manufacturing time, a small ROM that contained an initial password, unique to each device, and also displayed on a sticker? The additional cost of such a feature needs to be weighed against the additional security provided, but I think in some markets it would be a definite win.
The manufacturer need not keep a list of which passwords went with which device, only a list of the passwords already issued to ensure the new ones were unique. If uniqueness is not an absolute requirement, only keep the last thousand passwords, and use a good random number generator.
Re:So easy a caveman could do it (Score:1, Interesting)
Oh like that'll get you a book deal and job in the computer security field.
If you don't get caught you'll never even merit an article on
Re:Here's one I do (Score:5, Interesting)
I think I had 5 routers in my neighborhood on channel 6, with default passwords.
I logged on into each and switched them to different channels.
Re:Well (Score:3, Interesting)
Are you sure it's the user?
So, let me ask you this - why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something? Such a trivial thing to do, yet it would do so, so much for improving security, and would have a trivial effect on usability.
Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't routers?
why? (Score:2, Interesting)
about the weak link [the users] (Score:2, Interesting)
i used to work as a cybercafe admin in a hotel [ClubMed(R)] and someday, when i was messing with the routers telnet interface, i decided to do a quick check on the pdf manual i had about it and look for the default password,i input the default username and password and bam, got in.... all free for me to change, as it was a leased line, i could give real internet ips to inside machines by just specifying ip+mac, could reflash the whole thing, could destroy it... instead... i've prepared a paper describing the security risks of leaving the main hotel's router [the one that serves both the guests internet access and the company private data system] using the default password, documented everything with screenshots and whatnot, and put it on my boss's desk.
guess the result!?
even trying to explain/teach/advise him about the risks , saying that he should call the leased line company and complain about them putting an unsecured device in his network, the retard fired me for 'hacking attempt' and said that i shouldn't be 'trying to sneak in places where i shouldn't' (damn, i just found a BIG flaw and got bashed for finding it!).
2 days later : the fscker changed the password.
when i think of it, i regret not arriving at home at that day and reflashing the modem's firmware with zeroes or something and hitting reboot. that would be total chaos and give them a nice big lesson
Go tell... (Score:1, Interesting)
The other option, the proper procedure, was to sent an email to the bureaucrat boss of sysadmins. He then would send order to an admin to temporally change the password for the machine you needed and give you that password. Then when you finished he would change the password again. The problem was the sucker usually just ignore your requests, or take weeks to give you access. So if we wanted to end our job in time, we had no choice.
In 1% the rare cases that the password was different, we just directly phone one of the admins bypassing his boss, and ask him the password
So users are not always the problem. Stupid policies are also to blame.