Convicted VoIP Hacker Robert Moore Speaks

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. 'It's so easy a caveman can do it,' Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"


  • by camperdave ( 969942 ) on Wednesday September 26, 2007 @06:38PM (#20761525) Journal
    It's so easy a caveman can do it

    So, not only do cavemen work in video production, they do network admin?
  • by Stormwatch ( 703920 ) <`moc.liamtoh' `ta' `oarigogirdor'> on Wednesday September 26, 2007 @06:41PM (#20761565) Homepage
    "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"
  • Well (Score:5, Insightful)

    by El Lobo ( 994537 ) on Wednesday September 26, 2007 @06:42PM (#20761577)
    Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And, no, don't try to educate the masses. I have tried as an administrator of a large network. They never learn. Or they learn and the next day, they change their password back to "qwerty" again.
    • Re:Well (Score:4, Informative)

      by Joe The Dragon ( 967727 ) on Wednesday September 26, 2007 @06:48PM (#20761641)
      In XP the default blank password does not let you do remote logins, so it sometimes gives you more security.
    • Re:Well (Score:5, Insightful)

      by Timmmm ( 636430 ) on Wednesday September 26, 2007 @07:12PM (#20761861)
      It *is* a problem with the software. The software is designed for use by *people*. People who may not remember to change the default password.

      Easy solution - disable the product until the password is changed and intercept http connections so you can give people a helpful page saying "The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

      I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.
      • ***I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.***

        I suppose that you probably don't. So let me help you out. The first problem you are going to encounter is that something like 15-20% of the customers are going to take an utterly irrational "It's MY router. How about you clowns let ME determine how to configure it?" attitude. The second is that quite possibly a small percentage of them will actually need to run with default passwords. You can't imagine why.

        • Re:Well (Score:4, Insightful)

          by nuzak ( 959558 ) on Wednesday September 26, 2007 @08:04PM (#20762259) Journal
          It won't feel like you're shoving policy down their throats if you don't have a default password at all, but make it so that it won't function until you complete the setup, which involves setting a password.

          Considering that you get folks like SAC who set the PAL codes for all their nukes to 00000, yeah there will always be people that bypass it. But at least it won't be because nobody touched it at all -- someone had to run the setup. And when users get cranky and bypass it, then it's now 100% their problem. Especially when the SOX auditors come knocking.

          • Well, to be fair it wasn't as if the permissive-action links were set to zero because that was the manufacturer's default that nobody bothered to change ... they were all deliberately set to the same code (so the story goes) to improve response time during a conflict. Also, unlike Joe Neighbor's WAP, they had other safeguards.

            Plus which I get a sense that the military didn't really trust the things anyway.

            The problem with consumer-level equipment is that vendors are terrified that good ol' Joe User
          • I've definitely seen people whose opinion on passwords is, "Hey, it's my equipment, why should I ever have to enter a password?"
          • The Payment Card Industry (PCI) standards require you to change default passwords in the part of your network that handles credit card data.
          • ***Considering that you get folks like SAC who set the PAL codes for all their nukes to 00000***

            Got a reference on that? The only relevant things I can find on Google are your post and an article in German that credits the story to USA Today which is not my idea of a really reliable news source. Searching the USA Today archives for "pal code" and "pal codes" gets no relevant hits.

            I am pretty skeptical that actually happened with a live, deployed nuclear weapon. The reason is that before a nuclear sys

      • by dgatwood ( 11270 )

        Presumably these devices don't route packets, handle VoIP calls, etc. until you've at least put in basic network settings anyway. Seems like all you really need to do is make the device ask you to set an initial password as the very first step in the setup process.... It isn't rocket science. It's like when you get a UNIX account on some university box. They set an initial password based on your student ID/name/whatever. and the very first thing is a prompt that requires you to set a real password....

        • IME scanning local subnets around me (hey, I get bored) the only routers I have never seen using the default password are Belkins, presumably because one of the first requirements in the 'setup' software (IIRC) is to set the admin password.
    • by grumbel ( 592662 )
      No matter how much you educate, the user is the one piece in the equation that you can't 'fix', at least not on a large scale, which is why software and hardware *must be* designed in such a way that it works in a secure way even with a 'broken' user. The default password thing is easily fixed: don't set the same default one for each device, instead use a random one or none at all if possible (i.e. disable remote login). You don't want users to use 'qwerty' password, so use a function to check that the user
    • Re: (Score:3, Interesting)

      by mcrbids ( 148650 )
      The weakest link is often the user: leaving the default password of a router,

      Are you sure it's the user?

      So, let me ask you this - why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something? Such a trivial thing to do, yet it would do so, so much for improving security, and would have a trivial effect on usability.

      Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't route
      • "Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't routers?"

        I've seen bike locks where the default is the same for all new, same model locks and I'm not sure I've ever seen a briefcase where the default wasn't 000 000. I think many people never change their briefcase combination but everyone changes their bike lock combination if it is a default of 0000 or 1234. I'd say the difference is that a briefcase is rarely left unattended or l
        • If the average TSA employee can't open your briefcase lock with a paper clip, they'll destroy it and leave you a condescending brochure.
    • Re: (Score:2, Insightful)

      Of course you can't stop people from being stupid, but you can design around their stupidity. Why have a password at all if it's default? Better to have no password and block remote access until one is set, which is basically what mysql had to do for similar reasons. What is funny is this is just a new version of old school. Anyone else remember war dialing?

      "Those who cannot learn from history are doomed to repeat it."

      Here's my analogy. What if every lock manufacturer sold you house locks with the same
  • by User 956 ( 568564 ) on Wednesday September 26, 2007 @06:42PM (#20761581) Homepage
    Convicted hacker Robert Moore, who will report to federal prison this week

    Apparently Moore's law isn't quite up to snuff.
  • Random passwords (Score:4, Interesting)

    by MobyDisk ( 75490 ) on Wednesday September 26, 2007 @06:47PM (#20761623) Homepage
    It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
    - They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
    - You would have to print it on the router, or on a slip of paper
    - If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.

    Even if you don't implement that last bullet, it still seems like it would help a lot.
    • Re: (Score:3, Insightful)

      This moves the burden to the hardware manufacturer. What if this was the case, and network administrators (even good ones) the world over immediately assumed that everything they purchased out of the box was secure - right before a provider had a disgruntled employee upload the default password list for thousands/millions of routers to the internets? ... although that is just the FUD part of my brain talking. I actually like this idea.
      • by grumbel ( 592662 )
        If you argue that way you can never feel safe, since who says that there isn't a hidden backdoor in your otherwise secured router?
    • Re: (Score:3, Insightful)

      by chill ( 34294 )
      They must run a test suite before shipping them...

      No, they mustn't. Frequently, if your production QA is good you don't do 100% testing before shipping. Random sampling is usually good enough and significantly cheaper. I can't speak to any specific router manufacturer, but this is SOP in manufacturing.
      • Re: (Score:3, Interesting)

        by John_Sauter ( 595980 )

        Every device with an Ethernet interface has a 48-bit unique identifier built in. All such devices, in my experience, also have a sticker that displays their Ethernet address. Would it be so difficult to include, at manufacturing time, a small ROM that contained an initial password, unique to each device, and also displayed on a sticker? The additional cost of such a feature needs to be weighed against the additional security provided, but I think in some markets it would be a definite win.

        The manufactu

        • by chill ( 34294 )
          Keep in mind, the first half of that 48-bits isn't unique, it identifies the vendor. And they really aren't globally unique, but I'm not sure they have to be.

          Either way, this is going about it the long way. The simple solution is to make it so you have to change the default password the first time you config the device. Feel free to leave it "admin" from the factory, as long as it can't be "admin" after it gets configured.
        • Technically what you'd do is ship it with no password and have the behavior for handling a null password be generate one based on the MAC address, saving you from having to modify every single ROM you make.

          Then just need to use the same formula to generate the stickers, which might be a bit harder.

          I'd rather just see them take the approach common wireless routers use-- Hold a button down to auth your device to it. Make this the only way to login initially or reset the pass.

          • Technically what you'd do is ship it with no password and have the behavior for handling a null password be generate one based on the MAC address, saving you from having to modify every single ROM you make.

            The problem with using the MAC address to generate the default password is that it is easy to determine the MAC address from the outside, and therefore the default password.

    • Re: (Score:2, Interesting)

      by steelshadow ( 586869 )
      I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.
      • by Solra Bizna ( 716281 ) on Wednesday September 26, 2007 @07:16PM (#20761897) Homepage Journal

        I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

        That's actually not so bad. In order to get on the wireless network to use the admin password in the first place, they would need to guess your SSID and WEP key. And everyone knows that's impossible, right?

        -:sigma.SB

        • Pretty sure any quality wireless router won't actually let you do wireless administration of the device. I know the Linksys box I have sitting on my desk requires you do be physically plugged in if you want to do any administration.
          • Pretty sure any quality wireless router won't actually let you do wireless administration of the device. I know the Linksys box I have sitting on my desk requires you do be physically plugged in if you want to do any administration.
            that's usually a flag you can set. my router (linksys) is setup so that you can do wireless administration of the device.
          • Pretty sure any quality wireless router won't actually let you do wireless administration of the device.

            It is an option, but it is turned off by default. I actually turned it on for my WRT54G (running Thibor) so that I could access the admin pages from my laptop. However, since I am also using AES [wikipedia.org], HTTPS, MAC whitelist filtering, and strong (not default) admin password the extra risk is very minimal.
            • I used to think that MAC whitelisting was a useful contribution, from a security viewpoint, except that I think that MACs can be sniffed using netstumbler or the like, so it wouldn't be too difficult to short-list the MAC addresses that connect to your router. MAC address spoofing isn't impossible either.

              That leaves you with your WPA-PSK (presumably) and AES encryption as your security measures. Not that these are insignificant hurdles though.
              • MAC address spoofing isn't impossible either.

                In fact it is quite possible, I do it on my laptop. One of the first things that I did when I configured my XP laptop was override the default MAC address on the wireless card to a different address (random) of my choosing to further enhance my security and privacy when I connect to public WiFi networks (in the unlikely event that somebody, for whatever reason, would attempt to trace back that MAC address to the laptop and wireless card manufacturer who issued
      • I can't believe they're still selling equipment that is not preconfigured to use WPA1/2 security.

        But maybe it's a peculiarity of the German DSL market that AVM (www.avm.de/en) is now the market leader. And they DO provide their Fritz!Box series with preconfigured, random WPA2 keys and an 802.11g USB dongle that syncs the key when it's plugged into the Fritz!Box USB port.

        Heck, I tried to find some "free" access in my mother's apartment. ALL her neighbours had some flavour of the Fritz!Box running, ALL were

    • On Cisco wireless access points, the radio is disabled by default until you've either set a WEP key, or manually enabled the radio with no key set. It's not a great leap to make "commodity" routers that don't route until they've been given a new password.
    • It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...

      Well they do it for $2 padlocks...
    • Simple solution for ALL hardware: Default password requires you to have a local connection, or anything besides changing the password cannot be done using the default password. Using EITHER of these rules solves the default password problem. Anything that connects to a network should have one of these rules as part of the firmware. After all, it is common knowledge that around 80% of all hardware devices that contain a default password will never have it changed. Get your hands on a manual for the devic
    • It would have to be imprinted upon the router in such a way that the password could not be easily rubbed off or otherwise made illegible. It would also add more cost than you might think to manufacturing of the router. It would probably be better to place a temporary sticker on the router with the default password printed on it and something along the lines of, "name of company strongly recommends that you change the admin password to something other than the default after configuring this router"
    • How difficult would it be to make the default something like the unit's serial number, then have the code require a change before even enabling network interfaces?
    • What about this: Upon first boot and after a reset, it won't open a connection to the outside world but instead lead you to a homepage on its internal server asking you to change the password. Shouldn't be too hard, and is still relatively user-friendly.
  • by Anonymous Coward
    Maybe not a lot, but more than most of the media's super-hyped so-called "hackers" ever do.

    A few years ago a major New Zealand ISP was "hacked" -- or so the media said. The biggest talkshow host of the time interviewed the alleged "h4x0r" live, and proclaimed him to be a "computer genius". We were all in deadly and imminent danger of being hacked by guys like him he said.

    The "hacker" in question was a 13 year old whose friend's older brother worked for the ISP. The older brother had stupidly given his staff
  • Ridiculous! (Score:3, Funny)

    by cromar ( 1103585 ) on Wednesday September 26, 2007 @06:50PM (#20761659)
    You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them...

    That's ridiculous. Everyone knows the most commonly used passwords are "love," "secret," and "sex." Oh and don't forget "God." It's that whole male ego thing.
    • Re: (Score:2, Funny)

      by wilymage ( 934907 )
      It's got a 28.8 bps modem!
      • Hey, be careful what you say, I might get offended, take time off from battling 'the plague' and then you would have to crash override!

        (see username)

        And yes, it is sad that I have watched that movie enough times to know the 'hackers' handles
        • Mess with the best, die like the rest!

          "Pool on the roof. Sprung a leak."

          "And yes, Mom, I'm still a virgin!"

          "Crash 'N Burn"

          eof.

  • by Anonymous Coward
    this guy should be congratulated for uncovering such slack security.



    imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

    • by Ungrounded Lightning ( 62228 ) on Wednesday September 26, 2007 @08:06PM (#20762291) Journal
      this guy should be congratulated for uncovering such slack security.

      If he told the owner about the insecurity and didn't exploit it himself, yes.

      imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

      Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.

      Wait... That's what he did, isn't it?

      No, he should not be congratulated. He should be convicted and punished as the thief he is.

      Wait... That's what happened, isn't it?

      Isn't it nice
    • ...doesn't mean it is OK to walk right in and check out what's in the fridge (unless of course it is your home). If the damage was minimal or nonexistent then the punishment should fit the crime of course, but it IS still illegal.

      On the other hand, why hasn't anyone thought of launching suit against the VOIP providers over the security breach? Tort law in the good ol' US of A is the most stringent in the world when it comes to "duty of care". Leaving passwords at factory defaults certainly could constitu
  • The problem in most of these cases is a user with little to no experience in network setup, and who also avoids reading directions, will almost always just "plug it in and go". Most routers that I've used come with a default password that is the same for all similar products that the company makes.

    Instead of having a default password, why not have pre-generated passwords that are decently strong that are already on the router when you get the device, and have a sticker on the router with that password. Th
    • Come on, most already have stickers for the MAC address.

      And the managers will say, "Yeah. We have the MAC address on there already. We can use that for the default password."
    • HP does this on their servers with ILO. The ILO password is a variation of the host name and random alphanumeric characters. Sadly, they don't do this with their procurve line of switches.
      • by AJWM ( 19027 )
        The ILO password is a variation of the host name and random alphanumeric characters.

        That's pretty hard considering the host name isn't assigned until the OS is installed. ;-) It's usually the host serial number plus some alphanumerics, but either way it's unique and is printed on a (removable) tag attached to the server.
    • Better yet: Why not have a unique default password that's printed on the device, or a function of a unique number that's printed on the device and NOT accessible from the network?

      That way the bad guy would need physical access to the particular box to read that label to get what he needs to construct the default password. (Since it's a default password the "view the label" hole could be instantly plugged just by changing it.)

      (Not from the MAC address, of course, nor the serial number if that's available i
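The two design proposals running through this thread, a first-use lockout that refuses the default credential on anything but a local port, and a per-unit initial password that is a keyed function of a number printed on the device rather than of its MAC address, combined into one added example (not code from the story, InformationWeek, or any vendor). The factory key, serial number and password rules are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed factory key for this example. In a real plant it stays in the
# provisioning system (ideally an HSM) and is never written to the device, so
# learning the serial from a label or a scan is not enough to derive the password.
FACTORY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_initial_password(serial: str, factory_key: bytes = FACTORY_KEY, length: int = 12) -> str:
    """Per-unit initial password = base32(HMAC-SHA256(factory_key, serial))[:length].

    The same function prints the sticker at manufacturing time and seeds the
    device, so no per-unit ROM is needed. Unlike a password derived from the MAC
    address alone, an outsider cannot reproduce it without the factory key.
    """
    digest = hmac.new(factory_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:length]


class Device:
    """Admin-login policy for a network device that still carries its factory password."""

    LOCAL = "local"      # console or wired LAN port
    REMOTE = "remote"    # WAN, wireless, or anything routed
    MIN_LEN = 12

    def __init__(self, serial: str):
        self.serial = serial
        self._default_hash = self._hash(derive_initial_password(serial))
        self._password_hash = self._default_hash
        self.password_is_default = True

    @staticmethod
    def _hash(password: str) -> str:
        # Illustrative only; a shipping firmware would use a slow, salted KDF here.
        return hashlib.sha256(password.encode()).hexdigest()

    def authenticate(self, interface: str, password: str) -> str:
        """Return 'denied', 'must-change' or 'ok'.

        While the factory password is in effect it is accepted only from a local
        port, and even then only for the purpose of replacing it: remote services
        stay closed until the owner has set a password of their own.
        """
        if not hmac.compare_digest(self._hash(password), self._password_hash):
            return "denied"
        if self.password_is_default:
            return "must-change" if interface == self.LOCAL else "denied"
        return "ok"

    def change_password(self, interface: str, old: str, new: str) -> bool:
        """Replace the password; rejects short passwords and a return to the factory value."""
        if self.authenticate(interface, old) == "denied":
            return False
        if len(new) < self.MIN_LEN or hmac.compare_digest(self._hash(new), self._default_hash):
            return False
        self._password_hash = self._hash(new)
        self.password_is_default = False
        return True

    def factory_reset(self) -> None:
        """The reset button restores the per-unit sticker password, not a shared 'admin'."""
        self._password_hash = self._default_hash
        self.password_is_default = True


if __name__ == "__main__":
    dev = Device("SN-CONSTRUCTED-0001")
    sticker = derive_initial_password("SN-CONSTRUCTED-0001")
    print("sticker password:", sticker)
    print("remote login with default:", dev.authenticate(Device.REMOTE, sticker))
    print("local login with default:", dev.authenticate(Device.LOCAL, sticker))
    dev.change_password(Device.LOCAL, sticker, "correct-horse-battery")
    print("remote login after change:", dev.authenticate(Device.REMOTE, "correct-horse-battery"))
```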
  • Damn... (Score:4, Funny)

    by Cornflake917 ( 515940 ) on Wednesday September 26, 2007 @07:02PM (#20761763) Homepage
    That caveman from the Geico commercials was just starting to make progress with his therapist. Let's hope the poor guy doesn't stumble upon this article. This hacker might get a few unexpected prison visits from whiny cavemen.
  • on the systems that I manage, no Web/telnet/ssh admin ports get opened to the outside world. If you want in, you'd better have a valid VPN key as well as a password, and VPN logs get checked regularly to prevent abuse. Good defence is multilayered.

    -b.

  • Whoever they is. Somebody, please ban default passwords.
  • by SplatMan_DK ( 1035528 ) * on Wednesday September 26, 2007 @07:09PM (#20761841) Homepage Journal
    Mjeah.

    So easy a caveman could do it.

    But apparently not so easy a caveman could avoid getting caught?

    What ever happened to the supercool hacking-thang called "not getting caught"?

    - Jesper
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      What ever happened to the supercool hacking-thang called "not getting caught"?

      Oh like that'll get you a book deal and job in the computer security field.

      If you don't get caught you'll never even merit an article on /.
      • So what you are saying is ...

        1.) Hack stuff using script-kiddie techniques
        2.) Keep at it until you are caught
        3.) Tell everyone the story about you being an idiot who got caught
        4.) Do a month of jailtime
        5.) $$$!

        Is that the kind of people who programmed my personal firewall and my anti virus app.?

        (Pleeeease, say "no", pleeeease, pretty-please)

        - Jesper
    • by lawpoop ( 604919 ) on Wednesday September 26, 2007 @08:23PM (#20762381) Homepage Journal

      What ever happened to the supercool hacking-thang called "not getting caught"?
      I'm sure it happens all the time; it just never makes the news...

      It could even be happening right now...
    • Well, that is the whole problem - the *real* hackers don't get caught, it is only the bozos that get caught.
  • Isn't a hacker usually considered someone who finds a clever way into a system or does "scanning for default passwords" pass as a hack nowadays..

    this sounds kinda like "hacking" into your neighbors open wireless network.

    He's no hacker, just a nuisance and a thief. This guy deserves jail time.

    • Re: (Score:3, Funny)

      I believe he more or less falls into the category of a "researcher". You probably could write a master's thesis on the password data/statistics alone!
  • by rgaginol ( 950787 ) on Wednesday September 26, 2007 @08:01PM (#20762241)
    Having these flaws present in a secure system, even for small companies is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.

    The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping calls me up and asks, "How do I install a Cisco router".

    There are books out there like "The practice of system and network administration", they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.
    • by Anonymous Coward on Wednesday September 26, 2007 @10:26PM (#20763197)
      None. Imagine you have 80,000 switches, routers and other network devices. Some are 15 years old. Some are older and don't allow the password to be changed at all. You have hundreds of network admin folks spread all over the world.

      Now imagine that you want to change the passwords. You can't bring the network down or impact any current work. Networks of this size are constantly being modified. New devices added, routes being updated/refreshed. Redundancy deployed or a failure causing it to be exercised.

      AND you are a business - the people making decisions don't know anything about security - the only question is "what will all this work do to make more money?" Nothing? Then don't do it.

      Tracking 80,000 passwords isn't easy. During emergencies - your phone won't ring - your mother with a pacemaker needs 911, not having access to the password in a switch that needs to be reconfigured manually isn't a good excuse.

      Ok, 1 of those hundreds of people leave the company. Do you change all the passwords ... again? Next week or the week after, someone else leaves/retires. Change again? Routers don't have per user accounts, do they?

      I've never seen a switch or router guy that wasn't overworked. Just like security folks.

      Anyway, just a few thoughts. It is never as simple as it seems.

      BTW, I worked at the big telecom company that wasn't hacked. I've since moved to a different telecom that is constantly being hacked and in the news for it. Until a few months ago, they had laughable security standards that seemed left over from 1990 to me and a flat network. Simply stupid, but being secure is a huge undertaking that isn't just network security, as you know. Only security failures get Executive attention, sadly.
  • " Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors."

    I don't think so Alan. The means is there for an able bodied person to setup appropriate credentials within a few minutes. Most of these stupid logins are web based anyway. You click "Admin" and then "Change Password" and things are a lot better than they were a couple minutes ago. The biggest problem is unskilled technical people in po
  • liability? (Score:2, Insightful)

    by jShort ( 1140435 )
    I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned individuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but apparently only because their IT people were not to be bothered by securing the companies' data. It seems silly to spend time and money going after the hacker, and then letting all the guys who actually compromised the data off the hook.
  • by Anonymous Coward
    ...after playing James Bond in all those movies.
  • hacking?? (Score:2, Funny)

    by Anonymous Coward
    This isn't hacking, this guy isn't a hacker.

    Are we supposed to be impressed by his elite port scanning abilities?
  • by kilodelta ( 843627 ) on Wednesday September 26, 2007 @11:39PM (#20763715) Homepage
    When you setup any new networking gear what is the very first thing you do? I can tell you what mine is, I change usernames and passwords. I even use strong passwords just in case.

    Nice to know telecom companies don't have a clue.
  • why? (Score:2, Interesting)

    Why is he going to prison? Why not make him a password administrator or something, where he finds all the default passwords (seems like he had the time back then) and asks those owners to change them? And of course gets paid for that. Like that what's-his-name guy in the 'Catch Me If You Can' movie..
  • To all the computer users all around the world who are still using "weak" passwords, here are some tips from my computer security lecturer Mr. Uwe Heinz Rudi Dippel,

    "Make it a combination of capital letters, small letters, numbers and special character but PLEASE remember it! Or I'll fine you $5!! "

    Here you can find some tips on how to create a strong password. http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html [watchingthenet.com]
  • Even if we try to do the RIGHT thing, we end up punished and bashed for 'doing wrong stuff'. When you're dealing with a bunch of joe averages [especially one being your boss], sometimes it's better just to watch it crash down and burn than to try to fix/warn the bosses about a potential security breach.

    I used to work as a cybercafe admin in a hotel [ClubMed(R)] and one day, when I was messing with the router's telnet interface, I decided to do a quick check on the pdf manual I had about it and look for the defau
  • The approach to this is all wrong. Instead of sending this guy to jail, more of these "caveman hacks" should be encouraged so that corporate gets off their lazy bums and do the mind-numbing simple steps to add a modicum of security to their networks -- like changing out the default passwords already! I am amazed that I am still seeing stories like this 20 years later. Hello! Is anyone paying attention?

    On the other hand, e-commerce systems are extremely vulnerable if security is this lackluster. I am not su

  • ...and who is to blame?

    I would prefer to blame the device manufacturers that allow the use of easy passwords in the wild. It is so outdated by now and any sensitive devices should have a protection that is better than only using a password to protect them. Using a certificate solution (smartcard or similar [aladdin.com]) together with SSH will make things a lot harder for any intruders.
