Convicted VoIP Hacker Robert Moore Speaks
An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"
It's so easy a caveman can do it
So, not only do cavemen work in video production, they do network admin?
When our name is on the back of your car, we're behind you all the way!
"So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"
Circumcision is child abuse.
Damn.... Having a KKK day in Alabamer are we?
Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And, no, don't try to educate the masses. I have tried as an administrator of a large network. They never learn. Or they learn and the next day they change their password back to "qwerty" again.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Convicted hacker Robert Moore, who will report to federal prison this week
Apparently Moore's law isn't quite up to snuff.
The theory of relativity doesn't work right in Arkansas.
It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
- They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
- You would have to print it on the router, or on a slip of paper
- If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.
Even if you don't implement that last bullet, it still seems like it would help a lot.
I was personally responsible for setting up a Nortel VoIP solution for the company for whom I work. The vendor (based in Denver, CO) required that we change default passwords on the end users' routers. Of course, I changed the default password on the VoIP switch as well considering that it is accessible to the public via its WAN port.
DUH!!
So being a hacker is a crime...
Maybe not a lot, but more than most of the media's super-hyped so-called "hackers" ever do.
A few years ago a major New Zealand ISP was "hacked" -- or so the media said. The biggest talkshow host of the time interviewed the alleged "h4x0r" live, and proclaimed him to be a "computer genius". We were all in deadly and imminent danger of being hacked by guys like him he said.
The "hacker" in question was a 13 year old whose friend's older brother worked for the ISP. The older brother had stupidly given his staff login and password to his kid brother, who had, naturally, shared it with his friend, the "genius hacker". This friend then logged in and deleted a bunch of hosted websites.
Pretty frikken 1337, huh?
You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them...
That's ridiculous. Everyone knows the most commonly used passwords are "love," "secret," and "sex." Oh and don't forget "God." It's that whole male ego thing.
Your lazy-ass proposal is half of the problem: Shifting the onus on anyone but the users and administrators. Did you even RTFA? USE DECENT PASSWORDS AND IMPLEMENT ALL POSSIBLE SECURITY MEASURES. Goddamn, I should take some of the jobs you over-paid fuckers have. You don't deserve 'em.
And you wanna complain about not making enough money.
that is some scary shit there
imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....
The problem in most of these cases is a user with little to no experience in network setup, and who also avoids reading directions, will almost always just "plug it in and go". Most routers that I've used come with a default password that is the same for all similar products that the company makes.
Instead of having a default password, why not have pre-generated passwords that are decently strong that are already on the router when you get the device, and have a sticker on the router with that password. Then instead of the manual telling you to type in "admin" for the password, it could tell you to look at a sticker on the router.
Come on, most already have stickers for the MAC address. Another sticker for the password is not a big deal.
So he's a social engineer skript kiddie?
Not a Twitter sockpuppet... but I wish I was.
That caveman from the Geico commercials was just starting to make progress with his therapist. Let's hope the poor guy doesn't stumble upon this article. This hacker might get a few unexpected prison visits from whiny cavemen.
Abaddon: An Xbox 360 Indie game
-b.
Come on, most already have stickers for the MAC address.
And the managers will say, "Yeah. We have the MAC address on there already. We can use that for the default password."
Whoever they is. Somebody, please ban default passwords.
HP does this on their servers with ILO. The ILO password is a variation of the host name and random alphanumeric characters. Sadly, they don't do this with their ProCurve line of switches.
Mjeah.
So easy a caveman could do it.
But apparently not so easy a caveman could avoid getting caught?
What ever happened to the supercool hacking-thang called "not getting caught"?
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Better yet: Why not have a unique default password that's printed on the device, or a function of a unique number that's printed on the device and NOT accessible from the network?
That way the bad guy would need physical access to the particular box to read that label to get what he needs to construct the default password. (Since it's a default password the "view the label" hole could be instantly plugged just by changing it.)
(Not from the MAC address, of course, nor the serial number if that's available in SNMP, etc. Not even from a cryptographic function from such stuff - since that leaves the company using internally a secret that could divulge the default password of all their boxes if it leaked - which it no doubt would, as it get passed around internally so the help center could use it...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
this sounds kinda like "hacking" into your neighbors open wireless network.
He's no hacker, just a nuisance and a thief. This guy deserves jail time.
The ILO password is a variation of the host name and random alphanumeric characters.
;-) It's usually the host serial number plus some alphanumerics, but either way it's unique and is printed on a (removable) tag attached to the server.
That's pretty hard considering the host name isn't assigned until the OS is installed.
-- Alastair
Having these flaws present in a secure system, even for small companies is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.
The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping calls me up and asks, "How do I install a Cisco router".
There are books out there like "The practice of system and network administration", they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.
How about routers that create a random strong password 5 minutes after they have first been started/reset, and if someone logs in before that it requires them to set their own password... People who plug in and play get a protected router, and people who need to change settings can set a password. And those who plug in and play only need to reset the router to access it again.
this guy should be congratulated for uncovering such slack security.
If he told the owner about the insecurity and didn't exploit it himself, yes.
imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....
Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.
Wait... That's what he did, isn't it?
No, he should not be congratulated. He should be convicted and punished as the thief he is.
Wait... That's what happened, isn't it?
Isn't it nice
" Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors."
I don't think so Alan. The means is there for an able-bodied person to set up appropriate credentials within a few minutes. Most of these stupid logins are web based anyway. You click "Admin" and then "Change Password" and things are a lot better than they were a couple minutes ago. The biggest problem is unskilled technical people in positions where they are pressured to get grand things accomplished quickly with as little manpower as possible. Many admins I know (at least in the Windows realm) are very complacent getting by with a D- in everything. Very few attempt to strive for excellence. The ones I know recite idealisms all day long and complain about how broken things are, but in the long run they consider the state of affairs acceptable because they are "too busy to fuck with it".
If you urinate in the well, don't complain when your coffee smells like piss.
boycott slashdot February 10th - 17th check out: altSlashdot.org
How difficult would it be to make the default something like the unit's serial number, then have the code require a change before even enabling network interfaces?
Oh, shoot. How did I miss the second part of your posting where you propose the same thing in different words?
Guess it comes from trying to read slashdot in a cave...
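Several comments in this thread propose the same fix from different angles: a per-unit random default generated on the factory test rig and printed on a sticker (the bulleted proposal above), a reset that restores that label password rather than "Cisco0", a default that is NOT derived from the MAC or serial number, and a box that keeps its network side down until the owner picks a real password. The simulation below is an added Python example, not code from the article or from any router vendor; the `Device` class, the label alphabet, the PBKDF2 parameters and the "12 characters minimum" policy are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Label alphabet without look-alike glyphs, so the sticker is easy to read (assumption)
LABEL_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "O0I1")
LABEL_LENGTH = 12         # 12 symbols from a 32-symbol alphabet is 60 bits, ample for a per-unit default
PBKDF2_ROUNDS = 100_000   # assumption; any slow, salted KDF serves the same purpose


def generate_label_password(length=LABEL_LENGTH):
    """Random per-unit default, produced at manufacture and never derived from the
    serial, the MAC or anything else that is readable over the network (SNMP etc.)."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored value does not reveal the label password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Device:
    """Hypothetical router: stores only a salted hash of the label password, restores
    that hash on factory reset, and keeps the WAN port down until the default is replaced."""

    def __init__(self, serial):
        self.serial = serial
        # Kept in the object only so the simulation can print the sticker; a real unit
        # would print it once and keep nothing but the hash.
        self.label_password = generate_label_password()
        self.label_salt, self.label_hash = hash_password(self.label_password)
        self.factory_reset()

    def factory_reset(self):
        """The reset button goes back to the sticker password, not to a vendor-wide one."""
        self.salt, self.pw_hash = self.label_salt, self.label_hash
        self.must_change_password = True
        self.wan_enabled = False

    def sticker(self):
        """What the factory prints on the unit; reading it needs physical access."""
        return f"S/N {self.serial}   ADMIN PW {self.label_password}"

    def login(self, password):
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def set_password(self, old_password, new_password):
        """Owner-chosen replacement; this is what brings the WAN side up.
        Re-using the label password or choosing something shorter than it is refused."""
        if not self.login(old_password):
            return False
        if new_password == self.label_password or len(new_password) < LABEL_LENGTH:
            return False
        self.salt, self.pw_hash = hash_password(new_password)
        self.must_change_password = False
        self.wan_enabled = True
        return True


if __name__ == "__main__":
    unit = Device("SN-CONSTRUCTED-000123")   # constructed serial number
    print(unit.sticker())
    print("WAN up before the default is changed:", unit.wan_enabled)
    unit.set_password(unit.label_password, "owner-chosen-passphrase-2007")
    print("WAN up after the owner set a password:", unit.wan_enabled)
```

The design choice worth noticing is that a leaked copy of the device's stored configuration yields only a salted hash, and a leaked copy of the manufacturer's generation code yields nothing at all, because there is no shared secret and no formula over public identifiers to leak.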
I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned individuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but apparently only because their IT people were not to be bothered with securing the companies' data. It seems silly to spend time and money going after the hacker, and then let all the guys who actually compromised the data off the hook.
This article brings out a good point... (or a point I would like to make (I never know if I'm on topic)) Most of today's hacking is allowed by either social engineering or default settings being used. You don't even have to be a "script kiddie" to do the kind of stuff they did. Off topic maybe. I guess this comes from the "know-it-alls" at work who drop the "script kiddie" dime on anyone and everyone who takes the easy road to accomplishing a task. The one dude who got the code for Motorola's phone a while back... he is pretty smart about computer-related ideas... but his "hack" had barely anything to do with using a computer.
"A gentleman never strikes a lady with his hat on." - Fred Allen
Here:
http://newark.fbi.gov/dojpressrel/2006/nk060706.htm
When I run across a wi-fi with the default logon, I change the user/password, set the renew/release to 10 minutes, and delete the users if any. HOPEFULLY when the stupid user asks a friend to find out why his/her computer is knocked offline all the time, they will put in a user/password, lock it down with MAC addressing and turn on all the security. It just amazes me that people think those fancy doodad wi-fi boxes are like a toaster. Just plug it in and turn it on.
I recall a similar instance during high school. Telecom switch with the default 'root' UN and PW accessible through the school network. Telnet. A friend who thought it was comical to type reset. Resulting in a 5 day suspension, 3 days w/o Internet for 5 high schools, and 2 police stations. Wasn't that funny I suppose, until he couldn't touch another computer for the rest of his high school career. Yeah, he thought he was hot shit.
this reminds me of the arm wrestling machine that was so easy even a woman could beat it and ended up breaking peoples arms.
...after playing James Bond in all those movies.
On his way to federal prison, the 23-year-old hacker says breaking into computers at telecom companies and major corporations was "so easy a caveman could do it."
Has anyone checked out Moore's photo on the article?
If interest = 1
Then
Moore = Caveman
Else 0
"Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors.
"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."?
Yeah, it's silly for us to know what we're doing!
...doesn't mean it is OK to walk right in and check out what's in the fridge (unless of course it is your home). If the damage was minimal or nonexistent then the punishment should fit the crime of course, but it IS still illegal.
On the other hand, why hasn't anyone thought of launching suit against the VOIP providers over the security breach? Tort law in the good ol' US of A is the most stringent in the world when it comes to "duty of care". Leaving passwords at factory defaults certainly could constitute negligence.
Come on people, seeing how litigious society is today, why not use it constructively? Sometimes the only way companies learn to be responsible is through the bottom line. Did some phone providers not have to be sued into providing 911 service standard after all? I'd say that this guy breaking in so easily should be justification for some legal action towards the VOIP providers.
This guy made $20k in this heist, which has now given him a crim. record, fed. prison time, legal bills a lot bigger than $20k, and has destroyed his prospects of future work in the industry. Meanwhile his "partner" made > $1mil from this. This guy would have been better off unemployed, or working at McDs.
Everyone in the computer biz should learn to ask the self-interest questions: What do I get out of this deal? What am I putting into this deal? What am I risking in this deal? Those questions must be asked before even the simplest business transaction occurs. Important sub-questions are, is this legal? If it isn't legal, what are the potential consequences? Important sub-questions of "what do I get" is "how am I getting paid, when, by whom, is the money really there?"
Red flag words: partner, equity, revenue sharing, stock. Those red flag words aren't always bad but they should always be looked at with skepticism. Beyond red flag words: circumventing access control of any kind (electronic or physical) without written authorization from an authorized person, and maybe an opinion letter from a lawyer. That should be an automatic "no".
I mean, these are simple questions. You don't need an MBA to analyze decisions with those questions. Somehow people with their heads in software don't take even a minute to ask these questions, and they should.
So not only did he hack Voip, but he did a spot for Geico in his press conference? F'n sellout!
Ladies and gentlemen of the jury, I'm just a caveman. I fell on some ice and later got thawed out by some of your scientists. Your world frightens and confuses me. Sometimes the honking horns of your traffic make me want to get out of my BMW.. and run off into the hills, or wherever.. Sometimes when I get a message on my fax machine, I wonder: "Did little demons get inside and type it?" I don't know! My primitive mind can't grasp these concepts. But there is one thing I do know - when people leave the default passwords on their routers, they deserve to get pwn3d back to the stone age. Thank you.
This isn't hacking, this guy isn't a hacker.
Are we supposed to be impressed by his elite port scanning abilities?
This should be a loud message to all IT professionals and laymen alike: SET/CHANGE YOUR PASSWORDS!
-TheCreditMaster
When you set up any new networking gear, what is the very first thing you do? I can tell you what mine is: I change usernames and passwords. I even use strong passwords just in case.
Nice to know telecom companies don't have a clue.
I keep on telling my sister to use alphanumerisymbolic passwords for the wpa password and admin password
but no, she won't listen until somebody hacks her network, no matter how much I pressure her
A-Za-Z0-9~!@#$%^&*()_+-=[]{}\|/?,.;: passwords are easy to remember (for me)
So, how the hell did he get caught? I would think any good hacker would ensure they were perfectly anonymous and would hide behind Tor or unsecured wireless networks. Then he'd be basically untraceable.
mod parent up (interesting) because that's the reason many companies and sysadmins give for the entire "unmovable" password or SNMP community strings.
But the truth is, first, routers do have per user access control with centralised databases. Ldap, radius, tacacs can be used for that purpose. And have been for years.
Second, having the same password (for when the centralised user authentication service fails, or the network to get there does) on 80000 switches is not so much of an issue if it changes every week or so (and that's easy to script...)
He was ratted out by the guy who fled the country... You can read more about his case at www.freerobert.com
seriously, I was just testing to see what the
this guy did do the wrong thing and deserves to be convicted. Not so sure about the penalty though. Jail time for pure economic loss seems a bit harsh.
OTOMH I think this would be a civil offence in Australia with fines only. - but I stand to be corrected on that.
It's a well-known problem! In any company with a security baseline defined, you must change the default password.. and also the default login when possible (to decrease the possibility of brute-force attacks). If it is not done, either you don't have any baseline to follow or it is not applied. In any case, it's work for the security team or the testers!
The Payment Card Industry (PCI) standards require you to change default passwords in the part of your network that handles credit card data.
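A baseline like the one described in the two comments above is only useful if someone checks configurations against it. The audit below is an added Python example, not code from the thread, from PCI or from any vendor: it walks a Cisco-style running config and flags the things this thread is about, namely well-known default credentials (the lists are constructed samples), plaintext and reversibly encoded ("type 7") passwords, and the default SNMP community strings. The sample config, its hostname and hash values are all constructed; the regular expressions assume the `username ... password`, `enable password`, line `password` and `snmp-server community` syntax and nothing else.

```python
import re

# Constructed stand-ins for a baseline's catalogue of vendor defaults (assumption)
DEFAULT_PASSWORDS = {"admin", "cisco", "cisco0", "password", "1234", "default"}
DEFAULT_COMMUNITIES = {"public", "private"}

# "username X password [type] value", "enable password [type] value" or a bare
# "password [type] value" under a line/con/vty stanza. Type 0 or no type is plaintext;
# type 7 is the reversible Cisco encoding. "secret" lines (hashed) are deliberately not matched.
PASSWORD_LINE = re.compile(r"^(?:username\s+\S+\s+|enable\s+)?password\s+(?:(\d)\s+)?(\S+)$")
SNMP_LINE = re.compile(r"^snmp-server\s+community\s+(\S+)")

# Constructed sample config; the hashes and community string are not real values.
SAMPLE_CONFIG = """\
hostname edge-router-1
enable secret 5 $1$salt$constructed.hash.value.here
enable password 0 Cisco0
username admin password 7 0000CONSTRUCTEDTYPE7
username ops secret 5 $1$salt$another.constructed.hash
snmp-server community public RO
snmp-server community r3ad0nly-constructed RO
line con 0
 password 0 Tr0ub4dor-constructed
line vty 0 4
 password cisco
 login
"""


def audit_config(config_text):
    """Return one (line_no, rule, line) tuple per baseline violation, in file order."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = PASSWORD_LINE.match(line)
        if m:
            ptype, value = m.group(1), m.group(2)
            if ptype == "7":
                # Reversible encoding: anyone with the config has the password.
                findings.append((line_no, "reversible-type7-password", line))
            elif value.lower() in DEFAULT_PASSWORDS:
                findings.append((line_no, "default-credential", line))
            elif ptype in (None, "0"):
                findings.append((line_no, "plaintext-password", line))
            continue
        m = SNMP_LINE.match(line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, "default-snmp-community", line))
    return findings


def has_default_credentials(config_text):
    """The single yes/no a PCI-style 'no vendor defaults' control needs."""
    return any(rule in ("default-credential", "default-snmp-community")
               for _, rule, _ in audit_config(config_text))


if __name__ == "__main__":
    for line_no, rule, line in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no:3d}  {rule:28s} {line}")
    print("vendor defaults present:", has_default_credentials(SAMPLE_CONFIG))
```

Run over the sample, the two `secret` lines and the non-default community pass, while the two default passwords, the type 7 line, the plaintext console password and the `public` community are reported with their line numbers, which is the list a tester hands back to whoever owns the baseline.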
Who the hell is Robert Moore???
Next you're going to tell me he's a world famous hacking caveman!
Sorry, brainfart. You are correct, it's serial number + random letters & numbers
This just proves how naive so many people are about security. If people spent a little more time on it, none of this would happen.
Why is he going to prison? Why not make him a password administrator or something, where he finds all the default passwords (seems like he had the time back then) and asks those owners to change them? And of course get paid for that. Like that what's-his-name guy in the 'Catch Me If You Can' movie..
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Enrico
To all the computer users all around the world who are still using "weak" passwords, here are some tips from my computer security lecturer Mr. Uwe Heinz Rudi Dippel,
"Make it a combination of capital letters, small letters, numbers and special character but PLEASE remember it! Or I'll fine you $5!! "
Here you can find some tips on how to create a strong password. http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html
But maybe it's a peculiarity of the German DSL market that AVM (www.avm.de/en) is now the market leader. And they DO provide their Fritz!Box series with preconfigured, random WPA2 keys and an 802.11g USB dongle that syncs the key when it's stuck into the Fritz!Box USB port.
Heck, I tried to find some "free" access in my mother's apartment. ALL her neighbours had some flavour of the Fritz!Box running, ALL were WPA2 encrypted. SIX WLANs, none of them unencrypted! For the first time in years I had to use dial-up.
Convicted hacker giving tips/strategy on 'How I did it', well done.. It's superb, maybe I also can have my country's leading companies' and corporations' secured information right at my fingertips.. I'm grateful to you Mr Moore.. But how is it possible for a caveman to do such a thing? It must be a very intelligent person like you, so-called 'caveman'..
Even if we try to do the RIGHT thing, we end up punished and bashed for 'doing wrong stuff'. When you're dealing with a bunch of Joe Averages [especially one being your boss], sometimes it's better to just watch it crash down and burn than to try to fix/warn the bosses about a potential security breach.
:)
I used to work as a cybercafe admin in a hotel [ClubMed(R)] and one day, when I was messing with the router's telnet interface, I decided to do a quick check on the PDF manual I had about it and look for the default password. I input the default username and password and bam, got in.... all free for me to change. As it was a leased line, I could give real internet IPs to inside machines by just specifying IP+MAC, could reflash the whole thing, could destroy it... Instead... I prepared a paper describing the security risks of leaving the main hotel's router [the one that serves both the guests' internet access and the company private data system] using the default password, documented everything with screenshots and whatnot, and put it on my boss's desk.
Guess the result!?
Even trying to explain/teach/advise him about the risks, saying that he should call the leased line company and complain about them putting an unsecured device in his network, the retard fired me for 'hacking attempt' and said that I shouldn't be 'trying to sneak in places where I shouldn't' (damn, I just found a BIG flaw and got bashed for finding it!).
2 days later: the fscker changed the password.
When I think of it, I regret not arriving at home that day and reflashing the modem's firmware with zeroes or something and hitting reboot. That would be total chaos and give them a nice big lesson.
This is how so many idiots in the world think "P@$sW0rD" is a strong password...
The article you linked to isn't the worst I've seen. But they still recommend replacing S with $ and ( with C. Making these simple character substitutions adds little/no extra strength to your password. Password crackers know to look for these substitutions (and can apply them to entire dictionaries).
Even more interesting is what happens when you start looking at letter frequencies. People are more likely to use "a" in a password than "z" and are more likely to follow "s" with a "h" rather than a "q".
Have a look at John the Ripper. When you tell it to brute force passwords it doesn't crack from aaaaaaaa through to ZZZZZZZZ. It has advanced rules which deal with letter frequencies and other interesting probabilities.
The only secure password is no "password". Use digital certificates/PKI instead. The reason is that private keys are randomly generated and have 8 bits of entropy per byte. Passwords on the other hand have a limited character set and therefore have between 1-3 bits of entropy per byte (most passwords are 2). And this assumes the passwords are generated randomly based on those character sets. To recreate the security of a randomly generated 256bit key (32 bytes) using traditional passwords, you'd need a password of more than 128 characters in length!
What I find even more amusing is the use of passwords in encryption schemes. You might be using 256bit encryption keys - which are generated from your password with well under half the entropy of the random 256bit key. Crackers aren't going to try cracking the derived 256bit key - they're going to attack your weak little password. Or more likely, they'll use a keylogger or another "thinking outside the square" method to retrieve your password.
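A checker that does what the comment above describes, as an added Python example that is not part of the thread: it reverses the usual leet substitutions before a dictionary lookup, so "P@$sW0rD" is judged as "password" rather than as eight characters drawn from a 94-symbol alphabet, and it turns the post's entropy-per-character figures into the length a password needs to match a randomly generated 256-bit key. The `DICTIONARY` is a constructed stand-in for a cracker's wordlist, and the substitution map and the character-class entropy model are assumptions.

```python
import math
import secrets
import string

# Constructed mini wordlist standing in for the dictionaries crackers actually carry (assumption)
DICTIONARY = {"password", "secret", "love", "sex", "god", "admin", "cisco", "qwerty", "letmein"}

# Common substitutions, reversed; the comment's "$ for S" and "( for C" are among them (assumption)
LEET_REVERSE = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                "(": "c", "5": "s", "7": "t", "!": "i", "|": "l"}

PRINTABLE_ASCII = 95   # letters, digits, punctuation and space


def normalize_leet(password):
    """Undo the substitutions and fold case, which is exactly what a cracker's rule set does."""
    return "".join(LEET_REVERSE.get(ch, ch) for ch in password).lower()


def charset_size(password):
    """Size of the smallest conventional character-class union that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32
    return size


def naive_entropy_bits(password):
    """Bits a random password of this length over this charset would carry; an upper bound."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def length_for_bits(target_bits, bits_per_char):
    """Characters needed to reach target_bits at a given entropy per character."""
    return math.ceil(target_bits / bits_per_char)


def assess(password):
    """Naive strength versus a dictionary-aware one: a leet-spelled word is worth
    no more than the size of the wordlist it came from (model assumption)."""
    base = normalize_leet(password)
    hit = base in DICTIONARY
    naive = naive_entropy_bits(password)
    effective = math.log2(len(DICTIONARY)) if hit else naive
    return {"normalized": base, "in_dictionary": hit,
            "naive_bits": round(naive, 1), "effective_bits": round(effective, 1)}


def random_key_bits(n_bytes):
    """A randomly generated key carries 8 bits per byte; shown with a real random key for contrast."""
    key = secrets.token_bytes(n_bytes)
    return len(key) * 8


if __name__ == "__main__":
    print(assess("P@$sW0rD"))
    print("256-bit key:", random_key_bits(32), "bits from 32 bytes")
    print("chars needed at 2 bits/char:", length_for_bits(256, 2.0))
    print("chars needed at full printable ASCII:", length_for_bits(256, math.log2(PRINTABLE_ASCII)))
```

At the post's estimate of about 2 bits per character, matching a 256-bit key needs 128 characters; even a password that really were uniformly random over all 95 printable characters would need 39, which is the point of preferring generated keys to memorised strings for anything that can use them.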
If it's so easy that a caveman can do it, why did he get caught?
Everything I have ever read on cavemen leads me to believe they are big advocates of wireless everything!
Wonder if they had/have blue teeth?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
On the other hand, e-commerce systems are extremely vulnerable if security is this lackluster. I am not surprised that millions of credit card numbers aren't posted to Usenet every day given this state of affairs.
I say all of this tongue firmly planted in cheek, of course. But really, it grows tiresome hearing about the same lame problems year after year when the fix is so absurdly simple even my 9-year-old could do it.
Ruby Neural Evolution of Augmenting Topologies
I used to work in a MAJOR telecom firm. I had a list of about 10 common passwords which granted me root permissions on 99% of machines. My boss had a similar list for cisco boxes. When we needed to change/check something we just used password after password till we hit the right one.
:D In the even rarer case that the admin didn't want to tell such sensitive data over the phone, we'd just start reciting him our root-password list to prove to him we were who we pretended to be. That always did the trick :D
The other option, the proper procedure, was to send an email to the bureaucrat boss of the sysadmins. He would then send an order to an admin to temporarily change the password for the machine you needed and give you that password. Then when you finished he would change the password again. The problem was the sucker usually just ignored your requests, or took weeks to give you access. So if we wanted to finish our job in time, we had no choice.
In the rare 1% of cases where the password was different, we just directly phoned one of the admins, bypassing his boss, and asked him for the password.
So users are not always the problem. Stupid policies are also to blame.
I would prefer to blame the device manufacturers that allow the use of easy passwords in the wild. It is so outdated by now, and any sensitive device should have protection that is better than only using a password. Using a certificate solution (smartcard or similar) together with SSH will make things a lot harder for any intruders.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
"So easy, a caveman can do it"
Hey, stop stealing slogans from the U.S. Army advertisements.
A router is not a house, a computer is not a car, and if you leave your wifi unsecured that is not mine or anybody else's problem
What sort of messed up logic is THAT? OK, let's play with this a bit:
It should NOT be illegal to log into an unprotected router and mess around with it without the owner's permission because the router owner is stupid for not securing his network. This is different--FROM A MORAL STANDPOINT--than entering a private dwelling that is unlocked to explore and mess around inside (an illegal act generally thought of as immoral) in what sense? Is it because the contents of the router are not physical in nature? Why is snooping around a network different than snooping around a house? Why don't judges throw out trespassing cases because "the house was unlocked and you should just expect people will wander in and snoop around and take stuff"?
Of course they aren't EXACTLY the same things...but morality universally applies to all of those things. YOU DON'T MESS AROUND WITH OTHER PEOPLE'S STUFF. PERIOD. Yes, if you leave your doors unlocked, keys in the car ignition or your bike sitting out with no lock on it, you can "expect them to be used" because there are people with no morals out there. However, just because it is an expected consequence doesn't make it right.
Once you've bought the routers or computers, first change the default password.. and you need to change your strong password regularly, at least once every 3 months.. So the hackers can get confused and tired of hacking yours....
The problem with that solution is that if you lose the password, you're fsck'd when you clear the config of the router (as in, you can't get it back unless you have someone on site reading the password to you). It's much easier to just change the password when the device is connected to the network.
You can't fix stupidity with software.