Convicted VoIP Hacker Robert Moore Speaks
An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"
It's so easy a caveman can do it
So, not only do cavemen work in video production, they do network admin?
When our name is on the back of your car, we're behind you all the way!
"So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"
Circumcision is child abuse.
Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And, no, don't try to educate the masses. I have tried as an administrator of a large network. They never learn. Or they learn and the next day, they change their password back to "qwerty" again.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Convicted hacker Robert Moore, who will report to federal prison this week
Apparently Moore's law isn't quite up to snuff.
The theory of relativity doesn't work right in Arkansas.
It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
- They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
- You would have to print it on the router, or on a slip of paper
- If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.
Even if you don't implement that last bullet, it still seems like it would help a lot.
Maybe not a lot, but more than most of the media's super-hyped so-called "hackers" ever do.
A few years ago a major New Zealand ISP was "hacked" -- or so the media said. The biggest talkshow host of the time interviewed the alleged "h4x0r" live, and proclaimed him to be a "computer genius". We were all in deadly and imminent danger of being hacked by guys like him he said.
The "hacker" in question was a 13 year old whose friend's older brother worked for the ISP. The older brother had stupidly given his staff login and password to his kid brother, who had, naturally, shared it with his friend, the "genius hacker". This friend then logged in and deleted a bunch of hosted websites.
Pretty frikken 1337, huh?
You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them...
That's ridiculous. Everyone knows the most commonly used passwords are "love," "secret," and "sex." Oh and don't forget "God." It's that whole male ego thing.
imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....
The problem in most of these cases is a user with little to no experience in network setup, and who also avoids reading directions, will almost always just "plug it in and go". Most routers that I've used come with a default password that is the same for all similar products that the company makes.
Instead of having a default password, why not have pre-generated passwords that are decently strong that are already on the router when you get the device, and have a sticker on the router with that password. Then instead of the manual telling you to type in "admin" for the password, it could tell you to look at a sticker on the router.
Come on, most already have stickers for the MAC address. Another sticker for the password is not a big deal.
So he's a social engineer skript kiddie?
Not a Twitter sockpuppet... but I wish I was.
That caveman from the Geico commercials was just starting to make progress with his therapist. Let's hope the poor guy doesn't stumble upon this article. This hacker might get a few unexpected prison visits from whiny cavemen.
Abaddon: An Xbox 360 Indie game
-b.
Come on, most already have stickers for the MAC address.
And the managers will say, "Yeah. We have the MAC address on there already. We can use that for the default password."
Whoever they is. Somebody, please ban default passwords.
HP does this on their servers with ILO. The ILO password is a variation of the host name and random alphanumeric characters. Sadly, they don't do this with their procurve line of switches.
Mjeah.
So easy a caveman could do it.
But apparently not so easy a caveman could avoid getting caught?
What ever happened to the supercool hacking-thang called "not getting caught"?
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Better yet: Why not have a unique default password that's printed on the device, or a function of a unique number that's printed on the device and NOT accessible from the network?
That way the bad guy would need physical access to the particular box to read that label to get what he needs to construct the default password. (Since it's a default password the "view the label" hole could be instantly plugged just by changing it.)
(Not from the MAC address, of course, nor the serial number if that's available in SNMP, etc. Not even from a cryptographic function of such stuff - since that leaves the company using internally a secret that could divulge the default password of all their boxes if it leaked - which it no doubt would, as it gets passed around internally so the help center could use it...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
This sounds kinda like "hacking" into your neighbor's open wireless network.
He's no hacker, just a nuisance and a thief. This guy deserves jail time.
The ILO password is a variation of the host name and random alphanumeric characters.
;-) It's usually the host serial number plus some alphanumerics, but either way it's unique and is printed on a (removable) tag attached to the server.
That's pretty hard considering the host name isn't assigned until the OS is installed.
-- Alastair
Having these flaws present in a secure system, even for small companies is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.
The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping calls me up and asks, "How do I install a Cisco router".
There are books out there like "The practice of system and network administration", they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.
This guy should be congratulated for uncovering such slack security.
If he told the owner about the insecurity and didn't exploit it himself, yes.
imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....
Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.
Wait... That's what he did, isn't it?
No, he should not be congratulated. He should be convicted and punished as the thief he is.
Wait... That's what happened, isn't it?
Isn't it nice
"Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors."
I don't think so, Alan. The means is there for an able-bodied person to set up appropriate credentials within a few minutes. Most of these stupid logins are web based anyway. You click "Admin" and then "Change Password" and things are a lot better than they were a couple minutes ago. The biggest problem is unskilled technical people in positions where they are pressured to get grand things accomplished quickly with as little manpower as possible. Many admins I know (at least in the Windows realm) are very complacent getting by with a D- in everything. Very few attempt to strive for excellence. The ones I know recite idealisms all day long and complain about how broken things are, but in the long run they consider the state of affairs acceptable because they are "too busy to fuck with it".
If you urinate in the well, don't complain when your coffee smells like piss.
boycott slashdot February 10th - 17th check out: altSlashdot.org
How difficult would it be to make the default something like the unit's serial number, then have the code require a change before even enabling network interfaces?
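The scheme the commenters above keep circling back to (a per-device default drawn at manufacturing time and printed on the label, a reset button that restores that label value rather than a vendor-wide string, and no network until the default has been replaced) is easy to model. The following is an added example written for this thread, not code from any vendor's firmware or from the InformationWeek article; every name in it (`manufacture`, `change_password`, `factory_reset`, `derived_default`) is hypothetical, and the serial numbers are constructed. It also shows why the earlier warning against deriving the default from a printed number plus a vendor secret holds: such a default is reproducible by anyone who obtains the secret, while a randomly drawn one is not.

```python
# Added example (not from the thread or any vendor): per-device default credential,
# forced change before interfaces come up, and reset-to-label behaviour.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the device keeps only salt and digest, never the label text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def manufacture(serial: str) -> tuple[dict, str]:
    """Hypothetical end-of-line test step: draw a random label password.
    It is NOT derived from the serial or MAC, so no vendor-held secret can
    reproduce it later; it lives only on the printed label and as a hash here."""
    label_password = secrets.token_urlsafe(12)
    label_salt = os.urandom(16)
    label_hash = hash_password(label_password, label_salt)
    device = {
        "serial": serial,
        "label_salt": label_salt,
        "label_hash": label_hash,      # burned in; what the reset button restores
        "admin_salt": label_salt,
        "admin_hash": label_hash,      # the credential currently accepted
        "interfaces_enabled": False,   # stays down until the default is replaced
    }
    return device, label_password


def login(device: dict, password: str) -> bool:
    digest = hash_password(password, device["admin_salt"])
    return hmac.compare_digest(digest, device["admin_hash"])


def is_label_password(device: dict, password: str) -> bool:
    digest = hash_password(password, device["label_salt"])
    return hmac.compare_digest(digest, device["label_hash"])


def change_password(device: dict, old: str, new: str) -> bool:
    """Only a successful change away from the label value brings the interfaces up."""
    if not login(device, old) or is_label_password(device, new) or len(new) < 12:
        return False
    device["admin_salt"] = os.urandom(16)
    device["admin_hash"] = hash_password(new, device["admin_salt"])
    device["interfaces_enabled"] = True
    return True


def factory_reset(device: dict) -> None:
    """Reset button: back to the label password, and the network goes down again."""
    device["admin_salt"] = device["label_salt"]
    device["admin_hash"] = device["label_hash"]
    device["interfaces_enabled"] = False


def derived_default(vendor_secret: bytes, serial: str) -> str:
    """The variant the thread warns against: a default computed from a printed number
    and a vendor-wide secret. Whoever holds the secret regenerates every unit's default,
    which is exactly why manufacture() above draws a random value instead."""
    return hmac.new(vendor_secret, serial.encode("utf-8"), "sha256").hexdigest()[:16]


if __name__ == "__main__":
    dev, label = manufacture("SN-000123")  # constructed serial
    print("label password:", label, "| interfaces up:", dev["interfaces_enabled"])
    change_password(dev, label, "correct-horse-battery-9")
    print("after change | interfaces up:", dev["interfaces_enabled"])
```

The two separate salts matter: the label hash must stay fixed for the reset path, while the working credential gets a fresh salt on every change, so a captured admin hash tells you nothing about the label value and vice versa.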
Oh, shoot. How did I miss the second part of your posting where you propose the same thing in different words?
Guess it comes from trying to read slashdot in a cave...
I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned individuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but apparently only because their IT people were not to be bothered with securing the companies' data. It seems silly to spend time and money going after the hacker, and then let all the guys who actually compromised the data off the hook.
As long as twelve people can be found who are possessed by their possessions, (here comes the 'broken record': cushy jobs, single family homes, SUV's, retirement plans, vacations, entertainment systems, RV's, boats, etc.) there will be convictions.
Submission as evidence constitutes plaintiff and/or prosecutorial misconduct.
I recall a similar instance during high school. Telecom switch with the default 'root' UN and PW accessible through the school network. Telnet. A friend who thought it was comical to type reset. Resulting in a 5 day suspension, 3 days w/o Internet for 5 high schools, and 2 police stations. Wasn't that funny I suppose, until he couldn't touch another computer the rest of his high school career. Yeah, he thought he was hot shit.
This reminds me of the arm wrestling machine that was so easy even a woman could beat it and ended up breaking people's arms.
...after playing James Bond in all those movies.
On his way to federal prison, the 23-year-old hacker says breaking into computers at telecom companies and major corporations was "so easy a caveman could do it."
Has anyone checked out Moore's photo on the article?
If interest = 1
Then
Moore = Caveman
Else 0
...doesn't mean it is OK to walk right in and check out what's in the fridge (unless of course it is your home). If the damage was minimal or nonexistent then the punishment should fit the crime of course, but it IS still illegal.
On the other hand, why hasn't anyone thought of launching suit against the VOIP providers over the security breach? Tort law in the good ol' US of A is the most stringent in the world when it comes to "duty of care". Leaving passwords at factory defaults certainly could constitute negligence.
Come on people, seeing how litigious society is today, why not use it constructively? Sometimes the only way companies learn to be responsible is through the bottom line. Did some phone providers not have to be sued into providing 911 service standard after all? I'd say that this guy breaking in so easily should be justification for some legal action towards the VOIP providers.
Why would they care, if it just works?
I think I had 5 routers in my neighborhood on channel 6, with default passwords.
I logged on into each and switched them to different channels.
Games and technology news in French. TC
So not only did he hack Voip, but he did a spot for Geico in his press conference? F'n sellout!
This isn't hacking, this guy isn't a hacker.
Are we supposed to be impressed by his elite port scanning abilities?
This should be a loud message to all IT professionals and laymen alike: SET/CHANGE YOUR PASSWORDS!
-TheCreditMaster
Learn how to legally boost your Credit score in days
http://www.Positive-Credit.com
When you set up any new networking gear, what is the very first thing you do? I can tell you what mine is: I change usernames and passwords. I even use strong passwords just in case.
Nice to know telecom companies don't have a clue.
mod parent up (interesting) because that's the reason many companies and sysadmins give for the entire "unmovable" password or SNMP community strings.
But the truth is, first, routers do have per-user access control with centralised databases. LDAP, RADIUS, TACACS can be used for that purpose, and have been for years.
Second, having the same password (for when the centralised user authentication service fails, or the network to get there does) on 80000 switches is not so much of an issue if it changes every week or so (and that's easy to script...)
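A rotation job for the shared local fallback the comment describes is mostly bookkeeping: draw a fresh secret, push it everywhere, and then find the devices that did not get it, because a box that was unreachable during the push is the one still accepting last week's value. The following is an added example written for this thread, not code from any commenter, vendor or tool; the inventory, device names and dates are constructed, and `push_local_fallback` stands in for whatever actually configures the emergency account (in practice an SSH session, here a stub that records the push).

```python
# Added example (not from the thread): weekly rotation of a shared local fallback
# credential across a constructed switch inventory, with detection of stragglers.
from datetime import date, timedelta
import hashlib
import secrets

MAX_AGE = timedelta(days=7)  # the "every week or so" from the comment


def build_inventory() -> list[dict]:
    """Constructed inventory; 'reachable' models a box the push cannot reach."""
    return [
        {"name": "sw-core-1", "rotated_on": date(2007, 9, 20), "reachable": True},
        {"name": "sw-edge-7", "rotated_on": date(2007, 9, 26), "reachable": True},
        {"name": "sw-edge-9", "rotated_on": date(2007, 9, 18), "reachable": False},
        {"name": "rt-wan-2", "rotated_on": date(2007, 9, 28), "reachable": True},
    ]


def new_fallback_secret() -> str:
    return secrets.token_urlsafe(18)


def fingerprint(secret: str) -> str:
    """What the inventory records: a digest, so the inventory is not a password file."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def push_local_fallback(device: dict, secret: str) -> bool:
    """Hypothetical push; a real job would reconfigure the local account over SSH."""
    if not device["reachable"]:
        return False
    device["pushed"] = device.get("pushed", 0) + 1
    return True


def rotate_all(inventory: list[dict], today: date, secret: str) -> list[str]:
    """Push one new shared fallback to every device; return the names that failed."""
    failed = []
    for device in inventory:
        if push_local_fallback(device, secret):
            device["rotated_on"] = today
            device["fallback_fp"] = fingerprint(secret)
        else:
            failed.append(device["name"])
    return sorted(failed)


def overdue(inventory: list[dict], today: date, max_age: timedelta = MAX_AGE) -> list[str]:
    """Detection: devices whose fallback is older than the policy allows."""
    return sorted(d["name"] for d in inventory if today - d["rotated_on"] >= max_age)


if __name__ == "__main__":
    today = date(2007, 9, 28)  # constructed run date
    inv = build_inventory()
    print("overdue before run:", overdue(inv, today))
    failed = rotate_all(inv, today, new_fallback_secret())
    print("push failed on:", failed)
    print("overdue after run:", overdue(inv, today))
```

The rotation and the overdue check are deliberately separate functions: the first is the weekly job, the second is the report someone should read after it, because a fallback that silently stayed on one switch for a month is the weakness this scheme is supposed to remove.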
Beyond red flag words: circumventing access control of any kind (electronic or physical) without written authorization from an authorized person, and maybe an opinion letter from a lawyer. That should be an automatic "no".
I mean, these are simple questions. You don't need an MBA to analyze decisions with those questions. Somehow people with their heads in software don't take even a minute to ask these questions, and they should.
I'm sure he understood implicitly that it was illegal. It isn't that people "don't ask these questions," it's just that they're willing to break the law to get ahead.
It's a well known problem! In any company with a security baseline defined, you must change the default password.. and also the default login when it's possible (to decrease the possibility of bruteforce attacks). If it is not done, either you don't have any baseline to follow or they are not applied. In any case, it's work for the security team or the testers!
The Payment Card Industry (PCI) standards require you to change default passwords in the part of your network that handles credit card data.
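The baseline the two comments above describe (default login gone, default password gone, and, from the earlier comment about "unmovable" SNMP community strings, no `public`/`private` communities) can be checked mechanically against a device's exported configuration. The following is an added example written for this thread, not a tool from the page or from any vendor; it reads a simplified IOS-style config text, and the two configs embedded in it are constructed (the `$1$placeholderhash` values are placeholders, not real hashes). The known-default list contains only the credentials the thread itself names and should be extended from your own vendor documentation. It goes a little beyond the comments by also flagging cleartext passwords, `enable password` used instead of `enable secret`, telnet on the vty lines, and a missing centralised AAA stanza.

```python
# Added example (not from the thread): audit an exported IOS-style configuration
# against a default-credential baseline. Syntax is simplified; extend for real exports.
import re

KNOWN_DEFAULT_PASSWORDS = {"admin", "cisco0"}   # the two the thread mentions
DEFAULT_USERNAMES = {"admin"}
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed config that fails the baseline in every way the audit checks.
WEAK_CONFIG = """\
hostname edge-1
username admin privilege 15 password 0 Cisco0
enable password Cisco0
snmp-server community public RO
line vty 0 4
 transport input telnet
"""

# Constructed config that passes; hashes are placeholders.
HARDENED_CONFIG = """\
hostname edge-1
aaa new-model
aaa authentication login default group tacacs+ local
username netops-emergency privilege 15 secret 5 $1$placeholderhash
enable secret 5 $1$placeholderhash
snmp-server community Qx7mT9vLp2 RO
line vty 0 4
 transport input ssh
"""


def audit(config: str) -> list[str]:
    """Return finding codes, in config order, for everything that breaks the baseline."""
    findings = []
    has_aaa = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            has_aaa = True
            continue
        m = re.match(r"^username (\S+) .*?\b(password|secret) (\d+) (\S+)$", line)
        if m:
            user, kind, enc_type, value = m.groups()
            if user.lower() in DEFAULT_USERNAMES:
                findings.append(f"default-username:{user}")
            if kind == "password" and enc_type == "0":   # type 0 = cleartext
                findings.append(f"cleartext-password:{user}")
                if value.lower() in KNOWN_DEFAULT_PASSWORDS:
                    findings.append(f"default-password:{user}")
            continue
        m = re.match(r"^enable password (?:\d+ )?(\S+)$", line)
        if m:
            findings.append("enable-password-not-secret")
            if m.group(1).lower() in KNOWN_DEFAULT_PASSWORDS:
                findings.append("default-enable-password")
            continue
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default-snmp-community:{m.group(1)}")
            continue
        if re.match(r"^transport input .*\btelnet\b", line):
            findings.append("telnet-enabled")
    if not has_aaa:
        findings.append("no-centralised-aaa")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "clean")
```

Run it over every config backup you already collect rather than over live devices: the point is a nightly baseline report, and a hit on `default-password` or `default-snmp-community` in a production backup is the PCI finding before the assessor writes it.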
Who the hell is Robert Moore???
Next you're going to tell me he's a world famous hacking caveman!
Sorry, brainfart. You are correct, it's serial number + random letters & numbers
This just proves how naive so many people are about security. If people spent a little more time on it, none of this would happen.
He got $20k out of it. That's not getting ahead.
Breaking the law willfully, and breaking the law willfully with wisdom and skill, are two different things.
Why is he going to prison? Why not make him a password administrator or something, where he finds all the default passwords (seems like he had the time back then) and asks those owners to change them? And of course gets paid for that. Like that what's-his-name guy in the 'Catch Me If You Can' movie..
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
Enrico
To all the computer users around the world who are still using "weak" passwords, here are some tips from my computer security lecturer Mr. Uwe Heinz Rudi Dippel,
"Make it a combination of capital letters, small letters, numbers and special character but PLEASE remember it! Or I'll fine you $5!! "
Here you can find some tips on how to create a strong password. http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html
But maybe it's a peculiarity of the German DSL market that AVM (www.avm.de/en) is now the market leader. And they DO provide their Fritz!Box series with preconfigured, random WPA2 keys and an 802.11g USB dongle that syncs the key when it's stuck into the Fritz!Box USB port.
Heck, I tried to find some "free" access in my mother's apartment. ALL her neighbours had some flavour of the Fritz!Box running, ALL were WPA2 encrypted. SIX WLANs, none of them unencrypted! For the first time in years I had to use dial-up.
Convicted hacker giving tips/strategy 'How I did it', well done.. It's superb, maybe I also can have my country's leading companies' and corporations' secured information right at my fingertips.. I'm grateful to you Mr Moore.. But how is it possible for a caveman to do such a thing, it must be a very intelligent person like you, so-called 'caveman'..
Even if we try to do the RIGHT thing, we end up punished and bashed for 'doing wrong stuff'. When you're dealing with a bunch of joe averages [especially one being your boss], sometimes it's better to just watch it crash down and burn than to try to fix/warn the bosses about a potential security breach.
:)
I used to work as a cybercafe admin in a hotel [ClubMed(R)] and one day, when I was messing with the router's telnet interface, I decided to do a quick check of the PDF manual I had for it and look for the default password. I entered the default username and password and bam, got in.... All free for me to change; as it was a leased line, I could give real Internet IPs to inside machines by just specifying IP+MAC, could reflash the whole thing, could destroy it... Instead, I prepared a paper describing the security risks of leaving the main hotel router [the one that serves both the guests' Internet access and the company's private data system] using the default password, documented everything with screenshots and whatnot, and put it on my boss's desk.
Guess the result!?
Even after trying to explain/teach/advise him about the risks, saying that he should call the leased line company and complain about them putting an unsecured device in his network, the retard fired me for 'hacking attempt' and said that I shouldn't be 'trying to sneak in places where I shouldn't' (damn, I just found a BIG flaw and got bashed for finding it!).
2 days later: the fscker changed the password.
When I think of it, I regret not arriving at home that day and reflashing the modem's firmware with zeroes or something and hitting reboot. That would be total chaos and give them a nice big lesson.
I should hope if they are knowledgeable enough to want their router configured that way they would also know to change the password from the default.
Everything I have ever read on cavemen leads me to believe they are big advocates of wireless everything!
Wonder if they had/have blue teeth?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
So he could become world (in)famous for it! Might be worth a 2-year jail term to some...
Ruby Neural Evolution of Augmenting Topologies
On the other hand, e-commerce systems are extremely vulnerable if security is this lackluster. I am not surprised that millions of credit card numbers aren't posted to the Usenet every day given this state of affairs.
I say all of this tongue firmly planted in cheek, of course. But really, it grows tiresome hearing about the same lame problems year after year when the fix is so absurdly simple even my 9-year-old could do it.
I used to work in a MAJOR telecom firm. I had a list of about 10 common passwords which granted me root permissions on 99% of machines. My boss had a similar list for cisco boxes. When we needed to change/check something we just used password after password till we hit the right one.
:D In the even more rare case that the admin didn't want to tell such sensitive data over the phone, we'd just start reciting our root-password list to prove to him we were who we pretended to be. That always did the trick :D
The other option, the proper procedure, was to send an email to the bureaucrat boss of the sysadmins. He then would send an order to an admin to temporarily change the password for the machine you needed and give you that password. Then when you finished he would change the password again. The problem was the sucker usually just ignored your requests, or took weeks to give you access. So if we wanted to finish our job in time, we had no choice.
In the 1% of rare cases that the password was different, we just directly phoned one of the admins, bypassing his boss, and asked him for the password.
So users are not always the problem. Stupid policies are also to blame.
I would prefer to blame the device manufacturers that allow the use of easy passwords in the wild. It is so outdated by now, and any sensitive device should have protection that is better than only a password. Using a certificate solution (smartcard or similar) together with SSH will make things a lot harder for any intruder.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
A router is not a house, a computer is not a car, and if you leave your wifi unsecured that is not mine or anybody else's problem
What sort of messed up logic is THAT? OK lets play with this a bit:
It should NOT be illegal to log into an unprotected router and mess around with it without the owner's permission because the router owner is stupid for not securing his network. This is different--FROM A MORAL STANDPOINT--from entering a private dwelling that is unlocked to explore and mess around inside (an illegal act generally thought of as immoral) in what sense? Is it because the contents of the router are not physical in nature? Why is snooping around a network different from snooping around a house? Why don't judges throw out trespassing cases because "the house was unlocked and you should just expect people will wander in and snoop around and take stuff"?
Of course they aren't EXACTLY the same things...but morality universally applies to all of those things. YOU DON'T MESS AROUND WITH OTHER PEOPLE'S STUFF. PERIOD. Yes, if you leave your doors unlocked, keys in the car ignition or your bike sitting out with no lock on it, you can "expect them to be used" because there are people with no morals out there. However, just because it is an expected consequence doesn't make it right.
Once you've bought the routers or computers, first change the default password.. and you need to change your strong password regularly, at least once every 3 months.. So the hackers get confused and tired of hacking yours....
The problem with that solution is that if you lose the password, you're fsck'd when you clear the config of the router (as in, you can't get it back unless you have someone on site reading the password to you). It's much easier to just change the password when the device is connected to the network.
You can't fix stupidity with software.