Slashdot Mirror

← Back to Stories (view on slashdot.org)

Convicted VoIP Hacker Robert Moore Speaks

Posted by ScuttleMonkey on from the kind-of-thing-an-idiot-would-have-on-his-luggage dept.

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"

38 of 183 comments (clear)

  1. Geico commercial filming by camperdave · · Score: 3, Funny

    It's so easy a caveman can do it

    So, not only do cavemen work in video production, they do network admin?

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:Geico commercial filming by User+956 · · Score: 4, Funny

      "It's so easy a caveman can do it". So, not only do cavemen work in video production, they do network admin?

      No, read more closely. He wasn't talking about cavemen in general. He was talking about one particular caveman.

      --
      The theory of relativity doesn't work right in Arkansas.
    2. Re:Geico commercial filming by beckerist · · Score: 2, Funny

      As a caveman script kiddie, I take offense to that statement!

  2. Obligatory... by Stormwatch · · Score: 4, Funny

    "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

    --
    Circumcision is child abuse.
    1. Re:Obligatory... by Zymergy · · Score: 4, Funny

      Remind me to change the combination to my luggage!

  3. Well by El+Lobo · · Score: 5, Insightful

    Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And , no, don't try to educate the masses. I have tries as an administrator of a large network. They never learn. Or they learn and the next day, they change their password to "qwerty" back again.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:Well by Joe+The+Dragon · · Score: 3, Informative

      In XP the default blank password does not let you do remote logins so it is some times more gives you more security.

    2. Re:Well by Timmmm · · Score: 5, Insightful

      It *is* a problem with the software. The software is designed for use by *people*. People who may not remember to change the default password.

      Easy solution - disable the product until the password is changed and intercept http connections so you can give people a helpful page saying "The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

      I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.

    3. Re:Well by nuzak · · Score: 3, Insightful

      It won't feel like you're shoving policy down their throats if you don't have a default password at all, but make it so that it won't function until you complete the setup, which involves setting a password.

      Considering that you get folks like SAC who set the PAL codes for all their nukes to 00000, yeah there will always be people that bypass it. But at least won't be because nobody touched it at all -- someone had to run the setup. And when users get cranky and bypass it, then it's now 100% their problem. Especially when the SOX auditors come knocking.

      --
      Done with slashdot, done with nerds, getting a life.
    4. Re:Well by mcrbids · · Score: 2, Interesting

      The weakest link is often the user: leaving the default password of a router,

      Are you sure it's the user?

      So, let me ask you this - why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something? Such a trivial thing to do, yet it would do so, so much for improving security, and would have a trivial effect on usability.

      Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't routers?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    5. Re:Well by freedom_surfer · · Score: 2, Insightful

      Of course you can't stop people from being stupid, but you can design around their stupidity. Why have a password at all if its default? Better to have no password and block remote access until one is set, which is basically what mysql had to do for similiar reasons. What is funny is this is just a new version of old school. Anyone else remember war dialing?

      "Those who cannot learn from history are doomed to repeat it."

      Here's my analogy. What if every lock manufacture sold you house locks with the same key and left it up to the buyer to have it rekeyed after purchase...

    6. Re:Well by BVis · · Score: 2, Insightful

      So we fix the users. I'm really sick of the prevailing attitude that "you're not going to change the users, so we have to accept this." Bullshit. In a civilized society, there must be consequences for stupidity.

      Users must be protected from themselves for the good of the whole. We don't allow people to drive 100MPH on the highway. We don't allow people to shout 'fire' in a crowded theater. What are people going to do, not use their computers? We're way past that point. The PC has become as important to our current way of life as indoor plumbing. We wouldn't tolerate the attitude of "Stupid toilet! Why do I have to flush it?"

      Maybe what we should do is create an anonymous forum for blowing the whistle on people who refuse to take security seriously, with an emphasis on this behavior on the part of officers of publicly traded companies. I bet the stockholders would want to know if the CEO's password is 'password'.

      --
      Never underestimate the power of stupid people in large groups.
  4. he should study more (or moore) by User+956 · · Score: 5, Funny

    Convicted hacker Robert Moore, who will report to federal prison this week

    Apparently Moore's law isn't quite up to snuff.

    --
    The theory of relativity doesn't work right in Arkansas.
  5. Random passwords by MobyDisk · · Score: 3, Interesting

    It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
    - They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
    - You would have to print it on the router, or on a slip of paper
    - If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.

    Even if you don't implement that last bullet, it still seems like it would help a lot.

    1. Re:Random passwords by sam.thorogood · · Score: 3, Insightful

      This moves the burden to the hardware manufacturer. What if this was the case, and network administrators (even good ones) the world over immediately assumed that everything they purchased out of the box was secure - right before a provider had a disgruntled employee upload the default password list for thousands/millions of routers to the internets? ... although that is just the FUD part of my brain talking. I actually like this idea.

    2. Re:Random passwords by chill · · Score: 2, Insightful

      They must run a test suite before shipping them...

      No, they mustn't. Frequently, if your production QA is good you don't do 100% testing before shipping. Random sampling is usually good enough and significantly cheaper. I can't speak to any specific router manufacturer, but this is SOP in manufacturing.

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:Random passwords by steelshadow · · Score: 2, Interesting

      I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

    4. Re:Random passwords by John_Sauter · · Score: 2, Interesting

      Every device with an Ethernet interface has a 48-bit unique identifier built in. All such devices, in my experience, also have a sticker that displays their Ethernet address. Would it be so difficult to include, at manufacturing time, a small ROM that contained an initial password, unique to each device, and also displayed on a sticker? The additional cost of such a feature needs to be weighed against the additional security provided, but I think in some markets it would be a definite win.

      The manufacturer need not keep a list of which passwords went with which device, only a list of the passwords already issued to ensure the new ones were unique. If uniqueness is not an absolute requirement, only keep the last thousand passwords, and use a good random number generator.

    5. Re:Random passwords by Solra+Bizna · · Score: 4, Funny

      I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

      That's actually not so bad. In order to get on the wireless network to use the admin password in the first place, they would need to guess your SSID and WEP key. And everyone knows that's impossible, right?

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  6. Ridiculous! by cromar · · Score: 2, Funny

    You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them...

    That's ridiculous. Everyone knows the most commonly used passwords are "love," "secret," and "sex." Oh and don't forget "God." It's that whole male ego thing.

    1. Re:Ridiculous! by wilymage · · Score: 2, Funny

      It's got a 28.8 bps modem!

      --
      The secret to creativity is knowing how to hide your sources. -- Albert Einstein
  7. Re:At least that "Hacker" actually used some skill by WhatAmIDoingHere · · Score: 2, Funny

    So he's a social engineer skript kiddie?

    --
    Not a Twitter sockpuppet... but I wish I was.
  8. Damn... by Cornflake917 · · Score: 3, Funny

    That caveman from the Geico commercials was just starting to make progress with his therapist. Let's hope the poor guy doesn't stumble upon this article. This hacker might get a few unexpected prison visits from whiny cavemen.

    --
    Abaddon: An Xbox 360 Indie game
  9. So easy a caveman could do it by SplatMan_DK · · Score: 3, Insightful

    Mjeah.

    So easy a caveman could do it.

    But apparently not so easy a caveman could avoid getting caught?

    What ever happened to the supercool hacking-thang called "not getting caught"?

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
    1. Re:So easy a caveman could do it by lawpoop · · Score: 4, Funny

      What ever happened to the supercool hacking-thang called "not getting caught"? I'm sure it happens all the time; it just never makes the news...

      It could even be happening right now...
      --
      Computers are useless. They can only give you answers.
      -- Pablo Picasso
  10. Re:Am I missing something? by thatskinnyguy · · Score: 2, Funny

    I believe he more or less falls into the category of a "researcher". You probably could write a master's thesis on the password data/statistics alone!

    --
    The game.
  11. And which heads will roll? by rgaginol · · Score: 3, Informative

    Having these flaws present in a secure system, even for small companies is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.

    The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping calls me up and asks, "How do I install a Cisco router".

    There are books out there like "The practice of system and network administration", they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.

    1. Re:And which heads will roll? by Anonymous Coward · · Score: 4, Insightful

      None. Imagine you have 80,000 switches, routers and other network devices. Some are 15 years old. Some are older and don't allow the password to be changed at all. You have hundreds of network admin folks spread all over the world.

      Now imagine that you want to change the passwords. You can't bring the network down or impact any current work. Networks of this size are constantly being modified. New devices added, routes being updated/refreshed. Redundancy deployed or a failure causing it to be exercised.

      AND you are a business - the people making decisions don't know anything about security - the only question is "what will all this work do to make more money?" Nothing? Then don't do it.

      Tracking 80,000 passwords isn't easy. During emergencies - your phone won't ring - your mother with a pace maker needs 911, not having access to the password in a switch that needs to be reconfigured manually isn't a good excuse.

      Ok, 1 of those hundreds of people leave the company. Do you change all the passwords ... again? Next week or the week after, someone else leaves/retires. Change again? Routers don't have per user accounts, do they?

      I've never seen a switch or router guy that wasn't overworked. Just like security folks.

      Anyway, just a few thoughts. It is never as simple as it seems.

      BTW, I worked at the big telecom company that wasn't hacked. I've since moved to a different telecom that is constantly being hacked and in the news for it. Until a few months ago, they had laughable security standards that seemed left over from 1990 to me and a flat network. Simply stupid, but being secure is a huge undertaking that isn't just network security, as you know. Only security failures get Executive attention, sadly.

  12. Not if he exploited it and kept it hushed up. by Ungrounded+Lightning · · Score: 4, Insightful

    this guy should be congratulated for uncovering such slack security.

    If he told the owner about the insecurity and didn't exploit it himself, yes.

    imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

    Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.

    Wait... That's what he did, isn't it?

    No, he should not be congratulated. He should be convicted and punished as the thief he is.

    Wait... That's what happened, isn't it?

    Isn't it nice

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  13. liability? by jShort · · Score: 2, Insightful

    I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned invididuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but aparenly only becase their IT people were not to be bothered by securing the companies' data. It seems silly to spend time and money going after the hacker, and then letting all the guys who actually compromised the data off the hook.

  14. Wow, what a fall from grace... by Anonymous Coward · · Score: 2, Funny

    ...after playing James Bond in all those movies.

  15. Re:Here's one I do by Destoo · · Score: 4, Interesting

    Why would they care, if it just works?

    I think I had 5 routers in my neighborhood on channel 6, with default passwords.
    I logged on into each and switched them to different channels.

    --
    Nouvelles de jeux et technologies en français. TC
  16. hacking?? by Anonymous Coward · · Score: 2, Funny

    This isn't hacking, this guy isn't a hacker.

    Are we supposed to be impressed by his elite port scanning abilities?

  17. And what is the 1st thing you do by kilodelta · · Score: 3, Informative

    When you setup any new networking gear what is the very first thing you do? I can tell you what mine is, I change usernames and passwords. I even use strong passwords just in case.

    Nice to know telecom companies don't have a clue.

  18. why? by azrin_abbas · · Score: 2, Interesting

    why is he going to prison? why don't make him like a password administrator or something where he finds all the default passwords( seems like he had the time back then) and ask those owners to change them? and of course got paid for that. like that what's-his-name guy in the 'catch me if you can' movie..

    --
    "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe."
  19. How to create a strong password by ery_pk076180_uni10 · · Score: 2, Informative

    To all the computer user all around the world who are still using the "weak" password, here are some tips from my computer security lecturer Mr. Uwe Heinz Rudi Dippel,

    "Make it a combination of capital letters, small letters, numbers and special character but PLEASE remember it! Or I'll fine you $5!! "

    Here you can find some tips on how to create a strong password. http://www.watchingthenet.com/how-to-create-strong-passwordsand-remember-them.html

  20. about the weak link [the users] by cadu · · Score: 2, Interesting

    Even if we try to do the RIGHT thing, we end up punished and bashed for 'doing wrong stuff', when you're dealing with a bunch of joe averages [specially one being your boss], sometimes it's better just watch it crash down and burn than to try to fix/warn the bosses about a potential security breach.

    i used to work as a cybercafe admin in a hotel [ClubMed(R)] and someday, when i was messing with the routers telnet interface, i decided to do a quick check on the pdf manual i had about it and look for the default password,i input the default username and password and bam, got in.... all free for me to change, as it was a leased line, i could give real internet ips to inside machines by just specifying ip+mac, could reflash the whole thing, could destroy it... instead... i've prepared a paper describing the security risks of leaving the main hotel's router [the one that serves both the guests internet access and the company private data system] using the default password, documented everything with screenshots and whatnot, and put it on my boss's desk.

    guess the result!?

    even trying to explain/teach/advise him about the risks , saying that he should call the leased line company and complain about them putting an unsecured device in his network, the retard fired me for 'hacking attempt' and said that i shouldn't be 'trying to sneak in places where i shouldn't' (damn, i just found a BIG flaw and got bashed for finding it!).

    2 days later : the fscker changed the password.

    when i think of it, i regret not arriving at home at that day and reflashing the modem's firmware with zeroes or something and hitting reboot. that would be total chaos and give them a nice big lesson :)

  21. Re:Here's one I do by David_W · · Score: 2, Insightful

    I hope none of them intentionally wanted their router set that way.

    I should hope if they are knowledgeable enough to want their router configured that way they would also know to change the password from the default.