Slashdot Mirror

← Back to Stories (view on slashdot.org)

Convicted VoIP Hacker Robert Moore Speaks

Posted by ScuttleMonkey on from the kind-of-thing-an-idiot-would-have-on-his-luggage dept.

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"

11 of 183 comments (clear)

  1. Obligatory... by Stormwatch · · Score: 4, Funny

    "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

    --
    Circumcision is child abuse.
    1. Re:Obligatory... by Zymergy · · Score: 4, Funny

      Remind me to change the combination to my luggage!

  2. Well by El+Lobo · · Score: 5, Insightful

    Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And , no, don't try to educate the masses. I have tries as an administrator of a large network. They never learn. Or they learn and the next day, they change their password to "qwerty" back again.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:Well by Timmmm · · Score: 5, Insightful

      It *is* a problem with the software. The software is designed for use by *people*. People who may not remember to change the default password.

      Easy solution - disable the product until the password is changed and intercept http connections so you can give people a helpful page saying "The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

      I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.

  3. he should study more (or moore) by User+956 · · Score: 5, Funny

    Convicted hacker Robert Moore, who will report to federal prison this week

    Apparently Moore's law isn't quite up to snuff.

    --
    The theory of relativity doesn't work right in Arkansas.
  4. Re:Geico commercial filming by User+956 · · Score: 4, Funny

    "It's so easy a caveman can do it". So, not only do cavemen work in video production, they do network admin?

    No, read more closely. He wasn't talking about cavemen in general. He was talking about one particular caveman.

    --
    The theory of relativity doesn't work right in Arkansas.
  5. Re:Random passwords by Solra+Bizna · · Score: 4, Funny

    I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

    That's actually not so bad. In order to get on the wireless network to use the admin password in the first place, they would need to guess your SSID and WEP key. And everyone knows that's impossible, right?

    -:sigma.SB

    --
    WARN
    THERE IS ANOTHER SYSTEM
  6. Not if he exploited it and kept it hushed up. by Ungrounded+Lightning · · Score: 4, Insightful

    this guy should be congratulated for uncovering such slack security.

    If he told the owner about the insecurity and didn't exploit it himself, yes.

    imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

    Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.

    Wait... That's what he did, isn't it?

    No, he should not be congratulated. He should be convicted and punished as the thief he is.

    Wait... That's what happened, isn't it?

    Isn't it nice

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  7. Re:So easy a caveman could do it by lawpoop · · Score: 4, Funny

    What ever happened to the supercool hacking-thang called "not getting caught"? I'm sure it happens all the time; it just never makes the news...

    It could even be happening right now...
    --
    Computers are useless. They can only give you answers.
    -- Pablo Picasso
  8. Re:Here's one I do by Destoo · · Score: 4, Interesting

    Why would they care, if it just works?

    I think I had 5 routers in my neighborhood on channel 6, with default passwords.
    I logged on into each and switched them to different channels.

    --
    Nouvelles de jeux et technologies en français. TC
  9. Re:And which heads will roll? by Anonymous Coward · · Score: 4, Insightful

    None. Imagine you have 80,000 switches, routers and other network devices. Some are 15 years old. Some are older and don't allow the password to be changed at all. You have hundreds of network admin folks spread all over the world.

    Now imagine that you want to change the passwords. You can't bring the network down or impact any current work. Networks of this size are constantly being modified. New devices added, routes being updated/refreshed. Redundancy deployed or a failure causing it to be exercised.

    AND you are a business - the people making decisions don't know anything about security - the only question is "what will all this work do to make more money?" Nothing? Then don't do it.

    Tracking 80,000 passwords isn't easy. During emergencies - your phone won't ring - your mother with a pace maker needs 911, not having access to the password in a switch that needs to be reconfigured manually isn't a good excuse.

    Ok, 1 of those hundreds of people leave the company. Do you change all the passwords ... again? Next week or the week after, someone else leaves/retires. Change again? Routers don't have per user accounts, do they?

    I've never seen a switch or router guy that wasn't overworked. Just like security folks.

    Anyway, just a few thoughts. It is never as simple as it seems.

    BTW, I worked at the big telecom company that wasn't hacked. I've since moved to a different telecom that is constantly being hacked and in the news for it. Until a few months ago, they had laughable security standards that seemed left over from 1990 to me and a flat network. Simply stupid, but being secure is a huge undertaking that isn't just network security, as you know. Only security failures get Executive attention, sadly.