By Sharon Gaudin
Sept. 26, 2007
Convicted hacker Robert Moore, who is set to go to federal prison this
week, says breaking into 15 telecommunications companies and hundreds of
businesses worldwide was incredibly easy because simple IT mistakes left
gaping technical holes.
Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit
computer fraud and is slated to begin his two-year sentence on Thursday
for his part in a scheme to steal voice over IP services and sell them
through a separate company. While prosecutors call co-conspirator Edwin
Pena the mastermind of the operation, Moore acted as the hacker,
admittedly scanning and breaking into telecom companies and other
corporations around the world.
"It's so easy. It's so easy a caveman can do it," Moore told
InformationWeek, laughing. "When you've got that many computers at your
fingertips, you'd be surprised how many are insecure."
Pena, who is charged with acting as a legitimate wholesaler of
Internet-based phone services as part of what the government called a
"sophisticated fraud," fled the country a year ago and is wanted as a
fugitive. Assistant U.S. Attorney Erez Liebermann said Pena allegedly
stole and then sold more than 10 million minutes of service at deeply
discounted rates, netting more than $1 million from the scheme.
Acting as the operation's technical muscle only netted Moore $20,000 of
the haul, according to Moore.
The government identified more than 15 VoIP service providers that were
hacked into, adding that Moore scanned more than 6 million computers
just between June and October of 2005. AT&T reported to the court that
Moore ran 6 million scans on its network alone.
However, the names of the companies Moore and Pena hacked into don't
appear in the court documents--aliases are used instead--and Moore said
he wasn't at liberty to identify them publicly.
Liebermann noted that one small telecom went out of business because of
expenses the company incurred during the break-in. The company
legitimately routed its own VoIP traffic through a larger telecom and
was forced to pay the other company for the calls that Pena and Moore
fraudulently sent through their network. "They had to eat the bill and
were unable to remain in business," added Liebermann.
Default Passwords: A Hacker's Dream
Moore said what made the hacking job so easy was that 70% of all the
companies he scanned were insecure, and 45% to 50% of VoIP providers
were insecure. The biggest insecurity? Default passwords.
"I'd say 85% of them were misconfigured routers. They had the default
passwords on them," said Moore. "You would not believe the number of
routers that had 'admin' or 'Cisco0' as passwords on them. We could get
full access to a Cisco box with enabled access so you can do whatever
you want to the box. ... We also targeted Mera, a Web-based switch. It
turns any computer basically into a switch so you could do the calls
through it. We found the default password for it. We would take that and
I'd write a scanner for Mera boxes and we'd run the password against it
to try to log in, and basically we could get in almost every time. Then
we'd have all sorts of information, basically the whole database, right
at our fingertips." Keith Rhodes, chief technologist at the U.S.
Government Accountability Office, said he's not surprised at all by what
Moore says he found.
"Default passwords are a silly problem," said Rhodes, who is widely
considered to be the federal government's top hacker. "But they were
able to take a silly flaw and turn it into a business. ... It
disappoints me, but I'm not surprised."
Kenneth van Wyk, principal consultant with KRvW Associates, said leaving
default passwords up is a widespread and dangerous problem.
"It's a huge problem, but it's a problem the IT industry has known about
for at least two decades and we haven't made much progress in fixing
it," said van Wyk. "People focus on functionality when they're setting
up a system. Does the thing work? Yes. Fine, move on. They don't spend
the time doing the housework and cleaning things up."
It's also a problem for which the companies themselves are liable, Moore
"I think it's all their fault," he added. "They're using default
passwords and their administrators don't even care. ... Anybody who has
bad security, it's their fault. There are so many people out there who
are malicious hackers who look for these vulnerable boxes. All this
information is right on the Web and it's easy to find. They need to get
more education and security in the VoIP industry. There were thousands
of routers that were compromised in this, just from my scans alone."
Alan Paller, director of research at the SANS Institute, says it's not
the companies' fault. He even says it's not IT's fault. The problem, he
says, lies with the vendors.
"Products should be sold so the default password has to be changed first
time they use it," said Paller. "It's all on the vendors. It's not about
the user being careless. It's a silly thing for them to have to know to
Rhodes, however, says until vendors make it necessary to change the
default password before a system or product will work, IT departments
need to be given the time and resources to get it done.
"I have nothing but empathy for all the security personnel I've ever
worked with," he said. "I've never met one yet who had enough people,
enough time, enough support. ... It would take nothing to change a
default password, but you need to actually have people who have the job
to do that."
The Break In
Moore, who describes himself as a "mega geek" more upset about being
banned from using a computer than actually going to prison, said his job
in the operation largely was to write software that ran scans and
brute-force attacks against Cisco XM routers and Quintum Tenor VoIP
gateways. To do it, he said he used 2 gigs of information on corporate
IP ranges that they bought for $800. He explained that he would first
scan the network looking mainly for the Cisco and Quintum boxes. If he
found them, he would then scan to see what models they were and then he
would scan again, this time for vulnerabilities, like default passwords
or unpatched bugs in old Cisco IOS boxes. If he didn't find default
passwords or easily exploitable bugs, he'd run brute-force or dictionary
attacks to try to break the passwords.
"We would go to telecom forums and other telecom sites that list company
names and where they're from," he explained. "We'd look at foreign
countries first. We'd take the name and IP range and then dump it into
the scanner. ... Some of the Cisco versions, like IOS, were old and
easier to get into."
Liebermann, the prosecutor, also noted that while Moore broke into
telecoms so they could steal the VoIP service, he also hacked into
countless other businesses so they could use the hijacked company
connections to disguise the calls they were sending to the telecoms.
With the VoIP connections in place, they simply needed corporate
connections to mask their trail.
"He wanted me to look for [a network] with lots of traffic," said Moore.
"Even if it was not a telecom, they might be connected to a telecom and
then you could move through that connection to the telecom. ... [Pena]
was taking legit calls that he had customers for and then rerouting the
calls through rogue boxes."
And Moore didn't just focus on telecoms. He said he scanned "anybody" --
businesses, agencies and individual users. "I know I scanned a lot of
people," he said. "Schools. People. Companies. Anybody. I probably hit
millions of normal [users], too."
Tips From The Hacker
Moore said it would have been easy for IT and security managers to
detect him in their companies' systems ... if they'd been looking. The
problem was that, generally, no one was paying attention.
"If they were just monitoring their boxes and keeping logs, they could
easily have seen us logged in there," he said, adding that IT could have
run its own scans, checking to see logged-in users. "If they had an
intrusion detection system set up, they could have easily seen that
these weren't their calls."
The hacker said IT technicians also could have set up access lists,
telling the network to only allow their own IP addresses to get in. "We
came across only two or three boxes that actually had access lists in
place," he added. "The telecoms we couldn't get into had access lists or
boxes we couldn't get into because of strong passwords."
The GAO's Rhodes said if companies don't fix the small problems, they
can open up gaping holes that hackers are ready to jump through.
"All it takes is one bad access point and they're in," he noted. "The
weak link -- you find that one point and all the security unravels. ...
I'm not surprised that someone going to prison said 70% are at risk. You
only have to have one default password and all your security is at
Copyright 2007 CMP Media LLC
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com