IT Security unclothed by “a nerdy hacker”

Robert Moore, a 23-year-old hacker, starts his sentence in federal prison today (Thursday, 27th Sep) for breaking into 15 telecommunications companies and hundreds of businesses (and individuals) worldwide. He spoke about “how easy it was”. Moore, who describes himself as a “mega geek”, is more upset about being banned from using a computer than about actually going to prison. Here are a few things from his interview which may help IT vendors and users (including the huge IT departments whose “sole” job is to secure the company network and provide the staff with a better service) to see how insecure they are.

How easy is it?

“It’s so easy. It’s so easy a caveman can do it,” Moore told InformationWeek, laughing. “When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure.”

“What made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.”

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. … We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I’d write a scanner for Mera boxes and we’d run the password against it to try to log in, and basically we could get in almost every time. Then we’d have all sorts of information, basically the whole database, right at our fingertips.”

How did he work (hack)?

He explained that he would first scan the network, looking mainly for Cisco and Quintum boxes. If he found them, he would scan again to see what models they were, and then scan once more, this time for vulnerabilities like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn’t find default passwords or easily exploitable bugs, he’d run brute-force or dictionary attacks to try to break the passwords. “We would go to telecom forums and other telecom sites that list company names and where they’re from,” he explained. “We’d look at foreign countries first. We’d take the name and IP range and then dump it into the scanner. … Some of the Cisco versions, like IOS, were old and easier to get into.”

Tips from the hacker?

Moore said it would have been easy for IT and security managers to detect him in their companies’ systems … if they’d been looking. The problem was that, generally, no one was paying attention.

“If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there,” he said, adding that IT could have run its own scans, checking to see logged-in users. “If they had an intrusion detection system set up, they could have easily seen that these weren’t their calls.”

The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. “We came across only two or three boxes that actually had access lists in place,” he added. “The telecoms we couldn’t get into had access lists or boxes we couldn’t get into because of strong passwords.”
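To make the defensive side of this concrete (the log monitoring and the access lists Moore describes, and the password-guessing he fell back on when defaults failed), here is a small log checker added for this post; it is not from the interview or from any vendor. It reads IOS-style SEC_LOGIN syslog lines, an allowlist of management networks in CIDR form, and a failure threshold, and reports successful logins from outside the allowlist and sources that pile up failed attempts. The networks, users and log lines are constructed, and the function names are my own.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <map>
#include <regex>
#include <string>
#include <vector>

// All names, networks and log lines in this file are constructed for the example.

// Parse a dotted-quad IPv4 address into a host-order 32-bit integer.
static bool parseIPv4(const std::string& s, uint32_t& out) {
    unsigned a, b, c, d;
    char tail;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

// One management network in CIDR form: the "access list" the article recommends.
struct Cidr { uint32_t net; uint32_t mask; };

static bool parseCidr(const std::string& s, Cidr& out) {
    std::string::size_type slash = s.find('/');
    uint32_t addr;
    if (slash == std::string::npos || !parseIPv4(s.substr(0, slash), addr)) return false;
    int bits = std::atoi(s.c_str() + slash + 1);
    if (bits < 0 || bits > 32) return false;
    out.mask = bits == 0 ? 0u : (0xFFFFFFFFu << (32 - bits));   // a shift by 32 would be undefined
    out.net = addr & out.mask;
    return true;
}

static bool inAllowlist(uint32_t ip, const std::vector<Cidr>& nets) {
    for (const Cidr& n : nets) if ((ip & n.mask) == n.net) return true;
    return false;
}

struct Finding { std::string kind; std::string user; std::string source; int count; };

// Scan SEC_LOGIN messages: flag successful logins from outside the allowlist,
// and flag a source once it reaches failThreshold failed attempts.
std::vector<Finding> analyzeLogins(const std::vector<std::string>& lines,
                                   const std::vector<std::string>& allowCidrs,
                                   int failThreshold) {
    std::vector<Cidr> nets;
    for (const std::string& c : allowCidrs) { Cidr n; if (parseCidr(c, n)) nets.push_back(n); }
    static const std::regex re("LOGIN_(SUCCESS|FAILED).*\\[user: ([^\\]]+)\\] \\[Source: ([0-9.]+)\\]");
    std::map<std::string, int> failures;   // failed attempts per source address
    std::vector<Finding> out;
    for (const std::string& line : lines) {
        std::smatch m;
        if (!std::regex_search(line, m, re)) continue;   // not a login message
        std::string kind = m[1], user = m[2], src = m[3];
        uint32_t ip;
        if (!parseIPv4(src, ip)) { out.push_back({"unparseable-source", user, src, 1}); continue; }
        if (kind == "SUCCESS" && !inAllowlist(ip, nets))
            out.push_back({"login-from-unexpected-network", user, src, 1});
        if (kind == "FAILED" && ++failures[src] == failThreshold)
            out.push_back({"password-guessing", user, src, failThreshold});
    }
    return out;
}

// Constructed sample: two management networks and a short syslog excerpt.
std::vector<Finding> demoFindings() {
    const std::vector<std::string> allow = {"10.0.0.0/8", "192.168.1.0/24"};
    const std::vector<std::string> logs = {
        "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5] [localport: 22]",
        "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23]",
        "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23]",
        "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23]",
        "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 23]",
        "%SYS-5-CONFIG_I: Configured from console by ops on vty0 (10.0.0.5)",
    };
    return analyzeLogins(logs, allow, 3);
}

int main() {
    for (const Finding& f : demoFindings())
        std::cout << f.kind << " user=" << f.user << " source=" << f.source
                  << " count=" << f.count << '\n';
    return 0;
}
```

On the sample data this reports two findings: the third failed attempt from 203.0.113.7 and the successful login from that same address, which is outside both management networks. The allowlist in the checker is the same list that belongs on the device's management interface as an access list; the log check is what tells you whether that list is missing, and, when it is, who got in and who was trying.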
I have myself seen, even in huge operations, this policy of keeping a company-wide (as if that were safe) default password for their servers.

Ludicrously, this incident has divided the IT industry into two camps, and enterprises have started a blame war against the vendors for making it a policy that the default password is changed before things work. But my question — who will save you when you are attacked with a brute-force dictionary attack? There is only one fact: there is no one-push-button for security, and you have to keep a part of the department busy with log analysis, password updates and keeping up with what is happening around you (and even this will only make you ‘more’ secure).

I remember Henry Keller’s saying — Security is mostly a superstition. I add: “More so for worldwide interconnected computers”. I hope that you too learn from it and at least personalize your passwords now. Be paranoid!

to switch-case or not to!

A friend (and colleague), in an attempt to start a long discussion, asked me about my preference between cascaded if-else and switch-case statements and which one is better. I got away (because I was caught up in some work I didn’t want to lose attention from) by saying that I would certainly get back with the facts he wanted to know, and that my personal preference is switch-case.

Later in the evening (now) I am in front of Firefox with almost seventeen tabs open with links relating to the comparison between if-else and switch-case statements. I think I should share some statements here (sources are documents and forums available on the internet).

The switch-case can only be used with integral types, and the case values need to be compile-time constants. An if/else cascade is likely to be slower than switch/case.

switch/case is often implemented using a jump table, with the case values as the index into the table. The if/else cascade is usually implemented as a chain of conditional jumps. Hence switch/case will often win on time efficiency.

The best construct to use is the one that is easiest for the reader to understand (not the more efficient one), obviously as long as it is not killing the program.

For the curious,

A jump table is either a table of addresses (pointers) or a table of jump instructions. An index is used to access the appropriate location, and then the action found there is taken. This can be implemented in C++ using a std::map<key, function_pointer> or an array of similar structures.
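To see the constructs side by side, here is a worked example added for this post (it is not from any of the forum sources): the same four-way dispatch written as a switch, as an if-else cascade, as an explicit jump table of function pointers, and as a std::map keyed by a string, which a switch cannot take at all. The opcodes and the operations behind them are constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed example: four operations selected by an integer opcode.
enum Op { OP_ADD = 0, OP_SUB = 1, OP_MUL = 2, OP_NEG = 3, OP_COUNT = 4 };

struct Result { bool ok; int value; };   // ok == false means "unknown opcode"

static int doAdd(int a, int b) { return a + b; }
static int doSub(int a, int b) { return a - b; }
static int doMul(int a, int b) { return a * b; }
static int doNeg(int a, int)   { return -a; }

// 1. switch-case: the selector must be integral and the labels compile-time
//    constants; for dense labels like these the compiler usually emits a jump table,
//    and the default label is its built-in range check.
Result dispatchSwitch(int op, int a, int b) {
    switch (op) {
        case OP_ADD: return {true, doAdd(a, b)};
        case OP_SUB: return {true, doSub(a, b)};
        case OP_MUL: return {true, doMul(a, b)};
        case OP_NEG: return {true, doNeg(a, b)};
        default:     return {false, 0};
    }
}

// 2. if-else cascade: same behaviour, compiled as a chain of compare-and-branch.
Result dispatchIfElse(int op, int a, int b) {
    if (op == OP_ADD)      return {true, doAdd(a, b)};
    else if (op == OP_SUB) return {true, doSub(a, b)};
    else if (op == OP_MUL) return {true, doMul(a, b)};
    else if (op == OP_NEG) return {true, doNeg(a, b)};
    return {false, 0};
}

// 3. Hand-written jump table: an array of function pointers indexed by the opcode.
//    Here the range check is our job; without it an out-of-range opcode reads past
//    the table and calls whatever address happens to be there.
typedef int (*BinOp)(int, int);
static const BinOp kJumpTable[OP_COUNT] = { doAdd, doSub, doMul, doNeg };

Result dispatchTable(int op, int a, int b) {
    if (op < 0 || op >= OP_COUNT) return {false, 0};
    return {true, kJumpTable[op](a, b)};
}

// 4. std::map<key, function pointer>: the same idea for keys a switch cannot take,
//    such as strings, at the cost of a lookup instead of an index.
Result dispatchByName(const std::string& name, int a, int b) {
    static const std::map<std::string, BinOp> table = {
        {"add", doAdd}, {"sub", doSub}, {"mul", doMul}, {"neg", doNeg},
    };
    std::map<std::string, BinOp>::const_iterator it = table.find(name);
    if (it == table.end()) return {false, 0};
    return {true, it->second(a, b)};
}

// Cross-check: the three integer-keyed dispatchers must agree on every opcode,
// and all of them must reject the out-of-range ones.
bool dispatchersAgree() {
    for (int op = -1; op <= OP_COUNT; ++op) {
        Result s = dispatchSwitch(op, 7, 3);
        Result i = dispatchIfElse(op, 7, 3);
        Result t = dispatchTable(op, 7, 3);
        bool inRange = op >= 0 && op < OP_COUNT;
        if (s.ok != inRange || i.ok != inRange || t.ok != inRange) return false;
        if (s.value != i.value || s.value != t.value) return false;
    }
    return true;
}

int main() {
    Result r = dispatchByName("mul", 6, 7);
    std::cout << "mul by name: " << (r.ok ? r.value : 0) << '\n';
    std::cout << "dispatchers agree: " << (dispatchersAgree() ? "yes" : "no") << '\n';
    return 0;
}
```

The three integer dispatchers are interchangeable from the caller's point of view, which is exactly the readability argument above: pick the form the reader follows most easily. The one place the forms differ in substance is the bounds check in dispatchTable, which the switch's default label gives you for free and the hand-written table does not.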