Robert Moore, a 23-year-old hacker, starts his sentence in federal prison today (Thursday, 27th Sep) for breaking into 15 telecommunications companies and hundreds of businesses (and individuals) worldwide. He spoke about “how easy it was”. Moore, who describes himself as a “mega geek”, is more upset about being banned from using a computer than about going to prison. Here are a few things from his interview that may help IT vendors and users (including the huge IT departments whose “sole” job is to secure the company network and provide the staff with a better service) understand how insecure they are.
How easy was it?
“It’s so easy. It’s so easy a caveman can do it,” Moore told InformationWeek, laughing. “When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure.”
“What made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.”
“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. … We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I’d write a scanner for Mera boxes and we’d run the password against it to try to log in, and basically we could get in almost every time. Then we’d have all sorts of information, basically the whole database, right at our fingertips.”
How did he work (hack)?
He explained that he would first scan the network, looking mainly for Cisco and Quintum boxes. If he found them, he would scan to see which models they were, and then scan again, this time for vulnerabilities such as default passwords or unpatched bugs in old Cisco IOS boxes. If he didn’t find default passwords or easily exploitable bugs, he’d run brute-force or dictionary attacks to try to break the passwords. ”We would go to telecom forums and other telecom sites that list company names and where they’re from,” he explained. “We’d look at foreign countries first. We’d take the name and IP range and then dump it into the scanner. … Some of the Cisco versions, like IOS, were old and easier to get into.”
Tips from the hacker
Moore said it would have been easy for IT and security managers to detect him in their companies’ systems … if they’d been looking. The problem was that, generally, no one was paying attention.
“If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there,” he said, adding that IT could have run its own scans, checking to see logged-in users. “If they had an intrusion detection system set up, they could have easily seen that these weren’t their calls.”
The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. “We came across only two or three boxes that actually had access lists in place,” he added. “The telecoms we couldn’t get into had access lists or boxes we couldn’t get into because of strong passwords.”
I have myself seen, even in huge operations, this policy of keeping a company-wide (as if that were safe) default password for their servers.
Ludicrously, this incident has divided the IT industry in two, and enterprises have started a blame war against the vendors over making it policy that the default password is changed before things work. But my question: who will save you when you are attacked with a brute-force dictionary attack? There is only one fact: there is no one-push-button for security, and you have to keep part of the department busy with log analysis, password updates and keeping their knowledge current on what is happening around them (and even this will only make you ‘more’ secure).
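A defender-side illustration of the two tips Moore gives above (watch the logs to see who is logged in and from where, and use access lists so that only your own addresses can reach the boxes), combined with the brute-force dictionary attack raised in the paragraph just above. This is an added example, not code from the article, from Moore or from InformationWeek; the log line format, the device names, the management range 10.20.0.0/24 and the failure threshold are all assumptions constructed for it.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample router login log (not from the article). The line format
# is invented for this example: "<timestamp> <device> <RESULT> user=<name> src=<ip>".
SAMPLE_LOG = """\
2007-09-20T01:12:03Z rtr-edge1 LOGIN_SUCCESS user=netops src=10.20.0.15
2007-09-20T02:40:11Z rtr-edge1 LOGIN_FAILED user=admin src=203.0.113.77
2007-09-20T02:40:12Z rtr-edge1 LOGIN_FAILED user=admin src=203.0.113.77
2007-09-20T02:40:13Z rtr-edge1 LOGIN_FAILED user=admin src=203.0.113.77
2007-09-20T02:40:14Z rtr-edge1 LOGIN_FAILED user=admin src=203.0.113.77
2007-09-20T02:40:15Z rtr-edge1 LOGIN_FAILED user=admin src=203.0.113.77
2007-09-20T02:40:16Z rtr-edge1 LOGIN_SUCCESS user=admin src=203.0.113.77
2007-09-20T03:05:44Z voip-sw2 LOGIN_SUCCESS user=admin src=198.51.100.9
2007-09-20T09:15:00Z voip-sw2 LOGIN_SUCCESS user=netops src=10.20.0.16
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<result>LOGIN_SUCCESS|LOGIN_FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumption: the operator's own management range, i.e. the addresses the
# access list on each box should be restricted to.
MANAGEMENT_NETS = [ip_network("10.20.0.0/24")]
# Consecutive failed logins from one source on one device before we alert.
BRUTE_FORCE_THRESHOLD = 5


def parse_line(line):
    """Return the fields of one login event, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, allowed_nets=MANAGEMENT_NETS, threshold=BRUTE_FORCE_THRESHOLD):
    """Walk the log in order and collect what a watching admin would want to see:
    - brute_force: a source has hit the failure threshold against one device
    - login_outside_acl: a successful login from outside the management range
    - success_after_failures: a success that follows a burst of failures,
      i.e. a password guess that most likely worked
    """
    findings = []
    failures = Counter()  # consecutive failed logins keyed by (device, source ip)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["device"], ev["src"])
        base = {"ts": ev["ts"], "device": ev["device"], "user": ev["user"], "src": ev["src"]}
        if ev["result"] == "LOGIN_FAILED":
            failures[key] += 1
            if failures[key] == threshold:  # alert once when the threshold is reached
                findings.append(dict(base, kind="brute_force"))
            continue
        # LOGIN_SUCCESS from here on: check it against the access list first.
        src = ip_address(ev["src"])
        if not any(src in net for net in allowed_nets):
            findings.append(dict(base, kind="login_outside_acl"))
        if failures[key] >= threshold:
            findings.append(dict(base, kind="success_after_failures"))
        failures[key] = 0  # a success ends the failure streak for this source
    return findings


def logged_in_sources(log_text):
    """Who has successfully logged in, on which box, from where: the
    'check logged-in users' scan Moore says IT could have run itself."""
    seen = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "LOGIN_SUCCESS":
            seen.add((ev["device"], ev["user"], ev["src"]))
    return sorted(seen)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['device']} {f['kind']}: user={f['user']} src={f['src']}")
    for device, user, src in logged_in_sources(SAMPLE_LOG):
        print(f"logged in: {user}@{device} from {src}")
```

On the constructed log this reports the five-failure burst against rtr-edge1, the success that immediately follows it, and both admin logins from addresses outside the management range; the two netops logins from 10.20.0.0/24 raise nothing. The access-list check is the cheap one: if the boxes themselves only accepted the management range, the outside logins could not have happened at all, and the log review becomes a second line rather than the only one.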
I remember Helen Keller’s saying: “Security is mostly a superstition.” I would add, “More so for worldwide interconnected computers.” I hope that you too learn from this and at least personalize your passwords now. Be paranoid!