[ISN] Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services

From: InfoSec News (alerts@private)
Date: Thu Sep 27 2007 - 23:19:07 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=202101781

By Sharon Gaudin
InformationWeek
Sept. 26, 2007

Convicted hacker Robert Moore, who is set to go to federal prison this 
week, says breaking into 15 telecommunications companies and hundreds of 
businesses worldwide was incredibly easy because simple IT mistakes left 
gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit 
computer fraud and is slated to begin his two-year sentence on Thursday 
for his part in a scheme to steal voice over IP services and sell them 
through a separate company. While prosecutors call co-conspirator Edwin 
Pena the mastermind of the operation, Moore acted as the hacker, 
admittedly scanning and breaking into telecom companies and other 
corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told 
InformationWeek, laughing. "When you've got that many computers at your 
fingertips, you'd be surprised how many are insecure."

Pena, who is charged with acting as a legitimate wholesaler of 
Internet-based phone services as part of what the government called a 
"sophisticated fraud," fled the country a year ago and is wanted as a 
fugitive. Assistant U.S. Attorney Erez Liebermann said Pena allegedly 
stole and then sold more than 10 million minutes of service at deeply 
discounted rates, netting more than $1 million from the scheme.

Acting as the operation's technical muscle only netted Moore $20,000 of 
the haul, according to Moore.

The government identified more than 15 VoIP service providers that were 
hacked into, adding that Moore scanned more than 6 million computers 
just between June and October of 2005. AT&T reported to the court that 
Moore ran 6 million scans on its network alone.

However, the names of the companies Moore and Pena hacked into don't 
appear in the court documents--aliases are used instead--and Moore said 
he wasn't at liberty to identify them publicly.

Liebermann noted that one small telecom went out of business because of 
expenses the company incurred during the break-in. The company 
legitimately routed its own VoIP traffic through a larger telecom and 
was forced to pay the other company for the calls that Pena and Moore 
fraudulently sent through their network. "They had to eat the bill and 
were unable to remain in business," added Liebermann.


Default Passwords: A Hacker's Dream

Moore said what made the hacking job so easy was that 70% of all the 
companies he scanned were insecure, and 45% to 50% of VoIP providers 
were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default 
passwords on them," said Moore. "You would not believe the number of 
routers that had 'admin' or 'Cisco0' as passwords on them. We could get 
full access to a Cisco box with enabled access so you can do whatever 
you want to the box. ... We also targeted Mera, a Web-based switch. It 
turns any computer basically into a switch so you could do the calls 
through it. We found the default password for it. We would take that and 
I'd write a scanner for Mera boxes and we'd run the password against it 
to try to log in, and basically we could get in almost every time. Then 
we'd have all sorts of information, basically the whole database, right 
at our fingertips."

Keith Rhodes, chief technologist at the U.S. Government Accountability 
Office, said he's not surprised at all by what Moore says he found.

"Default passwords are a silly problem," said Rhodes, who is widely 
considered to be the federal government's top hacker. "But they were 
able to take a silly flaw and turn it into a business. ... It 
disappoints me, but I'm not surprised."

Kenneth van Wyk, principal consultant with KRvW Associates, said leaving 
default passwords up is a widespread and dangerous problem.

"It's a huge problem, but it's a problem the IT industry has known about 
for at least two decades and we haven't made much progress in fixing 
it," said van Wyk. "People focus on functionality when they're setting 
up a system. Does the thing work? Yes. Fine, move on. They don't spend 
the time doing the housework and cleaning things up."

It's also a problem for which the companies themselves are liable, Moore 
said.

"I think it's all their fault," he added. "They're using default 
passwords and their administrators don't even care. ... Anybody who has 
bad security, it's their fault. There are so many people out there who 
are malicious hackers who look for these vulnerable boxes. All this 
information is right on the Web and it's easy to find. They need to get 
more education and security in the VoIP industry. There were thousands 
of routers that were compromised in this, just from my scans alone."

Alan Paller, director of research at the SANS Institute, says it's not 
the companies' fault. He even says it's not IT's fault. The problem, he 
says, lies with the vendors.

"Products should be sold so the default password has to be changed first 
time they use it," said Paller. "It's all on the vendors. It's not about 
the user being careless. It's a silly thing for them to have to know to 
do."

Rhodes, however, says until vendors make it necessary to change the 
default password before a system or product will work, IT departments 
need to be given the time and resources to get it done.

"I have nothing but empathy for all the security personnel I've ever 
worked with," he said. "I've never met one yet who had enough people, 
enough time, enough support. ... It would take nothing to change a 
default password, but you need to actually have people who have the job 
to do that."


The Break In

Moore, who describes himself as a "mega geek" more upset about being 
banned from using a computer than actually going to prison, said his job 
in the operation largely was to write software that ran scans and 
brute-force attacks against Cisco XM routers and Quintum Tenor VoIP 
gateways. To do it, he said he used 2 gigs of information on corporate 
IP ranges that they bought for $800. He explained that he would first 
scan the network looking mainly for the Cisco and Quintum boxes. If he 
found them, he would then scan to see what models they were and then he 
would scan again, this time for vulnerabilities, like default passwords 
or unpatched bugs in old Cisco IOS boxes. If he didn't find default 
passwords or easily exploitable bugs, he'd run brute-force or dictionary 
attacks to try to break the passwords.

"We would go to telecom forums and other telecom sites that list company 
names and where they're from," he explained. "We'd look at foreign 
countries first. We'd take the name and IP range and then dump it into 
the scanner. ... Some of the Cisco versions, like IOS, were old and 
easier to get into."

Liebermann, the prosecutor, also noted that while Moore broke into 
telecoms so they could steal the VoIP service, he also hacked into 
countless other businesses so they could use the hijacked company 
connections to disguise the calls they were sending to the telecoms. 
With the VoIP connections in place, they simply needed corporate 
connections to mask their trail.

"He wanted me to look for [a network] with lots of traffic," said Moore. 
"Even if it was not a telecom, they might be connected to a telecom and 
then you could move through that connection to the telecom. ... [Pena] 
was taking legit calls that he had customers for and then rerouting the 
calls through rogue boxes."

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- 
businesses, agencies and individual users. "I know I scanned a lot of 
people," he said. "Schools. People. Companies. Anybody. I probably hit 
millions of normal [users], too."


Tips From The Hacker

Moore said it would have been easy for IT and security managers to 
detect him in their companies' systems ... if they'd been looking. The 
problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could 
easily have seen us logged in there," he said, adding that IT could have 
run its own scans, checking to see logged-in users. "If they had an 
intrusion detection system set up, they could have easily seen that 
these weren't their calls."

The hacker said IT technicians also could have set up access lists, 
telling the network to only allow their own IP addresses to get in. "We 
came across only two or three boxes that actually had access lists in 
place," he added. "The telecoms we couldn't get into had access lists or 
boxes we couldn't get into because of strong passwords."
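The detection Moore describes above (keeping logs, checking who is logged in, and restricting logins to your own addresses) can be reduced to a log review. The following is an added example, not code from the article or from any vendor: it parses constructed, Cisco-IOS-style SEC_LOGIN syslog lines and flags successful logins from outside an assumed management range, logins with factory-default account names, and repeated failures from one source. The allow-list, the default-account list and the log lines are all constructed for illustration.

```python
import ipaddress
import re

# Management hosts the routers should accept logins from (assumption: a
# constructed allow-list standing in for the access lists the article
# describes).
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

# Account names that ship as factory defaults and should not appear in a
# successful login on a deployed device (constructed list).
DEFAULT_ACCOUNTS = {"admin", "cisco"}

# Constructed, Cisco-IOS-style SEC_LOGIN syslog lines; not real traffic.
SAMPLE_LOG = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 23]
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23]
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.44] [localport: 22]
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)


def review_logins(log_text, allowed=ALLOWED_SOURCES,
                  defaults=DEFAULT_ACCOUNTS, fail_threshold=2):
    """Return a list of (reason, user, source) findings for one device's log."""
    findings = []
    failures = {}  # source address -> count of failed logins seen so far
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event; ignore other syslog lines
        user, src_text, event = m["user"], m["src"], m["event"]
        try:
            src = ipaddress.ip_address(src_text)
        except ValueError:
            continue  # malformed source field; skip rather than crash
        in_allow = any(src in net for net in allowed)
        if event == "LOGIN_SUCCESS":
            if not in_allow:
                findings.append(("login from outside management range", user, src_text))
            if user in defaults:
                findings.append(("default account still in use", user, src_text))
        else:
            failures[src_text] = failures.get(src_text, 0) + 1
            if failures[src_text] == fail_threshold:
                findings.append(("repeated failed logins (possible brute force)", user, src_text))
    return findings
```

Running `review_logins(SAMPLE_LOG)` yields four findings from the five constructed lines; the first line, a login from inside the management range by a non-default account, produces none.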

The GAO's Rhodes said if companies don't fix the small problems, they 
can open up gaping holes that hackers are ready to jump through.

"All it takes is one bad access point and they're in," he noted. "The 
weak link -- you find that one point and all the security unravels. ... 
I'm not surprised that someone going to prison said 70% are at risk. You 
only have to have one default password and all your security is at 
risk."

Copyright 2007 CMP Media LLC

