Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Convicted VoIP Hacker Robert Moore Speaks

ScuttleMonkey posted more than 6 years ago | from the kind-of-thing-an-idiot-would-have-on-his-luggage dept.

Security 183

An anonymous reader writes "Convicted hacker Robert Moore, who will report to federal prison this week, gives his version of 'How I Did It' to InformationWeek. Breaking into 15 telecom companies and hundreds of corporations was so easy because most routers are configured with default passwords. "It's so easy a caveman can do it," Moore said. He scanned more than 6 million computers just between June and October of 2005, running 6 million scans on AT&T's network alone. 'You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them,' Moore said. 'We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.'"

cancel ×

183 comments

fuck you (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20761513)

niggers

Re:fuck you (1)

MahariBalzitch (902744) | more than 6 years ago | (#20761573)

Damn.... Having a KKK day in Alabamer are we?

sweet honey in your mom (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20761777)

8====D~~~(.(.)

that's her on the right

Geico commercial filming (3, Funny)

camperdave (969942) | more than 6 years ago | (#20761525)

It's so easy a caveman can do it

So, not only do cavemen work in video production, they do network admin?

Re:Geico commercial filming (1)

FauxReal (653820) | more than 6 years ago | (#20761593)

No, I think he's calling cavemen script kiddies.

Re:Geico commercial filming (2, Funny)

beckerist (985855) | more than 6 years ago | (#20761619)

As a caveman script kiddie [cavillconnections.co.uk] , I take offense to that statement!

Re:Geico commercial filming (4, Funny)

User 956 (568564) | more than 6 years ago | (#20761601)

"It's so easy a caveman can do it". So, not only do cavemen work in video production, they do network admin?

No, read more closely. He wasn't talking about cavemen in general. He was talking about one particular caveman. [wikipedia.org]

Re:Geico commercial filming (1)

WwWonka (545303) | more than 6 years ago | (#20761915)

It's so easy a caveman can do it

I don't think cavemen ever had to deal with the fear of dropping the soap in a federal prison....and for god's sake, don't use the powdered kind.

Re:Geico commercial filming (0)

Anonymous Coward | more than 6 years ago | (#20762125)

WHAT!! NOT COOL!

Theory on Moore's Photo (1)

Rudedude69 (1128587) | more than 6 years ago | (#20762501)

On his way to federal prison, the 23-year-old hacker says breaking into computers at telecom companies and major corporations was "so easy a caveman could do it."

Has anyone checked out Moore's photo on the article?

If interest = 1
Then
Moore = Caveman
Else 0

Re:Geico commercial filming (1)

feed_me_cereal (452042) | more than 6 years ago | (#20763061)

No, they're talking about caveman hackers. You don't see a lot of them, because apparently "not going to jail" isn't quite as easy.

Obligatory... (4, Funny)

Stormwatch (703920) | more than 6 years ago | (#20761565)

"So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

Re:Obligatory... (4, Funny)

Zymergy (803632) | more than 6 years ago | (#20761587)

Remind me to change the combination to my luggage!

Re:Obligatory... (1)

InvisibleSoul (882722) | more than 6 years ago | (#20763037)

Ha! The joke's on the thief. The lock on my luggage only has one number.

Well (5, Insightful)

El Lobo (994537) | more than 6 years ago | (#20761577)

Once again, the weakest link in security is often NOT the software (which could also have problems). The weakest link is often the user: leaving the default password of a router, not activating encryption for wireless networks, using the same ID and password.... And , no, don't try to educate the masses. I have tries as an administrator of a large network. They never learn. Or they learn and the next day, they change their password to "qwerty" back again.

Re:Well (3, Informative)

Joe The Dragon (967727) | more than 6 years ago | (#20761641)

In XP the default blank password does not let you do remote logins so it is some times more gives you more security.

Re:Well (1)

cstdenis (1118589) | more than 6 years ago | (#20761759)

Or you could do better and set a password and turn off remote logins. Or just put it behind a NAT/Firewall.

Here's one I do (1)

p51d007 (656414) | more than 6 years ago | (#20762449)

When I run across a wi-fi with the default logon, I change the user/password, set the renew/release to 10 minutes, delete the users if any. HOPEFULLY when the stupid user asks a friend to find out why his/her computer is knocked offline all the time, they will put a user/password, lock it down with MAC addressing and turn on all the security. It just amazes me that people think those fancy do-dad wi-fi boxes are like a toaster. Just plug it in and turn it on.

Re:Here's one I do (4, Interesting)

Destoo (530123) | more than 6 years ago | (#20762539)

Why would they care, if it just works?

I think I had 5 routers in my neighborhood on channel 6, with default passwords.
I logged on into each and switched them to different channels.

Re:Well (5, Insightful)

Timmmm (636430) | more than 6 years ago | (#20761861)

It *is* a problem with the software. The software is designed for use by *people*. People who may not remember to change the default password.

Easy solution - disable the product until the password is changed and intercept http connections so you can give people a helpful page saying "The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.

Re:Well (1)

vtcodger (957785) | more than 6 years ago | (#20762129)

***I fail to see any flaws with this solution. Also read 'The Design of Everyday Things'.***

I suppose that you probably don't. So let me help you out. The first problem you are going to encounter is that something like 15-20% of the customers are goijng to take an utterly irrational "It's MY router. How about you clowns let ME determine how to configure it?" attitude The second is that quite possibly a small percentage of them will actually need to run with default passwords. You can't imagine why. Neither can I. But I learned in 1963 or so that anticipating exactly what customers will do with your product is impossible. Gratuitously jamming 'solutions' down people's throats will NOT earn you friends. If you try it, you will discover that many of the folks you have helped out will be quite ungrateful.

Re:Well (3, Insightful)

nuzak (959558) | more than 6 years ago | (#20762259)

It won't feel like you're shoving policy down their throats if you don't have a default password at all, but make it so that it won't function until you complete the setup, which involves setting a password.

Considering that you get folks like SAC who set the PAL codes for all their nukes to 00000, yeah there will always be people that bypass it. But at least won't be because nobody touched it at all -- someone had to run the setup. And when users get cranky and bypass it, then it's now 100% their problem. Especially when the SOX auditors come knocking.

Re:Well (0)

Anonymous Coward | more than 6 years ago | (#20762947)

I suppose that you probably don't. So let me help you out.

Lookit. The guy spend probably seconds coming up with his solution. This is slashdot, and that the time that is needed to solve all sorts of problems these so-called "engineers" can't figure out. Need proof? Check out any thread that mentions a problem, and you'll find a that a slashdotter will instantly realize something that never occurred to the people actually working on the it. Take this guy [slashdot.org] , for instance.

Re:Well (1)

dgatwood (11270) | more than 6 years ago | (#20762139)

Presumably these devices don't route packets, handle VoIP calls, etc. until you've at least put in basic network settings anyway. Seems like all you really need to do is make the device ask you to set an initial password as the very first step in the setup process.... It isn't rocket science. It's like when you get a UNIX account on some university box. They set an initial password based on your student ID/name/whatever. and the very first thing is a prompt that requires you to set a real password.... Of course, since this is a hardware device that presumably will be configured on a private network, there's not even a reason to have an initial password at all, so long as there's a physical reset button on the device that will reset the password and settings to a factory (nonfunctional) state....

Re:Well (1)

boredMDer (640516) | more than 6 years ago | (#20762885)

IME scanning local subnets around me (hey, I get bored) the only routers I have never seen using the default password are Belkins, presumably because one of the first requirements in the 'setup' software (IIRC) is to set the admin password.

Re:Well (1)

noidentity (188756) | more than 6 years ago | (#20762887)

"The default password is 'password'. This must be changed before this router/switch can be used. Click [here] to do so."

Stupid box! Just work. Fine, change password to "passw0rd" and stop bothering me..

So the software fix is? Reject easy-to-guess passwords? That gets really annoying. It's an arm's race fueled by lazyness on the user's part, and one the software can't win without causing problems for non-lazy users. So I say that it is a user problem, and not easily correctable in software (despite what Java's designers thought when removing features to turn bad programmers into good ones).

Re:Well (1)

grumbel (592662) | more than 6 years ago | (#20762135)

No matter how much you educate, the user is the one piece in the equation that you can't 'fix', at least not on a large scale, which is why software and hardware *must be* designed in such a way that it works in a secure way even with a 'broken' user. The default password thing is easily fixed: don't set the same default one for each device, instead use a random one or none at all if possible (i.e. disable remote login). You don't want users to use 'qwerty' password, so use a function to check that the users password is not a weak one.

Re:Well (0)

Anonymous Coward | more than 6 years ago | (#20762473)

I wonder if he has any relation to Robert Tappan Morris (rtm), the inventor of the Great Worm of 1988. They both used fairly simple methods. rtm used a buffer overflow in finger! And this Robert Moore uses default passwords.

Re:Well (2, Interesting)

mcrbids (148650) | more than 6 years ago | (#20762805)

The weakest link is often the user: leaving the default password of a router,

Are you sure it's the user?

So, let me ask you this - why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something? Such a trivial thing to do, yet it would do so, so much for improving security, and would have a trivial effect on usability.

Routers are security devices. Other security devices (such as bike locks) have the default being rather secure, why can't routers?

Re:Well (1)

Paradise Pete (33184) | more than 6 years ago | (#20763043)

why is the default password on routers all the same? Why isn't it different for each unit, and imprinted on the box or something?

Yes, what could possibly go wrong?

he should study more (or moore) (5, Funny)

User 956 (568564) | more than 6 years ago | (#20761581)

Convicted hacker Robert Moore, who will report to federal prison this week

Apparently Moore's law isn't quite up to snuff.

Re:he should study more (or moore) (1)

NotBorg (829820) | more than 6 years ago | (#20762019)

We're going to federal POUND ME IN THE ASS prison!

Random passwords (3, Interesting)

MobyDisk (75490) | more than 6 years ago | (#20761623)

It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...
- They must run a test suite before shipping them so it should be easy to make that tool generate a random password and assign it to the router
- You would have to print it on the router, or on a slip of paper
- If it is printed on the router itself then you could make the router's reset button go back to that password, instead of Cisco0.

Even if you don't implement that last bullet, it still seems like it would help a lot.

Re:Random passwords (3, Insightful)

sam.thorogood (979334) | more than 6 years ago | (#20761667)

This moves the burden to the hardware manufacturer. What if this was the case, and network administrators (even good ones) the world over immediately assumed that everything they purchased out of the box was secure - right before a provider had a disgruntled employee upload the default password list for thousands/millions of routers to the internets? ... although that is just the FUD part of my brain talking. I actually like this idea.

Re:Random passwords (1)

grumbel (592662) | more than 6 years ago | (#20762157)

If you argue that way you can never feel safe, since who says that there isn't a hidden backdoor in your otherwise secured router?

Therein lies the problem (0)

Anonymous Coward | more than 6 years ago | (#20761695)

Your lazy-ass proposal is half of the problem: Shifting the onus on anyone but the users and administrators. Did you even RTFA? USE DECENT PASSWORDS AND IMPLEMENT ALL POSSIBLE SECURITY MEASURES. Goddamn, I should take some of the jobs you over-paid fuckers have. You don't deserve 'em.

And you wanna complain about not making enough money.

Re:Therein lies the problem (0)

Anonymous Coward | more than 6 years ago | (#20762025)

Your reasoning would be all right if people who were entrusted with jobs actually deserved them and knew what they were doing. The problem is that you can't count on that. So if you're the one in charge of setting up the router firmware at Cisco, it's not enough to just say, "well, our users will know what to do". Just like if you're working at any other job doing software, you can't assume that the user will provide valid input, click the expected combination of buttons, etc.

Better software is idiot proof. Never mind the idiots --- yes, there are plenty of them in this world, and yes, many of them do get paid for things that they don't know how to do.

Re:Random passwords (2, Insightful)

chill (34294) | more than 6 years ago | (#20761709)

They must run a test suite before shipping them...

No, they mustn't. Frequently, if your production QA is good you don't do 100% testing before shipping. Random sampling is usually good enough and significantly cheaper. I can't speak to any specific router manufacturer, but this is SOP in manufacturing.

Re:Random passwords (2, Interesting)

John_Sauter (595980) | more than 6 years ago | (#20761845)

Every device with an Ethernet interface has a 48-bit unique identifier built in. All such devices, in my experience, also have a sticker that displays their Ethernet address. Would it be so difficult to include, at manufacturing time, a small ROM that contained an initial password, unique to each device, and also displayed on a sticker? The additional cost of such a feature needs to be weighed against the additional security provided, but I think in some markets it would be a definite win.

The manufacturer need not keep a list of which passwords went with which device, only a list of the passwords already issued to ensure the new ones were unique. If uniqueness is not an absolute requirement, only keep the last thousand passwords, and use a good random number generator.

Re:Random passwords (1)

chill (34294) | more than 6 years ago | (#20761975)

Keep in mind, the first half of that 48-bits isn't unique, it identifies the vendor. And they really aren't globally unique, but I'm not sure they have to be.

Either way, this is going about it the long way. The simple solution is to make it so you have to change the default password the first time you config the device. Feel free to leave it "admin" from the factory, as long as it can't be "admin" after it gets configured.

Re:Random passwords (2, Interesting)

steelshadow (586869) | more than 6 years ago | (#20761793)

I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

Re:Random passwords (4, Funny)

Solra Bizna (716281) | more than 6 years ago | (#20761897)

I just received a modem/router from Verizon for DSL access and they had wireless access preset to a "random" SSID and WEP key which was printed on the modem. Of course, they then went and had the administration account be admin/password.

That's actually not so bad. In order to get on the wireless network to use the admin password in the first place, they would need to guess your SSID and WEP key. And everyone knows that's impossible, right?

-:sigma.SB

Re:Random passwords (1)

theRiallatar (584902) | more than 6 years ago | (#20762017)

Pretty sure any quality wireless router won't actually let you do wireless administration of the device. I know the Linksys box I have sitting on my desk requires you do be physically plugged in if you want to do any administration.

Re:Random passwords (1)

jombeewoof (1107009) | more than 6 years ago | (#20762149)

Pretty sure any quality wireless router won't actually let you do wireless administration of the device. I know the Linksys box I have sitting on my desk requires you do be physically plugged in if you want to do any administration.
that's usually a flag you can set. my router (linksys) is setup so that you can do wireless administration of the device.

Re:Random passwords (1)

CodeBuster (516420) | more than 6 years ago | (#20762319)

Pretty sure any quality wireless router won't actually let you do wireless administration of the device.

It is an option, but it is turned off by default. I actually turned it on for my WRT54G (running Thibor) so that I could access the admin pages from my laptop. However, since I am also using AES [wikipedia.org] , HTTPS, MAC whitelist filtering, and strong (not default) admin password the extra risk is very minimal.

Re:Random passwords (0)

Anonymous Coward | more than 6 years ago | (#20762457)

A few years ago a neighbor of mine had a linksys router that you could administer from... my house. :-)

Re:Random passwords (1)

Gordonjcp (186804) | more than 6 years ago | (#20761825)

On Cisco wireless access points, the radio is disabled by default until you've either set a WEP key, or manually enabled the radio with no key set. It's not a great leap to make "commodity" routers that don't route until they've been given a new password.

Re:Random passwords (1)

mastershake_phd (1050150) | more than 6 years ago | (#20761831)

It doesn't seem too hard to ship the routers with random passwords. Is it just cheaper to not bother? Just thinking here...

Well they do it for $2 padlocks...

Re:Random passwords (1)

Em Adespoton (792954) | more than 6 years ago | (#20761839)

Simple solution for ALL hardware: Default password requires you to have a local connection, or anything besides changing the password cannot be done using the default password. Using EITHER of these rules solves the default password problem. Anything that connects to a network should have one of these rules as part of the firmware. After all, it is common knowledge that around 80% of all hardware devices that contain a default password will never have it changed. Get your hands on a manual for the device, and you can gain access to 80% of the devices deployed.

Re:Random passwords (1)

spicate (667270) | more than 6 years ago | (#20762179)

It doesn't seem too hard to ship the routers with random passwords.
Quick! Patent that invention!

Re:Random passwords (1)

CodeBuster (516420) | more than 6 years ago | (#20762249)

It would have to imprinted upon the router in such a way that the password could not be easily rubbed off or otherwise made illegible. It would also add more cost than you might think to manufacturing of the router. It would probably be better to place a temporary sticker on the router with the default password printed on it and something along the lines of, "name of company strongly recommends that you change the admin password to something other than the default after configuring this router"

Defaults (1)

maz2331 (1104901) | more than 6 years ago | (#20762309)

How difficult would it be to make the default something like the unit's serial number, then have the code require a change before even enabling network interfaces?

Re:Random passwords (1)

pimpimpim (811140) | more than 6 years ago | (#20762405)

What about this: Upon first boot and after a reset, it won't open a connection to the outside world but instead lead you to a homepage on its internal server asking you to change the password. Shouldn't be too hard, and is still relatively user-friendly.

Re:Random passwords (1)

nolife (233813) | more than 6 years ago | (#20763083)

HP ships their servers with different passwords for the iLO server remote administration, the login is Administrator and the password is the serial number of the server. This information is attached in plain text and in bar code form to a paper tag tied to the server. You should obviously still change these to something else but at least it is not a single default one across all of the servers.

Who woulda thunk it?! (0)

Anonymous Coward | more than 6 years ago | (#20761639)

I was personally responsible for setting up a Nortel VoIP solution for the company for whom I work. The vendor (based in Denver, CO) required that we change default passwords on the end users' routers. Of course, I changed the default password on the VoIP switch as well considering that it is accessible to the public via its WAN port.
DUH!!

Convicted hacker? (0)

Anonymous Coward | more than 6 years ago | (#20761647)

So being a hacker is a crime...

Re:Convicted hacker? (1)

KudyardRipling (1063612) | more than 6 years ago | (#20762373)

As long as twelve people can be found who are possessed by their possessions, (here comes the 'broken record': cushy jobs, single family homes, SUV's, retirement plans, vacations, entertainment systems, RV's, boats, etc.) there will be convictions.

At least that "Hacker" actually used some skill. (1, Funny)

Anonymous Coward | more than 6 years ago | (#20761653)

Maybe not a lot, but more than most of the media's super-hyped so-called "hackers" ever do.

A few years ago a major New Zealand ISP was "hacked" -- or so the media said. The biggest talkshow host of the time interviewed the alleged "h4x0r" live, and proclaimed him to be a "computer genius". We were all in deadly and imminent danger of being hacked by guys like him he said.

The "hacker" in question was a 13 year old whose friend's older brother worked for the ISP. The older brother had stupidly given his staff login and password to his kid brother, who had, naturally, shared it with his friend, the "genius hacker". This friend then logged in and deleted a bunch of hosted websites.

Pretty frikken 1337, huh?

Re:At least that "Hacker" actually used some skill (0)

Anonymous Coward | more than 6 years ago | (#20761697)

that is some scary shit there

Re:At least that "Hacker" actually used some skill (2, Funny)

WhatAmIDoingHere (742870) | more than 6 years ago | (#20761755)

So he's a social engineer skript kiddie?

Ridiculous! (2, Funny)

cromar (1103585) | more than 6 years ago | (#20761659)

You would not believe the number of routers that had "admin" or "Cisco0" as passwords on them...

That's ridiculous. Everyone knows the most commonly used passwords are "love," "secret," and "sex." Oh and don't forget "God." It's that whole male ego thing.

Re:Ridiculous! (2, Funny)

wilymage (934907) | more than 6 years ago | (#20761675)

It's got a 28.8 bps modem!

Re:Ridiculous! (1)

Xaer0cool (700219) | more than 6 years ago | (#20761827)

Hey, be careful what you say, I might get offended, take time off from battling 'the plague' and then you would have to crash override!

(see username)

And yes, it is sad that I have watched that movie enough times to know the 'hackers' handles

Re:Ridiculous! (1)

TerranFury (726743) | more than 6 years ago | (#20762009)

Mess with the best, die like the rest!

"Pool on the roof. Sprung a leak."

"And yes, Mom, I'm still a virgin!"

"Crash 'N Burn"

eof.

yet again they shoot the messenger... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20761745)

this guy should be congratulated for uncovering such slack security.



imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

Not if he exploited it and kept it hushed up. (4, Insightful)

Ungrounded Lightning (62228) | more than 6 years ago | (#20762291)

this guy should be congratulated for uncovering such slack security.

If he told the owner about the insecurity and didn't exploit it himself, yes.

imagine what havoc he could have made if he had been malicious, or had sold the passwords to Osama....

Or if he kept it quiet and exploited it himself - stealing services and running up bills for the victimized system owners, building a business on it and pocketing money for himself and his co-conspirators.

Wait... That's what he did, isn't it?

No, he should not be congratulated. He should be convicted and punished as the thief he is.

Wait... That's what happened, isn't it?

Isn't it nice

Re:yet again they shoot the messenger... (1)

sgt_doom (655561) | more than 6 years ago | (#20762513)

Too late, dood, George bin Bush and Dick bin Cheney already sold all those passwords to Osama...

Just because the front door isn't locked... (1)

WebCowboy (196209) | more than 6 years ago | (#20762525)

...doesn't mean it is OK to walk right in and check out what's in the fridge (unless of course it is your home). If the damage was minimal or nonexistent then the punishment should fit the crime of course, but it IS still illegal.

On the other hand, why hasn't anyone thought of launching suit against the VOIP providers over the security breach? Tort law in the good ol' US of A is the most stringent in the world when it comes to "duty of care". Leaving passwords at factory defaults certainly could constitute negligence.

Come on people, seeing how litigious society is today, why not use it constructively? Sometimes the only way companies learn to be responsible is through the bottom line. Did some phone providers not have to be sued into providing 911 service standard after all? I'd say that this guy breaking in so easily should be justification for some legal action towards the VOIP providers.

Re:yet again they shoot the messenger... (1)

NemoinSpace (1118137) | more than 6 years ago | (#20762579)

OK. Congratulations Robert! Tell 'em what he's won Johnny... 2 years rent free in the big house!
Messenger? No. How about Co-conspirator, or stooge?
This guy can't even look forward to getting a decent paying job when he gets out, since he really didn't exhibit any special skills during his simple minded thievery.
What part of stealing and putting at least one company out of business isn't malicious?
p.s. my username is admin and my password is blank. and if I catch you in my honeypot I'll ask the Feds to hook you up with an adjoining cell.
p.p.s. I keep my door unlocked at night too.. and if i catch you in my house you'll be picking buckshot out of your ass for a week.
I admit making it easy for guys like this isn't smart, but freedom is about choices and choices have consequences.

Solution: Eliminate Product-wide Default Passwords (1)

u0berdev (1038434) | more than 6 years ago | (#20761751)

The problem in most of these cases is a user with little to no experience in network setup, and who also avoids reading directions, will almost always just "plug it in and go". Most routers that I've used come with a default password that is the same for all similar products that the company makes.

Instead of having a default password, why not have pre-generated passwords that are decently strong that are already on the router when you get the device, and have a sticker on the router with that password. Then instead of the manual telling you to type in "admin" for the password, it could tell you to look at a sticker on the router.

Come on, most already have stickers for the MAC address. Another sticker for the password is not a big deal.

Re:Solution: Eliminate Product-wide Default Passwo (1)

jbellows_20 (913680) | more than 6 years ago | (#20761805)

Come on, most already have stickers for the MAC address.

And the managers will say, "Yeah. We have the MAC address on there already. We can use that for the default password."

Re:Solution: Eliminate Product-wide Default Passwo (1)

slakdrgn (531347) | more than 6 years ago | (#20761833)

HP does this on their servers with ILO. The ILO password is a variation of the host name and random alphanumeric characters. Sadly, they don't do this with their procurve line of switches.

Re:Solution: Eliminate Product-wide Default Passwo (1)

AJWM (19027) | more than 6 years ago | (#20762183)

The ILO password is a variation of the host name and random alphanumeric characters.

That's pretty hard considering the host name isn't assigned until the OS is installed. ;-) It's usually the host serial number plus some alphanumerics, but either way it's unique and is printed on a (removable) tag attached to the server.

Re:Solution: Eliminate Product-wide Default Passwo (1)

Ungrounded Lightning (62228) | more than 6 years ago | (#20762037)

Better yet: Why not have a unique default password that's printed on the device, or a function of a unique number that's printed on the device and NOT accessible from the network?

That way the bad guy would need physical access to the particular box to read that label to get what he needs to construct the default password. (Since it's a default password the "view the label" hole could be instantly plugged just by changing it.)

(Not from the MAC address, of course, nor the serial number if that's available in SNMP, etc. Not even from a cryptographic function from such stuff - since that leaves the company using internally a secret that could divulge the default password of all their boxes if it leaked - which it no doubt would, as it get passed around internally so the help center could use it...)

Wait-that's what you said. Duh... (1)

Ungrounded Lightning (62228) | more than 6 years ago | (#20762311)

Oh, shoot. How did I miss the second part of your posting where you propose the same thing in different words?

Guess it comes from trying to read slashdot in a cave...

Damn... (3, Funny)

Cornflake917 (515940) | more than 6 years ago | (#20761763)

That caveman from the Geico commercials was just starting to make progress with his therapist. Let's hope the poor guy doesn't stumble upon this article. This hacker might get a few unexpected prison visits from whiny cavemen.

Yay for VPNs (1)

b0s0z0ku (752509) | more than 6 years ago | (#20761767)

on the systems that I manage, no Web/telnet/ssh admin ports get opened to the outside world. If you want in, you'd better have a valid VPN key as well as a password, and VPN logs get checked regularly to prevent abuse. Good defence is multilayered.

-b.

Re:Yay for VPNs (1)

thatskinnyguy (1129515) | more than 6 years ago | (#20762079)

Good defense is multi layered.
I believe the magic buzzwords are "security in depth".

Better he than they (1)

Yupnik (5094) | more than 6 years ago | (#20761819)

Whoever they is. Somebody, please ban default passwords.

Re:Better he than they (1)

subl33t (739983) | more than 6 years ago | (#20762089)

Won't somebody PLEASE think of the default passwords!?

So easy a caveman could do it (3, Insightful)

SplatMan_DK (1035528) | more than 6 years ago | (#20761841)

Mjeah.

So easy a caveman could do it.

But apparently not so easy a caveman could avoid getting caught?

What ever happened to the supercool hacking-thang called "not getting caught"?

- Jesper

Re:So easy a caveman could do it (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20761949)

What ever happened to the supercool hacking-thang called "not getting caught"?

Oh like that'll get you a book deal and job in the computer security field.

If you don't get caught you'll never even merit an article on /.

Re:So easy a caveman could do it (1)

SplatMan_DK (1035528) | more than 6 years ago | (#20761983)

So what you are saying is ...

1.) Hack stuff using script-kiddie techniques
2.) Keep at it until you are caught
3.) Tell everyone the story about you being an idiot who got caught
4.) Do a month of jailtime
5.) $$$!

Is that the kind of people who programmed my personal firewall and my anti virus app.?

(Pleeeease, say "no", pleeeease, pretty-please)

- Jesper

Re:So easy a caveman could do it (4, Funny)

lawpoop (604919) | more than 6 years ago | (#20762381)

What ever happened to the supercool hacking-thang called "not getting caught"?
I'm sure it happens all the time; it just never makes the news...

It could even be happening right now...

Re:So easy a caveman could do it (1)

noidentity (188756) | more than 6 years ago | (#20762933)

What ever happened to the supercool hacking-thang called "not getting caught"?

That goes hand-in-hand with "not boasting about not getting caught".

Re:So easy a caveman could do it (1)

flyingfsck (986395) | more than 6 years ago | (#20763049)

Well, that is the whole problem - the *real* hackers don't get caught, it is only the bozos that get caught.

Am I missing something? (1)

POTSandPANS (781918) | more than 6 years ago | (#20762041)

Isn't a hacker usually considered someone who finds a clever way into a system or does "scanning for default passwords" pass as a hack nowadays..

this sounds kinda like "hacking" into your neighbors open wireless network.

He's no hacker, just a nuisance and a thief. This guy deserves jail time.

Re:Am I missing something? (2, Funny)

thatskinnyguy (1129515) | more than 6 years ago | (#20762113)

I believe he more or less falls into the category of a "researcher". You probably could write a master's thesis on the password data/statistics alone!

And which heads will roll? (3, Informative)

rgaginol (950787) | more than 6 years ago | (#20762241)

Having these flaws present in a secure system, even for small companies is almost bordering on negligence. It takes 20 seconds to change a password, and god forbid if you've got too many to remember, write it down somewhere and store it in the company safe.

The REAL problem I see with IT is a combination of inept administrators and an abundance of managers who don't understand the significance of things like this. A mistake like this not only represents a failure of an IT worker, but poor oversight by their manager. I've seen an administrator hired who had no technical competence but was able to talk to the managers about cricket. He was then replaced with a person who was even worse when the first dumb admin did the IT thing and left after making a huge mess. And yeah, a year after I'd left, the second administrator, after purchasing a new Cisco router with zero scoping calls me up and asks, "How do I install a Cisco router".

There are books out there like "The practice of system and network administration", they help new administrators immeasurably, but so many just don't give a damn. There needs to be more incentive to have serious consequences for sloppy work. If we're ever going to be taken seriously, we need to find and flog administrators who set up a production router/firewall with a default password.

Router passwords (0)

Anonymous Coward | more than 6 years ago | (#20762245)

How about routers that create a random strong password 5 minutes after it has been first started/reset and if someone logs in before that it requires them to set there own password... People who plug in play get a protected router and people who need to change settings can set a password. And for those who plug in play the only need to reset the router to access it again.

The problem lies with vendors? No! (1)

bl8n8r (649187) | more than 6 years ago | (#20762299)

" Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors."

I don't think so Alan. The means is there for an able bodied person to setup appropriate credentials within a few minutes. Most of these stupid logins are web based anyway. You click "Admin" and then "Change Password" and things are a lot better than they were a couple minutes ago. The biggest problem is unskilled technical people in positions where they are pressured to get grand things accomplished quickly with as little manpower as possible. Many admins I know (at least in the windows realm) are very complacent being getting by with a D- in everything. Very few attempt to strive for excellence. The ones I know recite idealisms all day long and complain about how broken things are but in the long run they consider the state of affairs acceptable because they are "too busy to fuck with it".

If you urinate in the well, don't complain when your coffee smells like piss.

liability? (2, Insightful)

jShort (1140435) | more than 6 years ago | (#20762315)

I'm not a hacker, an IT guy or a lawyer of any sort, but after RTFA, I have a question: Why isn't there some provision under which concerned invididuals can go after lax companies regarding their security? I mean, yes they were 'hacked', but aparenly only becase their IT people were not to be bothered by securing the companies' data. It seems silly to spend time and money going after the hacker, and then letting all the guys who actually compromised the data off the hook.

"script kiddie" is over-used (1)

deftones_325 (1159693) | more than 6 years ago | (#20762321)

This article brings out a good point... ( or a point I would like to make (i never know if i'm on topic)) Most of today's hacking is allowed by either social engineering or default settings being used. You don't even have to be a "script kiddie" to do the kind of stuff they did. Off topic maybe. I guess this comes from the "know it all's" at work who drop the "script kiddie" dime on anyone and everyone who takes the easy road to accomplishing a task. The one dude who got the code for motorola's phone a while back...he is pretty smart about computer related ideas...but his "hack" was barely anthing to do with using a computer.

hah (1)

d3l33t (1106803) | more than 6 years ago | (#20762453)

I recall a similar instance during high school. Telecom switch with the default 'root' UN and PW accessible through the school network. telnet. a friend who thought it was comical to type reset. resulting in a 5 day suspension, 3 days w/o Internet for 5 high schools, and 2 police stations. Wasn't that funny I suppose, until he couldn't touch another computer the rest of his high school career. Ya he thought he was hot shit

so easy a caveman... (1)

benburned (1091769) | more than 6 years ago | (#20762479)

this reminds me of the arm wrestling machine that was so easy even a woman could beat it and ended up breaking peoples arms.

Wow, what a fall from grace... (2, Funny)

Anonymous Coward | more than 6 years ago | (#20762483)

...after playing James Bond in all those movies.

It's the vendors fault! (0)

Anonymous Coward | more than 6 years ago | (#20762523)

"Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors.

"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."?


Yeah, it's silly for us to know what we're doing!

IT people, think with your brain (0)

Anonymous Coward | more than 6 years ago | (#20762617)

This guy made $20k in this heist which has now given him a crim. record, fed. prison time, legal bills a lot bigger than $20k, and has destroyed his prospects of future work in the industry. Meanwhile his "partner" made > $1mil from this. This guy would have been better off unemployed, or working and McDs.

Everyone in the computer biz should learn to ask the self-interest questions: What do I get out of this deal? What am I putting into this deal? What am I risking in this deal? Those questions must be asked before even the simplest business transaction occurs. Important sub-questions are, is this legal? If it isn't legal, what are the potential consequences? Important sub-questions of "what do I get" is "how am I getting paid, when, by whom, is the money really there?"

Red flag words: partner, equity, revenue sharing, stock. Those red flag words aren't always bad but they should always be looked at with skepticism. Beyond red flag words: circumventing access control of any kind (electronic or physical) without written authorization from an authorized person, and maybe an opinion letter from a lawyer. That should be an automatic "no".

I mean, these are simple questions. You don't need an MBA to analyze decisions with those questions. Somehow people with their heads in software don't take even a minute to ask these questions, and they should.

whaaa? (1)

NetNed (955141) | more than 6 years ago | (#20763151)

So not only did he hack Voip, but he did a spot for Geico in his press conference?
F'n sellout!
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...