VoIP Thief Brags On Way To Prison
Says default passwords provided keys to the kingdom...
A 23-year-old hacker named Robert Moore hacked into 15 telecommunications companies and hundreds of businesses worldwide in order to net free VoIP minutes, which he and a partner then sold at highly discounted rates for a million in profit. Moore, set to head to prison, brags to Information Week that hacking into the systems of major VoIP carriers was "so easy a caveman could do it." From the interview:
quote:

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ... We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time."
Apparently, Moore wasn't all that bright -- considering he made only $20,000 out of the more than one million dollars in illegal profit, the majority of which went to 23-year-old mastermind Edwin Pena. Pena, a Miami "consultant," secretly routed some 500,000 calls through compromised Net2Phone systems, then buried profits in luxury cars, real estate and a 40-foot motorboat.

Transmaster
Don't Blame Me I Voted For Bill and Opus
join:2001-06-20
Cheyenne, WY

1 recommendation

Transmaster

Member

What is with these.....

Penis heads, do they honestly think they are not going to get caught. Well now he is going to be a fresh morsel for the butt pirates in prison.
jc10098
join:2002-04-10

jc10098

Member

Re: What is with these.....

Well no one said criminals were smart. The mastermind had someone do his dirty work, and paid him like crap. Maybe he was, but surely not this guy.

Plasticman
Will Work For Bandwidth
Premium Member
join:2002-09-06
Johnston, RI

Plasticman to Transmaster

Premium Member

to Transmaster
said by Transmaster:

Penis heads, do they honestly think they are not going to get caught. Well now he is going to be a fresh morsel for the butt pirates in prison.
Yup he has that baby face look..... I am sure somebody will play doctor with him and say open wide, saw ahhh...

Plasticman
moonpuppy (banned)
join:2000-08-21
Glen Burnie, MD

moonpuppy (banned) to Transmaster

Member

to Transmaster
That's not their concern. Many do it for the thrill and excitement. Many have egos bigger than a city. It's not even about the money. It's all about that they can do it.

Too bad he ruined a good portion of his life while the real winner is a fugitive from justice.
fiberguy2
My views are my own.
Premium Member
join:2005-05-20

fiberguy2 to Transmaster

Premium Member

to Transmaster
Is he a criminal? or did he do these VOIP companies a favor?

Yes, obviously he's a criminal, and was an idiot for getting caught... but what should have simply happened is when they found out what was going on, change the dang passwords and secure the networks.

It's one thing to hear about home WAPs getting leeched off of, but we all should certainly expect FAR more out of companies who take our money and provide service.. at minimum I would expect them to secure their networks and change their default passwords.

I hope that some IT people are standing in an unemployment line as well.
Jerkface
join:2005-06-05
Hackettstown, NJ

Jerkface

Member

Wow.

He's probably going to end up like most of the hackers that go to jail for this kind of stuff-- Get a job in Silicon Valley...

sporkme
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

sporkme

MVM

Re: Wow.

said by Jerkface:

He's probably going to end up like most of the hackers that go to jail for this kind of stuff-- Get a job in Silicon Valley...
Like who? Most are usually denied access to computers when released. How many "hackers" were even arrested last year?
fiberguy2
My views are my own.
Premium Member
join:2005-05-20

1 edit

fiberguy2

Premium Member

Re: Wow.

What.... you don't know that ex-hackers, those who have hacked into M/S systems and those at the pentagon are now working for the very companies and agencies they hacked? It does happen. They're hired to find more holes in the system so they can be secured.

However, for this guy, it would be a minimum wage job.. he'd be the guy who heads up the "change the default password department"..

HDGGHFG
@comcast.net

HDGGHFG to sporkme

Anon

to sporkme
good example : KEVIN MITNICK
nutcr0cker
join:2003-04-02
Chandler, AZ

nutcr0cker to Jerkface

Member

to Jerkface
WTH makes him even a hacker? All he did was to exploit the laziness of the installers. He is not even a script kiddie, just a plain dumb crook. Hacking involves some circumventing knowledge but his feat lacked any stereotypical hackers. The only thing this guy is fit for is to sell used cars. The height of stupidity is that he only made 20,000

cork1958
Cork
Premium Member
join:2000-02-26

cork1958

Premium Member

Re: Wow.

said by nutcr0cker:

WTH makes him even a hacker? All he did was to exploit the laziness of the installers. He is not even a script kiddie, just a plain dumb crook. Hacking involves some circumventing knowledge but his feat lacked any stereotypical hackers. The only thing this guy is fit for is to sell used cars. The height of stupidity is that he only made 20,000
Just trying to butter the story up, it would seem.

Modus
I hate smartassery on forums
Premium Member
join:2005-05-02
us

Modus to Jerkface

Premium Member

to Jerkface
yep you are so right

I bet that's what's going to happen too...
67845017 (banned)
join:2000-12-17
Naperville, IL

67845017 (banned)

Member

Caveman

More importantly, he put down cavemen again.
fiberguy2
My views are my own.
Premium Member
join:2005-05-20

fiberguy2

Premium Member

Re: Caveman

Watch for the lawsuit from Geico for his abusing their rights to the cavemen.

tomkb
Premium Member
join:2000-11-15
Tampa, FL

tomkb

Premium Member

hmm

what's stupid is that he is giving away his secrets instead of using his knowledge to negotiate no jail time, or to teach the good guys how to do things.

Also, you gotta get your $ offshore as soon as possible. If you gotta go to jail, you might as well have the money too.

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121

Premium Member

Re: hmm

said by tomkb:

what's stupid is that he is giving away his secrets instead of using his knowledge to negotiate no jail time, or to teach the good guys how to do things.
You mean his l337 knowledge of default passwords and the dangers of not changing them?

Anyone who isn't up to snuff on that doesn't count as a "good guy".

insomniac84
join:2002-01-03
Schererville, IN

insomniac84 to tomkb

Member

to tomkb
I doubt you're going to negotiate a deal by telling people to change their default passwords. It's probably step one in the instruction booklet that comes with the device.
In the end I would argue anyone leaving the password as the default invited people to use their devices. No crime was committed here.

accountability

Anon

Nice, let's give this jerk publicity too...

Could we take his picture down. Makes him look like he's a pompous saint.

Nothing like saying, "Hey, be a criminal and become famous!"
Meanwhile, the dope's master is off and hiding.

What gets me is the arrogance. And only two years? If he were remorseful or even, "I was coerced to do this for Pena. I was, you, addicted to gambling and had, well, a lot of debt..." Instead only two years? Please, I rob a bank of $1m and the fed put me away for at least 10 (with maybe 5 for good PMITA behavior).

Too lenient. Too stupid.

cypherstream
MVM
join:2004-12-02
Reading, PA

cypherstream

MVM

The voip companies should be held partially responsible

Seriously, who leaves default passwords on all of their routers and such?

So this guy takes the fall for it, but the admins of these companies should be canned.

sporkme
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

sporkme

MVM

Re: The voip companies should be held partially responsible

said by cypherstream:

So this guy takes the fall for it, but the admins of these companies should be canned.
Twice even. Regardless of what the passwords were, there's absolutely no reason that they should be allowing random IP addresses on the internets to talk to their administrative interfaces.
amungus
Premium Member
join:2004-11-26
America

amungus to cypherstream

Premium Member

to cypherstream
Yeah, and this part of the story is just finger pointing...
"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."

Rhodes, however, says until vendors make it necessary to change the default password before a system or product will work, IT departments need to be given the time and resources to get it done."
Sure, good idea, but it is most certainly not ALL on the vendors. It IS about the "user" (um, Administrator?) being careless. That's one of the most obvious things to do, changing the password. It is by no means "silly" for someone to "know to do." It is one of the very first things I learned about how to set up a router... if you set it up from scratch, or are recovering one, you change the freaking password(s).

Give IT time and ...RESOURCES???... to change a password?

Well I hope it was fun for this guy, but what about the "mastermind" guy? No fun times in the slammer for him??? Just fast cars, boats, and whatever else? That makes no sense.

tcharp
T C
Premium Member
join:2002-10-23
Lubbock, TX

tcharp to cypherstream

Premium Member

to cypherstream
I don't know about responsible, but certainly stupid at least. Who is in charge of security at these joints?

-TC
GeekBigboy
join:2007-07-21
Moreno Valley, CA

GeekBigboy

Member

Re: The voip companies should be held partially responsible

guys like him later on in life half the security people are criminals too

grobinette
Southeast of disorder
MVM,
join:2001-01-27
22152-1106

grobinette

MVM,

Routers

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.

PeteC2
Got Mouse?
MVM
join:2002-01-20
Bristol, CT

PeteC2

MVM

Re: Routers

said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
Couldn't agree more. Sure, end users ought to take even a tiny bit of effort and thought to protect themselves, but it is no different than with anything else, folks just do not believe that "they" will be hit...

It would be very easy, and makes sense for the vendor to simply supply a limited usage password that expires and then must be changed.

sporkme
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

1 recommendation

sporkme to grobinette

MVM

to grobinette
said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
We're talking about so-called MCSEs IT Professionals here, they should not need this kind of hand-holding. They should not even have this equipment accessible to the outside world.

RARPSL
join:1999-12-08
Suffern, NY

RARPSL to grobinette

Member

to grobinette
said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
I also agree. I work in an IBM Mainframe environment and the security software there has the ability to expire a password (require a new one to be supplied) after the current one has been in use for a designated period of time. While this feature does not need to be activated, the "password expired and must be replaced" designation is forced to be on whenever the Administrator has altered it. IOW: If a user forgets his/her password, the Administrator resets it and tells the user what it has been reset to. When the user attempts to then use it, the password is accepted BUT (since it has been flagged as expired) the user is then prompted to supply a new password (which the Administrator does not know). This type of thing can be done with routers. Ship it with a single use password that must be reset when used. If you want to allow the Router's Administrator to reset the password without knowledge of the current (reset) one, you can allow the original one-time password to be used BUT then require the same replace the password procedure (a security hole if this is allowed remotely but you can't have everything unless you require physical access [so you can press a button or something] to the device to change the password without knowledge of the current one).
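
The expire-on-reset scheme described in the comment above, applied to a device's factory password. This is an added sketch, not part of the thread and not any vendor's firmware; the `Device` class, its method names, the 12-character minimum and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class Device:
    """Toy management-plane credential store (constructed for illustration)."""

    def __init__(self, factory_password):
        # The factory credential ships already flagged as expired.
        self._set(factory_password, must_change=True)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _set(self, password, must_change):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self.must_change = must_change

    def _check(self, password):
        return hmac.compare_digest(self._hash, self._derive(password))

    def login(self, password):
        """Return 'denied', 'change_required' (no admin rights yet) or 'admin'."""
        if not self._check(password):
            return "denied"
        return "change_required" if self.must_change else "admin"

    def change_password(self, current, new):
        """The only way to clear the expired flag; reusing the old value is refused."""
        if not self._check(current):
            return False
        if len(new) < 12 or self._check(new):
            return False
        self._set(new, must_change=False)
        return True

    def admin_reset(self, temporary):
        """An administrator reset always hands out an expired password."""
        self._set(temporary, must_change=True)


def demo():
    d = Device("admin")                          # constructed factory default
    out = [d.login("admin")]                     # accepted, but no admin session
    out.append(d.change_password("admin", "admin"))            # reuse refused
    out.append(d.change_password("admin", "correct-horse-battery"))
    out.append(d.login("admin"))                 # old default no longer works
    out.append(d.login("correct-horse-battery"))
    d.admin_reset("Temp-Reset-0001")             # constructed temporary value
    out.append(d.login("Temp-Reset-0001"))       # expired again after reset
    return out
```
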

ftthz
If love can kill hate can also save
join:2005-10-17

ftthz

Member

rofl

someone doesn't do security checks...
russotto
join:2000-10-05
West Orange, NJ

russotto

Member

*sigh*

Even in crime, it's the business guys who get all the money and the tech guys who get the shaft.
dogo88
join:2001-09-24
Old Bridge, NJ

dogo88

Member

priceless

Forrest Gump was right. "Stupid is as stupid does"

aztecnology
O Rly?
Premium Member
join:2003-02-12
Murrieta, CA

aztecnology

Premium Member

Re: priceless

said by dogo88:

Forrest Gump's mama was right. "Stupid is as stupid does"
Fixed...
dogo88
join:2001-09-24
Old Bridge, NJ

dogo88

Member

Re: priceless

Thanks, I knew it was one of the Gump family.

jgkolt
Premium Member
join:2004-02-21
Avon, OH

jgkolt

Premium Member

money

so how did they make money off of it? What was the name of their company etc.

ropeguru
Premium Member
join:2001-01-25
Mechanicsville, VA

ropeguru

Premium Member

Re: money

Here ya go.. Did the googling for ya...

Pena operated two telecommunications companies, Fortes Telecom Inc. and Miami Tech & Consulting Inc., according to federal prosecutors. The companies, acting as wholesalers, sold more than 10 million minutes of Internet telephone service for as little as 0.4 cents a minute.

»www.boston.com/business/ ··· p_calls/

jgkolt
Premium Member
join:2004-02-21
Avon, OH

jgkolt

Premium Member

thanks. on my phone reading this so it isn't that easy. kudos

cableties
Premium Member
join:2005-01-27

cableties

Premium Member

Dummy

If this were me, I would have changed their passwords. Teach them a lesson, albeit less harmful but more amusing.


brooklynman4
join:2004-09-07
Brewster, NY

brooklynman4

Member

Re: Dummy

Hackers don't go to jail they join the government lol.

hangemhigh
@static.qsc.de

hangemhigh

Anon

Good to get another scumbag off the streets

The world can do without these scumbags. Let em rot in prison.

snipper_cr
Premium Member
join:2002-01-22
Wheaton, IL

snipper_cr

Premium Member

Cavemen?

Hacking VOIP... so easy a caveman can do it!

KAD Imaging
Just Shoot It
Premium Member
join:2002-09-21
Hialeah, FL

KAD Imaging

Premium Member

Re: Cavemen?

said by snipper_cr:

Hacking VOIP... so easy a caveman can do it!
"Grabbing your ankles in prison...So easy, a caveman could do it...(IF he were THAT stupid!!)"


AnonProxy
Premium Member
join:2001-05-12

AnonProxy

Premium Member

$20K for two years in jail

and about $2MM in fines and pending lawsuits and the chance to get the HIV in prison. That guy's really smart!

natedj
Elected
Premium Member
join:2001-06-06
Irmo, SC

natedj

Premium Member

Re: $20K for two years in jail

Yeah 20k for 2 years... if he was a greeter at wal-mart he would have cleared more than 10k a year. He went from hacker to (prison) housewife. He better hope no one in prison hacks into his butt.

SandShark5
Long may you run
Premium Member
join:2000-05-23
Santa Fe, TX

SandShark5

Premium Member

Don't drop the soap...

...sweetheart.
sailor
Premium Member
join:2003-10-21
Long Island

sailor

Premium Member

2 Years is the problem

"Liebermann noted that one small telecom went out of business because of expenses the company incurred during the break-in. The company legitimately routed its own VoIP traffic through a larger telecom and was forced to pay the other company for the calls that Pena and Moore fraudulently sent through their network. "They had to eat the bill and were unable to remain in business," added Liebermann."

2 years little slap on the wrist..Give em 50 years with no parole and you'll see this shit come to an abrupt stop.

AnonProxy
Premium Member
join:2001-05-12

AnonProxy

Premium Member

Re: 2 Years is the problem

Two years is a lot of time for that dough boy. Especially if he does it in a REAL prison, not a white collar crime type prison.

One of the problems with going big on some of this stuff, it just makes the need to do MORE just that...a need.

If I know I'm facing 50 years or 100 years, then I'll do whatever...because I'm gone for good.
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

Kearnstd to sailor

Premium Member

to sailor
gotta remember prison space isn't unlimited so gotta cycle people like this in long enough to learn a lesson but not overly strain the system.