VoIP Thief Brags On Way To Prison
Says default passwords provided keys to the kingdom...
by Karl Bode 11:01AM Thursday Sep 27 2007
A 23-year-old hacker named Robert Moore hacked into 15 telecommunications companies and hundreds of businesses worldwide in order to net free VoIP minutes, which he and a partner then sold at highly discounted rates for a million in profit. Moore, set to head to prison, brags to Information Week that hacking into the systems of major VoIP carriers was "so easy a caveman could do it." From the interview:
quote:

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ... We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time."
Apparently, Moore wasn't all that bright -- considering he made only $20,000 out of the more than one million dollars in illegal profit, the majority of which went to 23-year-old mastermind Edwin Pena. Pena, a Miami "consultant," secretly routed some 500,000 calls through compromised Net2Phone systems, then buried profits in luxury cars, real estate and a 40-foot motorboat.


Transmaster
Don't Blame Me I Voted For Bill and Opus

join:2001-06-20
Cheyenne, WY

1 recommendation

What is with these.....

Penis heads, do they honestly think they are not going to get caught. Well now he is going to be a fresh morsel for the butt pirates in prison.
--
Eat a BLT for Iran
jc100

join:2002-04-10

Re: What is with these.....

Well no one said criminals were smart. The mastermind had someone do his dirty work, and paid him like crap. Maybe he was, but surely not this guy.

Plasticman
Will Work For Bandwidth
Premium
join:2002-09-06
Johnston, RI
said by Transmaster:

Penis heads, do they honestly think they are not going to get caught. Well now he is going to be a fresh morsel for the butt pirates in prison.
Yup he has that baby face look..... I am sure somebody will play doctor with him and say open wide, say ahhh...

Plasticman
--
Grant me the serenity to accept the things I cannot change, the courage to change the things I cannot accept, and the wisdom to hide the bodies of those people I had to kill today because they pissed me off
moonpuppy

join:2000-08-21
Glen Burnie, MD
That's not their concern. Many do it for the thrill and excitement. Many have egos bigger than a city. It's not even about the money. It's all about that they can do it.

Too bad he ruined a good portion of his life while the real winner is a fugitive from justice.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3
Is he a criminal? or did he do these VOIP companies a favor?

Yes, obviously he's a criminal, and was an idiot for getting caught... but what should have simply happened is when they found out what was going on, change the dang passwords and secure the networks.

It's one thing to hear about home WAPs getting leeched off of, but we all should certainly expect FAR more out of companies who take our money and provide service.. at minimum I would expect them to secure their networks and change their default passwords.

I hope that some IT people are standing in an unemployment line as well.
--
"Complaining is the least path of resistance for the self-serving, the lazy, and I’m told it’s a woman’s prerogative..."
Jerkface

join:2005-06-05
Hackettstown, NJ

Wow.

He's probably going to end up like most of the hackers that go to jail for this kind of stuff-- Get a job in Silicon Valley...

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ

Re: Wow.

said by Jerkface:

He's probably going to end up like most of the hackers that go to jail for this kind of stuff-- Get a job in Silicon Valley...
Like who? Most are usually denied access to computers when released. How many "hackers" were even arrested last year?
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

1 edit

Re: Wow.

What.... you don't know that ex-hackers, those who have hacked into M/S systems and those at the pentagon are now working for the very companies and agencies they hacked? It does happen. They're hired to find more holes in the system so they can be secured.

However, for this guy, it would be a minimum wage job.. he'd be the guy who heads up the "change the default password department"..

--
"Complaining is the least path of resistance for the self-serving, the lazy, and I’m told it’s a woman’s prerogative..."

HDGGHFG

@comcast.net
good example : KEVIN MITNICK
nutcr0cker

join:2003-04-02
Chandler, AZ
kudos:2
WTH makes him even a hacker? All he did was to exploit the laziness of the installers. He is not even a script kiddie, just a plain dumb crook. Hacking involves some circumventing knowledge but his feat lacked any stereotypical hackers. The only thing this guy is fit for is to sell used cars. The height of stupidity is that he only made 20,000

cork1958
Cork
Premium
join:2000-02-26

Re: Wow.

said by nutcr0cker:

WTH makes him even a hacker? All he did was to exploit the laziness of the installers. He is not even a script kiddie, just a plain dumb crook. Hacking involves some circumventing knowledge but his feat lacked any stereotypical hackers. The only thing this guy is fit for is to sell used cars. The height of stupidity is that he only made 20,000
Just trying to butter the story up, it would seem.

Modus
I hate smartassery on forums
Premium
join:2005-05-02
us
yep you are so right

I bet that's what's going to happen too...
--
Think Ahead. Learn More. Solve Now!
Badonkadonk
Premium
join:2000-12-17
Naperville, IL
kudos:5

Caveman

More importantly, he put down cavemen again.
fiberguy
My views are my own.
Premium
join:2005-05-20
kudos:3

Re: Caveman

Watch for the lawsuit from Geico for his abusing their rights to the cavemen.

tomkb
Premium
join:2000-11-15
Tampa, FL
kudos:5
Reviews:
·Verizon FiOS

hmm

what's stupid is that he is giving away his secrets instead of using his knowledge to negotiate no jail time, or to teach the good guys how to do things.

Also, you gotta get your $ offshore as soon as possible. If you gotta go to jail, you might as well have the money too.

jester121
Premium
join:2003-08-09
Lake Zurich, IL

Re: hmm

said by tomkb:

what's stupid is that he is giving away his secrets instead of using his knowledge to negotiate no jail time, or to teach the good guys how to do things.
You mean his l337 knowledge of default passwords and the dangers of not changing them?

Anyone who isn't up to snuff on that doesn't count as a "good guy".

insomniac84

join:2002-01-03
Schererville, IN
I doubt you're going to negotiate a deal by telling people to change their default passwords. It's probably step one in the instruction booklet that comes with the device.
In the end I would argue anyone leaving the password as the default invited people to use their devices. No crime was committed here.

Nice, let's give this jerk publicity too...

Could we take his picture down. Makes him look like he's a pompous saint.

Nothing like saying, "Hey, be a criminal and become famous!"
Meanwhile, the dope's master is off and hiding.

What gets me is the arrogance. And only two years? If he were remorseful or even, "I was coerced to do this for Pena. I was, you, addicted to gambling and had, well, a lot of debt..." Instead only two years? Please, I rob a bank of $1m and the fed put me away for at least 10 (with maybe 5 for good PMITA behavior).

Too lenient. Too stupid.

cypherstream
Premium,MVM
join:2004-12-02
Reading, PA
kudos:3

The voip companies should be held partially responsible

Seriously, who leaves default passwords on all of their routers and such?

So this guy takes the fall for it, but the admins of these companies should be canned.

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ

Re: The voip companies should be held partially responsible

said by cypherstream:

So this guy takes the fall for it, but the admins of these companies should be canned.
Twice even. Regardless of what the passwords were, there's absolutely no reason that they should be allowing random IP addresses on the internets to talk to their administrative interfaces.
amungus
Premium
join:2004-11-26
America
Reviews:
·Cox HSI
·KCH Cable
Yeah, and this part of the story is just finger pointing...

"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."

Rhodes, however, says until vendors make it necessary to change the default password before a system or product will work, IT departments need to be given the time and resources to get it done."
Sure, good idea, but it is most certainly not ALL on the vendors. It IS about the "user" (um, Administrator?) being careless. That's one of the most obvious things to do, changing the password. It is by no means "silly" for someone to "know to do." It is one of the very first things I learned about how to set up a router... if you set it up from scratch, or are recovering one, you change the freaking password(s).

Give IT time and ...RESOURCES???... to change a password?

Well I hope it was fun for this guy, but what about the "mastermind" guy? No fun times in the slammer for him??? Just fast cars, boats, and whatever else? That makes no sense.

tcharp
T C
Premium
join:2002-10-23
Lubbock, TX
I don't know about responsible, but certainly stupid at least. Who is in charge of security at these joints?

-TC
--
"It's hard to leave when you can't find the door." - Joe Walsh
GeekBigboy

join:2007-07-21
Moreno Valley, CA

Re: The voip companies should be held partially responsible

guys like him later on in life half the security people are criminals too

grobinette
Southeast of disorder
Premium,Mod
join:2001-01-27
Springfield, VA
kudos:2

Routers

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
--
Team Discovery

PeteC2
Got Mouse?
Premium,MVM
join:2002-01-20
Bristol, CT
kudos:6
Reviews:
·Comcast

Re: Routers

said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
Couldn't agree more. Sure, end users ought to take even a tiny bit of effort and thought to protect themselves, but it is no different than with anything else, folks just do not believe that "they" will be hit...

It would be very easy, and makes sense for the vendor to simply supply a limited usage password that expires and then must be changed.
--
...something is happening here but you don't know what it is...do you, Mr. Jones?

sporkme
drop the crantini and move it, sister
Premium,MVM
join:2000-07-01
Morristown, NJ

1 recommendation

said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
We're talking about so-called MCSEs IT Professionals here, they should not need this kind of hand-holding. They should not even have this equipment accessible to the outside world.

RARPSL

join:1999-12-08
Suffern, NY
said by grobinette:

The router manufacturers could easily fix this. Force a user name and password change when logging in to a router for the first time.
I also agree. I work in an IBM Mainframe environment and the security software there has the ability to expire a password (require a new one to be supplied) after the current one has been in use for a designated period of time. While this feature does not need to be activated, the "password expired and must be replaced" designation is forced to be on whenever the Administrator has altered it. IOW: If a user forgets his/her password, the Administrator resets it and tells the user what it has been reset to. When the user attempts to then use it, the password is accepted BUT (since it has been flagged as expired) the user is then prompted to supply a new password (which the Administrator does not know). This type of thing can be done with routers. Ship it with a single use password that must be reset when used. If you want to allow the Router's Administrator to reset the password without knowledge of the current (reset) one, you can allow the original one-time password to be used BUT then require the same replace the password procedure (a security hole if this is allowed remotely but you can't have everything unless you require physical access [so you can press a button or something] to the device to change the password without knowledge of the current one).
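
The flow RARPSL describes above, sketched as an added example (not part of the original post and not any vendor's firmware): the shipped password and any administrator-set password are flagged expired, so they authenticate only far enough to force a replacement, and restoring the factory password requires physical access. The `Device` class, its method names and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

class PasswordChangeRequired(Exception):
    """Password was correct but is flagged expired and must be replaced."""

class Device:
    """Hypothetical router credential store (constructed for illustration)."""
    def __init__(self, factory_password):
        self._factory = factory_password  # e.g. the value printed on the label
        self._set(factory_password, must_change=True)  # shipped as single-use

    def _set(self, password, must_change):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)
        self.must_change = must_change

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password):
        return hmac.compare_digest(self._hash, self._derive(password))

    def login(self, password):
        if not self._verify(password):
            return False
        if self.must_change:
            raise PasswordChangeRequired("set a new password before continuing")
        return True

    def change_password(self, current, new):
        if not self._verify(current):
            raise PermissionError("current password incorrect")
        if new in (current, self._factory):
            raise ValueError("new password must differ from current and factory values")
        self._set(new, must_change=False)

    def admin_reset(self, temporary):
        # Anything an administrator sets is flagged expired, so the
        # administrator never knows the password the user ends up with.
        self._set(temporary, must_change=True)

    def factory_reset(self, button_pressed):
        # Restoring the one-time password is gated on physical access.
        if not button_pressed:
            raise PermissionError("factory reset requires physical access")
        self._set(self._factory, must_change=True)

def login_status(device, password):
    """Return 'denied', 'change-required' or 'ok' for one login attempt."""
    try:
        return "ok" if device.login(password) else "denied"
    except PasswordChangeRequired:
        return "change-required"
```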

ftthz
If love can kill hate can also save

join:2005-10-17

rofl

someone doesn't do security checks...
russotto

join:2000-10-05
West Orange, NJ

*sigh*

Even in crime, it's the business guys who get all the money and the tech guys who get the shaft.
dogo88

join:2001-09-24
Old Bridge, NJ

priceless

Forrest Gump was right. "Stupid is as stupid does"

aztecnology
O Rly?
Premium
join:2003-02-12
Murrieta, CA

Re: priceless

said by dogo88:

Forrest Gump's mama was right. "Stupid is as stupid does"
Fixed...
dogo88

join:2001-09-24
Old Bridge, NJ

Re: priceless

Thanks, I knew it was one of the Gump family.

jgkolt
Premium
join:2004-02-21
Avon, OH

money

so how did they make money off of it? What was the name of their company etc.

ropeguru
Premium
join:2001-01-25
Mechanicsville, VA

Re: money

Here ya go.. Did the googling for ya...

Pena operated two telecommunications companies, Fortes Telecom Inc. and Miami Tech & Consulting Inc., according to federal prosecutors. The companies, acting as wholesalers, sold more than 10 million minutes of Internet telephone service for as little as 0.4 cents a minute.

»www.boston.com/business/technolo···p_calls/
--
FWD#: 223611

jgkolt
Premium
join:2004-02-21
Avon, OH
thanks. on my phone reading this so it isn't that easy. kudos

cableties
Premium
join:2005-01-27

Dummy

If this were me, I would have changed their passwords. Teach them a lesson, albeit less harmful but more amusing.


brooklynman4

join:2004-09-07
Brewster, NY

Re: Dummy

Hackers don't go to jail they join the government lol.

hangemhigh

@static.qsc.de

Good to get another scumbag off the streets

The world can do without these scumbags. Let em rot in prison.

snipper_cr
Premium
join:2002-01-22
Wheaton, IL

Cavemen?

Hacking VOIP... so easy a caveman can do it!

KAD Imaging
Just Shoot It
Premium
join:2002-09-21
Hialeah, FL

Re: Cavemen?

said by snipper_cr:

Hacking VOIP... so easy a caveman can do it!
"Grabbing your ankles in prison...So easy, a caveman could do it...(IF he were THAT stupid!!)"


AnonProxy
Premium
join:2001-05-12

$20K for two years in jail

and about $2MM in fines and pending lawsuits and the chance to get the HIV in prison. That guy's really smart!

natedj
Elected
Premium
join:2001-06-06
Columbia, SC

Re: $20K for two years in jail

Yeah 20k for 2 years... if he was a greeter at wal-mart he would have cleared more than 10k a year. He went from hacker to (prison) housewife. He better hope no one in prison hacks into his butt.
--
Good judgement comes with experience...Experience comes after bad judgements

SandShark
Long may you run
Premium,MVM
join:2000-05-23
Santa Fe, TX
kudos:3

Don't drop the soap...

...sweetheart.
sailor
Premium
join:2003-10-21
Long Island
kudos:6

2 Years is the problem

"Liebermann noted that one small telecom went out of business because of expenses the company incurred during the break-in. The company legitimately routed its own VoIP traffic through a larger telecom and was forced to pay the other company for the calls that Pena and Moore fraudulently sent through their network. "They had to eat the bill and were unable to remain in business," added Liebermann."

2 years little slap on the wrist..Give em 50 years with no parole and you'll see this shit come to an abrupt stop.

AnonProxy
Premium
join:2001-05-12

Re: 2 Years is the problem

Two years is a lot of time for that dough boy. Especially if he does it in a REAL prison, not a white collar crime type prison.

One of the problems with going big on some of this stuff, it just makes the need to do MORE just that...a need.

If I know I'm facing 50 years or 100 years, then I'll do whatever...because I'm gone for good.
Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1
gotta remember prison space isn't unlimited so gotta cycle people like this in long enough to learn a lesson but not overly strain the system.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports