Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.

"It's so easy. It's so easy a caveman can do it," Moore told InformationWeek, laughing. "When you've got that many computers at your fingertips, you'd be surprised how many are insecure."

Pena, who is charged with acting as a legitimate wholesaler of Internet-based phone services as part of what the government called a "sophisticated fraud," fled the country a year ago and is wanted as a fugitive. Assistant U.S. Attorney Erez Liebermann said Pena allegedly stole and then sold more than 10 million minutes of service at deeply discounted rates, netting more than $1 million from the scheme.

Acting as the operation's technical muscle only netted Moore $20,000 of the haul, according to Moore.

The government identified more than 15 VoIP service providers that were hacked into, adding that Moore scanned more than 6 million computers just between June and October of 2005. AT&T reported to the court that Moore ran 6 million scans on its network alone.

However, the names of the companies Moore and Pena hacked into don't appear in the court documents--aliases are used instead--and Moore said he wasn't at liberty to identify them publicly.

Liebermann noted that one small telecom went out of business because of expenses the company incurred during the break-in. The company legitimately routed its own VoIP traffic through a larger telecom and was forced to pay the other company for the calls that Pena and Moore fraudulently sent through their network. "They had to eat the bill and were unable to remain in business," added Liebermann.

Default Passwords: A Hacker's Dream

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

"I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore. "You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. ... We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips." Keith Rhodes, chief technologist at the U.S. Government Accountability Office, said he's not surprised at all by what Moore says he found.

"Default passwords are a silly problem," said Rhodes, who is widely considered to be the federal government's top hacker. "But they were able to take a silly flaw and turn it into a business. ... It disappoints me, but I'm not surprised."

Kenneth van Wyk, principal consultant with KRvW Associates, said leaving default passwords up is a widespread and dangerous problem.

"It's a huge problem, but it's a problem the IT industry has known about for at least two decades and we haven't made much progress in fixing it," said van Wyk. "People focus on functionality when they're setting up a system. Does the thing work? Yes. Fine, move on. They don't spend the time doing the housework and cleaning things up."

It's also a problem for which the companies themselves are liable, Moore said.

"I think it's all their fault," he added. "They're using default passwords and their administrators don't even care. ... Anybody who has bad security, it's their fault. There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find. They need to get more education and security in the VoIP industry. There were thousands of routers that were compromised in this, just from my scans alone."

Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors.

"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."

Rhodes, however, says until vendors make it necessary to change the default password before a system or product will work, IT departments need to be given the time and resources to get it done.

"I have nothing but empathy for all the security personnel I've ever worked with," he said. "I've never met one yet who had enough people, enough time, enough support. ... It would take nothing to change a default password, but you need to actually have people who have the job to do that."

The Break In

Moore, who describes himself as a "mega geek" more upset about being banned from using a computer than actually going to prison, said his job in the operation largely was to write software that ran scans and brute-force attacks against Cisco XM routers and Quintum Tenor VoIP gateways. To do it, he said he used 2 gigs of information on corporate IP ranges that they bought for $800.

He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn't find default passwords or easily exploitable bugs, he'd run brute-force or dictionary attacks to try to break the passwords.

"We would go to telecom forums and other telecom sites that list company names and where they're from," he explained. "We'd look at foreign countries first. We'd take the name and IP range and then dump it into the scanner. ... Some of the Cisco versions, like IOS, were old and easier to get into."

Liebermann, the prosecutor, also noted that while Moore broke into telecoms so they could steal the VoIP service, he also hacked into countless other businesses so they could use the hijacked company connections to disguise the calls they were sending to the telecoms. With the VoIP connections in place, they simply needed corporate connections to mask their trail.

"He wanted me to look for [a network] with lots of traffic," said Moore. "Even if it was not a telecom, they might be connected to a telecom and then you could move through that connection to the telecom. ... [Pena] was taking legit calls that he had customers for and then rerouting the calls through rogue boxes."

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- businesses, agencies and individual users. "I know I scanned a lot of people," he said. "Schools. People. Companies. Anybody. I probably hit millions of normal [users], too."

Tips From The Hacker

Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion detection system set up, they could have easily seen that these weren't their calls."

The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. "We came across only two or three boxes that actually had access lists in place," he added. "The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords."

The GAO's Rhodes said if companies don't fix the small problems, they can open up gaping holes that hackers are ready to jump through.

"All it takes is one bad access point and they're in," he noted. "The weak link -- you find that one point and all the security unravels. ... I'm not surprised that someone going to prison said 70% are at risk. You only have to have one default password and all your security is at risk."