WatchGuard Technologies, Inc.
WatchGuard Wire
Improve Your Security IQ

"Caveman hacker" reveals his secret: you're dumber than he is

Information Week posted a good article interviewing Robert Moore, a 23-year-old hacker convicted of intruding on the networks of at least 15 Voice over Internet Protocol (VoIP) providers in an effort to re-sell illegally obtained telephone connections. The scheme allowed Moore's partner to resell more than 10 million minutes of service at deeply discounted rates, netting the crooks a million bucks -- and driving some smaller VoIP providers out of business.

And what incredible l33t technique did Moore use to break into the routers and switches he had to control to make the scam work? He picked a model of Cisco router and started scanning the Internet for it. When he found the router in use, he sent it the default, Cisco-issued password. According to Moore, that granted him administrative access far more often than not. (His estimate, which I take with a grain of salt, is "85% of the time.") The article's writer, Sharon Gaudin, quotes Moore as saying, "It's so easy, a caveman could do it."

So if a caveman can break through your network defenses, what does that make you? My guess: a slacker caveman. All security practitioners have preached for years that when you drop a new device into your network, you should change the manufacturer's default password automatically. It's too easy and too brief a step to skip. Any admin who does not know that default password lists litter the Internet is not paying attention; in fact, is putting effort into not paying attention.

One other point of interest in the Moore interview: when the default password didn't work, he'd try brute forcing the password and/or applying a rainbow table. In a year when so many security "experts" are crying that passwords no longer constitute any defense, it turns out long passwords still work. Or at least, they stop caveman hackers.

The moral of the story is obvious: change the password of every device on your network. Make each new password at least 14 characters long. The only alternative is to face extinction.

-- D. Scott Pinzon, CISSP

Copyright© 2010 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.