Hacking: So Easy, a Cave Man Can Do It

Think security on government networks is inferior to the security found on corporate networks? Well, you may want to consider this article posted by InformationWeek, in which convicted hacker Robert Moore talks about how easy it was to hack into 15 telecommunications companies and hundreds of businesses. The 23-year-old hacker was able to get into the systems through well known security holes. Most of the holes could have been plugged with available patches or by following basic security practices taught in any information security introductory course.

Hacking into these business systems was “so easy, a cave man can do it,” Moore said. Moore found that 70 percent of all corporations he scanned had a known security vulnerability that would allow him into a network. Moore was looking for ways into networks to steal voice over IP services.

The No. 1 security hole Moore found? Companies using default passwords. A quote from the interview:

“I'd say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box. We also targeted Mera, a Web-based switch. It turns any computer basically into a switch so you could do the calls through it. We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips.

Not managing known security holes is among the top security mistakes organizations make. Government Executive magazine recently published a series of articles on the subject: here, here and here.