Havoc

Interview with a VoIP Hacker

12 posts in this topic

http://www.thevoicereport.com/TelecomJunki...VoIPHacker.html

Two-year sentence starts soon for Robert Moore, a Spokane, Wash., man convicted of hacking VoIP service providers to steal 10 million minutes, more than $1 million worth of services, over the course of a year.

Hacker visited vulnerability sites; used “dictionary” attack, firing 400 prefixes per second; targeted Cisco switches.

Boxes found on the Internet. Passwords not changed.

Given seemingly legit telecom work at first, checks got bigger as jobs got dirtier.

0

Share this post


Link to post
Share on other sites

not bad men....

0

Share this post


Link to post
Share on other sites

How much do you want to bet we'll see PDXUSA convicted of the same shit someday? :lol:

0

Share this post


Link to post
Share on other sites

http://seattlepi.nwsource.com/local/6420AP...Wrong_Turn.html

Growing up in rural Lacrosse, Wash., Robert Moore reached adolescence and discovered he was a high school misfit. Suffering from several ailments, including narcolepsy, Moore skipped playing sports, the normal path to small-town popularity.

Instead he dived into computer technology and found his niche, tinkering with software and understanding how computers connect to each other on the Internet. He became a hacker, going by the nickname "mooreR" and running a Web site with samples of software he developed.

"One of reasons I was so addicted to computers was I found I didn't need the real world. I had the online world, where people loved me," he said.

That world eventually led him to international notoriety and a two-year federal prison sentence for his part in a scheme to bilk telecommunications companies out of more than $1 million in stolen service.

Hackers, while portrayed often as bent on harming other computers, also include a middle ground of enthusiasts who test computer security in order to improve it. Moore said he was such an ethical hacker, but he veered toward crime to make easy money.

He moved to Spokane, graduated from North Central High School and became skilled enough to land several jobs, including a project for one firm needing anti-spam software.

In 2005, a Florida man, Edwin Pena, found Moore's site and asked him to create a tool for detecting certain types of network computers that worked with a new technology, Voice over Internet Protocol, or VoIP.

About a year later, FBI agents showed up at Moore's north Spokane home and arrested him, charging him with federal wire fraud and computer hacking. They also arrested Pena in Miami. Pena, 25, jumped bail and fled the country and is believed to be living in South America.

Moore, now 23, was nabbed because he designed the software tools Pena used to bilk Internet phone companies of more than $1 million in unpaid VoIP phone charges.

Next month, Moore will begin serving two years in a federal prison at a site not yet revealed. The New Jersey federal judge who sentenced him also ordered Moore to pay $152,000 in restitution to victims of the scheme.

The case created international attention. It marked the first large-scale hacking of the VoIP system. Moore used his 12 home computers to find vulnerable network doorways, called ports.

He pleaded guilty to the charges, acknowledging his role but saying he was just a provider of information that Pena misused for personal gain.

"What I did was totally wrong, and I have to pay for it," Moore said. "But Edwin was the guy who stole the minutes and resold them. All I did was find passwords for (network computers) that he wanted to use."

Many who wrote about or discussed the VoIP break-in said Moore's use of fairly unsophisticated tools, coupled with some special software he designed, pointed out major security holes in many corporate networks.

In most of the cases when he spotted vulnerable ports, the login password was an easy-to-guess word like "Cisco" or "password." Security experts say network managers should never leave those default passwords in place.

After his arrest, friends of Moore started a site called FreeRobert.com, calling attention to what they felt was heavy-handed federal prosecution.

But federal prosecutors said Moore knew all along that what he was doing constituted theft.

"This is a very serious crime, the first major attack on a new telecommunications infrastructure," said Erez Liebermann, the New Jersey assistant U.S. attorney who handled the case.

"He was a cooperative defendant," said Liebermann. "But apart from telling us how they worked (the plan), nothing he told us led to any other arrests." Moore and others believe at least one other hacker helped Pena but has not been caught.

Moore never attended college and gained most of his skills from Internet discussion groups. His goal, once released from prison, is to earn a certificate in network security and work as a consultant, helping ensure other companies can guard against hackers.

Before being contacted by Pena, whom he only communicated with by e-mail or phone, Moore made a modest amount of money doing odd programming jobs. When Pena offered him money, Moore said, he didn't resist.

He said it took three or four weeks before he was sure the work was illegal. "I wasn't thinking straight. I knew it was wrong, and I knew I would get caught eventually," he said.

Pena paid him $20,000. Part of the reason Moore took the job, he said, was to help pay some of his parents' bills. His father, David, is disabled and suffers from a chronic disease.

"The only big thing I bought for myself was a $2,600 Bowflex home gym. I didn't spend a lot. I kept it in case it was needed," Moore said.

At the time he was arrested, he still had $8,000 from Pena in his bank account, he said.

Since his arrest, Moore has been ordered to stay away from computers. He communicates with his friends by phone. What kept him going during the past year, he added, was the support friends and the hacker community.

"It really helped to have people call me, from all over, telling me they had my back. They say they'll send money to the (prison) commissary in my account. They really give me the confidence to keep on," he said.

0

Share this post


Link to post
Share on other sites

update : http://tiny.pl/bhpz

Just days after his apprehension in Mexico following two years on the run from law enforcement authorities, an alleged hacker was indicted this week by a federal grand jury for hacking into the computer networks of voice-over-IP service providers.
0

Share this post


Link to post
Share on other sites

Really makes you realize the truth in the saying "Everything is on default," especially when the voip hacker was talking about how even telco's voip boxes had default passwords. Also, shit, I feel kind of awful for Robert.

0

Share this post


Link to post
Share on other sites

It comes down to IT departments and Chief Information Officers being overburdened with staff-cuts; simply many of these organizations and people have a hard time just keeping systems up and operational. I'll give you an example; a recent undisclosed telecommunications provider I worked at - wanted me to personally release my mainframe password to a Vice President Administrative assistant at the company. Umm Excuse me A) I don't know you from eve B) with my password and username you can access all systems across the organization and company C) why would you think I am being a little paranoid? Hmm.

I even copied the companies IT security policy verbatim and sent a STRONG message back to this individual. And received a kind response back: 'Well I am the individual that set's up password, ect.' (Hmm... well if that is the case, why don't you just reset my password?? Oh wait that goes back to the fact that I brought up earlier - you have not been properly trained by any of your bosses to protect sensitive information or are indifferent and the sad ironic truth is you are one of the many Vice Presidents that directly result in security and data leaks).

Edited by cyrox33
0

Share this post


Link to post
Share on other sites
It comes down to IT departments and Chief Information Officers being overburdened with staff-cuts; simply many of these organizations and people have a hard time just keeping systems up and operational. I'll give you an example; a recent undisclosed telecommunications provider I worked at - wanted me to personally release my mainframe password to a Vice President Administrative assistant at the company. Umm Excuse me A) I don't know you from eve B) with my password and username you can access all systems across the organization and company C) why would you think I am being a little paranoid? Hmm.

I even copied the companies IT security policy verbatim and sent a STRONG message back to this individual. And received a kind response back: 'Well I am the individual that set's up password, ect.' (Hmm... well if that is the case, why don't you just reset my password?? Oh wait that goes back to the fact that I brought up earlier - you have not been properly trained by any of your bosses to protect sensitive information or are indifferent and the sad ironic truth is you are one of the many Vice Presidents that directly result in security and data leaks).

A chain and its weakest link.. almost always info-sec and an enforced strong password policy.

The reliance on financial and criminal background checks in the work place is the proactive stop-gap we are stuck with. ;)

0

Share this post


Link to post
Share on other sites

Ha! I know both licensed credit unions and National banks that have convicted Felons working in cash handling positions for them. A number of financial institutions do not even send in FBI print cards. So it's more than just a background check, it's about monitoring security, continuously.

A good place to start if you’re interested in this work would be to get the official (ISC2 guide) to the CISSP (certified information systems security professional), from your local library or online. http://www.amazon.com/Official-ISC-Guide-C...m/dp/084931707X - including a peak inside (love Amazon and google for this feature) . B)

Edited by Infinite51
0

Share this post


Link to post
Share on other sites

*Cough* .... I thought the rumor was that phreaking was *dead*... >cough< no wonder it was called a "rumor".

Where there's a will, there's a way.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now