The InformationWeek -- Blogs

CIOs Uncensored
CIOs Should Be Fired For Foolish Security Breaches


Posted by Bob Evans, Oct 3, 2007 04:46 PM

Imprisoned hacker Robert Moore says it was child's play to hack into thousands of corporate systems because most IT groups don't follow basic hygiene such as resetting default passwords and keeping logs. While one security researcher says it's the vendors' fault, I lay the blame squarely on CIOs: if they don't allocate resources and enforce behavior that promotes airtight cybersecurity, they should be fired.


My colleague Sharon Gaudin broke this story and brought to light the passive complicity of IT in these highly preventable break-ins via a series of exclusive conversations with Robert Moore, the convicted cyberpunk. Moore revealed to Sharon an astonishing variety of anecdotes about how and why it was so easy for him to penetrate thousands of supposedly secure databases, and for your reading pleasure -- or disgust -- here are some of the highlights as reported earlier by Sharon:

  • "Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords."

  • "I'd say 85% of them were misconfigured routers. They had the default passwords on them... You would not believe the number of routers that had 'admin' or 'Cisco0' as passwords on them. We could get full access to a Cisco box with enabled access so you can do whatever you want to the box... "

  • "We found the default password for it. We would take that and I'd write a scanner for Mera boxes and we'd run the password against it to try to log in, and basically we could get in almost every time. Then we'd have all sorts of information, basically the whole database, right at our fingertips."

  • "I think it's all their (the hacked companies') fault," he added. "They're using default passwords and their administrators don't even care... There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find... There were thousands of routers that were compromised in this, just from my scans alone."

  • "If they (the hacked companies) were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion-detection system set up, they could have easily seen that these weren't their calls."
Well, that's pretty nauseating stuff. And what's particularly disturbing about it is Moore's repeated refrain that IT is his indispensable co-dependent -- without IT doing its part in his crimes by failing to fully secure corporate systems, I guess he'd have nothing to do but look at porn all day instead of cracking into your customer data and costing you time, money, trust, and reputation.

If CIOs want to be seen as top-level executives, they need to lead the fight to change policies, processes, and behavior so that none of the pathetic opportunities described above by Moore can occur. If CIOs feel they're not up to that challenge, then they should step aside -- or be told to do so.
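Moore's remarks above point at the two checks that would have caught him: devices still on vendor default passwords, and administrator logins from places administrators never log in from. As an added example (not part of Bob Evans's post or Sharon Gaudin's reporting), here is a small Python script that runs both checks over constructed data: an inventory audit that flags devices whose configured password is one of the two defaults Moore named, and a pass over router login logs that flags successful logins from outside an assumed management subnet. The log line layout, the management subnet 10.0.5.0/24, the device names, user names and every address are assumptions constructed for the example, not output of any real device.

```python
"""Added example: two offline hygiene checks a defender can run.

1. audit_default_credentials(): flag inventory entries whose configured
   password is still a known vendor default (the two values Moore named).
2. detect_foreign_logins(): parse router login log lines and flag successful
   logins whose source address lies outside the management subnet.

Every log line, inventory row and network range below is constructed for
the example; the log field layout is an assumption, not a vendor format.
"""
import ipaddress
import re

# Default passwords quoted in the article; a real audit list would be longer.
KNOWN_DEFAULT_PASSWORDS = {"admin", "Cisco0"}

# Assumption: administrators only ever log in from this subnet.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed inventory, as a config-backup system might export it.
INVENTORY = [
    {"device": "edge-rtr-1", "user": "admin", "password": "Cisco0"},
    {"device": "edge-rtr-2", "user": "admin", "password": "c0rrect-h0rse-7"},
    {"device": "voip-gw-1", "user": "admin", "password": "admin"},
]

# Constructed log lines in a syslog-like layout (assumed, not vendor-specific).
SAMPLE_LOG = """\
Oct  3 02:14:07 edge-rtr-1 LOGIN_SUCCESS user=admin src=10.0.5.23 port=22
Oct  3 02:14:09 edge-rtr-1 LOGIN_SUCCESS user=admin src=203.0.113.77 port=23
Oct  3 02:15:41 voip-gw-1 LOGIN_FAILED user=admin src=198.51.100.9 port=23
Oct  3 02:15:44 voip-gw-1 LOGIN_SUCCESS user=admin src=198.51.100.9 port=23
Oct  3 09:02:10 edge-rtr-2 LOGIN_SUCCESS user=ops src=10.0.5.40 port=22
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<event>LOGIN_\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) port=(?P<port>\d+)$"
)


def audit_default_credentials(inventory=INVENTORY):
    """Return device names still configured with a known default password."""
    return sorted(row["device"] for row in inventory
                  if row["password"] in KNOWN_DEFAULT_PASSWORDS)


def parse_log(text):
    """Yield one dict per line matching the assumed layout; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["src"] = ipaddress.ip_address(event["src"])
            event["port"] = int(event["port"])
            yield event


def detect_foreign_logins(text=SAMPLE_LOG, nets=MANAGEMENT_NETS):
    """Return (host, user, src) for successful logins from outside `nets`.

    Failed attempts are deliberately ignored here; they belong in a
    separate rule that counts failures per source.
    """
    hits = []
    for event in parse_log(text):
        if event["event"] != "LOGIN_SUCCESS":
            continue
        if not any(event["src"] in net for net in nets):
            hits.append((event["host"], event["user"], str(event["src"])))
    return hits


if __name__ == "__main__":
    for device in audit_default_credentials():
        print(f"DEFAULT CREDENTIAL: {device}")
    for host, user, src in detect_foreign_logins():
        print(f"FOREIGN LOGIN: {user}@{host} from {src}")
```

On the constructed data the audit names edge-rtr-1 and voip-gw-1, and the log pass flags the two successful logins from outside 10.0.5.0/24. The point of keeping the log check this simple is Moore's own: the evidence was already in the logs, and a one-rule comparison against the management subnet is enough to surface it, provided someone is actually keeping and reading them.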
