Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services

He explained that he would first scan the network looking mainly for the Cisco and Quintum boxes. If he found them, he would then scan to see what models they were and then he would scan again, this time for vulnerabilities, like default passwords or unpatched bugs in old Cisco IOS boxes. If he didn't find default passwords or easily exploitable bugs, he'd run brute-force or dictionary attacks to try to break the passwords.

"We would go to telecom forums and other telecom sites that list company names and where they're from," he explained. "We'd look at foreign countries first. We'd take the name and IP range and then dump it into the scanner. ... Some of the Cisco versions, like IOS, were old and easier to get into."

Liebermann, the prosecutor, also noted that while Moore broke into telecoms so they could steal the VoIP service, he also hacked into countless other businesses so they could use the hijacked company connections to disguise the calls they were sending to the telecoms. With the VoIP connections in place, they simply needed corporate connections to mask their trail.

"He wanted me to look for [a network] with lots of traffic," said Moore. "Even if it was not a telecom, they might be connected to a telecom and then you could move through that connection to the telecom. ... [Pena] was taking legit calls that he had customers for and then rerouting the calls through rogue boxes."

And Moore didn't just focus on telecoms. He said he scanned "anybody" -- businesses, agencies and individual users. "I know I scanned a lot of people," he said. "Schools. People. Companies. Anybody. I probably hit millions of normal [users], too."

Tips From The Hacker

Moore said it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.

"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users. "If they had an intrusion detection system set up, they could have easily seen that these weren't their calls."

The hacker said IT technicians also could have set up access lists, telling the network to only allow their own IP addresses to get in. "We came across only two or three boxes that actually had access lists in place," he added. "The telecoms we couldn't get into had access lists or boxes we couldn't get into because of strong passwords."

The GAO's Rhodes said if companies don't fix the small problems, they can open up gaping holes that hackers are ready to jump through.

"All it takes is one bad access point and they're in," he noted. "The weak link -- you find that one point and all the security unravels. ... I'm not surprised that someone going to prison said 70% are at risk. You only have to have one default password and all your security is at risk."