Robert Moore is a convicted hacker, currently serving two years in prison for his role in stealing and reselling VoIP services. In an interview given to Information Week, Moore describes in detail how easy it was to break into corporate systems and the methods that he used.
One particular quote that sticks in my mind from the article is:
Moore said it would have been easy for IT and security managers to detect him in their companies’ systems … if they’d been looking. The problem was that, generally, no one was paying attention.
What’s also interesting is the opinion of Alan Paller, director of research at the SANS Institute, who is quoted as saying that the problem lies with the vendors for making it too easy for system administrators to leave default passwords enabled on devices. “It’s all on the vendors. It’s not about the user being careless. It’s a silly thing for them to have to know to do.” I don’t agree. While vendors might be able to do more, short of providing systems that can jump into the rack fully configured for any network scenario, the onus has got to remain with network administrators to ensure that the implementation of new devices follows good hardening practices, which include changing the default password.
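Both points in the article, that nobody was looking and that default accounts were left enabled, are things a log review would surface. As an added example (my own code, not from the Information Week article or from any vendor), here is a small Python check that runs over syslog-style SSH authentication events and flags successful logins that use a vendor default account name or arrive from outside the management network. The log lines, the list of default account names and the management subnet are all constructed for the example.

```python
import re
import ipaddress

# Constructed sample log lines for this example (not taken from the article).
SAMPLE_LOG = """\
Jan 12 03:14:07 pbx01 sshd[2211]: Accepted password for admin from 10.0.5.23 port 51022 ssh2
Jan 12 03:15:41 pbx01 sshd[2230]: Accepted password for jsmith from 10.0.5.40 port 51100 ssh2
Jan 12 23:58:12 pbx01 sshd[4412]: Accepted password for admin from 203.0.113.77 port 40011 ssh2
Jan 13 00:01:55 pbx01 sshd[4420]: Failed password for root from 203.0.113.77 port 40012 ssh2
Jan 13 00:02:30 pbx01 sshd[4421]: Accepted password for root from 203.0.113.77 port 40013 ssh2
"""

# Account names that commonly ship as vendor defaults (assumed list; tailor it to your inventory).
DEFAULT_ACCOUNTS = {"admin", "root", "cisco", "manager"}

# Networks from which administrative logins are expected (assumed management subnet).
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Matches the OpenSSH "Accepted/Failed password for <user> from <ip> port <n>" line shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return the fields of one auth event as a dict, or None if the line is not an auth event."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_management(src):
    """True when the source address falls inside one of the expected management networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_NETWORKS)


def find_suspicious_logins(log_text):
    """Return (timestamp, host, user, src, reason) for each successful login worth a second look.

    Failed attempts are skipped here on purpose: the question the article raises is whether
    anyone noticed the logins that succeeded.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["result"] != "Accepted":
            continue
        reasons = []
        if ev["user"] in DEFAULT_ACCOUNTS:
            reasons.append("login with a vendor default account name")
        if not is_management(ev["src"]):
            reasons.append("source outside the management network")
        if reasons:
            findings.append((ev["ts"], ev["host"], ev["user"], ev["src"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, host, user, src, reason in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts} {host}: {user} from {src} -> {reason}")
```

Run against the sample, the check reports three of the four successful logins: the `admin` login from the management subnet (default account still in use), and the `admin` and `root` logins from 203.0.113.77 (default account and an unexpected source). The ordinary user `jsmith` from the management subnet is not reported. A device where a default account never needs to log in should produce no findings at all; if it does, the hardening step was skipped.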
You can read the full interview with Robert Moore here.