[ISN] Nevada probes Vegas phone hacks

From: InfoSec News (isnat_private)
Date: Mon May 14 2001 - 14:09:22 PDT

  • Next message: InfoSec News: "[ISN] Hacking charge teen commits suicide"

    http://www.securityfocus.com/news/205 
    
    By Kevin Poulsen
    May 14, 2001 1:12 AM PT
    
    Eddie Munoz knows a secret about Las Vegas.
    
    As the operator of one of the city's oldest in-room adult
    entertainment services, Munoz knows Vegas is a town fuelled by the
    unceasing buzz of money and vice. When he was at the top of his game
    his phones rang 100 times a day, and he dispatched private nude
    "dancers" (prostitution is illegal in Las Vegas) to the hotels along
    the Strip fifteen to twenty times a night, raking in, he says,
    $240,000 a year in referral fees.
    
    That's not the secret.
    
    The secret, Munoz says, lies in the hundreds of miles of modern glass
    fiber and aging copper wire buried beneath the town's sun-baked
    streets, and in the dozens of digital switches that speed data and
    voice from one end of the Strip to the other. Munoz believes that for
    a decade a shadowy cabal of criminals, corrupt insiders and
    professional hackers has had an illicit stranglehold on Vegas
    cyberspace, and all but muscled him out of the adult entertainment
    industry by selectively blocking, tapping and rerouting the telephone
    lines crucial to the outcall biz.
    
    "In this business, you receive your calls from 5:00 in the afternoon
    until 5:00 in the morning, and that's when they hit us," says Munoz.
    "It's like you're the Maytag man. The phone will not ring."
    
    These days Munoz is lucky if he gets one or two customers a night, and
    his once great empire of vice is a threadbare operation run from an
    office in his home, far from Vegas' neon core. He's hanging on
    primarily through his hard-won ownership of nearly half of the five
    hundred licensed news racks on the Strip, which he crams with stacks
    of his own paper, "The Las Vegas Informer" -- twelve gritty pages of
    advertisements for "Red Hot Red Heads" and "Hot Hot Hot Tall Sexy
    Blondes." Until recently, every phone number advertised in the paper
    went to Munoz's switchboard, yet his phones still didn't ring. The
    economics of the situation eventually forced him to sell advertising
    space to a competitor to pay the rent.
    
    Munoz's phone problems are legion; his log of trouble-reports
    stretches longer than a junkie's rap sheet. Callers from outside
    Vegas, or from payphones and cell phones, get through, he says, but
    hotel callers get false busy signals, or reach silence, driving them
    into the arms of competing services. Sometimes calls are rerouted
    directly to a competitor, he claims. And when a would-be customer does
    get through, and Munoz dispatches a dancer to the tourist's hotel
    room, she's likely to find another entertainer already there.
    "Sometimes they beat us to the calls, like they're listening," says
    Munoz.
    
    At least three other adult entertainment outfits, a private
    investigator and a bail bondsman have reported similar patterns. "I'd
    get half a ring, and pick up the phone, and there would be no one
    there," says Hilda Brauer, the former owner of the now-defunct "Sexy
    Girls" outcall service. In 1998, Brauer filed suit against the local
    phone company, a competitor she blamed for the problem, and the
    publisher of the Donnelly Directory, in which Sexy Girls had seven
    full page ads. She later dropped the suit, closed her business, and
    now makes her living telling fortunes for a psychic hotline. "I lost
    my home, I had to sell my furniture to get money to move into an
    apartment," says Brauer.
    
    Peter Vilencia, a former bail bondsman, had phone problems as well.
    Vilencia purchased Bail Bonds Inc. in 1996, and, after a week of brisk
    business springing drunken tourists and small time crooks from the
    Clark County Detention Center, he suddenly suffered a sharp drop in
    call volume. "At 4:00 in the afternoon Friday, my phone would stop
    ringing," says Vilencia, who sold the company last year. "Almost every
    weekend for nearly four years, you could set your watch by it."
    
    Sabotage defies testing
    
    "We would lose our phones from Friday night, through the weekend, and
    that's the most common time people get arrested," recalls Mike Kapfer,
    Vilencia's former bounty hunter. Sometimes the phones would half-ring,
    as though call forwarding was in effect; more commonly, inmates would
    seem to be switched to a competing bond writer in mid call. Only calls
    from the jail were at risk. "If I tried calling the number from my
    cell phone, it would go through," says Kapfer.
    
    Both men agree with Munoz and Brauer that someone is pulling strings
    from deep within the network. "I had guys watching the building in the
    back where the phone lines come in, and the junction boxes down the
    street," says Vilencia. "It had to be internal, nobody else had
    access."
    
    But even after Brauer's lawsuit, years of formal complaints from
    Munoz, a written complaint from a private investigator who claimed to
    be losing calls, and two stories about the call diversion allegations
    in The New York Times, the local phone company is adamant that nothing
    is wrong.
    
    "We've run our tests, we've spent time and resources on this, and we
    haven't seen any indication of call diversion," says Scott Collins, of
    Sprint subsidiary Central Telephone's department of regulatory
    affairs. Last November, at the direction of the Nevada Public
    Utilities Commission (PUC), the phone company ran three days of test
    calls from five different Las Vegas hotels: the Sahara, Travel Lodge,
    Vagabond, Motel 6, and Four Queens. Of 205 calls, all but 23 went
    through, and none were diverted to competitors. (Further investigation
    of the 23 incomplete calls turned up innocent explanations.) Testing
    by AT&T in 1997 produced similar results.
    
    Munoz blames leaks -- he says everyone knew the tests were taking
    place, and the culprits deliberately let the calls slip through. But
    in December, a reporter's call from a Vegas hotel also went through
    without incident.
    
    Could the Vegas cyber jacking be a myth, woven from the detritus of
    failed businesses and blurry technological anecdotes? If so, it's a
    myth that's attained the status of 'common knowledge' on Vegas'
    nocturnal fringe, and in one bizarre case, it almost made an adult
    entertainment operator the victim of brutal mob reprisal.
    
    Vinnie "Aspirins" and his power drill
    
    It happened in 1998: An FBI investigation into police corruption in
    Vegas turned up a six-man organized crime plot to muscle in on a
    handful of successful Las Vegas outcall services, which had been
    trouncing a mob-backed venture headed by one of the men, Christiano
    DeCarlo.
    
    According to court documents, the conspirators, allegedly affiliated
    with the Gambino crime family, were particularly interesting in moving
    in on Richard Soranno, the owner of one of the town's largest
    services, Vegas Girls. They believed Soranno had been diverting phone
    calls from competitors, including DeCarlo, with the help of a
    mysterious computer expert named Charles Coveney.
    
    "Coveney has contacts in the Sprint Telephone Company and is able to
    have telephone calls diverted from one number to another," the
    gangsters believed, according to an FBI affidavit. The men expected to
    "persuade" Coveney to leave Seranno "and assist DeCarlo in his out
    call business by diverting telephone calls to DeCarlo." Among the
    persuasive tools at the gang's disposal, an enforcer named Vinnie
    "Aspirins" Congiusti, flown in from Tampa, who reputedly earned his
    nickname by once using a cordless power tool to drill holes in
    someone's head.
    
    When the mobsters began scouring Las Vegas for Coveney, the FBI was
    forced to swoop in, prematurely pulling the plug on a massive
    undercover operation. All six men later plead guilty to conspiracy.
    Vinnie "Aspirins" died in jail from apparent heart failure last year.
    
    Today, there's no love lost between Munoz and Soranno; Munoz believes,
    but admits he cannot prove, that Soranno is one of the masterminds of
    a plot to destroy his business, while Soranno says that's exactly the
    kind of talk that nearly got him whacked. "It all got started because
    Munoz picked up on a rumor and made it into a thing," says Soranno.
    "He put my life in danger." The sex mogul says he doesn't know anyone
    named Charles Coveney, and has triumphed in the adult entertainment
    trade purely through marketing skill and general business acumen.
    "Munoz is the worst businessman in the world," Soranno says. "If you
    were the worst businessman in the world, would you get calls?"
    
    Telco: Vegas is hack proof
    
    But even Soranno sees corruption in the ebb and flow of Vegas'
    telephonic tide -- though not in Sprint's network. At some hotels, he
    believes, corrupt insiders monitor the PBX logs for calls to adult
    entertainment services. When they spot one, they leapfrog the service
    by sending their own entertainer to the guest's room. "Once they know
    there's an interested party, they can send someone up," says Soranno.
    If true, the tactic would explain the duplicate-dancer scenario Munoz
    reports. "If a girl goes to a call, and another girl is already there,
    the first thing they think is someone's tapping the phone," says
    Soranno.
    
    Sprint's Collins says that, as far as Sprint Central Telephone knows,
    the company has never had a problem with corrupt employees or hackers
    of any kind. "No one that we're aware of," says Collins. "We haven't
    had any indication that any of that has happened."
    
    The company came to the same conclusion in September 1995, in response
    to a complaint filed with the Nevada PUC (then called the Public
    Service Commission) by Hilda Brauer. According to documents in the
    case, the commission's staff concluded that the volume of complaints
    suggested something was indeed rotten in Vegas cyberspace, but there
    was no "probable cause" to believe Sprint Central Telephone was
    culpable. The commission noted that the telephone company had
    "followed established rules and regulations and had turned up no
    evidence of an illegal intrusion into its network."
    
    For decades, regional and long distance telephone companies from coast
    to coast have seen hackers gain control of critical systems. Most
    recently, in 1999 federal officials won guilty pleas from three
    members of a nationwide hacker group they dubbed "The Phone Masters."
    Until the FBI raided them in 1995, The Phone Master had access to
    Sprint Long Distance, Southwestern Bell and GTE computers, and in some
    areas of the country were able to obtain unlisted phone numbers,
    monitor phone lines, and leverage their access to crack unrelated
    systems, including the FBI's National Crime Information Center (NCIC).
    
    If Sprint Central Telephone has never been hacked, the company is a
    rarity among telecommunications carriers. But SecurityFocus has
    learned that the company's Las Vegas network may not be immune to
    hackers after all.
    
    "Vegas was easy"
    
    Until he went on the lam in the early nineties, Las Vegas was a
    home-away-from-home for the world's most famous hacker, Kevin Mitnick,
    who had family in town. And from approximately 1992 until his February
    1995 arrest, Mitnick says he enjoyed substantial illicit access to the
    Vegas network. What's more, he recalls once being approached with an
    offer to redirect calls from an adult entertainment service for a
    single weekend, for $3,000. "They wanted me to somehow take control of
    the line and forward it," Mitnick recalls."
    
    "It would have taken, had I wanted to do it, all of three minutes."
    
    Currently under court supervision after five years in prison, Mitnick
    is not known to have ever cashed in on his hacking, and he says he
    never participated in a call diversion scheme. But he points to two
    specific holes in the Las Vegas network that would make such a scheme
    possible for a knowledgeable insider, or a sophisticated hacker.
    
    For starters, Mitnick says he had direct access to the control
    consoles on Vegas' switching systems through dial-up modems. Each
    Nortel DMS switch had a secret phone number, and a default username
    and password. The dial-ups were normally inaccessible, and Mitnick had
    to call a Sprint employee and pose as a technician to get the lines
    turned on, he says. Once that was done, "I had the same access to the
    switch that the techs did," he recalls: total control over how calls
    are routed.
    
    With access to the switches, Mitnick found it useful to launder his
    calls through sin city as an anti-tracing tactic, even when he was
    hiding out in Seattle and Raleigh, North Carolina, "Vegas was easy,"
    Mitnick says.
    
    The second hole is a testing system pronounced "Callers" -- Mitnick
    says he never saw its name in print, so he doesn't know how it was
    spelled or capitalized. As he describes it, the system was designed to
    allow phone company workers to run tests on customer lines, "loops" in
    the parlance of telephony, from a central location. The system
    consisted of a handful of client computers, and remote servers
    attached to each of Sprint Central Telephone's DMS-100 switches.
    
    Vegas' remote servers were poorly protected, Mitnick says. They were
    accessible through low-speed dial-up modems, guarded by a technique
    only slightly more secure than simple password protection: the server
    required the client -- normally a computer program -- to give the
    proper response to any of 100 randomly chosen challenges. "It would
    prompt you with a query, and you would have to answer promptly,"
    Mitnick says. "It was a number, like 54, and it had a certain hex
    response, like 3FAE."
    
    Mitnick says he was able to learn the Las Vegas dial-up numbers by
    conning Sprint workers, and he snagged the "seed list" of challenges
    and responses from the company that made the system, Ontario-based
    Northern Telecom, renamed in 1999 to Nortel Networks. "I had to call
    Nortel and have one of the engineer's talk me though it," says
    Mitnick. "I told them I was writing software that had to interface
    with it."
    
    The system allowed users to silently monitor phone lines, or originate
    and answer phone calls on other people's lines, Mitnick says. "All you
    needed was a laptop and a phone." The implications go well beyond mere
    call-napping. "Somebody with real criminal intent, in a city like Las
    Vegas-- think of the possibilities."
    
    Nortel spokesman David Chamberlin dismissed Mitnick's account as "wild
    speculation" and "rumor." But a list on the company web site offers a
    feature called "CALRS", "Centralized Automated Loop Reporting System,"
    as an option on the company's DMS line of switches. Elsewhere on the
    site, Nortel literature describes CALRS as an "external test access
    system."
    
    A Sprint spokesperson, and an attorney representing the company, both
    declined to comment on CALRS, and would neither confirm nor deny the
    existence of a poorly protected testing system that might be an open
    door into the inner sanctum of Vegas' telecommunications
    infrastructure.
    
    Public hearings set
    
    The company may not be able to stay mum forever. After fielding years
    of complaints, the State of Nevada is now taking Munoz's allegations
    seriously. In February, over Sprint's objections, the PUC found
    "probable cause" for a full investigation, and has scheduled public
    hearings for September. Meanwhile, the commission is demanding
    answers. Last month it formally served Sprint with a "data request"
    asking, among other things, whether the company has ever been hacked.
    The company responded Thursday, once again claiming that there was no
    evidence that it had ever suffered from corrupt employees or outside
    intruders.
    
    Sprint's Collins is no longer talking to reporters, referring calls to
    the company's outside counsel, Patrick Reilly, a lawyer with the
    Nevada law firm Hale Lane Peek Dennison Howard and Anderson. "To our
    knowledge, there's been no evidence of a breach of the network," says
    Reilly.
    
    "Now I have subpoena power," says Munoz. "Look out."
    
    "Eddie's been knocking on people's doors, various governmental
    entities, for years, and as far as I know this is the first genuine
    forum that he's gotten," says Nevada PUC consumer complaint manager
    Rick Hackman. "Although he hasn't convinced us that Sprint is at
    fault, we believe that he deserves the forum to make his case in front
    of the full commission."
    
    The PUC decision to hold hearings is an enormous victory for Munoz,
    and it raises the stakes for Sprint Central Telephone. If Munoz
    prevails, the commission could impose monetary fines and sanctions.
    Further, Munoz says he'll sue the company for $20 million.
    
    That's the price, he says, for ten years of lost business, in a period
    that's seen mind boggling growth in the city. Construction of super
    hotels like the Bellagio, the Venetian, Paris, and Aladdin have pushed
    Las Vegas' guest capacity to over 120,000 hotel rooms, and the city
    now hosts some four thousand conventions each year. And that's a lot
    of people who could have been trying to call one of Munoz's Hot Hot
    Hot Tall Sexy Blondes.
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 23:23:17 PDT