[ISN] Mitnick testimony burns Sprint in Vegas 'vice hack' case

From: InfoSec News (isnat_private)
Date: Wed Jun 26 2002 - 00:58:14 PDT


    By Kevin Poulsen, SecurityFocus Online
    Posted: 26/06/2002 at 02:28 GMT
    Since adult entertainment operator Eddie Munoz first told state
    regulators in 1994 that mercenary hackers were crippling his business
    by diverting, monitoring and blocking his phone calls, officials at
    local telephone company Sprint of Nevada have maintained that, as far
    as they know, their systems have never suffered a single intrusion.
    The Sprint subsidiary lost that innocence Monday when convicted hacker
    Kevin Mitnick shook up a hearing on the call-tampering allegations by
    detailing years of his own illicit control of the company's Las Vegas
    switching systems, and the workings of a computerized testing system
    that he says allows silent monitoring of any phone line served by the
    incumbent telco.
    "I had access to most, if not all, of the switches in Las Vegas,"
    testified Mitnick, at a hearing of Nevada's Public Utilities
    Commission (PUC). "I had the same privileges as a Northern Telecom
    Mitnick's testimony played out like a surreal Lewis Carroll version of
    a hacker trial -- with Mitnick calmly and methodically explaining
    under oath how he illegally cracked Sprint of Nevada's network, while
    the attorney for the victim company attacked his testimony,
    effectively accusing the ex-hacker of being innocent.
    The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence
    in allegedly allowing hackers to control their network to the benefit
    of a few crooked businesses. Munoz is the publisher of an adult
    advertising paper that sells the services of a bevy of in-room
    entertainers, whose phone numbers are supposed to ring to Munoz's
    switchboard. Instead, callers frequently get false busy signals, or
    reach silence, Munoz claims. Occasionally calls appear to be rerouted
    directly to a competitor. Munoz's complaints have been echoed by other
    outcall service operators, bail bondsmen and private investigators --
    some of whom appeared at two days of hearings in March to testify for
    Munoz against Sprint.
    Munoz hired Mitnick as a technical consultant in his case last year,
    after SecurityFocus Online reported that the ex-hacker -- a onetime
    Las Vegas resident -- claimed he had substantial access to Sprint's
    network up until his 1995 arrest. After running some preliminary
    tests, Mitnick withdrew from the case when Munoz fell behind in paying
    his consulting fees. On the last day of the March hearings,
    commissioner Adriana Escobar Chanos adjourned the matter to allow
    Munoz time to persuade Mitnick to testify, a feat Munoz pulled off
    just in time for Monday's hearing.
    Mitnick admitted that his testing produced no evidence that Munoz is
    experiencing call diversion or blocking. But his testimony casts doubt
    on Sprint's contention that such tampering is unlikely, or impossible.
    With the five-year statute of limitations long expired, Mitnick
    appeared comfortable describing with great specificity how he first
    gained access to Sprint's systems while living in Las Vegas in late
    1992 or early 1993, and then maintained that access while a fugitive.
    Mitnick testified that he could connect to the control consoles --
    quaintly called "visual display units" -- on each of Vegas' DMS-100
    switching systems through dial-up modems intended to allow the
    switches to be serviced remotely by the company that makes them,
    Ontario-based Northern Telecom, renamed in 1999 to Nortel Networks.
    Each switch had a secret phone number, and a default username and
    password, he said. He obtained the phone numbers and passwords from
    Sprint employees by posing as a Nortel technician, and used the same
    ploy every time he needed to use the dial-ups, which were inaccessible
    by default.
    With access to the switches, Mitnick could establish, change, redirect
    or disconnect phone lines at will, he said.
    That's a far cry from the unassailable system portrayed at the March
    hearings, when former company security investigator Larry Hill -- who
    retired from Sprint in 2000 -- testified "to my knowledge there's no
    way that a computer hacker could get into our systems." Similarly, a
    May 2001 filing by Scott Collins of Sprint's regulatory affairs
    department said that to the company's knowledge Sprint's network had
    "never been penetrated or compromised by so-called computer hackers."
    Under cross-examination Monday by PUC staff attorney Louise Uttinger,
    Collins admitted that Sprint maintains dial-up modems to allow Nortel
    remote access to their switches, but insisted that Sprint had improved
    security on those lines since 1995, even without knowing they'd been
    compromised before.
    But Mitnick had more than just switches up his sleeve Monday.
    The ex-hacker also discussed a testing system called CALRS (pronounced
    "callers"), the Centralized Automated Loop Reporting System. Mitnick
    first described CALRS to SecurityFocus Online last year as a system
    that allows Las Vegas phone company workers to run tests on customer
    lines from a central location. It consists of a handful of client
    computers, and remote servers attached to each of Sprint's DMS-100
    Mitnick testified Monday that the remote servers were accessible
    through 300 baud dial-up modems, guarded by a technique only slightly
    more secure than simple password protection: the server required the
    client -- normally a computer program -- to give the proper response
    to any of 100 randomly chosen challenges. The ex-hacker said he was
    able to learn the Las Vegas dial-up numbers by conning Sprint workers,
    and he obtained the "seed list" of challenges and responses by using
    his social engineering skills on Nortel, which manufactures and sells
    the system.
    The system allows users to silently monitor phone lines, or originate
    calls on other people's lines, Mitnick said.
    Mitnick's claims seemed to inspire skepticism in the PUC's technical
    advisor, who asked the ex-hacker, shortly before the hearing was to
    break for lunch, if he could prove that he had cracked Sprint's
    network. Mitnick said he would try.
    Two hours later, Mitnick returned to the hearing room clutching a
    crumpled, dog-eared and torn sheet of paper, and a small stack of
    copies for the commissioner, lawyers, and staff.
    At the top of the paper was printed "3703-03 Remote Access Password
    List." A column listed 100 "seeds", numbered "00" through "99,"
    corresponding to a column of four-digit hexadecimal "passwords," like
    "d4d5" and "1554."
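    The challenge-response scheme described above (a fixed list of 100 seeds, each with a four-digit hex response) is illustrated below with a small simulation; this is an added example with a constructed seed list, not code or data from the article, Sprint or Nortel. It shows why a static table is only marginally better than a password: a passive observer on the line recovers the whole table after a few hundred legitimate logins, after which recorded pairs answer every fresh challenge, whereas a keyed per-session nonce (an HMAC design assumed here only for contrast) gives recorded transcripts no value.

```python
import hashlib
import hmac
import random
import secrets

def make_seed_list(seed=0):
    """Constructed table in the shape described above: seeds "00".."99", each mapped
    to a four-digit hex response. Values are made up, not the real CALRS list."""
    rng = random.Random(seed)
    return {f"{i:02d}": f"{rng.randrange(0x10000):04x}" for i in range(100)}

class StaticTableServer:
    """CALRS-style check: pick one of the 100 fixed seeds, expect its fixed response."""
    def __init__(self, table, seed=0):
        self.table, self.rng = table, random.Random(seed)
    def challenge(self):
        return self.rng.choice(sorted(self.table))
    def verify(self, seed, response):
        return hmac.compare_digest(self.table[seed], response)

def sessions_until_table_recovered(table, seed=0):
    """Legitimate logins a passive line-tap must watch before it has seen every pair
    (coupon-collector problem over 100 seeds, roughly 520 sessions on average)."""
    server = StaticTableServer(table, seed)
    seen, sessions = {}, 0
    while len(seen) < len(table):
        c = server.challenge()
        seen[c] = table[c]            # the real client answers from its own copy
        sessions += 1
    return sessions

def replay_success_rate(server, recorded, trials=200):
    """Share of fresh challenges answered correctly using only recorded pairs."""
    hits = 0
    for _ in range(trials):
        c = server.challenge()
        if c in recorded and server.verify(c, recorded[c]):
            hits += 1
    return hits / trials

class KeyedServer:
    """Contrast design: fresh 128-bit nonce per session, response = HMAC(key, nonce)."""
    def __init__(self, key):
        self.key = key
    def challenge(self):
        return secrets.token_bytes(16)
    def verify(self, nonce, response):
        return hmac.compare_digest(keyed_response(self.key, nonce), response)

def keyed_response(key, nonce):
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()
```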
    Commissioner Escobar Chanos accepted the list as an exhibit over the
    objections of Sprint attorney Patrick Riley, who complained that it
    hadn't been provided to the company in discovery. Mitnick retook the
    stand and explained that he used the lunch break to visit a nearby
    storage locker that he'd rented on a long-term basis years ago, before
    his arrest. "I wasn't sure if I had it in that storage locker," said
    Mitnick. "I hadn't been there in seven years."
    "If the system is still in place, and they haven't changed the seed
    list, you could use this to get access to CALRS," Mitnick testified.
    "The system would allow you to wiretap a line, or seize dial tone."
    Mitnick's return to the hearing room with the list generated a flurry
    of activity at Sprint's table; Ann Pongracz, the company's general
    counsel, and another Sprint employee strode quickly from the room --
    Pongracz already dialing on a cell phone while she walked. Riley
    continued his cross-examination of Mitnick, suggesting, again, that
    the ex-hacker may have made the whole thing up. "The only way I know
    that this is a Nortel document is to take you at your word, correct?"
    asked Riley. "How do we know that you're not social engineering us
    Mitnick suggested calmly that Sprint try the list out, or check it
    with Nortel. Nortel could not be reached for comment after hours.
    The PUC hearing is expected to run through Tuesday.