[ISN] Sprint security faulted in Vegas hacks

From: InfoSec News (isnat_private)
Date: Tue Aug 20 2002 - 05:40:20 PDT

  • Next message: InfoSec News: "RE: [ISN] Sleuths Invade Military PCs With Ease"

    By Kevin Poulsen, SecurityFocus Online
    Posted: 20/08/2002 at 08:36 GMT
    Citing the "compelling, credible testimony" of ex-hacker Kevin
    Mitnick, state officials urged Nevada regulators to force a series of
    dramatic security reforms on Las Vegas telephone company Sprint of
    Nevada last week, as final arguments were filed in the case of an
    in-room adult entertainment operator who believes he's being driven
    out of business by phone hackers.
    Sprint would be required to retain outside computer security
    consultants, launch a security training program for company employees,
    develop a process for detecting a deterring intrusion attempts into
    its network, and begin documenting its security investigations, if the
    Public Utilities Commission follows the recommendations of its
    regulatory operations staff, acting as independent investigators in
    the case.
    Plaintiff Eddie Munoz first complained to the commission in 1994 that
    the phone company was allowing mercenary hackers to cripple his
    business by diverting, monitoring and blocking his phone calls - a
    complaint that's been echoed by private investigators, bail bondsmen
    and some of Munoz's competitors over the years. Sprint has maintained
    that Munoz's problems are in his own equipment, and that as far as
    they know their systems have never suffered a single intrusion.
    But the company's invulnerability was brought into question in a
    series of hearings earlier this year in which Sprint officials
    admitted that they'd lost or destroyed years of investigatory records
    in a reorganization of their security department, and that they
    permitted dial-up access into their switches for maintenance purposes
    with little logging.
    The hearings concluded in June with testimony by Mitnick -- hired by
    Munoz as a consultant and an expert witness. The ex-hacker testified
    that prior to his 1995 arrest he had illicit control of the company's
    Las Vegas switching systems through the dial-ups, and also enjoyed
    unfettered access to a computerized testing system manufactured by
    Nortel Networks called CALRS -- pronounced "callers" -- that allows
    users to monitor phone lines and intercept or originate calls.
    Sprint: Mitnick's a Liar
    Challenged to prove his claims, Mitnick used a break in the hearing to
    visit an old rented storage locker, returning with a list of passwords
    he said unlocked the CALRS system at the time of his arrest (Contacted
    by SecurityFocus Online, Nortel Networks spokesman David Chamberlin
    declined to comment on CALRS, writing in an email, "I'd point you back
    to Sprint to discuss their phone network with them.")
    Sprint opposes a new docket to supervise their security, and slammed
    Mitnick's testimony. In the company's closing arguments Friday,
    outside counsel Patrick Riley described the ex-hacker as an unreformed
    "con artist," reminded the commission of Mitnick's criminal record,
    and pointed accusingly to his authorship of the upcoming Wiley book on
    social engineering titled "The Art of Deception: Controlling the Human
    Element of Security."
    The company also claimed Mitnick lacked the technical know-how to be
    an expert witness on Sprint's security ills because the hacker never
    worked as a "switch engineer" for a telephone company. "Although Mr.  
    Munoz presented Mr. Mitnick as an 'expert' witness, Mr. Mitnick is an
    expert in only one thing-- lying," wrote Riley.
    But PUC staff attorney Louise Uttinger found Mitnick's detailed
    testimony -- coupled with Sprint's admissions in some areas, and
    silence in others -- credible enough to raise serious questions about
    the security of Sprint's Nevada network. Those questions, Uttinger
    wrote, "could impact economic, social, and national matters of
    importance to all Nevadans and to anyone conducting business in
    While they disagree on Mitnick's credibility as a witness, commission
    staff agreed with Sprint that Munoz never produced a smoking gun in
    his case. Pointing to undisciplined testing procedures and unclear
    record-keeping by Munoz, as well as several tests that failed to show
    any unexplained dropped calls, Uttinger recommended that the complaint
    be dismissed.
    In his closing argument, Munoz attorney Peter Alpert argued that his
    client had limited resources and access, and asked the commission to
    compel Sprint to conduct a battery of additional tests under PUC
    supervision. "It is respectfully suggested that Mr. Munoz has come
    upon a flaw in Sprint's system which only Sprint is capable of
    detecting since only it has access to the network."
    The commission is expected to rule this fall.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 08:27:23 PDT