Mob phreakers rule Vegas phone network
Adult 'room service' market hacked and locked
Eddie Munoz knows a secret about Las Vegas. As the operator of one of the city's oldest in-room adult entertainment services, Munoz knows Vegas is a town fuelled by the unceasing buzz of money and vice. When he was at the top of his game his phones rang 100 times a day, and he dispatched private nude "dancers" (prostitution is illegal in Las Vegas) to the hotels along the Strip fifteen to twenty times a night, raking in, he says, $240,000 a year in referral fees.
That's not the secret.
The secret, Munoz says, lies in the hundreds of miles of modern glass fiber and aging copper wire buried beneath the town's sun-baked streets, and in the dozens of digital switches that speed data and voice from one end of the Strip to the other. Munoz believes that for a decade a shadowy cabal of criminals, corrupt insiders and professional hackers has had an illicit stranglehold on Vegas cyberspace, and all but muscled him out of the adult entertainment industry by selectively blocking, tapping and rerouting the telephone lines crucial to the outcall biz.
"In this business, you receive your calls from 5:00 in the afternoon until 5:00 in the morning, and that's when they hit us," says Munoz. "It's like you're the Maytag man. The phone will not ring."
These days Munoz is lucky if he gets one or two customers a night, and his once great empire of vice is a threadbare operation run from an office in his home, far from Vegas' neon core. He's hanging on primarily through his hard-won ownership of nearly half of the five hundred licensed news racks on the Strip, which he crams with stacks of his own paper, "The Las Vegas Informer" -- twelve gritty pages of advertisements for "Red Hot Red Heads" and "Hot Hot Hot Tall Sexy Blondes." Until recently, every phone number advertised in the paper went to Munoz's switchboard, yet his phones still didn't ring. The economics of the situation eventually forced him to sell advertising space to a competitor to pay the rent.
Munoz's phone problems are legion; his log of trouble-reports stretches longer than a junkie's rap sheet. Callers from outside Vegas, or from payphones and cell phones, get through, he says, but hotel callers get false busy signals, or reach silence, driving them into the arms of competing services. Sometimes calls are rerouted directly to a competitor, he claims. And when a would-be customer does get through, and Munoz dispatches a dancer to the tourist's hotel room, she's likely to find another entertainer already there. "Sometimes they beat us to the calls, like they're listening," says Munoz.
At least three other adult entertainment outfits, a private investigator and a bail bondsman have reported similar patterns. "I'd get half a ring, and pick up the phone, and there would be no one there," says Hilda Brauer, the former owner of the now-defunct "Sexy Girls" outcall service. In 1998, Brauer filed suit against the local phone company, a competitor she blamed for the problem, and the publisher of the Donnelly Directory, in which Sexy Girls had seven full page ads. She later dropped the suit, closed her business, and now makes her living telling fortunes for a psychic hotline. "I lost my home, I had to sell my furniture to get money to move into an apartment," says Brauer.
Peter Vilencia, a former bail bondsman, had phone problems as well. Vilencia purchased Bail Bonds Inc. in 1996, and, after a week of brisk business springing drunken tourists and small time crooks from the Clark County Detention Center, he suddenly suffered a sharp drop in call volume. "At 4:00 in the afternoon Friday, my phone would stop ringing," says Vilencia, who sold the company last year. "Almost every weekend for nearly four years, you could set your watch by it."
Sabotage defies testing
"We would lose our phones from Friday night, through the weekend, and that's the most common time people get arrested," recalls Mike Kapfer, Vilencia's former bounty hunter. Sometimes the phones would half-ring, as though call forwarding was in effect; more commonly, inmates would seem to be switched to a competing bond writer in mid call. Only calls from the jail were at risk. "If I tried calling the number from my cell phone, it would go through," says Kapfer.
Both men agree with Munoz and Brauer that someone is pulling strings from deep within the network. "I had guys watching the building in the back where the phone lines come in, and the junction boxes down the street," says Vilencia. "It had to be internal, nobody else had access."
But even after Brauer's lawsuit, years of formal complaints from Munoz, a written complaint from a private investigator who claimed to be losing calls, and two stories about the call diversion allegations in The New York Times, the local phone company is adamant that nothing is wrong.
"We've run our tests, we've spent time and resources on this, and we haven't seen any indication of call diversion," says Scott Collins, of Sprint subsidiary Central Telephone's department of regulatory affairs. Last November, at the direction of the Nevada Public Utilities Commission (PUC), the phone company ran three days of test calls from five different Las Vegas hotels: the Sahara, Travel Lodge, Vagabond, Motel 6, and Four Queens. Of 205 calls, all but 23 went through, and none were diverted to competitors. (Further investigation of the 23 incomplete calls turned up innocent explanations.) Testing by AT&T in 1997 produced similar results.
Munoz blames leaks -- he says everyone knew the tests were taking place, and the culprits deliberately let the calls slip through. But in December, a reporter's call from a Vegas hotel also went through without incident.
Could the Vegas cyber jacking be a myth, woven from the detritus of failed businesses and blurry technological anecdotes? If so, it's a myth that's attained the status of 'common knowledge' on Vegas' nocturnal fringe, and in one bizarre case, it almost made an adult entertainment operator the victim of brutal mob reprisal.
Vinnie "Aspirins" and his power drill
It happened in 1998: An FBI investigation into police corruption in Vegas turned up a six-man organized crime plot to muscle in on a handful of successful Las Vegas outcall services, which had been trouncing a mob-backed venture headed by one of the men, Christiano DeCarlo.
According to court documents, the conspirators, allegedly affiliated with the Gambino crime family, were particularly interesting in moving in on Richard Soranno, the owner of one of the town's largest services, Vegas Girls. They believed Soranno had been diverting phone calls from competitors, including DeCarlo, with the help of a mysterious computer expert named Charles Coveney.
"Coveney has contacts in the Sprint Telephone Company and is able to have telephone calls diverted from one number to another," the gangsters believed, according to an FBI affidavit. The men expected to "persuade" Coveney to leave Serrano "and assist DeCarlo in his out call business by diverting telephone calls to DeCarlo." Among the persuasive tools at the gang's disposal, an enforcer named Vinnie "Aspirins" Congiusti, flown in from Tampa, who reputedly earned his nickname by once using a cordless power tool to drill holes in someone's head.
When the mobsters began scouring Las Vegas for Coveney, the FBI was forced to swoop in, prematurely pulling the plug on a massive undercover operation. All six men later plead guilty to conspiracy. Vinnie "Aspirins" died in jail from apparent heart failure last year.
Today, there's no love lost between Munoz and Soranno; Munoz believes, but admits he cannot prove, that Soranno is one of the masterminds of a plot to destroy his business, while Soranno says that's exactly the kind of talk that nearly got him whacked. "It all got started because Munoz picked up on a rumor and made it into a thing," says Soranno. "He put my life in danger." The sex mogul says he doesn't know anyone named Charles Coveney, and has triumphed in the adult entertainment trade purely through marketing skill and general business acumen. "Munoz is the worst businessman in the world," Soranno says. "If you were the worst businessman in the world, would you get calls?"
Telco: Vegas is hack proof
But even Soranno sees corruption in the ebb and flow of Vegas' telephonic tide -- though not in Sprint's network. At some hotels, he believes, corrupt insiders monitor the PBX logs for calls to adult entertainment services. When they spot one, they leapfrog the service by sending their own entertainer to the guest's room. "Once they know there's an interested party, they can send someone up," says Soranno. If true, the tactic would explain the duplicate-dancer scenario Munoz reports. "If a girl goes to a call, and another girl is already there, the first thing they think is someone's tapping the phone," says Soranno.
Sprint's Collins says that, as far as Sprint Central Telephone knows, the company has never had a problem with corrupt employees or hackers of any kind. "No one that we're aware of," says Collins. "We haven't had any indication that any of that has happened."
The company came to the same conclusion in September 1995, in response to a complaint filed with the Nevada PUC (then called the Public Service Commission) by Hilda Brauer. According to documents in the case, the commission's staff concluded that the volume of complaints suggested something was indeed rotten in Vegas cyberspace, but there was no "probable cause" to believe Sprint Central Telephone was culpable. The commission noted that the telephone company had "followed established rules and regulations and had turned up no evidence of an illegal intrusion into its network."
For decades, regional and long distance telephone companies from coast to coast have seen hackers gain control of critical systems. Most recently, in 1999 federal officials won guilty pleas from three members of a nationwide hacker group they dubbed "The Phone Masters." Until the FBI raided them in 1995, The Phone Master had access to Sprint Long Distance, Southwestern Bell and GTE computers, and in some areas of the country were able to obtain unlisted phone numbers, monitor phone lines, and leverage their access to crack unrelated systems, including the FBI's National Crime Information Center (NCIC).
If Sprint Central Telephone has never been hacked, the company is a rarity among telecommunications carriers. But SecurityFocus has learned that the company's Las Vegas network may not be immune to hackers after all.
"Vegas was easy"
Until he went on the lam in the early nineties, Las Vegas was a home-away-from-home for the world's most famous hacker, Kevin Mitnick, who had family in town. And from approximately 1992 until his February 1995 arrest, Mitnick says he enjoyed substantial illicit access to the Vegas network. What's more, he recalls once being approached with an offer to redirect calls from an adult entertainment service for a single weekend, for $3,000. "They wanted me to somehow take control of the line and forward it," Mitnick recalls."
"It would have taken, had I wanted to do it, all of three minutes."
Currently under court supervision after five years in prison, Mitnick is not known to have ever cashed in on his hacking, and he says he never participated in a call diversion scheme. But he points to two specific holes in the Las Vegas network that would make such a scheme possible for a knowledgeable insider, or a sophisticated hacker.
For starters, Mitnick says he had direct access to the control consoles on Vegas' switching systems through dial-up modems. Each Nortel DMS switch had a secret phone number, and a default username and password. The dial-ups were normally inaccessible, and Mitnick had to call a Sprint employee and pose as a technician to get the lines turned on, he says. Once that was done, "I had the same access to the switch that the techs did," he recalls: total control over how calls are routed.
With access to the switches, Mitnick found it useful to launder his calls through sin city as an anti-tracing tactic, even when he was hiding out in Seattle and Raleigh, North Carolina, "Vegas was easy," Mitnick says.
The second hole is a testing system pronounced "Callers" -- Mitnick says he never saw its name in print, so he doesn't know how it was spelled or capitalized. As he describes it, the system was designed to allow phone company workers to run tests on customer lines, "loops" in the parlance of telephony, from a central location. The system consisted of a handful of client computers, and remote servers attached to each of Sprint Central Telephone's DMS-100 switches.
Vegas' remote servers were poorly protected, Mitnick says. They were accessible through low-speed dial-up modems, guarded by a technique only slightly more secure than simple password protection: the server required the client -- normally a computer program -- to give the proper response to any of 100 randomly chosen challenges. "It would prompt you with a query, and you would have to answer promptly," Mitnick says. "It was a number, like 54, and it had a certain hex response, like 3FAE."
Mitnick says he was able to learn the Las Vegas dial-up numbers by conning Sprint workers, and he snagged the "seed list" of challenges and responses from the company that made the system, Ontario-based Northern Telecom, renamed in 1999 to Nortel Networks. "I had to call Nortel and have one of the engineer's talk me though it," says Mitnick. "I told them I was writing software that had to interface with it."
The system allowed users to silently monitor phone lines, or originate and answer phone calls on other people's lines, Mitnick says. "All you needed was a laptop and a phone." The implications go well beyond mere call-napping. "Somebody with real criminal intent, in a city like Las Vegas-- think of the possibilities."
Nortel spokesman David Chamberlin dismissed Mitnick's account as "wild speculation" and "rumor." But a list on the company web site offers a feature called "CALRS", "Centralized Automated Loop Reporting System," as an option on the company's DMS line of switches. Elsewhere on the site, Nortel literature describes CALRS as an "external test access system."
A Sprint spokesperson, and an attorney representing the company, both declined to comment on CALRS, and would neither confirm nor deny the existence of a poorly protected testing system that might be an open door into the inner sanctum of Vegas' telecommunications infrastructure.
Public hearings set
The company may not be able to stay mum forever. After fielding years of complaints, the State of Nevada is now taking Munoz's allegations seriously. In February, over Sprint's objections, the PUC found "probable cause" for a full investigation, and has scheduled public hearings for September. Meanwhile, the commission is demanding answers. Last month it formally served Sprint with a "data request" asking, among other things, whether the company has ever been hacked. The company responded Thursday, once again claiming that there was no evidence that it had ever suffered from corrupt employees or outside intruders.
Sprint's Collins is no longer talking to reporters, referring calls to the company's outside counsel, Patrick Reilly, a lawyer with the Nevada law firm Hale Lane Peek Dennison Howard and Anderson. "To our knowledge, there's been no evidence of a breach of the network," says Reilly.
"Now I have subpoena power," says Munoz. "Look out."
"Eddie's been knocking on people's doors, various governmental entities, for years, and as far as I know this is the first genuine forum that he's gotten," says Nevada PUC consumer complaint manager Rick Hackman. "Although he hasn't convinced us that Sprint is at fault, we believe that he deserves the forum to make his case in front of the full commission."
The PUC decision to hold hearings is an enormous victory for Munoz, and it raises the stakes for Sprint Central Telephone. If Munoz prevails, the commission could impose monetary fines and sanctions. Further, Munoz says he'll sue the company for $20 million.
That's the price, he says, for ten years of lost business, in a period that's seen mind boggling growth in the city. Construction of super hotels like the Bellagio, the Venetian, Paris, and Aladdin have pushed Las Vegas' guest capacity to over 120,000 hotel rooms, and the city now hosts some four thousand conventions each year. And that's a lot of people who could have been trying to call one of Munoz's Hot Hot Hot Tall Sexy Blondes.
© 2001 SecurityFocus.com, all rights reserved.
Sponsored: Cyberespionage and your business