Vegas commission probes vice hacks
City telecoms infrastructure ruled by cyber-syndicate?
The only hint that Larry Duke Reubel is 63-years-old is his slow step as he ambles to the witness chair and takes a seat behind the microphone. Once seated he looks fifteen years younger. He's dapper in a sports coat and a black shirt buttoned to the top, the overhead florescent lights glint off his gold watch, which matches his earring and peroxide hair. In the hearing room in this anonymous Las Vegas office building there's a trace of weariness etched into Reubel's sunburned face, as he recounts his story of a high-flying life in the adult entertainment industry -- driven slowly and inexorably into the ground by hackers.
Watching from across the room is Eddie Munoz, 43, the plaintiff in the case, who summoned Reubel from Ogden, Utah to testify here. Piled against the wall nearest Munoz is a mountain of plastic document bins stuffed with hundreds of filings, news articles, trouble tickets, police reports, and four thousand pages of call logs from Munoz's business. It's a monument to his tenacity; it's taken Munoz ten years to get this hearing in front of the Public Utilities Commission of Nevada (PUC) -- the regulatory body that oversees the state's electric, gas, water and telecommunications companies.
The PUC is where utilities come to request rate increases or ask for permission to offer a new service. But in this unprecedented hearing that began last week, and continues through Tuesday, the commission is taking a hard look at a bizarre complaint that's bubbled up from this town's nocturnal fringe economy again and again for the past ten years, from outcall service operators, bail bondsman and private eyes: that Vegas' telecommunications infrastructure is secretly controlled by super hackers working for a few powerful players in the vice biz; mobbed-up cyberpunk puppet masters pulling strings right under the nose of the local phone company.
That phone company, Sprint of Nevada, is effectively on trial here, accused by Munoz and his allies of turning a blind eye to the abuse. Commissioner Adriana Escobar Chanos, one of three PUC commissioners appointed by Nevada's governor, is judge and jury in these proceedings; eventually, likely months from now, she'll make a recommendation to the full commission based on what she sees, hears and reads. She's guided by the PUC staff, which has its own lawyer and investigator in the room, and by three advisors on her panel. If Munoz prevails, the commission could impose monetary fines and sanctions on Sprint.
Reubel is one of the alleged victims, and his story typifies the complaints. Until he gave up four years ago, Reubel published Show World West, an advertisement magazine distributed by hand to thousands of passing tourists up and down Las Vegas Boulevard each day. Like the other papers, glossy cards and printed magazines competing for eyeballs on the Strip, Reubel's publication was all about sex, spotlighting a bevy of in-room "entertainers" -- blonds, brunettes, redheads -- each of them only a phone call and a few hundred dollars away from visiting the hotel room of some randy tourist looking for a private dance. Reubel got a piece of every call, and for years business was brisk.
"Then, all of a sudden, the phones stopped ringing," says Reubel, gravel in his voice. "There's no reason for the phones to stop ringing."
The Long Nothing
The quiet phones are a common thread described by all the alleged victims. Sometimes calls appear to be tapped by competitors, other times they're diverted outright. More often, they're simply blocked, and the caller receives dead air or a circuit-busy signal. A 1996 report by a private investigator describes a test call he placed from the Monte Carlo hotel to the "Perfect Bodies" outcall service -- an alleged victim of the scheme. "The phone rang 4 times, there was a pause of short duration then a sound similar to rushing air, then a tone and a long nothing." In 1998, word of the supposed scheme reached mobsters affiliated with the Gambino crime family, according to an FBI affidavit, and six of them were snared by an undercover investigation as they tried to muscle in on the phone racket.
Throughout it all, Sprint of Nevada, the incumbent local exchange carrier, has denied any culpability. Now, sitting catty-corner from Reubel in the hearing room, dressed in business suits, are three representatives of Sprint, which fought tooth and nail to prevent the hearing from taking place: Scott Collins from the regulatory affairs department, Ann Pongracz, Sprint's general counsel, and outside counsel Patrick Riley, who handles Reubel's cross examination with the aplomb of an experienced corporate litigator.
"Going over your testimony, you seem to blame Sprint for the loss of your business," Riley says, with mock bewilderment. "Is that correct?"
"They're providing a service to me, and they're not providing the security they should," Reubel replies. "So, yes."
Riley counters by carefully outlining all the steps the phone company took to investigate Reubel's complaint when he first raised it in 1995: Sprint made test calls to Reubel's numbers, and they all went through. They ran a script at their switching control center that periodically checked his lines for covert call-forwarding, never finding any. They examined his lines for physical taps, and there were none. "Doesn't it look like Sprint went to an awful lot of trouble to investigate your complaint?," Riley asks reasonably.
Reubel smiles without humor, leans into the microphone and speaks slowly. "I was making a quarter million dollars a year. I'm making ten dollars an hour now. Whatever they did, it wasn't enough."
And so it goes, with a procession of Munoz's witnesses sharing their own tales of ruin. Former "Perfect Bodies" operator Hilda Brauer, gray-haired and matronly, peers over her glasses and testifies that the entertainers she dispatched to Vegas hotel rooms often found women from a particular competing service already there -- as though the competitor was listening in. One of the women even "trick-rolled" a client -- stole from him -- leaving Brauer holding the bag. Former bail bondman Peter Vilencia says he effectively caught the call burglars in the act, but was still powerless to stop them "I personally called my own phone number and got connected to other bail bonds companies," says Vilencia. "I feel this hearing is justified, and something needs to be done to correct the problem."
Finally, Munoz begins his testimony. Like Reubel, Munoz is a publisher. He owns nearly half of the five hundred licensed news racks on the Strip, which he crams with stacks of the Las Vegas Informer -- twelve gritty newsprint pages advertising in-room entertainers. Ten years ago, the ads would result in fifteen or twenty outcalls a night; now, it's more like one or two, and Munoz is having trouble paying his bills. His phone problems are similar to the others' -- callers from outside Vegas, or from payphones and cell phones, get through, he says, but hotel callers frequently get false busy signals, or reach silence, driving them into the arms of competing services. He filed his first complaint with the PUC in 1994. It took two more complaints and an abortive federal writ before the commission staff launched an investigation, which led them a year ago to recommend this full hearing.
Munoz testifies that he's stayed in business this long by selling ad space to competitors, and by employing his own crude countermeasures against his invisible adversaries. "What I've learned to do in order to survive this phone problem is continuously change the numbers, continuously change locations, because after a while they don't ring any more," he says.
Munoz isn't his own best advocate. Commissioner Escobar Chanos frequently has to admonish him for his long rambling answers under cross examination. He often alludes to his personal theory on the nature and methodology of his enemies, which, like a piece of gum stuck to the bottom of a shoe, seems to pick up bits and pieces of everything he walks through. These days it ties together the New Jersey mafia, corrupt phone company employees, a telco billing company in Los Angeles, several hackers, and a 1999 takeover robbery at a southwest Vegas Sprint office, in which masked gunmen made off with 233 telephone line cards.
The only documented tests that have been conducted weigh against Munoz's complaint. When AT&T called his lines from Vegas hotels in 1997, the calls went through without incident. In August of 2001, a PUC staffer made several test calls from a Vegas hotel with the same results. And in November of 2000, at the direction of the PUC, Sprint ran three days of test calls from five different Las Vegas hotels. Of 205 calls, all but 23 went through, and none were diverted to competitors. Further investigation of the 23 incomplete calls turned up innocent explanations.
The Phone Cop
Munoz believes that test was compromised, and the hackers cleverly arranged for him to receive the test calls, while still blocking the other hotels. In fact, a switch report he subpoenaed from Sprint includes some mysterious entries during the test period -- a dozen calls were placed from hotels not involved in the test, and most of them had a duration of "0 seconds." But it's hard not to wonder how a phenomenon capable of crippling Munoz's business could be so difficult to reproduce.
It's against that backdrop that the PUC staff -- the only players in the room without their own chips in the game -- have adopted the position that Munoz hasn't proven his case, and that no fines or other sanctions should be imposed on Sprint.
But if staffers are skeptical of Munoz's complaint, they're equally incredulous over Sprint's assertion that the phone company takes computer security seriously. PUC staff attorney Louise Uttinger summoned a witness of her own to the hearing -- former Vegas phone cop Larry Hill, who, up until his retirement in 2000, was in charge of investigations involving "Sprint's various internal systems" in Las Vegas, according to a company affidavit.
The gaunt and grizzled Hill is a former NYPD captain, and he testifies like a pro, giving short quick answers and volunteering little. "I remember investigating many cases of this nature," Hill says. "We would generally check to see that all the programming on the complainant's line was in order... We determined in every case that there was no unauthorized call-forwarding."
Under cross examination by Uttinger and Munoz's attorney Peter Alpert, Hill testifies that when he retired from the company all of his files on those cases disappeared. He also says that nobody was hired to replace him when he left. Perhaps there was no need: in his twelve years with Sprint, Hill never once saw a hacker in the company's network. "To my knowledge there's no way that a computer hacker could get into our systems," says Hill.
If Sprint of Nevada is hack-proof, the achievement would make it a rarity among regional phone companies. But a report written by a technical consultant hired by the PUC staff concluded otherwise. "[W]hile I have encountered several capable Sprint employees, each an excellent specialist, some have clearly never considered the presence of a sophisticated hacker, the kind routinely found on the Internet nowadays," wrote Ron Bardarson, a former system administrator at a Reno ISP. "Additionally, I have not yet encountered anyone thinking about 'breaking into your own system,' which is the best way to improve a system's security. If such a person exists, I cannot help wondering why she/he is not a witness in this docket."
Bardarson says he discovered what appears to be computer security weakness in Sprint's infrastructure. He's not the only one. As SecurityFocus Online reported last year, former hacker Kevin Mitnick claims extensive penetrations into Sprint's Las Vegas systems from approximately 1992 until his February, 1995 arrest -- smack dab in the middle of the call diversion complaints. Mitnick's access gave him the power to monitor or reprogram any phone line in town. Following that story, Munoz retained Mitnick as a technical consultant in his case, only to give him up later. Munoz says Mitnick wanted to run too many pointless tests; Mitnick says Munoz stiffed him and a partner for thousands of dollars in fees and expenses.
Citing Bardarson's findings and Mitnick's statements, the PUC staff is recommending that the commission open a new investigatory docket to explore Sprint's security issues, and to force the company to undergo security audits, and report back to the PUC annually on the results. If the commission follows that recommendation it will set a remarkable precedent -- regardless of its action on Munoz's complaint.
At a time when official Washington is emphasizing the link between the United States' "critical infrastructures" and national security, it may be a state regulatory body more accustomed to tariffs than cyber terrorists that first takes on oversight of an infrastructure provider's network security. And all because a ragtag lineup of lost and struggling peddlers of vice wouldn't fade quietly into the neon glow of the Las Vegas night.
© 2002 SecurityFocus.com, all rights reserved.
Sponsored: RAID: End of an era?