
Sprint security faulted in Vegas hacks

Telco facing audits


Citing the "compelling, credible testimony" of ex-hacker Kevin Mitnick, state officials urged Nevada regulators to force a series of dramatic security reforms on Las Vegas telephone company Sprint of Nevada last week, as final arguments were filed in the case of an in-room adult entertainment operator who believes he's being driven out of business by phone hackers.

Sprint would be required to retain outside computer security consultants, launch a security training program for company employees, develop a process for detecting and deterring intrusion attempts into its network, and begin documenting its security investigations, if the Public Utilities Commission follows the recommendations of its regulatory operations staff, acting as independent investigators in the case.

Plaintiff Eddie Munoz first complained to the commission in 1994 that the phone company was allowing mercenary hackers to cripple his business by diverting, monitoring and blocking his phone calls - a complaint that's been echoed by private investigators, bail bondsmen and some of Munoz's competitors over the years. Sprint has maintained that Munoz's problems are in his own equipment, and that as far as they know their systems have never suffered a single intrusion.

But the company's invulnerability was brought into question in a series of hearings earlier this year in which Sprint officials admitted that they'd lost or destroyed years of investigatory records in a reorganization of their security department, and that they permitted dial-up access into their switches for maintenance purposes with little logging.

The hearings concluded in June with testimony by Mitnick -- hired by Munoz as a consultant and an expert witness. The ex-hacker testified that prior to his 1995 arrest he had illicit control of the company's Las Vegas switching systems through the dial-ups, and also enjoyed unfettered access to a computerized testing system manufactured by Nortel Networks called CALRS -- pronounced "callers" -- that allows users to monitor phone lines and intercept or originate calls.

Sprint: Mitnick's a Liar

Challenged to prove his claims, Mitnick used a break in the hearing to visit an old rented storage locker, returning with a list of passwords he said unlocked the CALRS system at the time of his arrest. (Contacted by SecurityFocus Online, Nortel Networks spokesman David Chamberlin declined to comment on CALRS, writing in an email, "I'd point you back to Sprint to discuss their phone network with them.")

Sprint opposes a new docket to supervise their security, and slammed Mitnick's testimony. In the company's closing arguments Friday, outside counsel Patrick Riley described the ex-hacker as an unreformed "con artist," reminded the commission of Mitnick's criminal record, and pointed accusingly to his authorship of the upcoming Wiley book on social engineering titled "The Art of Deception: Controlling the Human Element of Security."

The company also claimed Mitnick lacked the technical know-how to be an expert witness on Sprint's security ills because the hacker never worked as a "switch engineer" for a telephone company. "Although Mr. Munoz presented Mr. Mitnick as an 'expert' witness, Mr. Mitnick is an expert in only one thing -- lying," wrote Riley.

But PUC staff attorney Louise Uttinger found Mitnick's detailed testimony -- coupled with Sprint's admissions in some areas, and silence in others -- credible enough to raise serious questions about the security of Sprint's Nevada network. Those questions, Uttinger wrote, "could impact economic, social, and national matters of importance to all Nevadans and to anyone conducting business in Nevada."

While they disagree on Mitnick's credibility as a witness, commission staff agreed with Sprint that Munoz never produced a smoking gun in his case. Pointing to undisciplined testing procedures and unclear record-keeping by Munoz, as well as several tests that failed to show any unexplained dropped calls, Uttinger recommended that the complaint be dismissed.

In his closing argument, Munoz attorney Peter Alpert argued that his client had limited resources and access, and asked the commission to compel Sprint to conduct a battery of additional tests under PUC supervision. "It is respectfully suggested that Mr. Munoz has come upon a flaw in Sprint's system which only Sprint is capable of detecting since only it has access to the network."

The commission is expected to rule this fall.

© 2002 SecurityFocus.com, all rights reserved.
