Feeds

Sprint cleared of negligence in vice hacks

Security no worse than any other telco

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

The Nevada Public Utilities Commission pulled the plug Thursday on a Las Vegas adult entertainment operator's claim that telephone calls meant for his stable of private dancers are being blocked by hackers with access to local phone company Sprint of Nevada's systems, closing an eight-year-old legal battle that pitted the vanquished brokers of Sin City's competitive sex trade against the corporate legal muscle of a telecom giant.

"Having reviewed all of the evidence in the hearing, and taken a lot of thought and reviewed everything over and over again... in my opinion there is no evidence that Sprint has caused this to occur or has substandard security," said commission Adriana Escobar Chanos, recommending the case's dismissal to the full commission in a morning PUC agenda meeting.

Plaintiff Eddie Munoz first complained to the PUC in 1994 that the phone company was allowing mercenary hackers to cripple his business by diverting, monitoring and blocking his phone calls -- a complaint that's been echoed by private investigators, bail bondsmen and some of Munoz's competitors. In the years of testing and legal wrangling that followed, Munoz produced a wealth of anecdotal evidence, but no empirical proof to support his claim.

Munoz faulted Sprint for not cooperating in the testing, and had asked the PUC to order a new round of tests under close supervision, a plea the commissioners rejected Thursday.

The commission found that there wasn't sufficient evidence to believe that Munoz's problems were in Sprint's network, rather than in his own equipment, or at the hotel PBXs where most calls originate.

The ruling also rejected the recommendation of the PUC's own staff investigators, who, while arguing for the dismissal, had urged the commission to open a new docket to closely supervise Sprint's computer security practices. The recommendation would have forced the company to retain outside security consultants, launch a security training program for employees, develop a process for detecting and deterring intrusion attempts into its network, and begin documenting its security investigations.

In several days of hearings held earlier this year by Escobar Chanos, Sprint officials admitted that they'd lost or destroyed years of records in a reorganization of their security department, and that they permitted dial-up access into their switches for maintenance purposes with little logging. In June, ex-hacker Kevin Mitnick -- hired by Munoz as a consultant -- testified that prior to his 1995 arrest he had illicit control of the company's switching systems through the dial-ups, and also enjoyed unfettered access to a computerized testing system called CALRS that allows users to monitor phone lines and intercept or originate calls throughout Las Vegas.

A draft of the commission's final order in the case suggests that Escobar Chanos found Mitnick's testimony convincing, but that in some ways it actually hurt Munoz's case: the ex-hacker's own testing found no evidence of ongoing call diversion, and Mitnick testified that his access as a fugitive was not limited to Sprint's network, but included every phone company in every city where he'd holed up.

The draft order concludes that "Sprint's security is no better nor no worse than that of other telephone companies," and credits the company with taking "reasonable steps" to protect its network.

In an interview following the ruling, Munoz vowed to take his case to the federal courts. "What's a consumer supposed to do?... They sent a message across the United States that the telephone company can do whatever they want to do."

© 2002 SecurityFocus.com, all rights reserved.

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.