Feeds

Sprint cleared of negligence in vice hacks

Security no worse than any other telco

  • alert
  • submit to reddit

SANS - Survey on application security programs

The Nevada Public Utilities Commission pulled the plug Thursday on a Las Vegas adult entertainment operator's claim that telephone calls meant for his stable of private dancers are being blocked by hackers with access to local phone company Sprint of Nevada's systems, closing an eight-year-old legal battle that pitted the vanquished brokers of Sin City's competitive sex trade against the corporate legal muscle of a telecom giant.

"Having reviewed all of the evidence in the hearing, and taken a lot of thought and reviewed everything over and over again... in my opinion there is no evidence that Sprint has caused this to occur or has substandard security," said commission Adriana Escobar Chanos, recommending the case's dismissal to the full commission in a morning PUC agenda meeting.

Plaintiff Eddie Munoz first complained to the PUC in 1994 that the phone company was allowing mercenary hackers to cripple his business by diverting, monitoring and blocking his phone calls -- a complaint that's been echoed by private investigators, bail bondsmen and some of Munoz's competitors. In the years of testing and legal wrangling that followed, Munoz produced a wealth of anecdotal evidence, but no empirical proof to support his claim.

Munoz faulted Sprint for not cooperating in the testing, and had asked the PUC to order a new round of tests under close supervision, a plea the commissioners rejected Thursday.

The commission found that there wasn't sufficient evidence to believe that Munoz's problems were in Sprint's network, rather than in his own equipment, or at the hotel PBXs where most calls originate.

The ruling also rejected the recommendation of the PUC's own staff investigators, who, while arguing for the dismissal, had urged the commission to open a new docket to closely supervise Sprint's computer security practices. The recommendation would have forced the company to retain outside security consultants, launch a security training program for employees, develop a process for detecting and deterring intrusion attempts into its network, and begin documenting its security investigations.

In several days of hearings held earlier this year by Escobar Chanos, Sprint officials admitted that they'd lost or destroyed years of records in a reorganization of their security department, and that they permitted dial-up access into their switches for maintenance purposes with little logging. In June, ex-hacker Kevin Mitnick -- hired by Munoz as a consultant -- testified that prior to his 1995 arrest he had illicit control of the company's switching systems through the dial-ups, and also enjoyed unfettered access to a computerized testing system called CALRS that allows users to monitor phone lines and intercept or originate calls throughout Las Vegas.

A draft of the commission's final order in the case suggests that Escobar Chanos found Mitnick's testimony convincing, but that in some ways it actually hurt Munoz's case: the ex-hacker's own testing found no evidence of ongoing call diversion, and Mitnick testified that his access as a fugitive was not limited to Sprint's network, but included every phone company in every city where he'd holed up.

The draft order concludes that "Sprint's security is no better nor no worse than that of other telephone companies," and credits the company with taking "reasonable steps" to protect its network.

In an interview following the ruling, Munoz vowed to take his case to the federal courts. "What's a consumer supposed to do?... They sent a message across the United States that the telephone company can do whatever they want to do."

© 2002 SecurityFocus.com, all rights reserved.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.