Feeds

Sprint cleared of negligence in vice hacks

Security no worse than any other telco

  • alert
  • submit to reddit

Protecting against web application threats using SSL

The Nevada Public Utilities Commission pulled the plug Thursday on a Las Vegas adult entertainment operator's claim that telephone calls meant for his stable of private dancers are being blocked by hackers with access to local phone company Sprint of Nevada's systems, closing an eight-year-old legal battle that pitted the vanquished brokers of Sin City's competitive sex trade against the corporate legal muscle of a telecom giant.

"Having reviewed all of the evidence in the hearing, and taken a lot of thought and reviewed everything over and over again... in my opinion there is no evidence that Sprint has caused this to occur or has substandard security," said commission Adriana Escobar Chanos, recommending the case's dismissal to the full commission in a morning PUC agenda meeting.

Plaintiff Eddie Munoz first complained to the PUC in 1994 that the phone company was allowing mercenary hackers to cripple his business by diverting, monitoring and blocking his phone calls -- a complaint that's been echoed by private investigators, bail bondsmen and some of Munoz's competitors. In the years of testing and legal wrangling that followed, Munoz produced a wealth of anecdotal evidence, but no empirical proof to support his claim.

Munoz faulted Sprint for not cooperating in the testing, and had asked the PUC to order a new round of tests under close supervision, a plea the commissioners rejected Thursday.

The commission found that there wasn't sufficient evidence to believe that Munoz's problems were in Sprint's network, rather than in his own equipment, or at the hotel PBXs where most calls originate.

The ruling also rejected the recommendation of the PUC's own staff investigators, who, while arguing for the dismissal, had urged the commission to open a new docket to closely supervise Sprint's computer security practices. The recommendation would have forced the company to retain outside security consultants, launch a security training program for employees, develop a process for detecting and deterring intrusion attempts into its network, and begin documenting its security investigations.

In several days of hearings held earlier this year by Escobar Chanos, Sprint officials admitted that they'd lost or destroyed years of records in a reorganization of their security department, and that they permitted dial-up access into their switches for maintenance purposes with little logging. In June, ex-hacker Kevin Mitnick -- hired by Munoz as a consultant -- testified that prior to his 1995 arrest he had illicit control of the company's switching systems through the dial-ups, and also enjoyed unfettered access to a computerized testing system called CALRS that allows users to monitor phone lines and intercept or originate calls throughout Las Vegas.

A draft of the commission's final order in the case suggests that Escobar Chanos found Mitnick's testimony convincing, but that in some ways it actually hurt Munoz's case: the ex-hacker's own testing found no evidence of ongoing call diversion, and Mitnick testified that his access as a fugitive was not limited to Sprint's network, but included every phone company in every city where he'd holed up.

The draft order concludes that "Sprint's security is no better nor no worse than that of other telephone companies," and credits the company with taking "reasonable steps" to protect its network.

In an interview following the ruling, Munoz vowed to take his case to the federal courts. "What's a consumer supposed to do?... They sent a message across the United States that the telephone company can do whatever they want to do."

© 2002 SecurityFocus.com, all rights reserved.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.