Technology

Mitnick Testifies Against Sprint in Vice Hack Case


LAS VEGAS--Since adult entertainment operator Eddie Munoz first told state

regulators in 1994 that mercenary hackers were crippling his business by

diverting, monitoring and blocking his phone calls, officials at local

telephone company Sprint of Nevada have maintained that, as far as they

know, their systems have never suffered a single intrusion.

The Sprint subsidiary lost that innocence Monday when convicted hacker Kevin

Mitnick shook up a hearing on the call-tampering allegations by detailing

years of his own illicit control of the company's Las Vegas switching

systems, and the workings of a computerized testing system that he says

allows silent monitoring of any phone line served by the incumbent telco.

"I had access to most, if not all, of the switches in Las Vegas," testified

Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had

the same privileges as a Northern Telecom technician."

Mitnick's testimony played out like a surreal Lewis Carroll version of a

hacker trial -- with Mitnick calmly and methodically explaining under oath

how he illegally cracked Sprint of Nevada's network, while the attorney for

the victim company attacked his testimony, effectively accusing the

ex-hacker of being innocent.

The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in

allegedly allowing hackers to control their network to the benefit of a few

crooked businesses. Munoz is the publisher of an adult advertising paper

that sells the services of a bevy of in-room entertainers, whose phone

numbers are supposed to ring to Munoz's switchboard. Instead, callers

frequently get false busy signals, or reach silence, Munoz claims.

Occasionally calls appear to be rerouted directly to a competitor. Munoz's

complaints have been echoed by other outcall service operators, bail

bondsmen and private investigators -- some of whom appeared at two days of

hearings in March to

testify for Munoz against Sprint.

Munoz hired Mitnick as a technical consultant in his case last year, after

SecurityFocus Online reported that the

ex-hacker -- a onetime Las Vegas resident -- claimed he had substantial

access to Sprint's network up until his 1995 arrest. After running some

preliminary tests, Mitnick withdrew from the case when Munoz fell behind in

paying his consulting fees. On the last day of the March hearings,

commissioner Adriana Escobar Chanos adjourned the matter to allow Munoz time

to persuade Mitnick to testify, a feat Munoz pulled-off just in time for

Monday's hearing.

Mitnick admitted that his testing produced no evidence that Munoz is

experiencing call diversion or blocking. But his testimony casts doubt on

Sprint's contention that such tampering is unlikely, or impossible. With the

five year statute of limitations long expired, Mitnick appeared comfortable

describing with great specificity how he first gained access to Sprint's

systems while living in Las Vegas in late 1992 or early 1993, and then

maintained that access while a fugitive.

Mitnick testified that he could connect to the control consoles -- quaintly

called "visual display units" -- on each of Vegas' DMS-100 switching systems

through dial-up modems intended to allow the switches to be serviced

remotely by the company that makes them, Ontario-based Northern Telecom,

renamed in 1999 to Nortel Networks.

Each switch had a secret phone number, and a default username and password,

he said. He obtained the phone numbers and passwords from Sprint employees

by posing as a Nortel technician, and used the same ploy every time he

needed to use the dial-ups, which were inaccessible by default.

With access to the switches, Mitnick could establish, change, redirect or

disconnect phone lines at will, he said.

That's a far cry from the unassailable system portrayed at the March

hearings, when former company security investigator Larry Hill -- who

retired from Sprint in 2000 -- testified "to my knowledge there's no way

that a computer hacker could get into our systems." Similarly, a May 2001

filing by Scott Collins of Sprint's regulatory affairs department said that

to the company's knowledge Sprint's network had "never been penetrated or

compromised by so-called computer hackers."

Under cross examination Monday by PUC staff attorney Louise Uttinger,

Collins admitted that Sprint maintains dial-up modems to allow Nortel remote

access to their switches, but insisted that Sprint had improved security on

those lines since 1995, even without knowing they'd been compromised before.

But Mitnick had more than just switches up his sleeve Monday.

The ex-hacker also discussed a testing system called CALRS (pronounced

"callers"), the Centralized Automated Loop Reporting System. Mitnick first

described CALRS to SecurityFocus Online last year as a system that allows

Las Vegas phone company workers to run tests on customer lines from a

central location. It consists of a handful of client computers, and remote

servers attached to each of Sprint's DMS-100 switches.

Mitnick testified Monday that the remote servers were accessible through 300

baud dial-up modems, guarded by a technique only slightly more secure than

simple password protection: the server required the client -- normally a

computer program -- to give the proper response to any of 100 randomly

chosen challenges. The ex-hacker said he was able to learn the Las Vegas

dial-up numbers by conning Sprint workers, and he obtained the "seed list"

of challenges and responses by using his social engineering skills on

Nortel, which manufactures and sells the system.

The system allows users to silently monitor phone lines, or originate calls

on other people's lines, Mitnick said.

Mitnick's claims seemed to inspire skepticism in the PUC's technical

advisor, who asked the ex-hacker, shortly before the hearing was to break

for lunch, if he could prove that he had cracked Sprint's network. Mitnick

said he would try.

Two hours later, Mitnick returned to the hearing room clutching a

crumpled, dog-eared and torn sheet of paper, and a small stack of copies for

the commissioner, lawyers, and staff.

At the top of the paper was printed "3703-03 Remote Access Password List." A

column listed 100 "seeds", numbered "00" through "99," corresponding to a

column of four digit hexadecimal "passwords," like "d4d5" and "1554."

Commissioner Escobar Chanos accepted the list as an exhibit over the

objections of Sprint attorney Patrick Riley, who complained that it hadn't

been provided to the company in discovery. Mitnick retook the stand and

explained that he used the lunch break to visit a nearby storage locker that

he'd rented on a long-term basis years ago, before his arrest. "I wasn't

sure if I had it in that storage locker," said Mitnick. "I hadn't been there

in seven years."

"If the system is still in place, and they haven't changed the seed list,

you could use this to get access to CALRS," Mitnick testified. "The system

would allow you to wiretap a line, or seize dial tone."

Mitnick's return to the hearing room with the list generated a flurry of

activity at Sprint's table; Ann Pongracz, the company's general counsel, and

another Sprint employee strode quickly from the room -- Pongracz already

dialing on a cell phone while she walked. Riley continued his cross

examination of Mitnick, suggesting, again, that the ex-hacker may have made

the whole thing up. "The only way I know that this is a Nortel document is

to take you at your word, correct?," asked Riley. "How do we know that

you're not social engineering us now?"

Mitnick suggested calmly that Sprint try the list out, or check it with

Nortel. Nortel could not be reached for comment after hours Monday.

The PUC hearing is expected to run through Tuesday. By Kevin Poulsen


Ebola Rising
LIMITED-TIME OFFER SUBSCRIBE NOW

Sponsored Links

Buy a link now!

 
blog comments powered by Disqus