Information Security News mailing list archives

Mitnick testimony burns Sprint in Vegas 'vice hack' case


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Jun 2002 02:58:14 -0500 (CDT)

http://www.theregister.co.uk/content/55/25893.html

By Kevin Poulsen, SecurityFocus Online
Posted: 26/06/2002 at 02:28 GMT

Since adult entertainment operator Eddie Munoz first told state
regulators in 1994 that mercenary hackers were crippling his business
by diverting, monitoring and blocking his phone calls, officials at
local telephone company Sprint of Nevada have maintained that, as far
as they know, their systems have never suffered a single intrusion.

The Sprint subsidiary lost that innocence Monday when convicted hacker
Kevin Mitnick shook up a hearing on the call-tampering allegations by
detailing years of his own illicit control of the company's Las Vegas
switching systems, and the workings of a computerized testing system
that he says allows silent monitoring of any phone line served by the
incumbent telco.

"I had access to most, if not all, of the switches in Las Vegas,"  
testified Mitnick, at a hearing of Nevada's Public Utilities
Commission (PUC). "I had the same privileges as a Northern Telecom
technician."

Mitnick's testimony played out like a surreal Lewis Carroll version of
a hacker trial -- with Mitnick calmly and methodically explaining
under oath how he illegally cracked Sprint of Nevada's network, while
the attorney for the victim company attacked his testimony,
effectively accusing the ex-hacker of being innocent.

The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence
in allegedly allowing hackers to control its network to the benefit
of a few crooked businesses. Munoz is the publisher of an adult
advertising paper that sells the services of a bevy of in-room
entertainers, whose phone numbers are supposed to ring to Munoz's
switchboard. Instead, callers frequently get false busy signals, or
reach silence, Munoz claims. Occasionally calls appear to be rerouted
directly to a competitor. Munoz's complaints have been echoed by other
outcall service operators, bail bondsmen and private investigators --
some of whom appeared at two days of hearings in March to testify for
Munoz against Sprint.

Munoz hired Mitnick as a technical consultant in his case last year,
after SecurityFocus Online reported that the ex-hacker -- a onetime
Las Vegas resident -- claimed he had substantial access to Sprint's
network up until his 1995 arrest. After running some preliminary
tests, Mitnick withdrew from the case when Munoz fell behind in paying
his consulting fees. On the last day of the March hearings,
commissioner Adriana Escobar Chanos adjourned the matter to allow
Munoz time to persuade Mitnick to testify, a feat Munoz pulled off
just in time for Monday's hearing.

Mitnick admitted that his testing produced no evidence that Munoz is
experiencing call diversion or blocking. But his testimony casts doubt
on Sprint's contention that such tampering is unlikely, or impossible.
With the five-year statute of limitations long expired, Mitnick
appeared comfortable describing with great specificity how he first
gained access to Sprint's systems while living in Las Vegas in late
1992 or early 1993, and then maintained that access while a fugitive.

Mitnick testified that he could connect to the control consoles --
quaintly called "visual display units" -- on each of Vegas' DMS-100
switching systems through dial-up modems intended to allow the
switches to be serviced remotely by the company that makes them,
Ontario-based Northern Telecom, renamed in 1999 to Nortel Networks.

Each switch had a secret phone number, and a default username and
password, he said. He obtained the phone numbers and passwords from
Sprint employees by posing as a Nortel technician, and used the same
ploy every time he needed to use the dial-ups, which were inaccessible
by default.

With access to the switches, Mitnick could establish, change, redirect
or disconnect phone lines at will, he said.

That's a far cry from the unassailable system portrayed at the March
hearings, when former company security investigator Larry Hill -- who
retired from Sprint in 2000 -- testified "to my knowledge there's no
way that a computer hacker could get into our systems." Similarly, a
May 2001 filing by Scott Collins of Sprint's regulatory affairs
department said that to the company's knowledge Sprint's network had
"never been penetrated or compromised by so-called computer hackers."

Under cross examination Monday by PUC staff attorney Louise Uttinger,
Collins admitted that Sprint maintains dial-up modems to allow Nortel
remote access to their switches, but insisted that Sprint had improved
security on those lines since 1995, even without knowing they'd been
compromised before.

But Mitnick had more than just switches up his sleeve Monday.

The ex-hacker also discussed a testing system called CALRS (pronounced
"callers"), the Centralized Automated Loop Reporting System. Mitnick
first described CALRS to SecurityFocus Online last year as a system
that allows Las Vegas phone company workers to run tests on customer
lines from a central location. It consists of a handful of client
computers, and remote servers attached to each of Sprint's DMS-100
switches.

Mitnick testified Monday that the remote servers were accessible
through 300 baud dial-up modems, guarded by a challenge-response
scheme only slightly stronger than a plain password: the server would
pick one of 100 fixed challenges at random and require the client --
normally a computer program -- to reply with the matching response
from a fixed table. The ex-hacker said he was able to learn the Las
Vegas dial-up numbers by conning Sprint workers, and he obtained the
"seed list" of challenges and responses by using his social
engineering skills on Nortel, which manufactures and sells the system.

The system allows users to silently monitor phone lines, or originate
calls on other people's lines, Mitnick said.

Mitnick's claims seemed to inspire skepticism in the PUC's technical
advisor, who asked the ex-hacker, shortly before the hearing was to
break for lunch, if he could prove that he had cracked Sprint's
network. Mitnick said he would try.

Two hours later, Mitnick returned to the hearing room clutching a
crumpled, dog-eared and torn sheet of paper, and a small stack of
copies for the commissioner, lawyers, and staff.

At the top of the paper was printed "3703-03 Remote Access Password
List." A column listed 100 "seeds", numbered "00" through "99,"
corresponding to a column of four-digit hexadecimal "passwords," like
"d4d5" and "1554."
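The authentication scheme described in the two passages above (one of 100 fixed seeds sent as a challenge, a four-hex-digit password from a printed list expected in reply) can be modelled in a few dozen lines. The following is an added illustration, not Nortel, Sprint or CALRS code: it simulates the exchange between server and client, shows why a copy of the seed list, or merely listening to enough legitimate logins, is sufficient to authenticate, and contrasts it with a keyed challenge-response (HMAC over a fresh random nonce) that the article does not describe but that a practitioner would reach for instead. The seed list here is generated at random because the page prints only two entries ("d4d5", "1554") without their seed numbers; the dial-up transport, the HMAC design and all key material are assumptions of the example.

```python
"""Added illustration of a CALRS-style static challenge/response versus a
keyed one. Not the page's, Nortel's or Sprint's code; all values constructed."""
import hashlib
import hmac
import random
import secrets
from typing import Callable


def make_seed_list(rng: random.Random) -> dict[str, str]:
    """Constructed stand-in for the printed '3703-03 Remote Access Password List':
    seeds "00".."99" each map to a four-hex-digit password. The page shows only
    two passwords without seeds, so every entry here is random."""
    return {f"{i:02d}": f"{rng.getrandbits(16):04x}" for i in range(100)}


class StaticTableServer:
    """The weak scheme as the article describes it: pick one of 100 fixed
    challenges and accept the matching entry of a static table."""

    def __init__(self, seed_list: dict[str, str], rng: random.Random):
        self.seed_list = seed_list
        self.rng = rng

    def challenge(self) -> str:
        return f"{self.rng.randrange(100):02d}"

    def verify(self, seed: str, response: str) -> bool:
        return hmac.compare_digest(self.seed_list[seed], response)


def static_session(server: StaticTableServer, respond: Callable[[str], str]) -> bool:
    """One dial-up login: server sends a seed, client answers, server decides."""
    seed = server.challenge()
    return server.verify(seed, respond(seed))


def login_with_list(server: StaticTableServer, seed_list: dict[str, str]) -> bool:
    """Anyone holding a copy of the list answers every challenge correctly."""
    return static_session(server, lambda seed: seed_list[seed])


def eavesdrop_until_complete(server: StaticTableServer,
                             seed_list: dict[str, str]) -> tuple[dict[str, str], int]:
    """A passive listener rebuilds the whole list from legitimate logins: each
    observed (seed, password) pair is one entry and only 100 entries exist.
    Returns the recovered table and the number of sessions it took."""
    learned: dict[str, str] = {}
    sessions = 0
    while len(learned) < 100:
        seed = server.challenge()
        response = seed_list[seed]          # the legitimate client answers
        server.verify(seed, response)
        learned[seed] = response            # attacker records the pair
        sessions += 1
    return learned, sessions


class HmacServer:
    """Contrast, not the page's design: challenges are fresh 128-bit nonces and
    the response is HMAC-SHA256 over the nonce under a shared key, so a recorded
    transcript neither replays nor yields the key."""

    def __init__(self, key: bytes):
        self.key = key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def hmac_respond(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_attack_succeeds(server: HmacServer, key: bytes) -> bool:
    """Eavesdropper records one legitimate exchange and replays the recorded
    response to a fresh challenge. Succeeds only if the 128-bit nonce repeats."""
    recorded_nonce = server.challenge()
    recorded_response = hmac_respond(key, recorded_nonce)
    assert server.verify(recorded_nonce, recorded_response)   # genuine login works
    return server.verify(server.challenge(), recorded_response)


def demo() -> dict[str, object]:
    rng = random.Random(3703)                # fixed seed so the run is repeatable
    seed_list = make_seed_list(rng)
    server = StaticTableServer(seed_list, rng)
    leaked_copy = dict(seed_list)            # the printout from the storage locker
    recovered, sessions = eavesdrop_until_complete(server, seed_list)
    key = secrets.token_bytes(32)            # constructed shared key
    return {
        "attacker_with_list_logs_in": login_with_list(server, leaked_copy),
        "eavesdropper_recovers_full_list": recovered == seed_list,
        "sessions_needed": sessions,
        "hmac_replay_succeeds": replay_attack_succeeds(HmacServer(key), key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the static-table half is the one Mitnick makes on the stand: with only 100 challenges and fixed answers, the list is the credential, and it stays valid until someone changes it. The keyed variant shows the minimum that fixes both problems, a challenge space too large to enumerate and a response that cannot be tabulated without the key.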

Commissioner Escobar Chanos accepted the list as an exhibit over the
objections of Sprint attorney Patrick Riley, who complained that it
hadn't been provided to the company in discovery. Mitnick retook the
stand and explained that he used the lunch break to visit a nearby
storage locker that he'd rented on a long-term basis years ago, before
his arrest. "I wasn't sure if I had it in that storage locker," said
Mitnick. "I hadn't been there in seven years."

"If the system is still in place, and they haven't changed the seed
list, you could use this to get access to CALRS," Mitnick testified.  
"The system would allow you to wiretap a line, or seize dial tone."

Mitnick's return to the hearing room with the list generated a flurry
of activity at Sprint's table; Ann Pongracz, the company's general
counsel, and another Sprint employee strode quickly from the room --
Pongracz already dialing on a cell phone while she walked. Riley
continued his cross examination of Mitnick, suggesting, again, that
the ex-hacker may have made the whole thing up. "The only way I know
that this is a Nortel document is to take you at your word, correct?"
asked Riley. "How do we know that you're not social engineering us
now?"

Mitnick suggested calmly that Sprint try the list out, or check it
with Nortel. Nortel could not be reached for comment after hours
Monday.

The PUC hearing is expected to run through Tuesday.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

