SecurityFocus
Sprint Cleared of Negligence in Vice Hacks
State commission finds Sprint's security no worse than any other telephone company.
By Kevin Poulsen, Sep 12 2002 8:05PM

The Nevada Public Utilities Commission pulled the plug
Thursday on a Las Vegas adult
entertainment operator's claim that telephone calls meant for
his stable of private dancers are being blocked by hackers
with access to local phone company Sprint of Nevada's systems,
closing an eight-year-old legal battle that pitted the
vanquished brokers of Sin City's competitive sex trade against
the corporate legal muscle of a telecom giant.
"Having reviewed all of the evidence in the hearing, and taken
a lot of thought and reviewed everything over and over
again... in my opinion there is no evidence that Sprint has
caused this to occur or has substandard security," said
commissioner Adriana Escobar Chanos, recommending the case's
dismissal to the full commission in a morning PUC agenda
meeting.
Plaintiff Eddie Munoz first complained to the PUC in 1994 that
the phone company was allowing mercenary hackers to cripple
his business by diverting, monitoring and blocking his phone
calls -- a complaint that's been echoed by private
investigators, bail bondsmen and some of Munoz's competitors.
In the years of testing and legal wrangling that followed,
Munoz produced a wealth of anecdotal evidence, but no
empirical proof to support his claim.
Munoz faulted Sprint for not cooperating in the testing, and
had asked the PUC to order a new round of tests under close
supervision, a plea the commissioners rejected Thursday.
The commission found that there wasn't sufficient evidence to
believe that Munoz's problems were in Sprint's network, rather
than in his own equipment, or at the hotel PBXs where most
calls originate.
The ruling also rejected the recommendation of the PUC's own staff
investigators, who, while arguing for the dismissal, had urged
the commission to open a new docket to closely supervise
Sprint's computer security practices. The recommendation would
have forced the company to retain outside security
consultants, launch a security training program for employees,
develop a process for detecting and deterring intrusion
attempts into its network, and begin documenting its security
investigations.
In several days of hearings held earlier this year by Escobar
Chanos, Sprint officials admitted that they'd lost or
destroyed years of records in a reorganization of their
security department, and that they permitted dial-up access
into their switches for maintenance purposes with little
logging. In June, ex-hacker Kevin Mitnick -- hired by Munoz as
a consultant -- testified that prior to his 1995 arrest he had
illicit control of the company's switching systems through the
dial-ups, and also enjoyed unfettered access to a computerized
testing system called CALRS that allows users to monitor phone
lines and intercept or originate calls throughout Las Vegas.
A draft of the commission's final order in the case suggests
that Escobar Chanos found Mitnick's testimony convincing, but
that in some ways it actually hurt Munoz's case: the
ex-hacker's own testing found no evidence of ongoing call
diversion, and Mitnick testified that his access as a fugitive
was not limited to Sprint's network, but included every phone
company in every city where he'd holed up.
The draft order concludes that "Sprint's security is no better
nor no worse than that of other telephone companies," and
credits the company with taking "reasonable steps" to protect
its network.
In an interview following the ruling, Munoz vowed to take his
case to the federal courts. "What's a consumer supposed to
do?... They sent a message across the United States that the
telephone company can do whatever they want to do."