Mitnick Testifies on Telco's Security

Woefdram writes "Our favourite computer criminal (?) Kevin Mitnick testified in a case against Telco Sprint that their security was like Swiss cheese: full of holes. The story on SecurityFocus quotes Mitnick, saying, 'I had access to most, if not all, of the switches in Las Vegas,' and tells how he came up with a list of 100 challenge-response codes." We've written about this case before.

Why do it?

[Anonymous Coward]

Why give yet more attention to a pathological 'social engineer' (liar)?

Publicity grubbing...

[Ratface]

The only thing Mitnick is better at than hacking (or possibly eating pizza!) is publicity grubbing. Let's face it, there have been thousands of better crackers, but Mitnick manages to always claim the spotlight. Most people would want to lie low after what Mitnick has been through - but he has a career as "Celebrity Cracker" to maintain.

I liked this quote "The only way I know that this is a Nortel document is to take you at your word, correct?," asked Riley. "How do we know that you're not social engineering us now?" - now *that* guy is thinking correctly!

Sentence

[Dilbert_]

Wasn't he forbidden to do any kind of computer related work ever again? And would testifying in this case mean breaking his parole? Just wondering...

You have to wonder.

[Nomad7674]

The article indicates that Mitnick is calmly able to lay out what he did, because the statute of limitations has expired on his alleged crimes. Anyone who has spent anytime watching LAW & ORDER (and of its spin-offs) has to wonder if there is an enterprising District Attorney somewhere combing the law for any permutation of the law WITHOUT a statute of limitations to use against him based on this testimony. For example, he can not be tried for the hacking itself, but could he be tried for Conspiracy?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Double Jeopardy

[Anonymous Coward]

Of course, the problem with the movie "Double Jeopardy" is the fact that there was no double jeopardy involved. If you kill someone and are tried for that, and it turns out the person isn't dead after all, you can still be tried for killing them again since it's a different crime. Same person, but different crime.

It's like saying that if you rob a bank the first time, you're going to jail. But each time you rob it after that, you can't be tried because you've already been tried once. Not likely, you're still going to jail again and again.

Not surprising

[nakedsavage]

This does not surprise me at all. I work for a large telecommunications company. 4 years ago our group took over responsibility for 40 switches, 32 of which were DMS-100s. The forst thing we had to do was change the admin passwords- some were still the default password installed by Nortel when the switch was first built, others were as simple as admin:admin. All someone would have needed to do is call a NOC and pose as a Nortel engineer to get the dial up numbers and voila! Tens of thousands of customers without service and a very long report to the FCC.

Re:Sentence

[Wingchild]

From http://www.usdoj.gov/criminal/cybercrime/mitnick.h tm [usdoj.gov] :

"Once he is released from prison, Mitnick will be on supervised release for three years, during which time his access to computers and his employment in the computer industry will be severely restricted."

While testifying in a case isn't technically work in the computer industry, consulting definetly would be. Maybe this is outside the scope because we're talking about telco equipment and not computers per se (which, coincidentally, goes back to Mitnick's roots as a marginally talented phreaker and a decent social engineer)?

Or perhaps Mitnick's just an outright idiot. I don't recall him getting wailed on by Sprint during his legal proceedings, so I'm not certain that he's exempted from prosecution by way of double jeopardy. A curious thing, this testimoney.

An interesting turn-about

[tshoppa]

The SecurityFocus article takes a very interesting look at the PUC hearing and is, I think, very newsworthy and a significant legal development.

What is most vital is that in this case, unlike other previous Mitnick cases, the telco is arguing that Mitnick didn't break in while Mitnick is insisting that he did. Mitnick is offering proof in the form of documents and passwords and the Sprint of Nevada lawyer is saying that the information Mitnick is bogus or publicly available. This is such an exact turnaround from the last legal tangle that Mitnick was in that I gotta wonder if it's even the same universe.

Does this have any relevance to legal cases outside the Munoz "Vegas escort" case? I don't know, but I could see it happening: Hollywood lawyers calling on DeCSS authors and users, arguing that the software they have doesn't actually promote piracy. Could be interesting!

Re:Publicity grubbing...

[Ami Ganguli]

Under the circumstances, I can't say I blame him. The man isn't allowed to touch a computer. Nowadays that means he can't even work at McDonalds.

Cashing in on his celebrity is the only carreer option the guy has.

Re:Why do it?

[JPriest]

As someone that was following the series of articles that securityfocus was publishing on "phone phreakers owning Vegas" this is actually very interesting news. The articles detail about how "hackers" are stealing business by re-routing phone calls. After multiple complaints from the business owners sprint could never seem to find a problem during its investigations and insisted they were crazy. It was concluded that the "hackers" had someone inside working for sprint tipping them off because the phone system always seemed to route just fine while sprint was doing its audits. One of the frustrated business owners hired Kevin Mitnick to come in and help straighten things out, and that was the last I've heard till now. The Security focus has a write up is here [securityfocus.com]

Re:Sentence

[unFKNreal]

I especially like this part... "Judge Pfaelzer ordered Mitnick to pay only totalling just over $4,125. Judge Pfaelzer said she was issuing this nominal restitution order based on the Court's determination that the defendant would have limited earnings in the future."

Limited earnings my ass. You just know as soon as those 3 years are up (which should be soon), he's gonna be raking it in as a security consultant for somebody like IBM or Sun... Wonder what that judge thinks now!

Vendors to blame

[scoove]

were still the default password installed by Nortel

Had the same problem with a bunch of calling card switches installed by PCM (Priority Call Management - somewhat of a bigger name in that world).

Root passwords were "root", no OS patches (SCO & QNX) were ever applied since "they hadn't tested whether their software would interoperate with a patched version of the OS", .rhosts were common between systems to enable trusting, all the usual sockets were wide open, etc.

Course, then there's the time we were paying Lucent $75,000 to install voice access concentrators and they complained that they couldn't telnet to them. Lucent set 200.200.200.0/24 addresses on all the systems they built - just made up a number - and couldn't figure out why the numbers wouldn't route across the open Internet. Boy did I get a stupid look when I asked the Lucent people what the Comite Gestor no Brasil thought about their address scheme... (whois 200.200.200.0@whois.arin.net)

Really, how do these folks stay in business?

*scoove*

On the good side of the Mafia...

[sfgoth]

So one theory is that the Mafia was behind Munoz's problems. Forget legal trouble... how much trouble might Kevin be getting himself into now?

Sprint's security DOES suck, first hand story.

[rice_burners_suck]

How Sprint's crappy security directly affected me.

I live in Arizona, and I have four Sprint PCS phones: One for myself and three are for my "on-call" employees. These phones are on 24 hours a day for obvious reasons.

A disgruntled ex-employee in Delaware (who had been fired years ago), who happens to know my phone number, strolled into a Sprint PCS store in Kentucky, and asked the proprietor (or rather, the idiot working there) to bring up my account information. Now remember: All this person knew was my phone number. The Sprint PCS idiot happily punched up my account and showed the unidentified person my account details: All my phone numbers, numbers that had been called on these phones, how much my bill was... it goes on and on. In short, someone who only knew my phone number got access to all my "private" information, no questions asked.

I discovered this when the person in Delaware (who was in Kentucky at the time) called and told me, in the form of a threat. I immediately called the Sprint PCS customer support line and told them of the problem. They had some explaining to do, and I expected them to immediately change my phone numbers and account information. They refused, and explained that any such breach of security was impossible: The gentleman in the store should have asked for an account password. If the customer didn't know the password (or so claimed the customer support woman), the account information could not be accessed. This made sense, as computers do ask for passwords before showing any protected information. So I assumed the ex-employee was lying to annoy me, and dropped the issue.

Later that night, angry employees began calling me repeatedly and complaining of crank calls. Then, I got a call from the disgruntled shmoe in Delaware. Turns out, my assumption had been wrong. I came to the conclusion that private account information is protected by nothing more than a company policy: The employees in the stores can bring up any account, and the password is DISPLAYED along with all the other information. They're SUPPOSED TO ask you for the password before giving out any information. That's one hell of a security system, eh? So I immediately called Sprint PCS's customer support thing again, but this time, when they answered, I demanded to talk to a supervisor. The conversation went something like this:

Sprint PCS lady: May I ask about the nature of the call?

Me THE NATURE OF THE CALL IS SPRINT PCS GIVING OUT MY PERSONAL INFORMATION TO STRANGERS WITHOUT MY CONSENT!

Sprint PCS lady: One moment...

At this point, a supervisor lady answered, and I explained (rather angrily, I may add) exactly what happened, and DEMANDED that they change all my phone numbers IMMEDIATELY. (I was doing this as an immediate action, to be followed by any number of things, including the high possibility of cancelling my account altogether, followed by strong legal action.) Now the supervisor freaked out and got a bunch of people on my case within minutes. She explained that my conclusion about their security had been correct (that nothing is password protected at all), but that I could optionally make my account "high security", which basically means that certain other information (like a social security number or something) is needed before account details can be accessed. So I demanded that my account immediately be made high security. Then, she began the process of changing my phone numbers, and mentioned that it would cost some amount of dollars to make the change. At that point, I became pissed and said, "I'M STILL CONSIDERING WHETHER I'M GOING TO SUE YOU AND YOU'RE GOING TO CHARGE ME TO CHANGE THE PHONE NUMBERS, AFTER YOUR COMPANY SCREWED UP?!?!?!?" She realized the error of her ways and waived the fees. I continued to raise hell with Sprint PCS for an hour or so, making DAMN SURE that no errors would occur in my next bill (because every time a change is made with them, errors show up in the next bill or two and you have to call and bitch about it, especially when you have multiply phones), and that international calls won't be disabled on the phones (because enabling international calls is a long and complicated process with them, one that raised my blood pressure to the sky too), and that various other problems won't pop up. In all, they were a bit helpful, considering they did screw me over.

But anyway, that was MY story of how much their security sucks.

No, troll...

[Anonymous Coward]

It doesn't harm us "all". It harms those people whose card numbers were misused, those who were blackmailed, and those who were spied upon.
Pirating music albums only hurts the RIAA....

Your "logic" doesn't hold up.