(Fwd) Nortel secret security part of court records now, gracia

Iggy River iggy at panix.com
Wed Jun 26 21:01:15 PDT 2002


I looked at the Nevada PUC (PUCN) web site and found that the most 
recent document on-line that relates to docket #00-6057 (EDDIE 
MUNOZ VS CENTRAL TELEPHONE COMPANY-NEVADA 
DBA SPRINT OF NEVADA, COMPLAINT ALLEGING 
INCOMING CALLS ARE BEING BLOCKED OR DIVERTED 
FROM CUSTOMERS BUSINESS) is from 04/07/02 - and the link is 
broken.  Clearly the below referenced document (Nortel codes) will not 
appear on-line -- at least not courtesy of the PUCN.  However, chapter 703, 
"PUBLIC UTILITIES COMMISSION OF NEVADA - GENERAL 
PROVISIONS", of the Nevada Revised Statutes states (among other 
things):

NRS 703.190 Records open to public inspection; exception.
1. Except as otherwise provided in this section, all biennial reports, 
records, proceedings, papers and files of the commission must be open 
at all reasonable times to the public.
2. The commission shall, upon receipt of a request from a public utility, 
prohibit the disclosure of any information in its possession concerning the 
public utility if the commission determines that the information would 
otherwise be entitled to protection as a trade secret or confidential 
commercial information pursuant to NRS 49.325 or 600A.070 or Rule 
26(c)(7) of the Nevada Rules of Civil Procedure. Upon making such a 
determination, the commission shall establish the period during which the 
information must not be disclosed and a procedure for protecting the 
information during and after that period.
[Part 12:109:1919; 1919 RL p. 3157; NCL § 6111] (NRS A 1995, 385)

I don't know what the legal definition of "confidential commercial 
information" is, but I doubt that the code list could be construed as a 
trade secret *of the utility*, perhaps of Nortel, but according to the 
statute only the utility can move to limit public access to the documents.  
Perhaps this document is currently accessible in hard copy in NV?
I wonder how many people have visited the PUCN office in the past 
three days!

------- Forwarded message follows -------
Date sent:      	Wed, 26 Jun 2002 09:23:14 -0700
From:           	"Major Variola (ret)" <mv at cdc.gov>
Subject:        	Nortel secret security part of court records now, gracias Kevin
To:             	undisclosed-recipients: ;

Towards the bottom of this article it's mentioned that Mitnick submitted
a list of Nortel's [1] 'security' barriers to r00t [2] on a widely used
piece of telco switching equipment.
One wonders how many copies of this info circulate in TLA's technical
intercept depts?

[1] (presumably obsolete :-)
[2] Should this be called "tapr00t" ??

----------

http://online.securityfocus.com/news/497

  Mitnick Testifies Against Sprint in Vice Hack Case

  The ex-hacker details his past control of Las Vegas' telecom network, and
  raids his old storage locker to produce the evidence.
  By Kevin Poulsen, Jun 24 2002 11:25PM

  LAS VEGAS--Since adult entertainment operator Eddie Munoz first told state
  regulators in 1994 that mercenary hackers were crippling his business by
  diverting, monitoring and blocking his phone calls, officials at local
  telephone company Sprint of Nevada have maintained that, as far as they
  know, their systems have never suffered a single intrusion.

  The Sprint subsidiary lost that innocence Monday when convicted hacker
  Kevin Mitnick shook up a hearing on the call-tampering allegations by
  detailing years of his own illicit control of the company's Las Vegas
  switching systems, and the workings of a computerized testing system that
  he says allows silent monitoring of any phone line served by the incumbent
  telco.

  "I had access to most, if not all, of the switches in Las Vegas," testified
  Mitnick, at a hearing of Nevada's Public Utilities Commission (PUC). "I had
  the same privileges as a Northern Telecom technician."

  Mitnick's testimony played out like a surreal Lewis Carroll version of a
  hacker trial -- with Mitnick calmly and methodically explaining under oath
  how he illegally cracked Sprint of Nevada's network, while the attorney for
  the victim company attacked his testimony, effectively accusing the
  ex-hacker of being innocent.

  The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence in
  allegedly allowing hackers to control their network to the benefit of a few
  crooked businesses. Munoz is the publisher of an adult advertising paper
  that sells the services of a bevy of in-room entertainers, whose phone
  numbers are supposed to ring to Munoz's switchboard. Instead, callers
  frequently get false busy signals, or reach silence, Munoz claims.
  Occasionally calls appear to be rerouted directly to a competitor. Munoz's
  complaints have been echoed by other outcall service operators, bail
  bondsmen and private investigators -- some of whom appeared at two days of
  hearings in March to testify for Munoz against Sprint.

  Munoz hired Mitnick as a technical consultant in his case last year, after
  SecurityFocus Online reported that the ex-hacker -- a onetime Las Vegas
  resident -- claimed he had substantial access to Sprint's network up until
  his 1995 arrest. After running some preliminary tests, Mitnick withdrew
  from the case when Munoz fell behind in paying his consulting fees. On the
  last day of the March hearings, commissioner Adriana Escobar Chanos
  adjourned the matter to allow Munoz time to persuade Mitnick to testify, a
  feat Munoz pulled off just in time for Monday's hearing.

  Mitnick admitted that his testing produced no evidence that Munoz is
  experiencing call diversion or blocking. But his testimony casts doubt on
  Sprint's contention that such tampering is unlikely, or impossible. With
  the five-year statute of limitations long expired, Mitnick appeared
  comfortable describing with great specificity how he first gained access to
  Sprint's systems while living in Las Vegas in late 1992 or early 1993, and
  then maintained that access while a fugitive.

  Mitnick testified that he could connect to the control consoles -- quaintly
  called "visual display units" -- on each of Vegas' DMS-100 switching systems
  through dial-up modems intended to allow the switches to be serviced
  remotely by the company that makes them, Ontario-based Northern Telecom,
  renamed in 1999 to Nortel Networks.

  Each switch had a secret phone number, and a default username and password,
  he said. He obtained the phone numbers and passwords from Sprint employees
  by posing as a Nortel technician, and used the same ploy every time he
  needed to use the dial-ups, which were inaccessible by default.

  With access to the switches, Mitnick could establish, change, redirect or
  disconnect phone lines at will, he said.

  That's a far cry from the unassailable system portrayed at the March
  hearings, when former company security investigator Larry Hill -- who
  retired from Sprint in 2000 -- testified "to my knowledge there's no way
  that a computer hacker could get into our systems." Similarly, a May 2001
  filing by Scott Collins of Sprint's regulatory affairs department said that
  to the company's knowledge Sprint's network had "never been penetrated or
  compromised by so-called computer hackers."

  Under cross examination Monday by PUC staff attorney Louise Uttinger,
  Collins admitted that Sprint maintains dial-up modems to allow Nortel remote
  access to their switches, but insisted that Sprint had improved security on
  those lines since 1995, even without knowing they'd been compromised
  before.

  But Mitnick had more than just switches up his sleeve Monday.

  The ex-hacker also discussed a testing system called CALRS (pronounced
  "callers"), the Centralized Automated Loop Reporting System. Mitnick first
  described CALRS to SecurityFocus Online last year as a system that allows
  Las Vegas phone company workers to run tests on customer lines from a
  central location. It consists of a handful of client computers, and remote
  servers attached to each of Sprint's DMS-100 switches.

  Mitnick testified Monday that the remote servers were accessible through
  300 baud dial-up modems, guarded by a technique only slightly more secure
  than simple password protection: the server required the client -- normally
  a computer program -- to give the proper response to any of 100 randomly
  chosen challenges. The ex-hacker said he was able to learn the Las Vegas
  dial-up numbers by conning Sprint workers, and he obtained the "seed list"
  of challenges and responses by using his social engineering skills on
  Nortel, which manufactures and sells the system.

  The system allows users to silently monitor phone lines, or originate calls
  on other people's lines, Mitnick said.

  Mitnick's claims seemed to inspire skepticism in the PUC's technical
  advisor, who asked the ex-hacker, shortly before the hearing was to break
  for lunch, if he could prove that he had cracked Sprint's network. Mitnick
  said he would try.

  Two hours later, Mitnick returned to the hearing room clutching a crumpled,
  dog-eared and torn sheet of paper, and a small stack of copies for the
  commissioner, lawyers, and staff.

  At the top of the paper was printed "3703-03 Remote Access Password List."
  A column listed 100 "seeds", numbered "00" through "99," corresponding to a
  column of four digit hexadecimal "passwords," like "d4d5" and "1554."

  Commissioner Escobar Chanos accepted the list as an exhibit over the
  objections of Sprint attorney Patrick Riley, who complained that it hadn't
  been provided to the company in discovery. Mitnick retook the stand and
  explained that he used the lunch break to visit a nearby storage locker
  that he'd rented on a long-term basis years ago, before his arrest. "I
  wasn't sure if I had it in that storage locker," said Mitnick. "I hadn't
  been there in seven years."

  "If the system is still in place, and they haven't changed the seed list,
  you could use this to get access to CALRS," Mitnick testified. "The system
  would allow you to wiretap a line, or seize dial tone."

  Mitnick's return to the hearing room with the list generated a flurry of
  activity at Sprint's table; Ann Pongracz, the company's general counsel,
  and another Sprint employee strode quickly from the room -- Pongracz
  already dialing on a cell phone while she walked. Riley continued his cross
  examination of Mitnick, suggesting, again, that the ex-hacker may have made
  the whole thing up. "The only way I know that this is a Nortel document is
  to take you at your word, correct?," asked Riley. "How do we know that
  you're not social engineering us now?"

  Mitnick suggested calmly that Sprint try the list out, or check it with
  Nortel. Nortel could not be reached for comment after hours Monday.

  The PUC hearing is expected to run through Tuesday.


------- End of forwarded message -------
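
Added example (not part of the forwarded article or of the original post): a sketch contrasting the static seed-list challenge-response the article describes with a keyed, nonce-based HMAC exchange, to show why a fixed table stays valid once copied while a per-device key with fresh nonces does not. The table contents, `HmacServer` and `client_response` are constructed for illustration and are assumptions, not a description of how CALRS is implemented.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in table, NOT the list from the article: seeds "00".."99"
# each map to a fixed four-hex-digit response, identical on every server.
STATIC_TABLE = {f"{i:02d}": f"{(i * 7919 + 0x1234) & 0xFFFF:04x}" for i in range(100)}

def static_verify(seed: str, response: str) -> bool:
    """Static scheme: the answer to a given seed never changes."""
    return hmac.compare_digest(STATIC_TABLE.get(seed, ""), response)

class HmacServer:
    """Hypothetical replacement: per-device key, fresh 128-bit nonce, single use."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:   # unknown or already-used challenge
            return False
        self._pending.discard(nonce)     # one attempt per challenge
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(device_key: bytes, nonce: bytes) -> bytes:
    return hmac.new(device_key, nonce, hashlib.sha256).digest()

def compare_schemes() -> dict:
    # Static table: a response recorded once stays valid for that seed.
    recorded = STATIC_TABLE["42"]
    static_replay_ok = static_verify("42", recorded) and static_verify("42", recorded)
    # HMAC: a recorded response fails on reuse, on a new nonce, on another device.
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    dev_a, dev_b = HmacServer(key_a), HmacServer(key_b)
    n1, n2 = dev_a.challenge(), dev_b.challenge()
    r1 = client_response(key_a, n1)
    return {
        "static_replay_ok": static_replay_ok,
        "hmac_first_ok": dev_a.verify(n1, r1),
        "hmac_replay_ok": dev_a.verify(n1, r1),
        "hmac_stale_response_ok": dev_a.verify(dev_a.challenge(), r1),
        "hmac_key_a_on_dev_b_ok": dev_b.verify(n2, client_response(key_a, n2)),
    }
```
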




