http://www.securityfocus.com/news/205
By Kevin Poulsen
May 14, 2001 1:12 AM PT
Eddie Munoz knows a secret about Las Vegas.
As the operator of one of the city's oldest in-room adult
entertainment services, Munoz knows Vegas is a town fuelled by the
unceasing buzz of money and vice. When he was at the top of his game
his phones rang 100 times a day, and he dispatched private nude
"dancers" (prostitution is illegal in Las Vegas) to the hotels along
the Strip fifteen to twenty times a night, raking in, he says,
$240,000 a year in referral fees.
That's not the secret.
The secret, Munoz says, lies in the hundreds of miles of modern glass
fiber and aging copper wire buried beneath the town's sun-baked
streets, and in the dozens of digital switches that speed data and
voice from one end of the Strip to the other. Munoz believes that for
a decade a shadowy cabal of criminals, corrupt insiders and
professional hackers has had an illicit stranglehold on Vegas
cyberspace, and all but muscled him out of the adult entertainment
industry by selectively blocking, tapping and rerouting the telephone
lines crucial to the outcall biz.
"In this business, you receive your calls from 5:00 in the afternoon
until 5:00 in the morning, and that's when they hit us," says Munoz.
"It's like you're the Maytag man. The phone will not ring."
These days Munoz is lucky if he gets one or two customers a night, and
his once great empire of vice is a threadbare operation run from an
office in his home, far from Vegas' neon core. He's hanging on
primarily through his hard-won ownership of nearly half of the five
hundred licensed news racks on the Strip, which he crams with stacks
of his own paper, "The Las Vegas Informer" -- twelve gritty pages of
advertisements for "Red Hot Red Heads" and "Hot Hot Hot Tall Sexy
Blondes." Until recently, every phone number advertised in the paper
went to Munoz's switchboard, yet his phones still didn't ring. The
economics of the situation eventually forced him to sell advertising
space to a competitor to pay the rent.
Munoz's phone problems are legion; his log of trouble-reports
stretches longer than a junkie's rap sheet. Callers from outside
Vegas, or from payphones and cell phones, get through, he says, but
hotel callers get false busy signals, or reach silence, driving them
into the arms of competing services. Sometimes calls are rerouted
directly to a competitor, he claims. And when a would-be customer does
get through, and Munoz dispatches a dancer to the tourist's hotel
room, she's likely to find another entertainer already there.
"Sometimes they beat us to the calls, like they're listening," says
Munoz.
At least three other adult entertainment outfits, a private
investigator and a bail bondsman have reported similar patterns. "I'd
get half a ring, and pick up the phone, and there would be no one
there," says Hilda Brauer, the former owner of the now-defunct "Sexy
Girls" outcall service. In 1998, Brauer filed suit against the local
phone company, a competitor she blamed for the problem, and the
publisher of the Donnelly Directory, in which Sexy Girls had seven
full page ads. She later dropped the suit, closed her business, and
now makes her living telling fortunes for a psychic hotline. "I lost
my home, I had to sell my furniture to get money to move into an
apartment," says Brauer.
Peter Vilencia, a former bail bondsman, had phone problems as well.
Vilencia purchased Bail Bonds Inc. in 1996, and, after a week of brisk
business springing drunken tourists and small time crooks from the
Clark County Detention Center, he suddenly suffered a sharp drop in
call volume. "At 4:00 in the afternoon Friday, my phone would stop
ringing," says Vilencia, who sold the company last year. "Almost every
weekend for nearly four years, you could set your watch by it."

Sabotage defies testing

"We would lose our phones from Friday night, through the weekend, and
that's the most common time people get arrested," recalls Mike Kapfer,
Vilencia's former bounty hunter. Sometimes the phones would half-ring,
as though call forwarding was in effect; more commonly, inmates would
seem to be switched to a competing bond writer in mid call. Only calls
from the jail were at risk. "If I tried calling the number from my
cell phone, it would go through," says Kapfer.
Both men agree with Munoz and Brauer that someone is pulling strings
from deep within the network. "I had guys watching the building in the
back where the phone lines come in, and the junction boxes down the
street," says Vilencia. "It had to be internal, nobody else had
access."
But even after Brauer's lawsuit, years of formal complaints from
Munoz, a written complaint from a private investigator who claimed to
be losing calls, and two stories about the call diversion allegations
in The New York Times, the local phone company is adamant that nothing
is wrong.
"We've run our tests, we've spent time and resources on this, and we
haven't seen any indication of call diversion," says Scott Collins, of
Sprint subsidiary Central Telephone's department of regulatory
affairs. Last November, at the direction of the Nevada Public
Utilities Commission (PUC), the phone company ran three days of test
calls from five different Las Vegas hotels: the Sahara, Travel Lodge,
Vagabond, Motel 6, and Four Queens. Of 205 calls, all but 23 went
through, and none were diverted to competitors. (Further investigation
of the 23 incomplete calls turned up innocent explanations.) Testing
by AT&T in 1997 produced similar results.
Munoz blames leaks -- he says everyone knew the tests were taking
place, and the culprits deliberately let the calls slip through. But
in December, a reporter's call from a Vegas hotel also went through
without incident.
Could the Vegas cyber jacking be a myth, woven from the detritus of
failed businesses and blurry technological anecdotes? If so, it's a
myth that's attained the status of 'common knowledge' on Vegas'
nocturnal fringe, and in one bizarre case, it almost made an adult
entertainment operator the victim of brutal mob reprisal.

Vinnie "Aspirins" and his power drill

It happened in 1998: An FBI investigation into police corruption in
Vegas turned up a six-man organized crime plot to muscle in on a
handful of successful Las Vegas outcall services, which had been
trouncing a mob-backed venture headed by one of the men, Christiano
DeCarlo.
According to court documents, the conspirators, allegedly affiliated
with the Gambino crime family, were particularly interested in moving
in on Richard Soranno, the owner of one of the town's largest
services, Vegas Girls. They believed Soranno had been diverting phone
calls from competitors, including DeCarlo, with the help of a
mysterious computer expert named Charles Coveney.
"Coveney has contacts in the Sprint Telephone Company and is able to
have telephone calls diverted from one number to another," the
gangsters believed, according to an FBI affidavit. The men expected to
"persuade" Coveney to leave Soranno "and assist DeCarlo in his out
call business by diverting telephone calls to DeCarlo." Among the
persuasive tools at the gang's disposal, an enforcer named Vinnie
"Aspirins" Congiusti, flown in from Tampa, who reputedly earned his
nickname by once using a cordless power tool to drill holes in
someone's head.
When the mobsters began scouring Las Vegas for Coveney, the FBI was
forced to swoop in, prematurely pulling the plug on a massive
undercover operation. All six men later pleaded guilty to conspiracy.
Vinnie "Aspirins" died in jail from apparent heart failure last year.
Today, there's no love lost between Munoz and Soranno; Munoz believes,
but admits he cannot prove, that Soranno is one of the masterminds of
a plot to destroy his business, while Soranno says that's exactly the
kind of talk that nearly got him whacked. "It all got started because
Munoz picked up on a rumor and made it into a thing," says Soranno.
"He put my life in danger." The sex mogul says he doesn't know anyone
named Charles Coveney, and has triumphed in the adult entertainment
trade purely through marketing skill and general business acumen.
"Munoz is the worst businessman in the world," Soranno says. "If you
were the worst businessman in the world, would you get calls?"

Telco: Vegas is hack proof

But even Soranno sees corruption in the ebb and flow of Vegas'
telephonic tide -- though not in Sprint's network. At some hotels, he
believes, corrupt insiders monitor the PBX logs for calls to adult
entertainment services. When they spot one, they leapfrog the service
by sending their own entertainer to the guest's room. "Once they know
there's an interested party, they can send someone up," says Soranno.
If true, the tactic would explain the duplicate-dancer scenario Munoz
reports. "If a girl goes to a call, and another girl is already there,
the first thing they think is someone's tapping the phone," says
Soranno.
Sprint's Collins says that, as far as Sprint Central Telephone knows,
the company has never had a problem with corrupt employees or hackers
of any kind. "No one that we're aware of," says Collins. "We haven't
had any indication that any of that has happened."
The company came to the same conclusion in September 1995, in response
to a complaint filed with the Nevada PUC (then called the Public
Service Commission) by Hilda Brauer. According to documents in the
case, the commission's staff concluded that the volume of complaints
suggested something was indeed rotten in Vegas cyberspace, but there
was no "probable cause" to believe Sprint Central Telephone was
culpable. The commission noted that the telephone company had
"followed established rules and regulations and had turned up no
evidence of an illegal intrusion into its network."
For decades, regional and long distance telephone companies from coast
to coast have seen hackers gain control of critical systems. Most
recently, in 1999 federal officials won guilty pleas from three
members of a nationwide hacker group they dubbed "The Phone Masters."
Until the FBI raided them in 1995, The Phone Masters had access to
Sprint Long Distance, Southwestern Bell and GTE computers, and in some
areas of the country were able to obtain unlisted phone numbers,
monitor phone lines, and leverage their access to crack unrelated
systems, including the FBI's National Crime Information Center (NCIC).
If Sprint Central Telephone has never been hacked, the company is a
rarity among telecommunications carriers. But SecurityFocus has
learned that the company's Las Vegas network may not be immune to
hackers after all.

"Vegas was easy"

Until he went on the lam in the early nineties, Las Vegas was a
home-away-from-home for the world's most famous hacker, Kevin Mitnick,
who had family in town. And from approximately 1992 until his February
1995 arrest, Mitnick says he enjoyed substantial illicit access to the
Vegas network. What's more, he recalls once being approached with an
offer to redirect calls from an adult entertainment service for a
single weekend, for $3,000. "They wanted me to somehow take control of
the line and forward it," Mitnick recalls.
"It would have taken, had I wanted to do it, all of three minutes."
Currently under court supervision after five years in prison, Mitnick
is not known to have ever cashed in on his hacking, and he says he
never participated in a call diversion scheme. But he points to two
specific holes in the Las Vegas network that would make such a scheme
possible for a knowledgeable insider, or a sophisticated hacker.
For starters, Mitnick says he had direct access to the control
consoles on Vegas' switching systems through dial-up modems. Each
Nortel DMS switch had a secret phone number, and a default username
and password. The dial-ups were normally inaccessible, and Mitnick had
to call a Sprint employee and pose as a technician to get the lines
turned on, he says. Once that was done, "I had the same access to the
switch that the techs did," he recalls: total control over how calls
are routed.
With access to the switches, Mitnick found it useful to launder his
calls through Sin City as an anti-tracing tactic, even when he was
hiding out in Seattle and Raleigh, North Carolina. "Vegas was easy,"
Mitnick says.
The second hole is a testing system pronounced "Callers" -- Mitnick
says he never saw its name in print, so he doesn't know how it was
spelled or capitalized. As he describes it, the system was designed to
allow phone company workers to run tests on customer lines, "loops" in
the parlance of telephony, from a central location. The system
consisted of a handful of client computers, and remote servers
attached to each of Sprint Central Telephone's DMS-100 switches.
Vegas' remote servers were poorly protected, Mitnick says. They were
accessible through low-speed dial-up modems, guarded by a technique
only slightly more secure than simple password protection: the server
required the client -- normally a computer program -- to give the
proper response to any of 100 randomly chosen challenges. "It would
prompt you with a query, and you would have to answer promptly,"
Mitnick says. "It was a number, like 54, and it had a certain hex
response, like 3FAE."
Mitnick says he was able to learn the Las Vegas dial-up numbers by
conning Sprint workers, and he snagged the "seed list" of challenges
and responses from the company that made the system, Ontario-based
Northern Telecom, renamed in 1999 to Nortel Networks. "I had to call
Nortel and have one of the engineers talk me through it," says
Mitnick. "I told them I was writing software that had to interface
with it."
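
Added example (not from the original article, and not Nortel or Sprint code): a Python model of the fixed challenge-response check described above, set beside an HMAC over a fresh nonce, measuring how often a copied table or merely recorded traffic passes a later login. The class names, the table contents and the HMAC design are assumptions for illustration; the article gives only the count of 100 challenges and the 54/3FAE style of pair.

```python
import hashlib
import hmac
import secrets

class StaticTableAuth:
    """Weak form: the server picks one of a fixed set of challenges and
    expects the matching entry from a shared lookup table."""
    def __init__(self, table):
        self.table = dict(table)
    def issue(self):
        return secrets.choice(list(self.table))
    def expected(self, challenge):
        return self.table[challenge]

class HmacNonceAuth:
    """Hardened form: fresh 128-bit nonce, response = HMAC-SHA256(key, nonce)."""
    def __init__(self, key):
        self.key = key
    def issue(self):
        return secrets.token_bytes(16)
    def expected(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).hexdigest()

def record_sessions(auth, count):
    """Legitimate logins as seen on the wire: {challenge: response}."""
    seen = {}
    for _ in range(count):
        c = auth.issue()
        seen[c] = auth.expected(c)
    return seen

def replay_acceptance(auth, recorded, attempts):
    """Fraction of new logins that pass using only previously seen pairs."""
    ok = 0
    for _ in range(attempts):
        c = auth.issue()
        answer = recorded.get(c, "")
        ok += hmac.compare_digest(answer, auth.expected(c))
    return ok / attempts

# Constructed sample table; the values are random, not real responses.
TABLE = {n: f"{secrets.randbelow(0x10000):04X}" for n in range(100)}

def demo():
    weak, strong = StaticTableAuth(TABLE), HmacNonceAuth(secrets.token_bytes(32))
    return (replay_acceptance(weak, dict(TABLE), 200),                 # table copied
            replay_acceptance(weak, record_sessions(weak, 50), 2000),  # traffic only
            replay_acceptance(strong, record_sessions(strong, 50), 2000))
```

With the fixed table, anyone holding the list passes every login, and 50 observed sessions alone already pass a large share of later ones; with a fresh nonce per login, recorded pairs never recur.
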
The system allowed users to silently monitor phone lines, or originate
and answer phone calls on other people's lines, Mitnick says. "All you
needed was a laptop and a phone." The implications go well beyond mere
call-napping. "Somebody with real criminal intent, in a city like Las
Vegas -- think of the possibilities."
Nortel spokesman David Chamberlin dismissed Mitnick's account as "wild
speculation" and "rumor." But a list on the company web site offers a
feature called "CALRS", "Centralized Automated Loop Reporting System,"
as an option on the company's DMS line of switches. Elsewhere on the
site, Nortel literature describes CALRS as an "external test access
system."
A Sprint spokesperson, and an attorney representing the company, both
declined to comment on CALRS, and would neither confirm nor deny the
existence of a poorly protected testing system that might be an open
door into the inner sanctum of Vegas' telecommunications
infrastructure.

Public hearings set

The company may not be able to stay mum forever. After fielding years
of complaints, the State of Nevada is now taking Munoz's allegations
seriously. In February, over Sprint's objections, the PUC found
"probable cause" for a full investigation, and has scheduled public
hearings for September. Meanwhile, the commission is demanding
answers. Last month it formally served Sprint with a "data request"
asking, among other things, whether the company has ever been hacked.
The company responded Thursday, once again claiming that there was no
evidence that it had ever suffered from corrupt employees or outside
intruders.
Sprint's Collins is no longer talking to reporters, referring calls to
the company's outside counsel, Patrick Reilly, a lawyer with the
Nevada law firm Hale Lane Peek Dennison Howard and Anderson. "To our
knowledge, there's been no evidence of a breach of the network," says
Reilly.
"Now I have subpoena power," says Munoz. "Look out."
"Eddie's been knocking on people's doors, various governmental
entities, for years, and as far as I know this is the first genuine
forum that he's gotten," says Nevada PUC consumer complaint manager
Rick Hackman. "Although he hasn't convinced us that Sprint is at
fault, we believe that he deserves the forum to make his case in front
of the full commission."
The PUC decision to hold hearings is an enormous victory for Munoz,
and it raises the stakes for Sprint Central Telephone. If Munoz
prevails, the commission could impose monetary fines and sanctions.
Further, Munoz says he'll sue the company for $20 million.
That's the price, he says, for ten years of lost business, in a period
that's seen mind boggling growth in the city. Construction of super
hotels like the Bellagio, the Venetian, Paris, and Aladdin have pushed
Las Vegas' guest capacity to over 120,000 hotel rooms, and the city
now hosts some four thousand conventions each year. And that's a lot
of people who could have been trying to call one of Munoz's Hot Hot
Hot Tall Sexy Blondes.
Received on Tue May 15 01:25 CDT 2001