Mitnick Testifies on Telco's Security

← Back to Stories (view on slashdot.org)

Mitnick Testifies on Telco's Security

Posted by michael on Monday June 24, 2002 @11:57PM from the what-me-worry dept.

Woefdram writes "Our favourite computer criminal (?) Kevin Mitnick testified in a case against Telco Sprint that their security was like Swiss cheese: full of holes. The story on SecurityFocus quotes Mitnick, saying, 'I had access to most, if not all, of the switches in Las Vegas,' and tells how he came up with a list of 100 challenge-response codes." We've written about this case before.

3 of 206 comments (clear)

Min score:

Reason:

Sort:

Re:Publicity grubbing... by CodeMonky · 2002-06-25 00:12 · Score: 4, Insightful

You left something out, Mitnicks response to the question.

Mitnick suggested calmly that Sprint try the list out, or check it with Nortel. Nortel could not be reached for comment after hours Monday Perhaps he knew that spring/nortel couldn't be reached. But you should still at least include the response if you're gonna quote something like that.

--
--"Karma is justice without the satisfaction"
from a former Nortel employee... by deander2 · 2002-06-25 01:08 · Score: 4, Insightful

I worked for a year and a 1/2 on a project designed to replace the DMS-100 provisioning and configuration systems. I can tell you that those systems are complex in the extreme to set up correctly. I knew people who had worked with them for 20 years and still had questions about how they worked. It's not through Sprint's stupidity that they were hackable, it is a by-product of overly complex system engineering.

This is a common problem in this industry. Having complex systems when you're the defacto standard makes a great revenue stream in your consulting and training systems, but kills the reliability of said systems. Nortel/Cisco/IBM never take the fall for it however, because they can just say "well, you didn't configure it right" and Sprint/etc can't even argue - it would take 2 years and 10 consultants to even find out.

--
http://kered.org
1. Re:from a former Nortel employee... by JUSTONEMORELATTE · 2002-06-25 01:35 · Score: 5, Insightful
  
  To be REALLY fair to nortel, while the web was young seven years ago, (the net was old, even then) that has absolutely nothing to do with this crack job.
  The DMS-100s were broken the good old fashioned way -- use a war dialer to find the dialup number, then call the switch directly. Once connected, try the obvious passwords first (either admin/admin or admin/NORTEL_DEFAULT_PASSWORD, which Mitnick had learned from Nortel docs)
  
  Deander2 got it right -- Nortel designed an absurdly complex product, and was unmotivated to clean house because they were able to rake in the consulting bucks. WHEN (not if) this comes back to bite a client in the butt (like it did with Sprint) Nortel takes no heat for it, and in fact most likely gets even MORE consulting dollars for a hasty clean-up effort.