Cyber Criminals Tying Up Emergency Phone Lines Through TDoS Attacks, DHS Warns
tsamsoniw writes "Emergency-service providers and other organizations are being targeted with TDoS (telephony denial of service) attacks, according to a security alert (PDF) from the Department of Homeland Security and the FBI, obtained by security expert Brian Krebs. TDoS attacks use high volumes of automated calls to tie up target phone systems, halting incoming and outgoing calls. Perpetrators are using the attacks to extort cash from target organizations, who receive a call from a representative from a purported payday loan company, who demands payment of $5,000 for an outstanding debt — usually speaking in an unspecified 'strong accent.'"
Police, Fire Brigade, Truncheon, Axe... (Score:3)
Re: (Score:3)
This is just like a telephony call after ransomware. It's hard to know their address, they usually are foreign and call via VOIP gateways.
Re: (Score:2, Interesting)
That's like saying home users should be made personally liable if their PC is infected with a virus that adds it to a botnet and is used for a DDOS attack.
Or like saying a car driver should be responsible for the damage he causes if he crashes into another vehicle.
Oh.. wait..
Re: (Score:2)
The question is - how do you know that VoIP call isn't from a local person needing 911 services? After all, a lot of people have dumped landlines in favor of VoIP lines. And s
Re: (Score:2)
Parent's implicit argument was: Hold the victims of computer crime accountable because they didn't apply common sense to protect their computers like they would do (for example) to protect their car. He made this argument by describing how common sense measures protect your car and the things in it from being stolen. I just wanted to point out that this argument is wrong.
Re: (Score:2)
Ok, yes, if the owner has left the keys in the ignition, the doors unlocked, and walked away leaving a big sign on the car saying "please steal me".
Of course, because no otherwise secure system has ever been compromised by a zero-day attack.
Re: (Score:2)
The millions of those who can't be bothered to update their systems have been bloody lucky not to get caught up in it then haven't they?
And just because somebody might get caught out by a zero day doesn't automatically absolve everybody from taking some responsibility for the security of their systems.
Re: (Score:2)
How many of these infections are caused by the user not having up-to-date AV software and blindly clicking on links in random e-mails?
You have to take some responsibility.
Re: (Score:1)
The point is there is currently no reasonable, cost effective, fair method to decide if a user has taken 'sufficient' steps to secure their PC, especially if you are talking about someone just being one small part of a botnet.
To make this reasonable you would have to have (say) a government license to use any general purpose computing device, whereby your responsibilities are laid out to you and you show in some way that you understand them - similar to a driving license.
And we'd all love to have the govern
Re: (Score:2, Flamebait)
And we'd all love to have the government decide who gets to have a PC, wouldn't we?
You do not have to go through all that.
Simply bring back the command line. Have people run Linux. Make the computers a little more difficult to use. Just a little.
Make them think a tiny bit when hooking up to the internet. Daily.
Even if you removed licensing for cars the percentage of people that would go on the road with NO ability to drive would be small.
The number of people with no fucking clue how to read or not click a link that travel the information super highway is STAGGERING!
Make the barrier to ent
Re: (Score:3)
I too have advocated the owners of machines should be responsible for its actions on the network. Someone does something bad from your open or weakly secured access point, you are at least liable for civil negligence claims. Someone makes your PC a botnet member and there is a ddos or spam incident, ditto.
I come down on the side of the end user owning the responsibility mostly because if the end users don't fix it someone like the DHS is going to fix it for them and the result will be another crony capitalism tax
Re:Police, Fire Brigade, Truncheon, Axe... (Score:5, Interesting)
Right a computer is not a car or a dog; the analogy is stretched in either case. I am not saying owners should be criminally culpable. Whoever made unauthorized use of the equipment should be. I do think they should be exposed to civil liability where their maintenance of the machine is found to be negligent.
A civil court would be free to decide for example that it appears your machine was pwnd by a zero day; and there is nothing therefore you could have 'reasonably' done so you have no responsibility for any damage it was used to inflict. OTOH your machine hasn't seen a patch in four years and your firewall is non-existent or configured so as to be nearly useless you could be responsible as you were negligent.
(here we go again another car analogy) Just like you'd be negligent if you left your car in neutral without the parking brake applied and it rolled in to traffic while you were shopping. Sure we might blame the guy who gave it a push if he was known or could be found but in most cases it's going to land in the owner's lap.
I am not saying the analogies fit exactly or that it's entirely fair but a few things are true:
1) Leaving an un-patched, unprotected box connected to the internet is negligent (if not legally, practically).
2) Something is going to be done about this issue now that banks and utilities are being DDOSed unless that stops;
3) Most of us won't like the something in 2
4) If you want individuals to take computer security seriously they will need to be either made to or to feel they are personally at risk if they don't.
Re: (Score:1)
Right a computer is not a car or a dog; the analogy is stretched in either case. I am not saying owners should be criminally culpable. Whoever made unauthorized use of the equipment should be. I do think they should be exposed to civil liability where their maintenance of the machine is found to be negligent.
A civil court would be free to decide for example that it appears your machine was pwnd by a zero day; and there is nothing therefore you could have 'reasonably' done so you have no responsibility for any damage it was used to inflict. OTOH your machine hasn't seen a patch in four years and your firewall is non-existent or configured so as to be nearly useless you could be responsible as you were negligent.
Or we just make all PC owners everywhere throughout the land take compulsory insurance against third party attacks should their PCs or network become infected.
Cars already have compulsory insurance required by law.
Re:Police, Fire Brigade, Truncheon, Axe... (Score:4, Insightful)
Hmmm. Where do I fit into all of this? I run Linux Mint Debian. I've basically turned the firewall off, on the computer and at the router. No antivirus. But, I'm up to date with a rolling distro. Although I have three versions of Java installed, my browsers don't know about them. Flash is installed, and disabled by default. Javascript is disabled by default, but I can select sites on which to run it. In the unlikely event that I am pwned - how liable do you think I should be? Are my precautions adequate?
Re: (Score:2)
Where do I fit into all of this?
Let's see...
I run Linux Mint Debian.
Ouch... AppArmor instead of SELinux.
I've basically turned the firewall off, on the computer and at the router.
No least amount of privileges (see AppArmor as well), making you expose functionality one can abuse. Very. Stupid.
Flash is installed, and disabled by default.
I hope it's not Adobe Flash? Take Gnash for DRM'd YouTube. Use this for everything else:
http://youtube.com/html5 [youtube.com]
And please don't tell me you need Flash for anything important.
Widely spread closed source crap that is internet-only. (plugin, right?)
Javascript is disabled by default, but I can select sites on which to run it.
Entire... sites? Not individual scripts? Not per-session or whitelist?
In the unlikely event that I am pwned - how liable do you think I should be?
You did no
Re: (Score:2)
AppArmor - check.
Gnash - check.
Javascript - whitelist and per session, check.
forgot to disable the file:/// protocol in use by your webbrowser, - OOPS! Yeah, my browser can open files in my home folder - fixing that! DUHHH!
The ONLY whitelisted WIFI is the one I own.
Rooting a mobile device? How else do you get rid of un-needed, un-wanted crap installed by the telco? Cyanogen Mod!
Re: (Score:2)
Rooting your device is difficult, so doing it yourself makes it so fscking easy for a cracker to use it?
And about that WiFi...
Laptop: "Is my SSID HomeRouter1337 around?"
MITM attack script: change SSID to HomeRouter1337
HomeRouter1337~: "Right here baby 3"
Laptop: "I wanna connect to 9gag so bad"
HomeRouter1337~: "Not so fast, lolcats. I've got badass security 'n shit, so why don't you prove you are not an evil scriptkiddy first?"
Laptop: "Don't worry man, the password is 1234luggage"
MITM attack script: change WPA2
Re: (Score:2)
Given some of the idiotic rulings on tech cases we've seen out of courts even at the highest levels wit
Re: (Score:2)
And that cuts to the heart of the problem with such a system.. who decides what taking sufficient steps involves? People who support this idea assume that they or someone like them will be in charge, but chances are it would be a bureaucratic mess which would involve certification of underlying components (like the OS), which would not make FOSS people very happy...
The only people who would benefit from such a situation are lawyers who would have another category of people to sue.
Re: (Score:2)
No you don't do that. It's up to whoever feels they were wronged to sue the owners of the machines or not. Most people who get DDOSed won't do it. The time it would take to file all the discovery motions, collect the evidence and build a case would mostly be more than what they could hope to collect.
Yes the software vendors should absolutely be potentially on the hook too if you could show they made no effort to address security issues in a timely manner or knowingly ignored security issues, etc.
You are trying
Re: (Score:1)
Unfortunately, an ISP would likely require you to run some closed source executable on your machine to do this "verification", and it would be very unlikely that they would support a version of said executable on the OS or distribution that you prefer (unless you prefer the latest version of Microsoft Windows). And it wouldn't take long before some ISPs would use this as an opportunity to install some toolbar that sticks their ads in your face.
BTW, since /. is all about analogies - mine for this situa
Re: (Score:1)
Some universities and businesses do this already with things like this http://www.bradfordnetworks.com/network_sentry [bradfordnetworks.com]
Re: (Score:1)
It should be on the user to make sure that their computer is clean. Claiming ignorance is hurting everyone.
Re: (Score:2)
They should.
Fuck them and their virus laden PCs.
If you can not make good decisions then fuck you and get your viral POS off my fucking internet.
Re: (Score:3)
Require VOIP providers to provide proper safeguards or stop operating (and having access) to any of the wired networks?
Seems like a fairly simple solution.
That's very similar to saying the solution to botnets is to require computer owners to provide proper safeguards. In short: completely unworkable. We're not just talking about big VoIP gateways, we're talking about anyone who has a VoIP device exposed to the internet. FWIW, I see a *lot* of SIP wardialling attempts on my Asterisk servers - in my case they all get given a "callee number invalid" response, but presumably there are enough misconfigured PBXes around to make it worth setting a botnet to work
Re: (Score:2)
Require VOIP providers to provide proper safeguards or stop operating (and having access) to any of the wired networks?
Seems like a fairly simple solution.
Brilliant!
This is exactly what the motivation for these alleged attacks is.
Big Phone Providers annual back room meeting:
Let's kill this VOIP thing before it eats all of our monstrous profit margin. Let's see, how can we do that? Oh, I know, let's get the public all enraged about VOIP providers and see if we can regulate them out of business. We will hire a bunch of Kenyans and put them in some basement somewhere and use Voip to attack something to scare the Americans into regulating Voip either out of business or back into our hands. Brilliant. And then we will post the "Solution" on Slashdot to get the sheeple thinking in the right direction. Good one! More caviar, and another glass of wine all around.
Re:Police, Fire Brigade, Truncheon, Axe... (Score:4, Insightful)
The money has to be deposited somewhere, and that somewhere may be traceable.
I understand that is how scam-/spam-gangs are traced.
Re: (Score:1)
The money has to be deposited somewhere, and that somewhere may be traceable.
And this is where Bitcoin becomes an interesting option for ransom payments.
Re:Police, Fire Brigade, Truncheon, Axe... (Score:4, Funny)
You've obviously never tried to trace a fraudulent transaction through multiple jurisdictions :(
It's simple really, just write a program in VB so you can backtrace it.
Re: (Score:2)
It can think that, but will find out otherwise when the Romanian institution in question gives the US the middle finger.
Unless they want good ol' Western Union... (Score:2)
If they demand payment via Western Union, it cannot be traced, and I'm pretty sure $5k is under their max transaction amount.
Re: (Score:2)
And when that somewhere is "we-dont-care-what-the-FBI-says" China or Romania, then what?
Re: (Score:1)
Unless that information is lost by the time the call arrives at the carrier.
There has to be an originating caller id - as this is who is charged for the call,
certainly if the destination is not an emergency services number.
Re: (Score:2)
The fundamental problem is that the phone system is notoriously insecure and trusts the sending provider to show accurate information. All you need to do to spoof the calling info? A digital line.. this means that any office with a T1 or better and a digital PBX can spoof calls and worse yet VOIP services often let the caller set that info as well.
We all get to suffer because the telcos are too lazy to add egress filtering.
Re: (Score:2)
How do you tell a legitimate emergency call from a VOIP customer from a malicious one also originating with VOIP?
Re: (Score:2)
Yeah, my Asterisk boxes used to get slammed with brute force attempts left and right from foreign IP addresses, then I installed Fail2ban. Works wonders.
Re: (Score:2)
This is just like a telephony call after ransomware. It's hard to know their address, they usually are foreign and call via VOIP gateways.
Which suggests that this is but another ploy to induce knee-jerk regulation of the VOIP industry, with the ultimate goal of forcing everyone back to POTS. Geee, who would want to do that, you say? Other than your nanny state Federal Government, and several telephone companies I can't think of anyone.
This is pretty much a non issue, because 911 calls in any area can instantly be re-routed to a different ACTUAL Phone number on the fly, a feature built into the 911 system to handle the possibility that the 9
...Pb therapy (Score:2)
"unspecified strong accent"... oblig.Monty Python? (Score:3)
"unspecified strong accent"
There must be a Monty Python reference here, because it sure ain't science....
Re: (Score:1)
It is probably this one [youtube.com] you silly english kniggets.
Re:Appropriate response (Score:4, Interesting)
What if it is being done by rival emergency services?
The automated telephone exchange was invented by someone who ran a fire brigade, and reckoned (rightly, as it turned out), that the switchboard operators were favouring his rival.
With increasing fragmentation, then the "best performing" one will be the one that can answer calls; by blocking a rival, they can't answer as many calls, and hence will appear to be performing less well (and hence will be shut down)
Re: (Score:1)
Sorry, am I correct in thinking you are saying you have RIVAL emergency services. Really?!
Re: (Score:2)
Rival emergency services, united by phone number. Maybe Capcom can make a fighting game [wikipedia.org] of this.
Re: (Score:2)
Sorry, am I correct in thinking you are saying you have RIVAL emergency services. Really?!
More likely the Phone companies themselves, who would like nothing more than to kill off independent VOIP providers.
Re:Appropriate response (Score:5, Informative)
> The automated telephone exchange was invented by someone who ran a fire brigade
Not quite, he was an undertaker:
http://en.wikipedia.org/wiki/Almon_Brown_Strowger [wikipedia.org]
Re: (Score:2)
As far as I can tell, you're wrong; see http://en.wikipedia.org/wiki/Telephone_exchange#Historic_perspective [wikipedia.org]
Wikipedia seems to be slightly contradicting itself on these two pages. This one, however, is the one I believe to be correct (from having heard the same thing from numerous different sources).
Re: (Score:2)
What are you saying is correct/incorrect? You say you believe the version on the page you have linked to, but this also states that the automated exchange was invented by Strowger (the person I linked to), so as far as I can work out from your link you are agreeing with me.
Re: (Score:2, Funny)
Jedi Masters need to pay bills just like everybody else...
Re: (Score:2)
Jedi Masters need to pay bills just like everybody else...
Pix or it didn't happen.
Re: (Score:2)
I bet it isn't an English accent...
Not necessarily: Most scammers are from the Third World, e.g. Yorkshire.
Re: (Score:2)
So is it a network of compromised phones now ??
Don't think "phones", think "devices that are connected to both the phone network and the internet". PCs of users who kept their modems after switching to broadband for "backup" or "fax". VOIP exchanges (whether private or service provider operated) with PSTN gateway hardware, smartphones and so-on.
Re: (Score:2)
My opinion is that the telcos have too many cheap overseas cables being hacked. These are "inside jobs". Some unscrupulous telcos are selling their leftover call center volume on hard lines to the USA.
So they are "war dialing" from blocks that the telcos reserved for large company call centers, debt collectors, etc.. Those are lines with all the "spoofing" left on so YOU can't block the paying telemarketers and debt collectors. The telco can't cut them off because its the same lines companies pay lots of m
Re: (Score:2)
that involves a computer and a network, where the computers may or may not have played an instrumental part in the commission of a crime.
Quick! to the USPTO! That'll fix 'em!
Manslaughter (Score:1)
If they are caught, these people should be held financially and criminally responsible for any emergency call that fails to go through. If anyone dies, I would think they should be charged with manslaughter at the least, but given that they intentionally tied up phone lines for emergency calls I would go as far as to call it premeditated murder.
Re: (Score:2)
Throwing the book at them (preferably an authentic replica of the stone tablets that the 10 Commandments were written on) would be very satisfying, but arguing premeditation would be a challenge - there are definitely elements to the scam that suggest it could be made to stick, but the defence would also have plausible arguments.
Manslaughter or culpable homicide would be easier to argue for, and given that you would almost certainly be looking at more than one death, the results should amount to a similar t
Bad headline (Score:3)
The security alert linked in the summary says that the attacks were on the administrative lines of the emergency services, not the 911 lines. The summary and the Slashdot headline are bogus.
Re: (Score:2)
Or, it might be deliberately spun that way to give people the impression that they are "putting the safety of the general public" at risk, which, I believe, is one of the unquestionable patriot-act definitions of terrorism?
block them (Score:1)
Re: (Score:3)
That would be just great for the E911 system. Ask someone to enter a four digit code while they are being raped/stabbed/beaten to death.
Testing infrastructure weaknesses (Score:2)
I've read, heard about a lot of recent DoS attacks lately, from banks to power grids to government agencies and now to phone lines. I've seen my share of things that are systematically done to break something down, so I see all these attacks (some successful) as a strategic way for those who want to hurt us to prepare for the big hit. Just like corporations that are considered "Too Big to Fail", I think our US infrastructure has been built this way also. The more we interconnect to make things easier to
Are they sure (Score:2)
It may be Rachael from Card Services...
Because Punking the Police is Such a Good Idea (Score:2)
Somebody may not have thought their clever little plan through as completely as they might have liked. The police have guns. And a lot of friends with guns. And a solid organized network for both communicating among themselves and with other departments, through multiple channels. I don't see this ending in a big payday.