Cyber Criminals Tying Up Emergency Phone Lines Through TDoS Attacks, DHS Warns 115
tsamsoniw writes "Emergency-service providers and other organizations are being targeted with TDoS (telephony denial of service) attacks, according to a security alert (PDF) from the Department of Homeland Security and the FBI, obtained by security expert Brian Krebs. TDoS attacks use high volumes of automated calls to tie up target phone systems, halting incoming and outgoing calls. Perpetrators are using the attacks to extort cash from target organizations, who receive a call from a representative from a purported payday loan company, who demands payment of $5,000 for an outstanding debt — usually speaking in an unspecified 'strong accent.'"
Re:Appropriate response (Score:4, Interesting)
What if it is being done by rival emergency services?
The automated telephone exchange was invented by someone who ran a fire brigade, and reckoned (rightly, as it turned out), that the switchboard operators were favouring his rival.
With increasing fragmentation, then the "best performing" one will be the one that can answer calls; by blocking a rival, they can't answer as many calls, and hence will appear to be performing less well (and hence will be shut down)
Re:Police, Fire Brigade, Truncheon, Axe... (Score:2, Interesting)
That's like saying home users should be made personally liable if their PC is infected with a virus that adds it to a botnet and is used for a DDOS attack.
Or like saying a car driver should be responsible for the damage he causes if he crashes into another vehicle.
Oh.. wait..
Re:Police, Fire Brigade, Truncheon, Axe... (Score:5, Interesting)
Right a computer is not a car or a dog; the analogy is stretched in either case. I am not saying owners should be criminally culpable. Whoever made unauthorized use of the equipment should be. I do think they should be exposed to civil liability where their maintenance of the machine is found to be negligent.
A civil court would be free to decide for example that it appears your machine was pwnd by a zero day; and there is nothing therefore you could have 'reasonably' done so you have no responsibility for any damage it was used to inflict. OOTH your machine hasn't seen a patch in four years and your firewall is no-existent or configured so as to be nearly useless you could be responsible as you were negligent.
(here we go again another car analogy) Just like you'd be negligent if you left your car in neutral without the parking break applied and it rolled in to traffic while you were shopping. Sure we might blame the guy who gave it a push if he was known or could be found but in most cases its going to land in the owners lap.
I am not saying the analogies fit exactly or that its entirely fair but a few things are true:
1) Leaving an un-patched, unprotected box connected to the internet is a negligent (if not legally practically).
2) Something is going to be done about this issue now that banks and utilities are being DDOSed unless that stops;
3) Most of us won't like the something in 2
4) If you want individuals to take computer security seriously they will need to be either made to or to feel they are personally at risk if they don't.