Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Criminals Tying Up Emergency Phone Lines Through TDoS Attacks, DHS Warns

Posted by Soulskill on from the now-you're-just-being-jerks dept.

tsamsoniw writes "Emergency-service providers and other organizations are being targeted with TDoS (telephony denial of service) attacks, according to a security alert (PDF) from the Department of Homeland Security and the FBI, obtained by security expert Brian Krebs. TDoS attacks use high volumes of automated calls to tie up target phone systems, halting incoming and outgoing calls. Perpetrators are using the attacks to extort cash from target organizations, who receive a call from a representative from a purported payday loan company, who demands payment of $5,000 for an outstanding debt — usually speaking in an unspecified 'strong accent.'"

17 of 115 comments (clear)

  1. Police, Fire Brigade, Truncheon, Axe... by flyingfsck · · Score: 2

    I can think of various interesting ways to handle these idiots.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
    1. Re:Police, Fire Brigade, Truncheon, Axe... by Barryke · · Score: 2

      This just like a telephony call after ransomware. Its hard to know their address, they usually are foreign and call via VOIP gateways.

      --
      Hivemind harvest in progress..
    2. Re:Police, Fire Brigade, Truncheon, Axe... by mwvdlee · · Score: 3, Insightful

      The money has to be deposited somewhere, and that somewhere may be traceable.
      I understand that is how scam-/spam-gangs are traced.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:Police, Fire Brigade, Truncheon, Axe... by Big+Hairy+Ian · · Score: 2

      You've obviously never tried to trace a fraudulent transaction though multiple jurisdictions :(

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:Police, Fire Brigade, Truncheon, Axe... by wonkey_monkey · · Score: 2

      No, it's clearly more like holding the owner responsible if someone steals the car and crashes it into another vehicle, isn't it?

      --
      systemd is Roko's Basilisk.
    5. Re:Police, Fire Brigade, Truncheon, Axe... by FireFury03 · · Score: 2

      Require VOIP providers to provide proper safeguards or stop operating (and having access) to any of the wired networks?
      Seems like a fairly simple solution.

      That's very similar to saying the solution to botnets is to require computer owners to provide proper safeguards. In short: completely unworkable. We're not just talking about big VoIP gateways, we're talking about anyone who has a VoIP device exposed to the internet. FWIW, I see a *lot* of SIP wardialling attempts on my Asterisk servers - in my case they all get given a "callee number invalid" response, but presumably there are enough misconfigured PBXes around to make it worth setting a botnet to work finding one that will allow anonymous callers to make PSTN calls.

      --
      http://blog.nexusuk.org
    6. Re:Police, Fire Brigade, Truncheon, Axe... by DarkOx · · Score: 2

      I too have advocated the owners of machines should be responsible for its actions on the network. Someone does something bad from your open or weakly secured access point, you are at least liable for civil negligence claims. Someone makes your PC a botnet member and there is a ddos or spam incident, ditto.

      I come down on side of end user owning the responsibility mostly because if the end users don't fix it someone like the DHS is going to fix it for them and the result will be another crony capitalism tax dollar give away, a strait jacket on everyone's freedom, and good bye to yet more privacy even for those who do choose to put effort into protecting that.

      I am not sure the car analogies really work here. Not sure but I think there have heard some cases where owners of guns and cars have faced some civil liability for damages where they failed to secure them properly and they were used in crimes. So there may be some useful precedent there.

      A better analogy though still stretched is to give the computer equipment some agency. Treat it like a large dog. If you have one and you leave it outside you'd better have a secure fence or some other way to keep it confined to your property. If the dog gets loose and does something unintended like bite someone you the owner have to be responsible for it.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Police, Fire Brigade, Truncheon, Axe... by __aaltlg1547 · · Score: 2

      A computer is not a car, nor is it a dog. But it's more like the car than the dog. It does not go do things by itself without human intervention. The human who commands it to do the illegal thing should be the only one held responsible. Holding individual owners responsible for staying ahead of an ever-increasing threat is absurd.

    8. Re:Police, Fire Brigade, Truncheon, Axe... by andy.ruddock · · Score: 2

      Ok, yes, if the owner has left the keys in the ignition, the doors unlocked, and walked away leaving a big sign on the car saying "please steal me".

      --
      God: An invisible friend for grown-ups.
    9. Re:Police, Fire Brigade, Truncheon, Axe... by DarkOx · · Score: 4, Interesting

      Right a computer is not a car or a dog; the analogy is stretched in either case. I am not saying owners should be criminally culpable. Whoever made unauthorized use of the equipment should be. I do think they should be exposed to civil liability where their maintenance of the machine is found to be negligent.

      A civil court would be free to decide for example that it appears your machine was pwnd by a zero day; and there is nothing therefore you could have 'reasonably' done so you have no responsibility for any damage it was used to inflict. OOTH your machine hasn't seen a patch in four years and your firewall is no-existent or configured so as to be nearly useless you could be responsible as you were negligent.

      (here we go again another car analogy) Just like you'd be negligent if you left your car in neutral without the parking break applied and it rolled in to traffic while you were shopping. Sure we might blame the guy who gave it a push if he was known or could be found but in most cases its going to land in the owners lap.

      I am not saying the analogies fit exactly or that its entirely fair but a few things are true:
      1) Leaving an un-patched, unprotected box connected to the internet is a negligent (if not legally practically).
      2) Something is going to be done about this issue now that banks and utilities are being DDOSed unless that stops;
      3) Most of us won't like the something in 2
      4) If you want individuals to take computer security seriously they will need to be either made to or to feel they are personally at risk if they don't.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re:Police, Fire Brigade, Truncheon, Axe... by Runaway1956 · · Score: 3, Insightful

      Hmmm. Where do I fit into all of this? I run Linux Mint Debian. I've basically turned the firewall off, on the computer and at the router. No antivirus. But, I'm up to date with a rolling distro. Although I have three versions of Java installed, my browsers don't know about them. Flash is installed, and disabled by default. Javascript is disabled by default, but I can select sites on which to run it. In the unlikely event that I am pwned - how liable do you think I should be? Are my precautions adequate?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    11. Re:Police, Fire Brigade, Truncheon, Axe... by ExploHD · · Score: 3, Funny

      You've obviously never tried to trace a fraudulent transaction though multiple jurisdictions :(

      It's simple really, just write a program in VB so you can backtrace it.

  2. "unspecified strong accent"... oblig.Monty Python? by fantomas · · Score: 2

    "unspecified strong accent"

    There must be a Monty Python reference here, because it sure ain't science....

  3. Re:Appropriate response by BeerCat · · Score: 3, Interesting

    What if it is being done by rival emergency services?

    The automated telephone exchange was invented by someone who ran a fire brigade, and reckoned (rightly, as it turned out), that the switchboard operators were favouring his rival.

    With increasing fragmentation, then the "best performing" one will be the one that can answer calls; by blocking a rival, they can't answer as many calls, and hence will appear to be performing less well (and hence will be shut down)

    --
    "She's furniture with a pulse"
  4. Re:Appropriate response by raburton · · Score: 5, Informative

    > The automated telephone exchange was invented by someone who ran a fire brigade

    Not quite, he was an undertaker:
    http://en.wikipedia.org/wiki/Almon_Brown_Strowger

  5. Bad headline by anorlunda · · Score: 2

    The security alert linked in the summary says that the attacks were on the administrative lines of the emergency services, not the 911 lines. The summary and the Slashdot headline are bogus.

  6. Re:block them by PPH · · Score: 2

    That would be just great for the E911 system. Ask someone to enter a four digit code while they are being raped/stabbed/beaten to death.

    --
    Have gnu, will travel.