----------------------------------------------------------------------
Message-ID: <3621E93D-E32D-417D-852D-1ED3C6912D63@roscom.com>
Date: Mon, 1 Jan 2018 17:43:26 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How a Dorm Room Minecraft Scam Brought Down the Internet
How a Dorm Room Minecraft Scam Brought Down the Internet
THE MOST DRAMATIC cybersecurity story of 2016 came to a quiet
conclusion Friday in an Anchorage courtroom, as three young American
computer savants pleaded guilty to masterminding an unprecedented
botnet - powered by unsecured internet-of-things devices like security
cameras and wireless routers - that unleashed sweeping attacks on key
internet services around the globe last fall. What drove them wasn't
anarchist politics or shadowy ties to a nation-state. It was
Minecraft.
It was a hard story to miss last year: In France last September, the
telecom provider OVH was hit by a distributed denial-of-service (DDoS)
attack a hundred times larger than most of its kind. Then, on a Friday
afternoon in October 2016, the internet slowed or stopped for nearly
the entire eastern United States, as the tech company Dyn, a key part
of the internet's backbone, came under a crippling assault.
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
------------------------------
Message-ID: <DCD6DB61-EF2C-4D92-BB89-E4D6BBF0F3BD@roscom.com>
Date: Mon, 1 Jan 2018 11:08:26 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How the telecommunications industry influenced VoIP
deregulation legislation in 36 states
A critical discourse analysis of how the telecommunications industry
influenced VoIP deregulation legislation in 36 states
Gwen Shaffer
Abstract
About 36 U.S. states have enacted legislation that eliminates or
reduces the authority of local and state agencies to regulate
voice-over Internet protocol (VoIP) telephone services. This study
draws on critical discourse analysis to examine how lawmakers and
telecommunications providers associated widely supported policy
goals - including job creation, technological innovation, consumer
protection, digital equity and modernization - with less government
oversight of phone and broadband services. The discourse surrounding
passage of VoIP deregulation provides key insights into how the
telecommunications industry, and legislative sponsors of the bills,
adopted culturally symbolic phrases and touted populist goals to
legitimize policies that weaken consumer protections. Ultimately,
these policy frames - found within the dialogues and texts presented
to various audiences - shape the rules and regulations governing a
technology integral to daily life.
http://firstmonday.org/ojs/index.php/fm/article/view/8142/6614
------------------------------
Message-ID: <X92dnU7zfeVCitXHnZ2dnUU7-K2dnZ2d@giganews.com>
Date: Sat, 30 Dec 2017 17:49:03 -0500
From: Retired <Retired@home.com>
Subject: Alleged prank 'swatting' call turns deadly with fatal
police shooting of man in Kansas
A 25-year-old man in California has been arrested over an alleged
hoax 911 call that led to police killing an unarmed man in Kansas on
Thursday night, authorities said.
Tyler Barriss from South Los Angeles was arrested on a fugitive
warrant Friday afternoon for allegedly making the so-called
"swatting" call, according to the Los Angeles Police Department.
http://abcnews.go.com/US/la-man-arrested-swatting-incident-led-police-killing/story?id=52057251
+--------------------+
Re the 911 call to Wichita police, how does someone call 911 in KS
from Los Angeles?
Aren't 911 calls limited to that PSAP's surrounding area?
Does spoofing the CallerID get the call routed to that PSAP?
***** Moderator's Note *****
E911 centers get their phone number ID from ANI info, just like the
holders of "800" numbers, and it's difficult to forge that info from
most phone lines.
However, there's a backdoor: VoIP phones, which can be moved to
different houses or different states anytime the user wants, caused a
problem with "911" calls, i.e., that the address info sent to local
911 centers was often out-of-date and pointed to the wrong address or
the wrong city or state. Something had to be done, and it was -
however, the VoIP providers, who are in a niche market between the
"Obamaphone" users and POTS lines, cut the cost of sending accurate
info to 911 by offloading the job of entering it onto their customers.
In other words, a VoIP-based phone company, which might have customers
all across the nation, will ask each customer to fill out a 911
database form, and then that address information will be automatically
entered into the 911 database for the town/city/state involved. There
is no provision for assuring the accuracy of the information, so a
VoIP customer can change his/her 911 "location" to anything they
choose, and the 911 center that gets their "Emergency" call is none
the wiser.
IMHO, this is the canonical example of how new, highly profitable
technology often clashes with the assumptions of civic planners. The
E911 system managers assumed that good ol' Ma Bell would always
deliver the "right" address - and they forced many residents of cities
that were being converted to E911 to change their street address
numbers and/or street names so as to assure that each phone number
would report a unique address - and they didn't consider that the end
users would ever be involved in data-entry.
Bill Horne
Moderator
------------------------------
Message-ID: <930DE095-7043-4428-8888-49483C8E91CC@roscom.com>
Date: Sun, 31 Dec 2017 07:32:49 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Web trackers exploit browser login managers
No boundaries for user identities: Web trackers exploit browser login
managers
We show how third-party scripts exploit browsers' built-in login
managers (also called password managers) to retrieve and exfiltrate
user identifiers without user awareness. To the best of our knowledge,
our research is the first to show that login managers are being abused
by third-party scripts for the purposes of web tracking.
The underlying vulnerability of login managers to credential theft has
been known for years. Much of the past discussion has focused on
password exfiltration by malicious scripts through cross-site
scripting (XSS) attacks. Fortunately, we haven't found password theft
on the 50,000 sites that we analyzed. Instead, we found tracking
scripts embedded by the first party abusing the same technique to
extract email addresses for building tracking identifiers.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
Ad targeters are pulling data from your browser's password manager
Nearly every web browser now comes with a password manager tool, a
lightweight version of the same service offered by plugins like
LastPass and 1Password. But according to new research from Princeton's
Center for Information Technology Policy, those same managers are
being exploited as a way to track users from site to site.
The researchers examined two different scripts - AdThink and
OnAudience - both of which are designed to get identifiable information out
of browser-based password managers. The scripts work by injecting
invisible login forms in the background of the webpage and scooping up
whatever the browsers autofill into the available slots. That
information can then be used as a persistent ID to track users from
page to page, a potentially valuable tool in targeting advertising.
https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research
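An added example, not part of the digest or of the cited research: a defensive heuristic in JavaScript that flags the pattern described above, a script-inserted form that is invisible yet carries fields a login manager would autofill. The record layout, origins and ids are constructed assumptions; in a browser the records would be gathered with a MutationObserver plus getComputedStyle and getBoundingClientRect.

```javascript
// Added example: audit for script-injected, invisible login forms.
// Records are constructed; field names are this example's own assumptions.
const CREDENTIAL_TYPES = new Set(["password", "email"]);
const CREDENTIAL_AUTOCOMPLETE = /^(username|email|current-password)$/;

// True if the user could never see the form (hidden, transparent,
// collapsed to at most 1px, or positioned off-screen).
function isInvisible(f) {
  const s = f.style, r = f.rect;
  return s.display === "none" || s.visibility === "hidden" ||
         Number(s.opacity) === 0 || r.width <= 1 || r.height <= 1 ||
         r.right < 0 || r.bottom < 0;
}

// True if the form has a field a login manager would try to fill.
function hasCredentialField(f) {
  return f.inputs.some(i => CREDENTIAL_TYPES.has(i.type) ||
                            CREDENTIAL_AUTOCOMPLETE.test(i.autocomplete || ""));
}

// One finding per form that is script-inserted, invisible and fillable.
// thirdParty marks scripts served from an origin other than the page's.
function auditForms(pageOrigin, forms) {
  return forms
    .filter(f => f.insertedByScript && hasCredentialField(f) && isInvisible(f))
    .map(f => ({
      id: f.id,
      script: f.insertedByScript,
      thirdParty: new URL(f.insertedByScript).origin !== pageOrigin,
    }));
}

// Constructed sample snapshot (hypothetical origins and ids).
const SAMPLE_FORMS = [
  { id: "login", insertedByScript: null, // shipped in the page's own HTML
    style: { display: "block", visibility: "visible", opacity: "1" },
    rect: { width: 320, height: 180, right: 600, bottom: 400 },
    inputs: [{ type: "email", autocomplete: "username" }, { type: "password" }] },
  { id: "f0", insertedByScript: "https://tracker.example/t.js",
    style: { display: "block", visibility: "visible", opacity: "1" },
    rect: { width: 0, height: 0, right: 0, bottom: 0 },
    inputs: [{ type: "email" }, { type: "password" }] },
  { id: "search", insertedByScript: "https://shop.example/app.js",
    style: { display: "none", visibility: "visible", opacity: "1" },
    rect: { width: 0, height: 0, right: 0, bottom: 0 },
    inputs: [{ type: "text", autocomplete: "off" }] },
];

console.log(auditForms("https://shop.example", SAMPLE_FORMS));
```

Only the zero-sized form inserted by the other-origin script is reported; the visible login form and the hidden search box are not.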
------------------------------
*********************************************
End of telecom Digest Wed, 03 Jan 2018