36 Years of the Digest ... founded August 21, 1981
Copyright © 2017 E. William Horne. All Rights Reserved.

The Telecom Digest for Wed, 03 Jan 2018
Volume 37 : Issue 2 : "text" format

Table of contents
How a Dorm Room Minecraft Scam Brought Down the Internet - Monty Solomon
How the telecommunications industry influenced VoIP deregulation legislation in 36 states - Monty Solomon
Alleged prank 'swatting' call turns deadly with fatal police shooting of man in Kansas - Retired
Web trackers exploit browser login managers - Monty Solomon
----------------------------------------------------------------------

Message-ID: <3621E93D-E32D-417D-852D-1ED3C6912D63@roscom.com>
Date: Mon, 1 Jan 2018 17:43:26 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How a Dorm Room Minecraft Scam Brought Down the Internet

How a Dorm Room Minecraft Scam Brought Down the Internet

THE MOST DRAMATIC cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet - powered by unsecured internet-of-things devices like security cameras and wireless routers - that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn't anarchist politics or shadowy ties to a nation-state. It was Minecraft.

It was a hard story to miss last year: In France last September, the telecom provider OVH was hit by a distributed denial-of-service (DDoS) attack a hundred times larger than most of its kind. Then, on a Friday afternoon in October 2016, the internet slowed or stopped for nearly the entire eastern United States, as the tech company Dyn, a key part of the internet's backbone, came under a crippling assault.

https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/

------------------------------

Message-ID: <DCD6DB61-EF2C-4D92-BB89-E4D6BBF0F3BD@roscom.com>
Date: Mon, 1 Jan 2018 11:08:26 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How the telecommunications industry influenced VoIP deregulation legislation in 36 states

A critical discourse analysis of how the telecommunications industry influenced VoIP deregulation legislation in 36 states

Gwen Shaffer

Abstract

About 36 U.S. states have enacted legislation that eliminates or reduces the authority of local and state agencies to regulate voice-over Internet protocol (VoIP) telephone services. This study draws on critical discourse analysis to examine how lawmakers and telecommunications providers associated widely supported policy goals - including job creation, technological innovation, consumer protection, digital equity and modernization - with less government oversight of phone and broadband services. The discourse surrounding passage of VoIP deregulation provides key insights into how the telecommunications industry, and legislative sponsors of the bills, adopted culturally symbolic phrases and touted populist goals to legitimize policies that weaken consumer protections. Ultimately, these policy frames - found within the dialogues and texts presented to various audiences - shape the rules and regulations governing a technology integral to daily life.

http://firstmonday.org/ojs/index.php/fm/article/view/8142/6614

------------------------------

Message-ID: <X92dnU7zfeVCitXHnZ2dnUU7-K2dnZ2d@giganews.com>
Date: Sat, 30 Dec 2017 17:49:03 -0500
From: Retired <Retired@home.com>
Subject: Alleged prank 'swatting' call turns deadly with fatal police shooting of man in Kansas

A 25-year-old man in California has been arrested over an alleged hoax 911 call that led to police killing an unarmed man in Kansas on Thursday night, authorities said.

Tyler Barriss from South Los Angeles was arrested on a fugitive warrant Friday afternoon for allegedly making the so-called "swatting" call, according to the Los Angeles Police Department.

http://abcnews.go.com/US/la-man-arrested-swatting-incident-led-police-killing/story?id=52057251

+--------------------+

Re the 911 call to Wichita police, how does someone call 911 in KS from Los Angeles? Aren't 911 calls limited to that PSAP's surrounding area? Does spoofing the CallerID get the call routed to that PSAP?

***** Moderator's Note *****

E911 centers get their phone number ID from ANI info, just like the holders of "800" numbers, and it's difficult to forge that info from most phone lines.

However, there's a backdoor: VoIP phones, which can be moved to different houses or different states anytime the user wants, caused a problem with "911" calls, i.e., that the address info sent to local 911 centers was often out-of-date and pointed to the wrong address or the wrong city or state.

Something had to be done, and it was - however, the VoIP providers, who are in a niche market between the "Obamaphone" users and POTS lines, cut the cost of sending accurate info to 911 by offloading the job of entering it onto their customers.

In other words, a VoIP-based phone company, which might have customers all across the nation, will ask each customer to fill out a 911 database form, and then that address information will be automatically entered into the 911 database for the town/city/state involved. There is no provision for assuring the accuracy of the information, so a VoIP customer can change his/her 911 "location" to anything they choose, and the 911 center that gets their "Emergency" call is none the wiser.

IMHO, this is the canonical example of how new, highly profitable technology often clashes with the assumptions of civic planners. The E911 system managers assumed that good ol' Ma Bell would always deliver the "right" address - and they forced many residents of cities that were being converted to E911 to change their street address numbers and/or street names so as to assure that each phone number would report a unique address - and they didn't consider that the end users would ever be involved in data-entry.

Bill Horne
Moderator

------------------------------

Message-ID: <930DE095-7043-4428-8888-49483C8E91CC@roscom.com>
Date: Sun, 31 Dec 2017 07:32:49 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Web trackers exploit browser login managers

No boundaries for user identities: Web trackers exploit browser login managers

We show how third-party scripts exploit browsers' built-in login managers (also called password managers) to retrieve and exfiltrate user identifiers without user awareness. To the best of our knowledge, our research is the first to show that login managers are being abused by third-party scripts for the purposes of web tracking.

The underlying vulnerability of login managers to credential theft has been known for years. Much of the past discussion has focused on password exfiltration by malicious scripts through cross-site scripting (XSS) attacks. Fortunately, we haven't found password theft on the 50,000 sites that we analyzed. Instead, we found tracking scripts embedded by the first party abusing the same technique to extract email addresses for building tracking identifiers.

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

Ad targeters are pulling data from your browser's password manager

Nearly every web browser now comes with a password manager tool, a lightweight version of the same service offered by plugins like LastPass and 1Password. But according to new research from Princeton's Center for Information Technology Policy, those same managers are being exploited as a way to track users from site to site.

The researchers examined two different scripts - AdThink and OnAudience - both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.

https://www.theverge.com/2017/12/30/16829804/browser-password-manager-adthink-princeton-research

------------------------------

*********************************************
End of telecom Digest Wed, 03 Jan 2018
