Google Play Store to Rentroduce Androd Gamblng Apps n March

Last year, the cyber attack, which closed the two top casinos in Las Vegas, quickly became one of the most notable security stories in 2023. U. S. -English hackers, whose native language is English, is known as the first case with Russi a-based Ransomware group. However, this story like this Hollywood movie surpassed much more terrible trends: many young cyber criminals in Europe and the United States have been bullying, stalking, harassing, and blackmailing, and in their teens. He is also a member of the rapidly growing online group, which exists only to add physical harm to us.

In September 2023, Russia's Ransomware Group, known as Alphv/Black Cat, has invaded MGM Resorts Hotel Chain and quickly stopped MGM casinos in Las Vegas. While MGM is still trying to get rid of the intruder from the system, a person who knows hacking directly contacts multiple media and interviews the history of hacking.

One of the testimony about hacking is from a 1 7-yea r-old boy living in the UK, and one of the hackers speaking English calls the MGM technical support representative and reset the password of the employee account. He said that he had begun to enter after deceiving.

Security company CROWDSTRIKE has named the group "Scattered Spider". This is a perception that MGM hackers are from a variety of parliamentary native, scattered on the sea of ​​Telegram and Discord server, which specializes in cyber crimes for money.

A group of chat communities, which specialize in the crime, are collectively called the "The com," and functions as a kind of distributed cyber crime network that promotes collaboration.

However, in most cases, thecom is a place where cyber criminals boast of their achievements, their positions in the community, or lower others by one or two steps. The top members of Com are always fighting opinions on who succeeded in the most stunning robbery or who saved the most of the stolen virtual currency.

As well as extacing the victims for financial benefit, the members of Thecom are trying to take the money stolen from the cyber criminal's rival.

CrowDstrike later manufactured and sold the action figure of the Scattered Spider, and at this year's RSA Security Conference in San Francisco, it exhibited a lif e-sized Scattered Spider sculpture.

But marketing security products and services based on specific cybercrime groups can be troubling, especially when it turns out that robbing and extorting victims isn't the most odious activity those groups routinely engage in.

KrebsOnSecurity investigated the Telegram user ID number of the account that provided media interviews about the MGM hack (corresponding to the screen name "@Holy") and discovered that the same account is used by a number of cybercrime channels focused entirely on blackmailing young people into harming themselves or others and recording the harm on video.

HOLY NAZI

Holy was known for owning multiple valuable Telegram usernames, including @bomb, @halo, and @cute, as well as one of the most valuable Telegram usernames ever to be put up for sale: nazi.

In a post on a Telegram channel dedicated to extorting young people, the same user is seen asking if anyone knows the current Telegram handles of several core members of 764, an extremist group known for victimizing children through coordinated online campaigns of extortion, doxing, swatting, and harassment.

They often lurk on gaming platforms, social media sites, and mobile applications popular with young people, such as Discord, Minecraft, Roblox, Steam, Telegram, and Twitch, to recruit new members.

"This type of crime typically begins with direct messages through gaming platforms and may move to more private chat rooms on other virtual platforms, typically with video capabilities, where the conversations quickly become sexual or violent," warns a recent alert issued by the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.

"One of the tactics used by these actors is sextortion, but they are not using it to extract money or for sexual gratification," the RCMP continued. "Instead, they use it to further manipulate and control their victims and create more harmful and violent content as part of their ideological objectives and radicalization path.

The 764 Network is one of the most populous victim communities, but there are many others. Some of the largest known groups include CVLT, Court, Kaskar, Leak Society, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303 and H3ll.

In March, a consortium of reporters from Wired, Der Spiegel, Recorder and The Washington Post investigated millions of messages in more than 50 Discord and Telegram chat groups. "We investigated millions of messages in more than 50 Discord and Telegram chat groups that found evidence of perpetrators who sexually abused children and forced them to self-harm, inflicting deep lacerations on their bodies and carving 'cut signs' of their perpetrators' online aliases into their skin." The article continues:

"Victims have flushed their heads down the toilet, attacked their siblings, killed their pets, and in extreme cases attempted or died by suicide. According to court records in the United States and European countries, participants in this network have also been charged with robbery, sexual abuse of minors in public, kidnapping, weapons violations, swatting, and murder.

"Some members of this network blackmail children for sexual gratification, others for power and control, some simply for the pleasure of manipulation. Others sell explicit CSAM content created through blackmail on the dark web."

KrebsOnSecurity has learned that Holy is a 17-year-old who was arrested by West Midlands Police in the UK in July 2024 as part of a joint investigation with the FBI into the MGM hack.

Early in his cybercriminal career (around age 15), @Holy went by the handle Vsphere and was a proud member of the cybercrime group LAPSUS$. Until 2022, LAPSUS$ had hacked and social engineered some of the world's largest technology companies, including EA Games, Microsoft, NVIDIA, Okta, Samsung, and T-Mobile.

The recent criminal group that stole a huge amount of customer records from users of cloud data provider Snowflake is also a timely example of the overlap between the toxic community and top members of The Com.

JUDISCHE/WAIFU

In late 2023, malicious hackers discovered that many large companies were uploading large amounts of valuable and sensitive customer data to Snowflake's servers, while the Snowflake accounts were protected by just usernames and passwords (no multi-factor authentication required). They then tracked down stolen Snowflake account credentials on darknet markets and began raiding data vaults used by some of the world's largest companies.

Some companies that leaked data in SnowFlake also included at & amp; T. AT & Amp; T announced in July that cyber criminals had stolen personal information, telephone and text messages for almost all customers.

According to a report on extortion groups announced by the inciden t-compatible company Mandiant, Snowflake damage companies were personally contacted and required ransom instead of selling or leaking stolen data. More than 160 tissues, including Ticketmaster, Lending Tree, Advance Auto Parts, and Neiman Marcus, have been exposed to over 160 tissues.

On May 2, 2024, a user named "Judische" claimed that it had hacked Santandale Bank, one of the first victims of SnowFlake, on the Star Chat on the Telegram channel specializing in fraud. Judische repeated this claim on the STAR Chat on May 13, the day before Santandale announced data leakage, and regularly before the data was sold in the cyber criminal forum, the name of other SnowFlake victims. Was spoken.

If you look carefully at Judische's account history and posting to Telegram, you can see that this user is widely known for the nickname "WAIFU".

In the SIM swapping attack, the scammers are reedirect on the device that attackers control calls and text messages from target mobile phones using their authentication information and use those authentication information. do.

Some Telegram channels frequently update the 10 0-rich SIM swapper leader boards related to the 10 0-rich SIM swapper and a specific cyber criminal group (WAIFU is 24th). The leader board for a long time contained WAIFU in the group's hacker list, named "Beige."

BEIGE members were involved in two articles published here in 2020. The first is a voice fishing aimed at the mobile-19 employee mobile device due to the epidemic of COVID-19 in an article called "Voice PHISHERS TARGETING CORPORPORATE VPNS" published in August 2020. The waves of the attack have rushed, and many of them have been deceived to provide the necessary authentication information to remote and access to the employer's network.

Beige group members also claim to be a device of domain registries in Godaddy. In November 2020, an intruder who seems to be related to the beige group deceives a GODADDY employee to install malicious software, and redires the web and email web and e-mails of multiple cryptocurrency trading platforms with its access. I was able to do it.

Looking at the Telegram channel that Judische and his related accounts have been frequently used for many years, this user posted to SIM swapping and Cyber ​​Crime Cash Autchannel and in harmful communities such as Leak Society and Court. You can see that you are spending time on harassment and stalking acts.

Mandiant states that SnowFlake's infringement is based on a group called "UNC5537", which is based in North America and Turkey. Krebsonsecurity has revealed that Judische is a 2 6-yea r-old software engineer living in Ontario, Canada.

According to Krebsonsecurity, which is close to the investigation of the SnowFlake case, the members of the UNC5537 in Turkey were John Erin Bins (John Erin Bins), leaked at least 76. 6 million customers. It is said that T-MOBILE's 2021 violation of the United States Judge (DOJ) was indicted by the US Department of Justice (DOJ).

Bins is currently detained by Turkish prison and is fighting over. On the other hand, he has sued almost all federal organizations and investigators who provided investigative resources to their incidents.

According to a Mandiant employee in June 2024, the members of the UNC5537 have been killed by the Cyber ​​Security expert who are investigating hackers, and in one case. It is said that he used artificial intelligence to create fake nude photos from researchers and harass them. read more

September 10, 2024

Bug Left Some Windows PCs Dangerously Unpatched

Microsoft has released a update to correct at least 79 security vulnerability of the company's Windows operating system and related software. Microsoft has also revised a serious bug that had not applied a dangerous patch for aggressively abusive vulnerabilities for several months this year.

Among the security weaknesses released by Microsoft today, the overwhelmingly worrisome is CVE-2024-43491. According to Microsoft, some vulnerabilities have been rolled back some of the vulnerability that affect the "optional component" of a specific Windows 10 system manufactured in 2015. They include a Windows monthly security update program released in March 2024, or a Windows 10 system installed with other updates released until August 2024.

According to Satnam Narang, a senior staffing engineer of Tenable, the expression "Explosoft's advisory" "Explosoft" is abused by cyber criminals. However, in the CVE-2024-43491, it seems that this was displayed as this was re-introduced the vulnerability that had previously been found to be abused by the rollback of the correction program.

"To fix this issue, users need to apply both services stack updates in September 2024 and Windows security updates in September 2024," Narang said.

Kev Breen, a senior director of ImmerSive Labs, says CVE-2024-43491, the fundamental cause of the Windows 10, the build version checked by the update service is in the code. He said that it was not properly processed.

According to Microsoft's precautionary note, "The build version number has entered the range that causes code defects." "In short, some versions of Windows 10, whose optional components are enabled, were left in a vulnerable state. Read more.

advertisement

September 3, 2024

Sextortion Scams Now Include Photos of Your Home

Known as SexTortion, a new personality has been added to the old but persistent email fraud: Malware has captured the video of the webcam that the recipient is entertained. In order to make the threat of the disclosure of the public, a photo of the target home has been attached to make it more frightening and compelling.

This week, some readers reported that they received their own name and received sex e-mails that seem to have obtained from online map applications such as Google Maps. 。

The message says that it has been sent from a hacker who has invaded your computer and recorded a video of you using a web camera. The message threatens to publish a video to all your contacts, unless you pay the Bitcoin ransom. In this case, the required amount is less than $ 2, 000, and can be paid by scanning a QR code embedded in the email.

Following a greeting that includes the recipient's full name, the message begins with the message, "If you don't take action, a more convenient way to contact you is to visit [recipient's address]. Nice place, eh?", followed by a photo of the recipient's address.

Screenshot of a new sextortion scam, including a photo of the target's front yard.

The message tells the victim that if they don't pay within 24 hours, the embarrassing video will be made public to all their contacts, friends and family.

"Don't even think about replying to this, it's pointless," the message concludes. "I make no mistakes. If I notice that you have shared or discussed this email with anyone, your shitty video will start being sent to your contacts instantly."

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic, containing thematic elements seen in most previous sextortion waves, including a claim that the blackmailer has installed malware on your computer (in this case, the spyware is called "Pegasus," and the scammers claim that it's monitoring all of your computer activity).

A previous innovation in sextortion customization was to send an email containing at least one password previously used on an online account tied to an email address. Read more

September 2, 2024

Owners of 1-Time Passcode Theft Service Plead Guilty

Three men in the UK admitted to operating otp[.]agency, a once-popular online service that helps attackers intercept one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to a password.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes required to log into various websites. The scammers, who had already stolen someone's bank account credentials, would enter the target's phone number and name, and the service would place an automated call to the target, alerting them to fraudulent activity on their account.

The call would prompt the thief to enter a one-time passcode that would be sent to the user via SMS when they tried to log in. The code shared by the target was then relayed to the scammer's user panel on the OTP Agency website.

According to a statement released by the UK National Crime Agency (NCA) on August 30, three men pleaded guilty to operating OTP Agency: Karam Picari (22, from Hornchurch, Essex), Vijayasidrshan Vijayanathan (21, from Aylesbury, Buckinghamshire), and Aza Siddiq (19, from Milton Keynes, Buckinghamshire).

KrebsOnSecurity featured OTP Agency in February 2021 in a story about arrests linked to another UK-based phishing-related service. A person claiming to represent OTP Agency subsequently posted multiple comments on the article, calling it defamatory and claiming that they were a legitimate anti-fraud service. However, the service's Telegram channel made it clear that its owners had built OTP Agency with one purpose: to help customers take over their online accounts.

Within hours of the announcement, the OTP agency said it would take down the website, close stores and clear its user database. The NCA said the February 2021 article sparked a frantic exchange of messages between Pikari and Vijayanathan:

Pikari: Bro, we are in big trouble... you're going to get me arrested... bro, delete the chat

Vijayanathan: Really?

Pikari: There's a lot of evidence there

Vijayanathan: Really? Are you 100% sure?

Pikari: It seems very evidential... take a look, search "scam"... in the OTP chat... we didn't find... think of all the evidence... they will find it.

Vijayanathan: Exactly.

Pikali: They accessed our initial messages... we look guilty... if we shut down... just delete our chat... our chat is 100% fraud

Vijayanathan: Anyone with a brain would say stop here and move on.

Pikali: Just because we shut down doesn't mean we're not doing it... but if we delete our chat... it will hurt their investigation... there is nothing fraudulent on this site

Despite deleting the Telegram channel, OTP Agency clearly found it hard to walk away from its customers (and/or money). Instead of shutting down as per Vijayanathan's wise advice, just a few days later OTP Agency reached out to its customers on a new Telegram channel, provided a new login page, and assured existing customers that their usernames, passwords, and balances would remain unchanged.

OTP Agency, Shortly After First Shutdown, Tells Customers Their Existing Logins Still Work.

August 28, 2024

When Get-Out-The-Vote Efforts Look Like Phishing

This week, several media warned Americans to pay attention to new phishing scams, which inform the recipients that they have not yet registered. A little investigation revealed that this email was sent as part of a voting promotion activity with a good intention, which could be counterproductive, with the characteristics of the phishing campaign, which could be in good faith. 。

Image WDIV Detroit YouTube

On August 27, Detroit's local channel fou r-line station WDIV warned of the new SMS message wave that could hinder the voting of registered authority. The article introduced one of the related text messages linked to all- vote. com, which did not explain how to hinder the voter voting.

"We are not registered to vote, but we are put you in our records," said the unba n-prohibited SMS. "Check the registration status and register within 2 minutes.

Similar warnings have been issued by ABC stations in Arizona and NBC affiliates in Pennsylvania. In Pennsylvania, the election authorities have just warned to pay attention to fraud messages from ALL-vote. com. The people who answered the interviews that received the message said they thought they were scams because they knew they were registered to vote in the state. WDIV also interviewed a firs t-year junior high school student from Canada. He also received the SMS that was not registered in the voting.

Anyone who wants to judge whether all- vote. com is legitimate may first access the main URL (not only to click the SMS link) and investigate the organization in detail. However, if you access all- vote. com directly, a login page to the online service is displayed. According to Domaintools. com, all- vote. com was registered on July 10, 2024. Red flag part 1.

Information requested by people who accessed votewin. org through the SMS campaign.

Another version of the SMS campaign tells the recipient to check the voter status on a site called votewin. org, and according to Domaintools, the site was registered on July 9, 2024. There is almost no information about who operates the votewin. org website, and there is a general inquiry form on the contact page. Red signal 2.

In addition, Votewin. org asks visitors to enter the names, addresses, e-mail addresses, date of birth, and mobile phone numbers in advance, and also check the options to sign up to more notifications. Big Red Flag#3.

Votewin. org's terms of service referenced a California-based voter participation platform called VoteAmerica LLC. The same voter registration inquiry form advertised in the SMS message is available by clicking on the "check your registration status" link on Voteamerica. org.

VoteAmerica founder Debra Cleaver told KrebsOnSecurity that the San Francisco political consulting firm Movement Labs is responsible for the unregistered SMS campaign.

Cleaver said her office has received several inquiries about the messages, which violate a key principle of voter outreach: "This is one of the worst ways to do it," she said, "because voter files are unreliable and often out of date.

Movement Labs founder Yoni Landau said the SMS campaign is "targeted at underrepresented groups in the electorate, young people, people who are moving, low-income households, and other people who are not in our database, and is meant to help them register to vote."

According to Landau, when visitors fill out a form on Votewin. org, the site checks whether the visitor is registered to vote in that state and only tries to help them register if they are not.

"We tested hundreds of variations of the message and found that these variations of the message had the greatest impact on the likelihood of registering to vote," he said.

Cleaver said Movement Lab's SMS campaign may have been incompetent, but it was not malicious.

"When you're in the business of voter mobilization, it's not enough to want to do good things, you have to actually do good things," he said. "At the end of the day, the end result of incompetence and maliciousness is the same.

To register to vote or update your voter registration, visit vote. gov and select your state or region.

August 27, 2024

Malicious hackers abuse the zer o-day vulnerability of Versa Director, a software product used by many Internet providers and IT service providers. Researchers focus on building a foundation for this activity to enter important US networks and to build a foundation to hinder communication between the United States and Asia during a future armed conflict with China. I think it is related to the spy group, Volt Typhoon.

New 0-Day Attacks Linked to China’s ‘Volt Typhoon’

The Versa Director system is mainly used in Internet Service Providers (ISP) and Managed Service Providers (MSP), which simultaneously meet the IT needs of many small and mediu m-sized enterprises. A security recommendation announced on August 26 has urged customers to introduce a patch for vulnerability (CVE-2024-39717) corrected in Versa Director 22. 1. 4 or later.

According to Versa, the vulnerability can upload any file to a vulnerable system. According to the advisory, "I neglected the implementation of the system hardening and firewall guidelines ... I left the management port exposed on the Internet ..." Versa customers are mostly responsible. Is to.

VERSA's advisory does not mention how this zer o-day defect, but the Mitre. org vulnerability list says "Other reports based on the Third Party Provider's Backbone Remote Measurement Observation. However, it is unconfirmed at this time.

These thir d-party reports were in late June 2024, the Senior Read Information Senior Read Information of Black Lotus Lab, the Security Research Division of Lumen Technologies, which operates one of the world's largest Internet backbone. ・ It was brought by engineer Michael Holka.

In an interview with Krebsonsecurity, Horka specifies a we b-based backdoor on the Versa Director system owned by four American victims and one no n-American victims of ISP and MSP sector. The earliest known Exploit activities occurred on June 12, 2024 in ISP.

"From this, Versa Director has a hig h-scale browsing or controlling network infrastructure, and an advanced sustainable threat (APTTT) wants to transfer to an additional (or downstream) network. ) HORKA states in a blog post released today.

Black Lotus Labs has assessed Volt Typhoon as the source of the breach with "medium" confidence, noting that the intrusions bear characteristics of a Chinese state-sponsored espionage group, including zero-day attacks targeting IT infrastructure providers and a Java-based backdoor that runs only in memory.

In May 2023, the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as "Bronze Silhouette" and "Insidious Taurus."

In early December 2023, Black Lotus Labs published findings on the "KV-botnet," thousands of compromised SOHO routers linked together to form a covert data transmission network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the Department of Justice revealed that the FBI had carried out a court-authorized takedown of the KV-botnet just before Black Lotus Labs released its December report. Read more

August 23, 2024

The proliferation of new top-level domains (TLDs) exacerbates a well-known security weakness: many organizations set up their internal Microsoft authentication systems years ago using domain names from TLDs that didn't exist at the time. That means they continue to send Windows usernames and passwords to domain names they don't control that anyone can register. Here's one security researcher's efforts to map and scale this insidious problem.

Local Networks Go Global When Domain Names Collide

The problem is a well-known security and privacy threat called "namespace collision," where domain names intended for use only on an internal network overlap with domain names that are normally resolvable on the open Internet.

Windows computers on a private corporate network use a Microsoft innovation called Active Directory to find other things on that network, and at the heart of how these things find each other is a Windows feature called "DNS name devolution," a kind of network shorthand.

Consider the virtual network InternalNetwork. example. com: If you want to access the shared drive called "Drive1" It is necessary to enter "m" do not have.

However, if an Active Directory network is built on a domain that the organization does not own or managed, problems may occur. This may seem ridiculous as a way to design a corporate authentication system, but many organizations have introduced hundreds of new to p-level domain (TLD), such as . NETWORK, . inc, . llc. Remember that you are building a network long before you do it.

For example, a company in 2005 has built a Microsoft Active Directory service centered on the domain called Company. llc. Perhaps it was the theory that the . llc was not a routing TLD, so if the organization's Windows computer was used outside the local network, the domain would simply fail.

Unfortunately, the . llC TLD was born in 2018, and domain sales began. Since then, anyone who has registered Company. llc has been inevitably intercepted the authentication information of Microsoft Windows in the organization, or actively changes the connection in some way (redirect to a malicious place, etc. ) You can now.

Philip Kachulegli, the founder of the security consultant company Seralys, is one of several researchers who are trying to clarify the size of the name space collision. As a professional invading tester, CATUREGLI has long been exploited this collision and has been attacking a specific target that has been paid for cyber defense. However, in the past year, CATUREGLI has gradually mapped this vulnerability throughout the Internet by searching for clues that appear in sel f-signed security certificates (SSL/TLS certificates, etc.).

CATUREGLI refer to various TLD domains that are likely to appeal to companies, such as . ad, . associates, . CLOUD, . consulting, . dev, . digital, . Domains, . Email, . global, and other companies. The sel f-signed certificate has been scanned on the open Internet. . email, . global, . gmbh, . Holdings, . Host, . Hoste, . institute, . Institute, . It, . llc, . ltd, . manageMent, . manageMent, . ms, . name, . NETWORK, . Security , Services, . site, . srl, . Support, . Systems, . Systems, . Tech, . win, . win, . zone, etc. Is to issue a sel f-signed certificate for various TLD domains that are likely to appeal to business. Can do.

Seralys discovered a certificate for more than 9, 000 domains throughout these TLDs. According to their analysis, many TLDs have much more domains than other TLDs, and about 20 % of the domains that end with . ad, . cloud, and . group are still unregistered. It turned out.

"The size of this problem seems to be bigger than I had forced," CATUREGLI responded to the Krebselsecurity interview. "During the investigation, we have identified government agencies (domestic and overseas) and important infrastructure that have such misconutable assets."

Some of the TLDs listed above are not new, but compatible with national code TLDs, such as Italy's . it and a small country, a national code TLD . ad. Ad. According to CATUREGLI, many organizations are considered a convenient abbreviation for setting an i n-house Active d IRECTORY in the company, but on the other hand, someone actually has such a domain. I was not aware that there was a possibility of intercepting all Windows certification information or united traffic.

When CATUREGLI found that encryption certificates were actively used in the domain Memrtcc. ad, the domain was still registered. He learned that the . ad registry demands that the domain a valid trademark before the domain registration.

REAL-TIME CRIME

Nevertheless, CATUREGLI finds a domain registration that sells domains for $ 160 and processes trademark registration for $ 500 (after that, in . ad registration, an Andra's company that handles trademark applications at half the price. i got you).

According to CATUREGLI, immediately after setup of Memrtcc. ad DNS servers, communications from hundreds of Microsoft Windows Computers to authenticate this domain have flooded. Each request contains a user name and a hashed Windows password, and when searching for a user name online, CATUREGLI concluded that they were all of Memphis, Tennessee.

"Every police car there has a laptop, all of which seem to be connected to this Memrtcc. ad domain I have now," CATUREGLI said. " Ironically pointed out tha t-Time CRIME CENTER is an abbreviation.

According to CATUREGLI, setting Memrtcc. ad's e-mail server records will receive automatic messages from IT Help Desks at the police station, including troubles and tickets for OKTA authentication systems in the city.

Mike Barlow, information security manager for the city of Memphis, confirmed that Memphis Police Department systems share Microsoft Windows credentials with the domain, and the city is working with Caturegli to have the domain transferred over.

"We're working with Memphis Police Department to try to at least mitigate this issue somewhat," Barlow said.

Domain administrators have long encouraged the use of . local for internal domain names because . local is reserved for use on local networks and cannot traverse the open Internet. But Caturegli said many organizations seem to miss that memo and do the opposite, such as setting up their internal Active Directory structures around the fully routable domain local. ad.

Cateurgli said he found this out because he registered local. ad "defensively." He said local. ad is currently used to set up Active Directory at several large organizations, including European cell phone providers and the city of Newcastle in the UK. Read more