Monthly Archives: March 2013

Anti-Spam Blocklists DDoSed Down

At least three anti-spam blocklists were taken down this week by Distributed Denial of Service (DDoS) attacks: Spamhaus, CBL, and APEWS. The first two are back up; the third is not.

The Composite Blocking List (CBL) currently has this at the top of its home page:

Important Information on Spamhaus/CBL DDOS

Commencing March 19 the CBL was hit by a very large-scale distributed denial of service attack. At the time of writing (March 21, 00:15 UTC) this attack is still ongoing.

Throughout this period the CBL DNSBL has continued to remain available through the CBL mirrors and via Spamhaus XBL (and Zen), and we’ve been doing our utmost to restore the rest.

Access to the lookup/removal page has just been restored.

The CBL rsync facility has been restored.

Email to the CBL is not working yet.

We ask for your patience while we finish restoring the rest of the CBL to service.

SpamRankings.net is receiving CBL data normally again, although yesterday’s is lost.

We never saw any interruption in data from the Passive Spam Block List (PSBL).

Spamhaus says it got a 75Gbps DDoS attack, according to Liam Tung with CSO Online (Australia) today:

Continue reading

Current security models broken; need resilience; how about reputation?

Bruce Schneier asserted yesterday that Our Security Models Will Never Work — No Matter What We Do. After detailing why he thinks that (the bad guys can get new techonology faster and have fewer restrictions on using it), he summarized:

As it gets easier for one member of a group to destroy the entire group, and the group size gets larger, the odds of someone in the group doing it approaches certainty. Our global interconnectedness means that our group size encompasses everyone on the planet, and since government hasn’t kept up, we have to worry about the weakest-controlled member of the weakest-controlled country. Is this a fundamental limitation of technological advancement, one that could end civilization? First our fears grip us so strongly that, thinking about the short term, we willingly embrace a police state in a desperate attempt to keep us safe; then, someone goes off and destroys us anyway?

If security won’t work in the end, what is the solution?

Continue reading

An Eerie Silence on Cybersecurity

Apparently it takes an alleged Chinese threat to get the New York Times to notice Internet security problems. The Times has escalated from a recent article to an editorial.

NYTimes Editorial 26 February 2013, An Eerie Silence on Cybersecurity, notes a few exceptions, and then remarks:

American companies have been disturbingly silent about cyberattacks on their computer systems — apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government.

In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses. Most companies would tell investors if an important factory burned to the ground or thieves made off with hundreds of millions of dollars in cash.

Maybe it’s better to have a prescribed burn of released breach information than to have a factory fire of unprescribed released information.

Why don’t companies do this?

Continue reading