As we’ve reported repeatedly in these pages, distributed denial of service attacks are growing both in terms of number and size.

Now it seems that DDoS attackers are coming up with even more elaborate tools and attack methods to take down websites and networks, according to the latest report from DDoS mitigation firm Imperva.

Imperva’s analysis is based on data from 3,791 network layer and 5,267 application layer DDoS attacks on websites using its Incapsula services from January 1, 2016 through February 29, 2016.

For example, attackers are expanding their use of browser-like DDoS bots capable of bypassing standard security challenges. The use of these bots increased to a record-breaking 36.6 percent of application layer attacks, up from 6.1 percent in the previous report.

In addition, DDoS attackers are increasingly using upload scripts to mount multi-gigabit HTTP POST flood attacks. The scripts randomly generate large files and attempt to upload them to the server, creating an HTTP flood of extremely large content-length requests.
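From the defender's side, a flood of this kind shows up as many sources declaring very large bodies against the same path within a short interval. The sketch below is an added example, not code from the Imperva report: the log format, the thresholds and the function name `detect_post_floods` are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
# ISO timestamp, client IP, method, path, declared Content-Length in bytes.
SAMPLE_LOG = """\
2016-03-01T10:00:00 198.51.100.7 GET /index.html 0
2016-03-01T10:00:01 203.0.113.10 POST /upload 52428800
2016-03-01T10:00:02 203.0.113.11 POST /upload 73400320
2016-03-01T10:00:03 203.0.113.12 POST /upload 62914560
2016-03-01T10:00:04 198.51.100.8 POST /login 64
2016-03-01T10:00:05 203.0.113.13 POST /upload 83886080
2016-03-01T10:05:00 198.51.100.9 POST /upload 2097152
"""

# Assumed thresholds; tune them to the largest legitimate upload the site accepts.
LARGE_BODY = 10 * 1024 * 1024           # per-request size treated as "large"
WINDOW = timedelta(seconds=10)          # sliding window length
MAX_WINDOW_BYTES = 200 * 1024 * 1024    # declared-byte budget per path per window

def detect_post_floods(log_text):
    """Return alerts as (path, time, declared_bytes, sorted source IPs)."""
    recent = defaultdict(list)  # path -> [(ts, ip, length)] large POSTs in window
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(fields[0])
        ip, method, path, length = fields[1], fields[2], fields[3], int(fields[4])
        if method != "POST" or length < LARGE_BODY:
            continue
        # Keep only large POSTs to this path that are still inside the window.
        window = [e for e in recent[path] if ts - e[0] <= WINDOW]
        window.append((ts, ip, length))
        recent[path] = window
        total = sum(e[2] for e in window)
        if total > MAX_WINDOW_BYTES:
            alerts.append((path, ts, total, sorted({e[1] for e in window})))
    return alerts

if __name__ == "__main__":
    for path, ts, total, sources in detect_post_floods(SAMPLE_LOG):
        print(f"{ts.isoformat()} {path}: {total} bytes declared "
              f"by {len(sources)} sources: {', '.join(sources)}")
```

Because the check keys on the declared Content-Length, it can run before any body is read, which is also where a per-path request size limit belongs.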

Also, network layer attacks are growing more sophisticated. Attackers are employing millions-of-packets-per-second, or Mpps, assaults in which small network packets are pumped out at extremely high speed to overwhelm network switches, resulting in denial of service.

In terms of botnets, the first quarter saw a steep increase in DDoS traffic out of South Korea, making it the country of origin for 29.5 percent of botnet activity. The majority of these assaults were aimed at websites hosted in Japan and the United States.

The United States took the brunt of all DDoS attacks, with a majority of attacks targeting that country. The United Kingdom came in a distant second with 9.2 percent of attacks targeting that country.


LACNIC and the Latin American Operational Security Community Joins Forces With M3AAWG to Combat Online Threats

SAN FRANCISCO, CA–(Marketwired – Mar 31, 2016) – LACNIC, the regional Internet registry for the Latin America and Caribbean region, has joined the Messaging, Malware and Mobile Anti-Abuse Working Group to collaborate on global cybersecurity issues. LACNIC is also the convening forum for the LAC Network Operators Group; LACSEC, the region’s Network Security Forum; and LAC-CSIRT, a regional security incident response forum. As part of a mutual partnership to fight online threats, M3AAWG has also joined LACNIC to engage with these service providers and online security communities.

The ongoing engagement will provide M3AAWG access to regional expertise on operational and anti-abuse trends and the opportunity to develop relevant joint solutions that address current cybersecurity and cybercrime trends. LACNIC, the Latin America and Caribbean Network Information Center, will gain access to the diverse experience of the M3AAWG membership and its ongoing work developing best practices.

To foster this partnership, several M3AAWG members will participate in the LACNIC 25 meeting on May 2-6, 2016 in Havana, Cuba. They will engage with LACNIC, LACNOG, LACSEC and LAC-CSIRT to identify future collaboration projects and to adapt existing M3AAWG best practices to accommodate region-specific needs. LACNIC members will also be attending future M3AAWG meetings, which are held three times a year.

“By participating in M3AAWG, we can actively engage with leading researchers and experts from around the world on what anti-abuse techniques perform well, and why they do, while sharing our regional perspective. A better understanding of M3AAWG best practices can help improve our local cybersecurity efforts, minimize threats and create more economic opportunities for our Latin American citizens,” said Graciela Martinez, LACNIC’s WARP (Warning, Advice and Reporting Point) Coordinator.

LACNIC is a non-governmental organization that manages the delegation of number resources, such as IP addresses and Autonomous System Numbers that are necessary for Internet connectivity and routing. LACNIC meetings serve as a convening forum for regional operator communities, such as LACNOG, and for security communities such as LACSEC. LACNIC also facilitates initiatives that support an open, stable and secure Internet within its assigned territory of South America, Central America and the Caribbean.

M3AAWG Board of Directors Vice Chairperson Sara Roper said, “With LACNIC participating in our meetings and ongoing initiatives, we can better understand and address the issues specific to Latin America as we strive to make the online experience safer for everyone. As a LACNIC member, we will also be working to adapt the best practices developed by the global M3AAWG membership to this important region.”

M3AAWG has published over 40 papers and best practices defining proven processes for preventing or mitigating online threats. It is a global industry association where vetted operational and public policy security specialists from over 20 countries come together in a confidential environment to share information, develop best practices and identify strategies to combat bots, malware, spam, viruses, DoS attacks and other online exploits.

Many M3AAWG best practices address issues specific to Internet service providers and other industry segments that are relevant to LACNIC members. For example, M3AAWG has published best practices to help service providers protect mobile messaging, anti-phishing best practices for ISPs, and guidelines on using a walled garden to contain malware infections.


LACNIC, the Latin American and Caribbean Internet Addresses Registry, is an international non-government organization established in Uruguay in 2002. It is responsible for assigning and administrating Internet numbering resources (IPv4, IPv6), Autonomous System Numbers, Reverse Resolution and other resources for the region of Latin America and the Caribbean. It is one of the five Regional Internet Registries that exist worldwide.

LACNIC contributes to Internet development in the region through an active cooperation policy, promoting and defending the regional community’s interests and helping create conditions that will allow the Internet to become an effective instrument for social inclusion and economic development in benefit of all Latin American and Caribbean countries and citizens. More information is available at

About M3AAWG

The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) is where the industry comes together to work against bots, malware, spam, viruses, denial-of-service attacks and other online exploitation. M3AAWG members represent more than one billion mailboxes from some of the largest network operators worldwide. It leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services through technology, collaboration and public policy. It also works to educate global policy makers on the technical and operational issues related to online abuse and messaging. Headquartered in San Francisco, Calif., M3AAWG is driven by market needs and supported by major network operators and messaging providers.

M3AAWG Board of Directors: AT&T (NYSE: T); CenturyLink (NYSE: CTL); Cloudmark, Inc.; Comcast (NASDAQ: CMCSA); Cox Communications; Facebook; Google; LinkedIn (NYSE: LNKD); Mailchimp; Message Systems; Orange (NYSE: ORAN) and (EURONEXT: ORA); Rackspace; Return Path; SendGrid; Time Warner Cable; Vade Retro – OpenIO; Verizon Communications; and Yahoo! Inc.

M3AAWG Full Members: 1&1 Internet AG; Adobe Systems Inc.; Agora, Inc.; AOL; Bluehost-Endurance; Campaign Monitor Pty.; Cisco Systems, Inc.; CloudFlare; Constant Contact (NASDAQ: CTCT); dotmailer; Dyn; ExactTarget, Inc.; IBM; iContact; Internet Initiative Japan (IIJ, NASDAQ: IIJI); Level 3; Liberty Global; Listrak; Litmus; McAfee Inc.; Microsoft Corp.; Mimecast; Nominum, Inc.; Oracle Marketing Cloud; OVH; PayPal; Proofpoint; Spamhaus; and Symantec.



Having a military background, I tend to look at all security issues with the perspective of someone who’s served in the armed forces. That means using a thorough investigation process that doesn’t treat any action as accidental or an attack as a stand-alone incident and looking for links between seemingly unconnected events.


This method is used by law enforcement agencies to investigate acts of terrorism, which, sadly, are happening more frequently. While terror attacks that have occurred in the physical world are making headlines, the virtual world is also under attack by sophisticated hackers. However, not much is said about the similarities between investigating both types of attacks or what security researchers can learn from their law enforcement counterparts. I’ve had this thought for a while and, fearing that I’d be seen as insensitive to recent events, debated whether to write this blog. After much thought, I decided that the stakes are too high to remain silent and continue treating each breach as a one-off event without greater security implications.

The parallels between cyber and terror attacks are numerous: they involve well-coordinated adversaries who have specific goals and planned intricate campaigns months in advance. The target’s security measures are irrelevant and can always be exploited. Preventing cyber and terror attacks is difficult, given the numerous vectors an adversary can use. Discovering one component of either type of attack can lead to clues that reveal an even larger, more detailed operation. But the methods used to investigate cyber attacks often fall short at establishing links between different events and possibly preventing hackers from striking again.

Cyber attacks targeting infrastructure are happening

To date, we haven’t experienced a cyber attack that has caused the same devastation as what’s happened in the physical world. Having your credit card number stolen doesn’t compare to lives being lost. But this doesn’t mean we won’t see cyber attacks that cause major disruptions by targeting critical infrastructure.

In fact, they’re already happening. Just last week the U.S. Department of Justice accused seven Iranians of hacking the computer control system of a dam in New York and coordinating DDoS attacks against the websites of major U.S. banks. According to the DOJ, the hackers would have been able to control the flow of water through the system had a gate on the dam not been disconnected for repairs. Then in December, hackers used malware to take over the control systems of two Ukraine energy plants and cut power to 700,000 people. I’m not trying to spread fear of a cyber apocalypse by mentioning these incidents. Fear mongering isn’t applicable if the events have occurred.

When examining terror attacks, police conduct forensic investigations on evidence found at the scene. If suspects are arrested, the police confiscate their smartphones (as we’ve seen with the iPhone used by the shooter in the San Bernardino, Calif., attack) and computers and review information like call logs and browsing histories. These procedures may provide investigators with new information that could lead to other terror plots being exposed, the arrest of additional suspects and intelligence on larger terrorist networks.

Applying an IT perspective to breaches won’t reveal complete cyber attacks

Cyber attacks, on the other hand, are investigated in a manner that isn’t as effective. They’re handled as individual incidents instead of being viewed as pieces of a larger operation. I’ve found that too many security professionals are overly eager to remediate an issue. Considering the greater security picture isn’t factored into the process, nor is it culturally acceptable within most organizations to do so. Corporate security teams have been conditioned to resolve security incidents as quickly as possible, re-image the infected machine and move on to the next incident.

Cyber attacks, though, are multi-faceted and the part that’s the most obvious to detect sometimes serves as a decoy. Adversaries know security teams are trained to quickly shut down a threat so they include a component that’s easy to discover. While this allows a security professional to report that a threat has been eliminated, this sense of security is false. Shutting down one known threat means exactly that: you’re acting on a threat that was discovered. But campaigns contain other threats that are difficult to discover, allowing the attack to continue without the company’s knowledge.

Unfortunately, most companies don’t approach cyber security with either a military or law enforcement perspective. They use IT-based methods and try to block every threat and prevent every attack, approaches that are unrealistic and ineffective given the sophisticated adversaries they’re facing. The clues security teams need to discover, eliminate and mitigate the damage from advanced threats are contained in the incidents they have been resolving.

Cyber security stands to learn a lot from law enforcement when it comes to investigating attacks. Next time they’re looking into a breach, security professionals should:
• Not treat a security incident as an individual event. Try to place it in the greater context of what else is occurring in your IT environment. View the attack as a clue that, if followed, can reveal a much larger, more complex operation.

• Instead of immediately remediating an incident, consider letting the attack execute to gather more intelligence about the campaign and the adversary.

• Remember the threat that’s the most obvious to detect is often used as a decoy to shield a more intricate operation.

While there will always be terrorists and hackers, remembering these points helps us stay ahead of them, minimize the impact of their attacks and regain a sense of control.


Bitcoin startup Coinkite closes wallet service due to “BS” of DDoS attacks, dealing with lawyers | SiliconANGLE


Bitcoin startup Coinkite, Inc. has announced that it is closing down its secure Bitcoin wallet service in order to focus on building hardware-based Bitcoin products instead.

Founded in 2012, Coinkite billed itself as the easiest and safest way to use and accept Bitcoin, along with the claim that it offered “the world’s most advanced web wallet system” that “empowers customers and merchants to BUY, SELL, ACCEPT and STORE Bitcoins and other crypto currencies, in both the online and physical worlds.”

The closure of the Bitcoin wallet service will take place over the coming 30 days, with users who do not remove funds from their wallets at the end of the period having their Bitcoin withdrawn and credited to them automatically.

Projects listed by the company as being their future include something called Opendime, which is described as a physical Bitcoin; a completely stand-alone Bitcoin terminal/hardware wallet with printer and QR scanner; hardware products for authentication and security; general purpose stand-alone Bitcoin solutions; and last but not least hardened services for hosting Bitcoin hot wallets.


It would appear that much of the decision to get out of the online Bitcoin wallet business was due to the company constantly dealing with harassment, with a blog post announcing the move describing that they had been under constant Distributed Denial of Service (DDoS) attacks over the last three years, and that they had also had to deal with Government agencies and attempted intrusions into client privacy.

In an interview with Coindesk, Chief Executive Officer Rodolfo Novak said that the company wanted to move away from software as their meager resources were being drained by the “amount of bullshit” involved with running the service.

“We want to write software, not deal with lawyers and DDoSing … One of the main issues with SaaS is all the free users and need support and we want to provide good support. All these things have costs,” Novak noted.

Coinkite’s decision to close its Bitcoin wallet service is quite considerable, with the company having reported in September 2015 that it had processed some $250 million in transactions in the preceding 3 months, making it one of the bigger Bitcoin wallet providers in the market.

Before all services stop within 30 days, Tor access and Coinkite’s application program interface will be closed within 14 days, and prorated balances for annual pre-paid plans will be refunded.


A number of Swiss companies have recently suffered their biggest ever coordinated cyber attacks, which paralysed IT and telephone systems.

Some of the worst affected websites belong to the Swiss Federal Railways and the country’s largest supermarket chains, Migros and Coop. The NZZ am Sonntag newspaper reported that there were also attempts by the hackers to blackmail the targeted companies.

These were so-called distributed denial-of-service (DDoS) attacks, which occur when multiple systems flood the bandwidth of a targeted system, usually one or more web servers.

Such an attack is often the result of a botnet. This is a network with software specifically designed to disrupt or damage computer systems.

Switzerland is particularly vulnerable to cyber attacks because of its high-tech infrastructure and financial services sector.

A report published in 2015 by the professional service company, KPMG, stated that Swiss companies suffered losses of over CHF200 million ($206 million) due to cyber crime in 2014.

Hacking doesn’t only affect large-scale commerce. Recently, the emails of 6000 Swiss small companies and private individuals were also hijacked.