Preparing For and Mitigating DDoS Attacks

By | Business

The Distributed Denial of Service (DDoS) attack against Spamhaus, an anti-spam group, has been dubbed the largest DDoS attack to date. According to The New York Times, the impact of the attack extends beyond Spamhaus, affecting other sites and services that rely on the same infrastructure (like Netflix).

But did you know about the DDoS attack on Wells Fargo? Key Bank? TD Bank? PNC? JPMC? Capital One? SendGrid? Free Malaysia Radio? Krebs on Security? All of these sites have recently been victims of DDoS attacks, a list that unfortunately continues to grow.

Simply put, a Denial of Service (DoS) attack overwhelms a system or application by throwing more data at the target than the target can handle. A Distributed Denial of Service (DDoS) attack accomplishes the same result, the key difference being that a DDoS attack is launched simultaneously from multiple sources (attackers).

Although the most widely publicized DDoS attacks are launched by Internet activists/hacktivists, these types of attacks are also launched by criminal organizations in an effort to extort money from business owners, as well as by unscrupulous business owners trying to gain the upper hand on their competition. Don’t take my word for it, though. Ask your local FBI field office.

If you’re concerned that your organization may be targeted with a DDoS attack, there are steps you can take to harden your web application infrastructure against these types of attacks. An ounce of prevention now could mean the difference between your site being offline for a few minutes and your site being offline for a few days.

Take a look at this list of recommended controls designed to help you prepare for and mitigate both DoS and DDoS attacks. Where are the gaps in your infrastructure?

  • Network Architecture
    • Do you have redundant network devices installed?
    • Do you have an Intrusion Prevention System (IPS) installed and tuned?
    • Do you have a Security Information Event Management (SIEM) system installed and tuned?
    • Do you have any anti-DDoS hardware installed in your network infrastructure?
    • Are you running IPv6 on any Internet-facing devices without corresponding business justification?
  • Network Router
    • Have you enabled Reverse Path Forwarding on your router?
    • Does your router filter all RFC-1918 address spaces?
    • Have you configured the router to drop forged packets, per RFC-2827?
    • Does your router enforce rate limiting for ICMP and SYN packets?
  • Network Firewall
    • Does your firewall deny all private, illegal, and unroutable source IPs?
  • Internet-Facing Hosts
    • Have all Internet-facing hosts undergone a system hardening process, removing insecure configurations and unnecessary services?
    • Are all Internet-facing hosts fully patched?
    • Are all Internet-facing hosts free from known denial of service (DoS) vulnerabilities?
  • Web Application
    • Are third party services enabled to proactively mitigate DDoS attacks?
    • Is a web application firewall installed and enabled?
    • Is the application load balanced across multiple servers?
    • Are the web and application servers virtualized?
    • Has an application performance baseline been tested and documented, including traffic thresholds and expected source IPs?
    • Are web application vulnerability scan results free from known DoS vulnerabilities?
    • Has CAPTCHA been implemented on all submittable forms?
  • Security Incident Response
    • Have you provided your staff with training on security log analysis and/or security incident response?
    • Have you documented a DoS/DDoS Attack security incident response procedure?
    • Does the security incident response procedure include ISP contact information?
    • Does the security incident response procedure include instructions on how to null route attackers?
    • Does the security incident response procedure include instructions on when and how to enable temporary third party DoS/DDoS mitigating controls?
    • Have you implemented a list of invalid geographic source IP deny rules in the firewall?
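Two of the router and firewall controls above, the RFC-2827/RFC-1918 source filter and the per-source SYN rate limit, are easy to reason about in code. The block below is an added example (not from the original post, and not any vendor's implementation): it applies both checks to a constructed packet log and returns what a border device would accept and what it would drop, with the reason. The thresholds, the sample addresses and the `filter_packets` function name are assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

# RFC 1918 private space plus other ranges that can never be a legitimate source of
# traffic arriving from the Internet (RFC 2827 ingress filtering, "bogon" sources).
ILLEGAL_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",     # loopback, "this" net, link-local
    "224.0.0.0/4", "240.0.0.0/4",                     # multicast, reserved
)]

def is_illegal_source(src):
    """True if src falls in a range the border filter should drop on sight."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ILLEGAL_SOURCES)

def filter_packets(packets, syn_limit=3, window=1.0):
    """Apply both controls to (ts, src, flag) tuples and return (accepted, dropped).

    SYNs are rate limited per source with a sliding window: more than `syn_limit`
    SYNs from one source within `window` seconds are dropped, as a router's SYN
    rate limit would do. Dropped entries carry the reason instead of the flag."""
    recent = defaultdict(deque)          # src -> timestamps of recent SYNs
    accepted, dropped = [], []
    for ts, src, flag in packets:
        if is_illegal_source(src):
            dropped.append((ts, src, "illegal-source"))
            continue
        if flag == "SYN":
            q = recent[src]
            while q and ts - q[0] >= window:   # expire SYNs outside the window
                q.popleft()
            if len(q) >= syn_limit:
                dropped.append((ts, src, "syn-rate"))
                continue
            q.append(ts)
        accepted.append((ts, src, flag))
    return accepted, dropped

# Constructed sample: (timestamp, source IP, TCP flag), using documentation prefixes.
SAMPLE = [
    (0.0, "203.0.113.7", "SYN"), (0.1, "10.1.2.3", "SYN"), (0.2, "203.0.113.7", "SYN"),
    (0.3, "203.0.113.7", "SYN"), (0.4, "203.0.113.7", "SYN"), (1.5, "203.0.113.7", "SYN"),
    (1.6, "198.51.100.9", "ACK"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    print(f"accepted={len(ok)} dropped={bad}")
```

The private 10.1.2.3 source is dropped outright, the fourth SYN from 203.0.113.7 inside one second is dropped, and the SYN at 1.5 s is accepted again once the window has slid past the earlier ones.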

Did Google Index Your Organization’s WiFi Password?

By | Business

iPad and iPhone users are no strangers to .mobileconfig files. These are the files that contain customized iDevice configurations unique to your organization. Administrators can create these XML files with the iPhone Configuration Utility, and then send the files to users via email or a download link. When a user installs the .mobileconfig file on their device, the device settings (e.g., passcode, VPN) are automatically updated to match the predetermined configuration.

Pretty cool feature, but what happens when Google indexes .mobileconfig files that it discovers on Internet-facing websites?

The end result is that the wifi password that you thought you had hidden within that .mobileconfig file is now publicly available.

The field HIDDEN_NETWORK Password isn’t quite as hidden as it’s supposed to be. To see what .mobileconfig files have already been indexed, you can plug this search query into Google:

filetype:mobileconfig hidden_network password

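A pre-publication check, added here as an example (not from the original post, and not the iPhone Configuration Utility's own code): parse a .mobileconfig with Python's plistlib and report any Wi-Fi payload that carries a clear-text Password, so the file is caught before it reaches a public web server. The sample profile is constructed and its PayloadIdentifier is a placeholder; `scan_webroot` is an assumed helper name.

```python
import plistlib
from pathlib import Path

WIFI_PAYLOAD = "com.apple.wifi.managed"   # PayloadType Apple uses for Wi-Fi settings

def find_wifi_secrets(data):
    """Return one dict per Wi-Fi payload in a .mobileconfig that embeds a Password."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == WIFI_PAYLOAD and payload.get("Password"):
            findings.append({
                "ssid": payload.get("SSID_STR"),
                "hidden": bool(payload.get("HIDDEN_NETWORK", False)),
                "encryption": payload.get("EncryptionType"),
            })
    return findings

def scan_webroot(root):
    """Map every .mobileconfig under `root` that leaks a Wi-Fi password to its findings."""
    exposed = {}
    for path in Path(root).rglob("*.mobileconfig"):
        hits = find_wifi_secrets(path.read_bytes())
        if hits:
            exposed[str(path)] = hits
    return exposed

# Constructed sample profile in the shape the iPhone Configuration Utility emits,
# with a hidden-network Wi-Fi payload whose PSK sits in clear text.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.wifi",   # placeholder identifier
    "PayloadContent": [{
        "PayloadType": WIFI_PAYLOAD,
        "SSID_STR": "CorpNet",
        "HIDDEN_NETWORK": True,
        "EncryptionType": "WPA",
        "Password": "not-a-real-psk",
    }],
})

if __name__ == "__main__":
    for hit in find_wifi_secrets(SAMPLE_PROFILE):
        print("clear-text Wi-Fi password for SSID", hit["ssid"], "(hidden)" if hit["hidden"] else "")
```

Signed profiles are wrapped in a CMS (PKCS#7) envelope and must be unwrapped before plistlib can parse them; the unsigned XML form shown here is what the utility produces by default.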
If your organization’s internal wireless password is ever exposed in this manner, the first priority is to take the appropriate security incident response measures:

  • Change the wireless network password
  • Distribute an updated .mobileconfig file to your users
  • Remove the old .mobileconfig file from your Internet-facing web server
  • Review wireless logs for any suspicious activity

Going forward, you can take certain precautions to significantly reduce the likelihood that this type of incident could happen in the future. A few of those precautions include:

  • Publish .mobileconfig files on password-protected webpages
  • Deploy a Mobile Device Management (MDM) solution to securely manage mobile devices
  • Implement a type of Network Access Control (NAC) so that devices need more than just a password to connect to your wireless network

If you have any questions about how to secure your network and manage mobile devices, let us know. We’re here to help.

HHS unveils Final HIPAA (HITECH) Omnibus Rule

By | Business

Last Thursday, HHS published its Final Rule, conclusively settling the conversation about its numerous interim and proposed rules developed in light of the American Recovery and Reinvestment Act of 2009. Our inbox received a surge of alarming announcements by analysts and vendors telling us how the new rules would impact our way of doing business. We propose a more measured, analytical approach to the implementation of the changes imposed by the Final Rule. The Final Rule becomes effective on March 26, 2013. Those covered by the Rule will have until September 21, 2013 to comply.

Final Omnibus Rule Comprised of Final Versions of Four Proposed or Interim Final Rules

The four rules that combine to create the omnibus final rule include:

  • Modifications to the HIPAA Privacy and Security Rules required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
  • Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
  • A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
  • A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009.

While we believe that the size of the Omnibus Rule and the time allotted to plan for compliance by September provide the opportunity for an educated response, we also strongly believe that the signs exist that enforcement actions will become more aggressive and more encompassing.

Expanding Patient’s Privacy Rights and Protections while Strengthening Enforcement

In the press release accompanying publication of the Final Rule, HHS Office for Civil Rights Director Leon Rodriguez stated, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

These comments come in the shadow of HHS issuing its first-ever HIPAA fine to a small non-profit organization for a portable device data breach involving the loss of 441 records. The action is the first for a breach of protected health information affecting fewer than 500 individuals under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The not-for-profit Hospice of North Idaho reported to the HHS Office for Civil Rights that an unencrypted laptop with patient information was stolen in June 2010.

Disabling Java in Your Web Browser(s)

By | Business

If you’ve been following the news surrounding the latest Java 0-Day vulnerability, then you’re aware that it is already being exploited. You may also be aware that US-CERT has made an official recommendation that everyone disable Java in their web browsers until this vulnerability has been fixed.

The simplest way to disable Java in all your web browsers at once is as follows:

1. Open the Java Control Panel

    • In Windows (7), go to Start > Control Panel
    • In Mac OS X (10.7.3 and above), go to System Preferences > Control Panel

2. Change View by: to Large icons, and then click Java

3. Select the Security tab in the Java Control Panel, uncheck the box that reads Enable Java content in the browser, and click OK to save your changes

Java Control Panel - Security Tab


Jacadis … Bigger. Faster. Stronger.

By | Business

Change seems constant in information technology and information security.

Eleven years ago we started Jacadis to focus on two key services. We hardened servers for companies investing in web technologies, and we assessed the security of our clients’ internet connections against the best practices of the time.


Overwatch: Staying on Top of Your Vulnerabilities

By | Business

If you’re an information security professional, you know that managing the vulnerabilities in your environment isn’t a sprint. It’s a marathon.

New vulnerabilities are discovered each day, and it isn’t enough for us to turn on Windows Updates and hope for the best. Attackers aren’t just looking at OS vulnerabilities. They’re also looking at the software you have on your desktop, that nifty app on your mobile phone, and the scripts you have running on your website.
