Slashdot Mirror


User: Oob+the+Rhox

Oob+the+Rhox's activity in the archive.


Comments · 4

  1. Re:That would be very amusing... on Fooling NMAP for Whatever Reason · · Score: 1
    >Wouldn't that be funny? [...]

    I think that's the real point. OS fingerprint detection isn't a huge security issue. Kids don't base their attack on OS detection; and the scripts usually just attack with everything anyways -- they don't care if the attack fails.

    I think the real point is humor and coolness. If I were scanning a net and found a hundred "Sega Dreamcasts" I'd roll on the floor laughing, and know that the admin understood something about hardening servers.

    On the other hand, eliminating responses to non-conventional packets makes sense. Under the principle of minimal services, there isn't any point in responding to packets with SYN and FIN set. Heck, Cisco even recommends dropping all frags at the perimeter! (In their SAFE document.) Go figure! :-(

  2. Re:And how many on Windows Security Holes Go Mostly Unexploited · · Score: 1
    Security is a funny thing. "Anti-intrusion systems should be built into the OS" is great when the operator knows what to do when the binary doesn't run. Certainly Integrity is one of the CIA triad, but Availability is in there as well. A system that has information integrity but isn't providing services is only slightly more useful than a doorstop.

    What percentage installed Tripwire? Slight. 1 in 10 would be surprising. And of those, how many stored the sigs offline? But they will notice that the system is acting funny. Then maybe a friend will run a scan and discover they are now an IRC host. Or maybe they get a turnkey IDS and it tells them about a problem -- but then they don't understand what the IDS is telling them anyways.

    The good news is that they don't have any investment in the operating system, and it won't play Warcraft III, so it will get nuked and replaced with XP.

    The key point here is that you should never spend more to protect an asset than the value of the asset. Their home data isn't very valuable (witness how often it's backed up). The only value they have is network connectivity, to fuzz the forensics or provide a zombie. While it would be nice if home users had some due diligence, it's not going to happen with the current approaches. Solving the real problem is going to take centralized strategies, either through the rise of AOL-like management of application and OS, or else network operators who stepped above business rivalries and really cleaned up the net.

    There is some of that going on. A DDoS doesn't really impact the core much, and it's getting easier to control those flows, and provide tracking. Last-mile providers can disable rogue systems. But frankly, I don't think even that really matters much.

    I think we are coming into a new age, when real crime occurs on the Internet. Not vandalism (even Warhol's flash worms are just vandalism writ large) but serious bucks through outsider fraud, theft, blackmail, etc. That might actually cause some things to change on the perimeter of the net.

  3. Re:Security is in the eyes of the beholder.(or adm on Fixing Wireless Security By Pulling The Plug · · Score: 1
    I don't think "Unless you are doing a weekly sweep of your network, and documenting the changes, any network, wired or wireless is susceptible to compromise" works. If the black hat has physical access to a wire run, they can transparently hide the AP and not have it detectable from the wired side. You have to monitor new devices in real time if you want to detect injected packets -- and even that can be compromised if the bad guy manipulates his MAC to that of a device that is supposed to be there.

    On the other side, the question of safe deployment is non-trivial. While t0qer's suggestion to reject all unknown MAC addresses and accept from a known list raises the bar, it doesn't eliminate problems. Again, the bad guy can readily manipulate his MAC.

    Best practice seems to be to put APs on a dedicated VLAN, isolated from resources until authentication is provided. [LEAP and such are nice, but subject to MITM, so make sure that mutual auth with a pre-shared secret is part of the solution, if you really want to isolate resources...] and disallow any traffic that isn't part of an encrypted session.

  4. Re:Security on Military Healthcare Data Stolen · · Score: 2, Informative
    Because this is health care information, HIPAA, the health information portability and accountability act, applies. Unfortunately, encryption is not required: under technical controls, they state: "The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access." The use of encryption is optional. However, there are also physical access controls required, and clearly those failed.

    The real guts of the story might be that this will be a poster child for what can go wrong with centralized health care databases. In the long run, this might be a good thing to have happened.