Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Sat, 14 Apr 2007 07:21:01 +1000
"It is impossible for you to make that assertion for all environments and situations"

Of course it is not. This is what statistical inference is all about. It is a complexity calculation and not as difficult as you believe.

As for the next point, I have to believe that you misunderstood the sentence as that is the only way that your response can make sense. This idea that experimentation has nothing to do with the real world is sad. You sit typing on a machine that is developed through advances in mathematics and pure theory (and some of what is the theory can not be experimentally tested in the quantum physics used to develop processes to tunnel electrons that make processors work) and state theory has no part in the real world. How sad.

"I'd love to see such a study. It does not exist."

HUH! Do you read any academic journals? IEEE, ACM... I suggest that you do a search before stating this.

This idea that your logs are not full of junk as you have obscurity? Where did this come from? Please?

Stating that I agreed with you in terms of obscurity is not the case in terms of a low level of mathematical knowledge in the IT and hacker community. The knowledge is open and available. It is not obscure. There is a clear difference between obscurity and ignorance. Also, this is a threat, not a security feature.

"It would take you forever to assess all 65,535 TCP and UDP ports"

As for the how longs, scanning externally generally takes 2-3 hours of time setting up. A weekend to run and a night to run the results through an inference engine. Clients do not pay for computer time - so minimal. Ports and addresses are randomised and if I was not doing this for money I would spread it over a month, but either way I get about 1 in 10 for being accurately detected.

I think that you need to come to understand the real cost of a control. Economic cost is not financial cost, but it is the one that matters most. I would suggest that you read up on what the two terms are.
Your comments on costs demonstrate that you do not understand economic cost. This is not a cash cost. There is more to it.

Craig

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
www.bdo.com.au

________________________________
From: listbounce () securityfocus com on behalf of levinson_k () securityadmin info
Sent: Fri 13/04/2007 1:42 PM
To: security-basics () securityfocus com
Subject: Re: RE: Re: Re: Re: Concepts: Security and Obscurity
> Obscurity does not work.

It is impossible for you to make that assertion for all environments and situations. "Obscurity" includes a lot of different things. You cannot do a risk assessment in an ivory tower without knowledge of the specific environment, threats, etc.

> Here we get to the real point. Obscurity is not the factor that is increasing the security of the site. You have a confounding variable in this model. That is monitoring.

Exactly. It is pointless in the real world to try to say that obscurity never works, because methods of obscurity are often inexplicably tied to other benefits. So maybe you're using a purely theoretical model that doesn't apply in the real world.

> To test the effectiveness of obscurity scientifically you have to remove or make account for the confounding variables.

This kind of pure theoretical study would have no value in actual real world security.

> In a test that is determined scientifically and without bias, the results show that obscurity does not reduce risk and is thus not a benefit.

I'd love to see such a study. It does not exist. Obscurity often reduces certain risks (script kiddies, viruses, etc.), while doing nothing to increase other risks (some determined attackers). This is what you call your win-win scenario.

> When scanning a site managed by professional 24x7 firms, with notice, I have rarely had them become aware (maybe 1 in 10) of the fact that the client is being tested.

That's because their logs are full of junk. Because they're not using obscurity.

> It is randomised and over time and uses event sequence mining to reconstruct the ruleset (i.e. maths).

I would love to see you do such a low and slow scan of a site that uses a nonstandard TCP/IP port and something like port knocking. It would take you forever to assess all 65,535 TCP and UDP ports, certainly longer than your typical penetration testing engagement. Therefore, obscurity works. You keep arguing against obscurity by cherry picking these extreme cases of a very determined and experienced attacker. Yes, some attackers could bypass obscurity, and also antivirus, firewalls, etc. No one ever claimed obscurity would prevent these things. This does not make them useless at reducing risk. In risk assessments, countermeasures are tied to specific threats they are meant to mitigate. You are intentionally taking other irrelevant threats to try to claim zero effectiveness of obscurity. You also assert that obscurity is always expensive, despite many examples to the contrary. You are making "always" and "never" statements that are frequently impossible to support, certainly not by cherry picking certain extreme examples.

> I do however guess that gets rid of much of the "hacker" community these days, of course, as it requires that SAS, SPSS, R or some other statistical package is used and does not rely on a tool.

So then we are in agreement that obscurity is effective at reducing certain risks. Thank you!

> The confusion here is that you are assuming that this is the only (or best) method to increase log visibility and that this will find the attacker.

I did not. But it may very well be a good method to use, as it costs little or nothing. You cannot prove that this method is never a useful method. But it is easy to prove that it might *sometimes* be a useful method.

kind regards,
Karl Levinson
http://securityadmin.info
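Both posters touch the same monitoring problem from opposite sides: Craig says a randomised scan spread over days or weeks is accurately noticed only about 1 in 10 times, and Karl says that is because the logs are full of junk. The following is an added example written for this archive page, not code from either poster. It constructs a busy two-week firewall log (thousands of ordinary web hits plus one scanner probing a few random ports a day) and shows why a per-hour rate threshold never fires on the slow sweep, while counting distinct destination ports per source over a seven-day sliding window, after excluding the ports the host actually serves, surfaces it. The log format, addresses, seed and thresholds are all assumptions made up for the example.

```python
"""Surfacing a low-and-slow, randomised port sweep in busy firewall logs.

Added example for this thread, not code from either poster. The log format,
addresses and thresholds below are constructed for the example and are not
any product's real format or any real traffic.
"""
import random
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed record shape: "<iso-ts> ALLOW|DENY src=.. dst=.. dport=.. proto=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def build_sample_log(seed=7):
    """Construct two weeks of traffic: 3000 ordinary hits to 80/443 (the 'junk')
    from many clients, plus one scanner probing 40 random ports about 6 hours
    apart with jitter, emitted in shuffled order."""
    rng = random.Random(seed)
    start = datetime(2007, 4, 1)
    lines = []
    for _ in range(3000):
        t = start + timedelta(minutes=rng.randrange(14 * 24 * 60))
        src = f"192.0.2.{rng.randrange(1, 200)}"
        port = rng.choice([80, 443])
        lines.append(f"{t.isoformat()} ALLOW src={src} dst=198.51.100.5 dport={port} proto=tcp")
    for k, port in enumerate(rng.sample(range(1, 65536), 40)):
        t = start + timedelta(hours=6 * k, minutes=rng.randrange(0, 300))
        lines.append(f"{t.isoformat()} DENY src=203.0.113.7 dst=198.51.100.5 dport={port} proto=tcp")
    rng.shuffle(lines)
    return lines


def rate_alert(events, per_hour=10):
    """The usual threshold rule: flag a source touching more than `per_hour`
    distinct ports within one clock hour. A slow sweep never trips it."""
    buckets = defaultdict(set)
    for e in events:
        buckets[(e["src"], e["ts"].replace(minute=0, second=0))].add(e["dport"])
    return sorted({src for (src, _), ports in buckets.items() if len(ports) > per_hour})


def find_slow_sweeps(events, window=timedelta(days=7), min_ports=15, served_ports=(80, 443)):
    """Return {src: max distinct non-served ports seen within any `window`} for
    every source reaching `min_ports`. Two-pointer sliding window over the
    time-sorted probes of each source; served ports are excluded up front so
    legitimate clients never accumulate a count."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] not in served_ports:
            by_src[e["src"]].append((e["ts"], e["dport"]))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window, left, best = Counter(), 0, 0
        for t, port in probes:
            in_window[port] += 1
            while t - probes[left][0] > window:  # evict probes older than the window
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[src] = best
    return flagged


def run(seed=7):
    """Build the constructed log, parse it, and apply both rules."""
    events = [e for e in map(parse_line, build_sample_log(seed)) if e]
    return rate_alert(events), find_slow_sweeps(events)


if __name__ == "__main__":
    hourly, slow = run()
    print("per-hour rule flags:", hourly)  # empty: the sweep is too slow for it
    print("7-day distinct-port rule flags:", slow)
```

The point of the two functions side by side is that the detection's window, not the scanner's rate, decides whether the sweep is visible: the hourly rule sees at most one port per source per hour, while the long window sees the same source accumulate dozens of distinct ports, which no legitimate client of a two-port host ever does.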