RE: Re: Concepts: Security and Obscurity

["Craig Wright" <Craig.Wright () bdo com au>]

No Karl, you have not provided mathematical proof or something that serves to prove your point. 
 
I stated survivability - the number of scans by service not the key to this test. The number of scans and attacks are 
differnt factors. A scan is not an attack. Now as you state, proving a negative for all cases is near impossible, but 
you have to prove the positive, and this is not being done. You have not as yet proved proof.
 
As I have stated, please provide some proof. Demonstrate how obscurity works. Either provide an experiment or a peer 
reviewed paper. Speculation is not proof. You keep stating that there are other cases to my proofs and I have stated 
that disproving a negative is often a futile effort. Please provide real proof and not just state that your views are 
proof.
 
The number of scans example is not a survivability case and is not proof for your assertion.
 
Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

________________________________


From: listbounce () securityfocus com on behalf of levinson_k () securityadmin info
Sent: Sat 14/04/2007 2:53 PM
To: security-basics () securityfocus com
Subject: Re: Re: Concepts: Security and Obscurity




> > > In a test that is determined scientifically and without bias,
> > > the results show that obscurity does not reduce risk and is thus not a
> > > benefit.
> >
> > I'd love to see such a study.  It does not exist.
>
> Actually, I believe the honeynet project compiles statistics on how well
> obfuscation of ports works, and last I read they have decided it makes
> no difference at all. Services running on nonstandard ports are
> attacked just as much as services on standard ports over time.

It is easy to demonstrate this is false.

http://www.incidents.org/top10.html

The top ports receiving unsolicited scans are all well known, published server ports:
TCP 8080
TCP 2967 (symantec)
TCP 445
TCP 139
TCP 1434
TCP 5900

Put a server on any other port, and your number of attacks is going to be demonstrably lower than the numbers above.  
Hence, reduced risk by obscurity.

Besides, given that so much hacking nowadays is financially motivated and aims at compromising the most systems 
starting with low hanging fruit, I don't see how could anyone could prove that non-standard ports are attacked just as 
often as standard ports.

Anyways, obfuscation of ports is just one example of obscurity, and any study of that countermeasure would not be 
applicable to all forms of obscurity.  That's why I objected to the absurd claim that it has been mathematically proven 
that all forms of obscurity are ineffectual, and objected to the attempts here to point out some examples of bad 
obscurity in order to prove that obscurity is universally bad.  Certainly some forms of obscurity are ineffectual.  I 
only need to point out one beneficial form of obscurity to invalidate such universal statements.  People talking about 
math should realize my side is more likely to be proven true.

There, I gave mathematical data suggesting that obscurity significantly reduces the number and type of threats it was 
intended to reduce.  Let's see some statistics proving otherwise.


> > > Obscurity does not work.
> >
> > It is impossible for you to make that assertion for all
> environments and situations. 
>
> Yes it is possible to make that assertion, based on logic and hard math.
> Security has nothing at all to do with raw numbers of break in
> attempts,

Incorrect.  Security is based on risk management and (quantitative) risk assessment, which are mathematical formulas 
that evaluate the likelihood of certain risks occurring in a given year, e.g. raw numbers of break in attempts.  
Furthermore, risk assessment, while mathematical, is pretty meaningless unless you apply it to specific situations, 
because the value, threats and existing countermeasures of a particular system are variables that have to be known and 
inserted into the mathematical formula.  That's why I say you cannot assert that obscurity is never a (cost) effective 
measure at reducing risk. 

Obscurity absolutely can and often does reduce certain kinds of risks, such as risk of script kiddies and viruses, 
frequently at very low cost.  I can't see how anyone can debate that point.  Though some here clearly do not see any 
value


> and everything to do with how resilient a system is to any
> and all attacks.

That's not how security and countermeasure evaluation, e.g. quantitative risk assessment, work.  Countermeasures are 
designed to mitigate JUST SPECIFIC THREATS, not all of them.  It is meaningless to evaluate countermeasures by 
including threats that they were never designed to mitigate.  Firewalls don't protect against social engineering, but 
that doesn't mean you don't need one.


> The "obscurity factor" is utterly irrelevant because
> it has no impact what so ever on actual security. Using offered
> examples, if your passwords are good ones it makes absolutely no
> difference how many times an attacker tries to guess them because they
> simply can't make enough attempts in any sane time frame to do any
> damage. Inversely, a single attempt is all it might take to "crack" a
> weakly protected system regardless of what port it's made on. So the
> only security one could possibly gain by limiting the numbers of
> attempts is of type "false sense".

Not true.  It is an obvious truism that most all computers, especially those on the Internet, are going to be 
vulnerable to unpatched zero day vulnerabilities from time to time.  Once a vulnerability is exploited by a network 
worm or easily downloadable script tool, your likelihood of being compromised (a key component in quantitative risk 
assessment) increases.  If you change the port on which your server listens, you evade those attacks, and your 
likelihood of being compromised decreases significantly. 

Please note here that by your purely theoretical definition, the system is just as secure in both cases, because its 
configuration and resistance to attack have not changed at all.  And yet, in the real world, the system has a reduced 
risk and/or reduced number of compromise events (which is the key result in quantitative risk assessment formulas used 
to judge security).


> conclusion that it can't be any other way. Obscurity carries with it
> precisely as much potential for disaster as it does its ability to "hide
> something". That direct relationship exists by the very definition of
> obscurity.

Most of the supposed dangers, risks and costs of obscurity are actually risks of incompetent administration and 
failures of other recommended security countermeasures such as the system procedures and configuration being 
documented.  If your sysadmin assumes a system is in the default configuration and takes a damaging action based on 
that assumption, that's arguably not the fault of obscurity, and that damage would arguably be just as likely to happen 
without obscurity, when you have an incompetent sysadmin plus inadequate documentation.


> And before we meander off into an endless debate about "would have" and
> "should have", I'll point out that all that is irrelevant. Obscurity
> adds far more complexity than it affords protection, and no amount of
> after the fact  tail chasing can change the fact that this is a bad
> thing at its core.

Another broad, unsupportable generalization.  Tell me how something like changing an FTP banner adds prohibitively 
costly complexity.  Obscurity includes a lot of different things.


> This is the brittleness experts warn you about. It's a real life issue,
> not some theoretical mumbo-jumbo. By performing tasks in "nonstandard"
> ways you're as likely to confound the good guys as the bad. Not only
> does obscurity not work, if it has any real effect at all it's
> more likely to be a negative one than not. :(

Again, quantitative risk assessment comes to the rescue.  Risk assessment is an example of theory that is useful in the 
real world.  When using risk assessment to evaluate whether or not a countermeasure is beneficial, you quantify and 
compare the amount that risks go up and down.  You are not using or demonstrating mathematics when you state that the 
increased risk/cost of obscurity's complexity outweighs the other security risks that obscurity decreases.  Are you 
jumping to conclusions, or do you have data to show that proves that in most all environments, systems and 
obscurity-related countermeasures,


> There
> may be brief respites and fluctuations, but they're invariably
> discovered and quite often attacked even harder than services on
> standard ports, for obvious reasons.

I don't see how that's very likely.  Putting hundreds of thousands of servers on the same nonstandard port would not be 
a good implementation of obscurity.  Attacking a poor implementation of anything is not really relevant to whether or 
not a good implementation of it has merit.

Besides, unless you're talking hundreds of thousands of systems using the same non-standard port, you're still pretty 
much talking about determined human attackers.  I thought I made it clear that obscurity is not intended as a 
countermeasure to determined human attackers, social engineering, earthquakes, etc.

kind regards,
Karl Levinson
http://securityadmin.info