Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Wed, 18 Apr 2007 12:36:25 +1000
I have to agree with Ansgar on this:
"Disabling SSID broadcasts is probably the single most ridiculous
example you could come up with. Could you please refrain from spreading
this nonsense?"
It seems that some people have the idea that there is a special
difference between determined attackers and those who are just there/out
for a lark and that we always know the difference. How do you know? What
are you correlating? A good determined attacker will attack and recon
from separate addresses or hosts. Use zombies etc. Correlating my IDS
information to reference an attack can at times take days and I have to
make the assumption that attacks from a single C Class could be the same
person - at least probabilistically.
Please explain how you know or how you can correlate attacks from a
determined attacker to map all the addresses that they may use. Some
Zombie networks consist of thousands of hosts [1].
The idea that manually watching a log for an address is unfounded for
correlating attacks by a determined attacker - maybe once in the past -
but the world has moved on. Even port scanning correlations only get the
simple/fast scans.
I could scan 1 port at a time for a random host on a zombie network.
Please explain how this will be noticed as an attack by a single
determined attacker and not a random port blocked in my logs. Do you
have a list of zombie networks? If so I would like a copy - I will even
pay money - lots for this information!
So to get back to the real issue, survivability. How long will the
system survive? The cost of implementing a control - even if minor - has
to provide a gain - even if minor. All gains are measurable - at least
probabilistically. What am I getting in a real sense - not a warm and
fuzzy - I never have those - but in a true quantified state of security?
How much time have I gained? If I am scanned from a zombie and then
attacked - with the portknocking sequence - how do I detect this?
Different addresses and hosts after all.
Warm fuzzy feeling V. Increased time to survive an attack...
I know my choice. No one has as yet explained or demonstrated that I
will gain time. Maybe some script kiddie who has been at it all of a
week will be discouraged - but who cares - they are not what I care
about anyway.
My home address averages 12,700,778 separate attacks per day. Yes this
likely is not normal and demonstrates my popularity :P. So please state
how I correlate these, sort them, pick zombies who are chained and then
rely on no attacker having mapped my network and controls?
Let us call this the economic cost analysis of security. I have heard
some valid hypotheses and I am awaiting the experiments that are to be
run on this, but until I have proof, there is no way I will
believe claims that obscurity adds value. There is too much evidence
against it and to have this belief would not be based on logically sound
scientific reasoning.
In fact, I will go as far as:
[1] Home router - Cisco (patched 1 week ago)
[2] 100 base switch - unmanaged
    Snort engine
    Scanning machine (linux)
    Scanning machine (solaris)
    Randomly placed honeypots for an experiment...
[3] IPTables firewall (2 interfaces)
    NO NAT used at all - I have NO hidden addressing - all a C Class
    Snort Engine
[4] Personally updated Gauntlet Firewall on Solaris (Sun not Intel)
[5] Cisco Managed Switch
    Windows 2000/2003 domain
    Windows XP hosts
    Linux host with MySQL
    MS SQL host
    2x File servers
    Domain controllers
    About 12 client machines
    Microsoft Exchange Server 2003
Snort is set to update the external firewall rules - still a
little iffy with this, but it seems to work.
There is a VPN as well. The network is 203.57.21.0/24
So little obscurity. At least for my home network. Please explain how
this makes me quantifiably less secure? This is not permission, but I am
sure that some on the list will make this a challenge, but the good ones
I figure already know this and have already targeted me ;) Just my
popular nature.
Here is a test in itself. Though I have not authorised any attack, I am
sure that they will now increase - just to see... I doubt that there is
any additional risk. I will let you know, but I doubt a real change.
Regards,
Craig
[1] http://query.nytimes.com/gst/fullpage.html?res=9B02EEDE1530F934A35752C0A9619C8B63
Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Tuesday, 17 April 2007 7:47 AM
To: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity
On 2007-04-16 levinson_k () securityadmin info wrote:
> To give proof relating to the example of wireless... a good example of
> obscurity with wireless would be disabling SSID broadcast. The benefit
> of this has been debated (again because it does not defeat a determined
> attacker, and was never designed to). Nevertheless, doing so is a common
> security suggestion and at least some people find this a useful benefit,
> especially in home uses where nonskilled attackers and viruses are a much
> more likely risk than a determined attacker. Disabling SSID broadcast
> raises the bar that an attacker must pass to compromise a system. If you
> choose not to disable SSID broadcast, that's your call, and it can be the
> right call depending. But you're arguably lowering the bar to the point
> where unskilled attackers become equal in threat as determined attackers.
> All you need to crack the system is any unpatched or unmitigated vuln.
> The attacker no longer needs skill, time or effort.

Disabling SSID broadcasts is probably the single most ridiculous example
you could come up with. Could you please refrain from spreading this
nonsense? Disabling SSID broadcasts does *not* - in any way, form, or
manner - add anything of even remote significance to network security.
Most (if not all) wireless cracking tools will show a list of all wireless
networks (broadcasting or not), from which the undetermined attacker will
simply chose arbitrarily, whereas the determined attacker will know his
target anyway.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
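The correlation problem Craig raises earlier in the thread (per-source scan thresholds only catch the simple/fast scans, and the best one can do with distributed sources is assume that hits from a single C Class belong to one attacker) can be made concrete with a small detection experiment. The following is an added example written for this archive page, not code from either poster: it parses constructed iptables/syslog-style drop lines, counts distinct destination ports per source address and per source /24 inside a sliding time window, and reports which keys cross a threshold. The log lines, the addresses (RFC 5737 documentation and RFC 1918 ranges), the 60-second window and the threshold of 5 ports are all assumptions chosen for the demonstration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (iptables LOG target style). Three scenarios:
#  1. a fast scan from one host (192.0.2.10) hitting six ports in a few seconds;
#  2. a slow scan spread over six hosts in one /24, one port each;
#  3. the same scan spread over six hosts in six different /24s.
SAMPLE_LOG = """\
Apr 18 01:00:00 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=21
Apr 18 01:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=22
Apr 18 01:00:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=23
Apr 18 01:00:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 18 01:00:04 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=80
Apr 18 01:00:05 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=443
Apr 18 01:05:00 fw kernel: IN=eth0 SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP DPT=21
Apr 18 01:05:10 fw kernel: IN=eth0 SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP DPT=22
Apr 18 01:05:20 fw kernel: IN=eth0 SRC=198.51.100.13 DST=203.0.113.5 PROTO=TCP DPT=23
Apr 18 01:05:30 fw kernel: IN=eth0 SRC=198.51.100.14 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 18 01:05:40 fw kernel: IN=eth0 SRC=198.51.100.15 DST=203.0.113.5 PROTO=TCP DPT=80
Apr 18 01:05:50 fw kernel: IN=eth0 SRC=198.51.100.16 DST=203.0.113.5 PROTO=TCP DPT=443
Apr 18 01:10:00 fw kernel: IN=eth0 SRC=10.0.1.1 DST=203.0.113.5 PROTO=TCP DPT=21
Apr 18 01:10:10 fw kernel: IN=eth0 SRC=10.0.2.1 DST=203.0.113.5 PROTO=TCP DPT=22
Apr 18 01:10:20 fw kernel: IN=eth0 SRC=10.0.3.1 DST=203.0.113.5 PROTO=TCP DPT=23
Apr 18 01:10:30 fw kernel: IN=eth0 SRC=10.0.4.1 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 18 01:10:40 fw kernel: IN=eth0 SRC=10.0.5.1 DST=203.0.113.5 PROTO=TCP DPT=80
Apr 18 01:10:50 fw kernel: IN=eth0 SRC=10.0.6.1 DST=203.0.113.5 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse(log, year=2007):
    """Return a list of (timestamp, source IPv4Address, destination port).

    Syslog lines carry no year, so one is supplied (assumption for the sample)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line; ignore
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, ipaddress.ip_address(m.group(2)), int(m.group(3))))
    return events


def max_distinct_ports(events, key_fn, window):
    """For each key (host or /24) return the largest number of distinct
    destination ports seen within any window of length `window`."""
    by_key = defaultdict(list)
    for ts, src, port in events:
        by_key[key_fn(src)].append((ts, port))
    result = {}
    for key, evs in by_key.items():
        evs.sort()
        counts = Counter()  # port -> hits currently inside the window
        lo = best = 0
        for ts, port in evs:
            counts[port] += 1
            while evs[lo][0] < ts - window:  # expire events older than the window
                old_port = evs[lo][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                lo += 1
            best = max(best, len(counts))
        result[key] = best
    return result


def flag(events, threshold=5, window=timedelta(seconds=60)):
    """Return (per-host alerts, per-/24 alerts): keys whose distinct-port count
    within one window reaches the threshold."""
    per_host = max_distinct_ports(events, lambda ip: ip, window)
    per_net = max_distinct_ports(
        events, lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False), window)
    return ({k: n for k, n in per_host.items() if n >= threshold},
            {k: n for k, n in per_net.items() if n >= threshold})


if __name__ == "__main__":
    hosts, nets = flag(parse(SAMPLE_LOG))
    print("per-host alerts:", {str(k): v for k, v in hosts.items()})
    print("per-/24 alerts: ", {str(k): v for k, v in nets.items()})
```

Run against the sample, the per-host correlator flags only the fast scanner, the per-/24 correlator additionally catches the scan spread across one C Class, and neither sees the scan spread across six networks: each source generated a single blocked port, which is exactly the "random port blocked in my logs" problem. The aggregation key is the only thing that changed between the three outcomes, which is why the choice of correlation assumption, not the logging itself, decides how much time a defender gains.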