Security Basics mailing list archives
RE: Concepts: Security and Obscurity
From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Wed, 18 Apr 2007 12:36:25 +1000
I have to agree with Ansgar on this: "Disabling SSID broadcasts is probably the single most ridiculous example you could come up with. Could you please refrain from spreading this nonsense?" It seems that some people have the idea that there is a special difference from determined attackers and those who are just there/out for a lark and that we always know the difference. How do you know? What are you correlating? A good determined attacker will attack and recon from separate addresses or hosts. Use zombies etc. Correlating my IDS information to refernce an attack can at times take days and I have to make the assumption that attacks from a single C Class could be the same person - at least probabilistically. Please explain how you know or how you can correlate attacks from a determined attacker to map all the addresses that they may use. Some Zombie networks consist of thousands of hosts [1]. The idea that manually watching a log for an address is unfounded for correlating attacks by a detemined attacker - maybe once in the past - but the world has moved on. Even port scanning correlations only get the simple/fast scans. I could scan 1 port at a time for a random host on a zombie network. Please explain how this will be noticed as an attack by a single determined attacker and not a random port bvlocked in my logs. Do you have a list of zombie networks? If so I would like a copy - I will even pay money - lots for this information! So to get back to the real issue, survivability. How long will the system survive. The cost of implementing a control - even if minor - has to provide a gain - even if minor. All gains are measurable - at least probabilistically. What am I getting in a real sense - not a warm and fuzzy - I never have those - but in a true quantified state of security? How much time have I gained? If I am scanned from a zombie and than attacked - with the portknocking sequence - how do I detect this? Different addresses and hosts after all. Warm fuzzy feeling V. Increased time to survive an attack... I know my choice. No one has as yet explained or demonstrated that I will gain time. Maybe some script kiddie who has been at it all of a week will be discouraged - but who cares - they are not what I care about anyway. My home address averages 12,700,778 separate attacks per day. Yes this likely is not normal and demonstartes my popularity :P. So please state how I correlate these, sort them, pick zombies who are chained and than rely on no attacker having mapped my network and controls? Lets us call this the economic cost analysis of security. I have heard some valid hypothesises and I awaiting the experiments that are to be run on this, but untill I have proof, than there is no way I will believe claims thaty obscurity adds value. There is too much evidence against it and to have this belief would not be based on logically sound scientific reasoning. In fact, I will go as far as: [1] Home router - Cisco (patched 1 week ago) [2] 100 base switch - unmanaged Snort engine Scanning machine (linux) Scanning machine (solaris) Randomly placed honeypots for an experiment... [3] IPTables firewall (2 interfaces) NO NAT used at all - I have NO hidden addressing - all a C CLass Snort Engine [4] Persaonally updated Gauntlet Firewall on Solaris (Sun not Intel) [5] Cisco Managed Switch Windows 2000/2003 domain Windows XP hosts Linux host with MySQL MS SQL host 2x File servers Domain controllers About 12 client machines Microsoft Exchange Server 2003 Snort is set to update the external firewall rules - still a little iffy with this, but it seems to work. There is a VPN as well. The network is 203.57.21.0/24 So little obscurity. At least for my home network. Please explain how this make me quantifiably less secure? This is not permission, but I am sure that some on the list will make this a challenge, but the good ones I figure already know this and have already targeted me ;) Just my popular nature. Here is a test in itself. Thgough I have not authorised any attack, I am sure that they will now increase - just to see... I doubt that there is any additional risk. I will let you know, but I doubt a real change. Regards, Craig [1] http://query.nytimes.com/gst/fullpage.html?res=9B02EEDE1530F934A35752C0A 9619C8B63 Craig Wright Manager of Information Systems Direct +61 2 9286 5497 Craig.Wright () bdo com au BDO Kendalls (NSW) Level 19, 2 Market Street Sydney NSW 2000 GPO Box 2551 Sydney NSW 2001 Fax +61 2 9993 9497 www.bdo.com.au Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers Sent: Tuesday, 17 April 2007 7:47 AM To: security-basics () securityfocus com Subject: Re: Concepts: Security and Obscurity On 2007-04-16 levinson_k () securityadmin info wrote:
To give proof relating to the example of wireless... a good example of obscurity with wireless would be disabling SSID broadcast. The
benefit
of this has been debated (again because it does not defeat a
determined
attacker, and was never designed to). Nevertheless, doing so is a common security suggestion and at least some people find this a useful benefit, especially in home uses where nonskilled attackers and
viruses
are a much more likely risk than a determined attacker. Disabling SSID broadcast raises the bar that an attacker must pass to compromise a system. If you choose not to disable SSID broadcast, that's your call, and it can be the right call depending. But you're arguably lowering the bar to the point where unskilled attackers
become
equal in threat as determined attackers. All you need to crack the system is any unpatched or unmitigated vuln. The attacker no longer needs skill, time or effort.
Disabling SSID broadcasts is probably the single most ridiculous example you could come up with. Could you please refrain from spreading this nonsense? Disabling SSID broadcasts does *not* - in any way, form, or manner - add anything of even remote significance to network security. Most (if not all) wireless cracking tools will show a list of all wireless networks (broadcasting or not), from which the undetermined attacker will simply chose arbitrarily, whereas the determined attacker will know his target anyway. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- RE: Concepts: Security and Obscurity, (continued)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- Re: Re: Concepts: Security and Obscurity TheGesus (Apr 17)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- Re: Re: Concepts: Security and Obscurity TheGesus (Apr 17)
- Re: Re: Concepts: Security and Obscurity levinson_k (Apr 17)
- RE: RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Re: Concepts: Security and Obscurity Nhon Yeung (Apr 17)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Re: Concepts: Security and Obscurity Craig Wright (Apr 17)
- RE: Concepts: Security and Obscurity Craig Wright (Apr 19)
- Re: Re: Concepts: Security and Obscurity Lord Bane (Apr 23)