Information Security News mailing list archives

RE: This computer security column is banned in Canada


From: InfoSec News <isn () c4i org>
Date: Mon, 16 Jun 2003 04:15:51 -0500 (CDT)

Forwarded from: Tony | AVIEN / EWS <tony () avien org>
Cc: jericho () attrition org, steve () entrenchtech com, Rob () vmyths com

[Last post on this topic...  - WK]

<<Our attacker visits and runs their scanning software. They find
BradleyHTTP instead of Apache or IIS which they prefer because they
have an arsenal of attacks for those servers. They use Nikto or
Whisker to scan out vulnerable CGIs or pages with exposed information,
and get all false positives. Now what? What is the attacker going to
do at this point? If s/he is intent on defacing web pages for personal
amusement, s/he will move on to the next IP address because yours
represents too much time to figure out. You have just thwarted an
attacker by utilizing obscurity. If they are intent on defacing that
site, they have to wade through a thousand false positives to find
something vulnerable. Each time they try something, BradleyHTTP is
logging it, while BradleyIDS is logging and warning, and maybe
BradleyFW is cutting the route from their computer to yours. It forces
that attacker to spend more time on your machine and helps establish
their intent (which is quite important in many cases). If they recode
their scanner to deal with the 301, or if they have to look for a new
point of attack, then the simple layer of obscurity was well worth the
little time it took you to implement.>>

I certainly don't disagree that your example scenarios are a valid
security measure. I think the examples of using non-standard web
server applications or non-standard port assignments are valid and
useful in securing an environment.

Where I would differ with you I guess is on the definition of security
through obscurity, or at least for the purposes of this discussion. In
a way all of security IS obscurity. You hide behind a firewall, strip
header information from packets, NAT your source IP address, encrypt
your communications or use steganography to hide the existence of
information altogether. Almost every measure of security is designed
to somehow "obscure" your information so that only those you authorize
are aware of its existence or can gain access to it.

That said, in my opinion your point is apples and oranges to the
"security through obscurity" debate. The security through obscurity
mantra *I* am referring to is related to a vendor being aware that a
vulnerability exists and choosing to ignore that fact. I am talking
about a vendor operating on the philosophy that if they just don't
publicly announce a flaw or vulnerability that it will remain secret
and therefore won't be exploited.

My point is that nine times out of ten the underground knows of a
vulnerability before the vendors do or will eventually discover it
somehow. If the vendor sits on knowledge of a flaw thinking that will
keep their product secure they are mistaken. Instead, they are leaving
their customers vulnerable to attacks that they could prevent but
choose not to. For a good example I would refer to the Unpatched IE
Security Holes web site (http://www.pivx.com/larholm/unpatched/).
Microsoft is obviously aware that these flaws exist since they can
visit this web site just like anyone else.

Companies have abused and misused the DMCA to threaten security
researchers and prevent them from disclosing or sharing their findings
because they would rather pretend the vulnerability doesn't exist and
hope it never gets exploited rather than developing a patch and
sharing the information with the public and their customers.

I see your points and I think they are valid, but it is a semantic
debate. Your definition and illustrations of how to use obscurity to
help secure your computer or network are entirely separate from the
intent of the Security Through Obscurity mantra being touted. Read the
following articles; they don't talk about not attempting to hide or
obscure your actions or implementing security measures to prevent
attack; they talk about vendors not disclosing known vulnerabilities
in hopes they won't have to bother issuing a patch.

        http://slashdot.org/features/980720/0819202.shtml

        http://www.vnunet.com/Analysis/1126488

        http://www.nightfallsecurity.com/whitepapers/obscurityeu.html

        http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?security+through+obscurity


Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com

Click here to sign up for the weekly Internet / Network Security
Newsletter: NetSecurity Newsletter
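The quoted scenario depends on the web server logging every probe that returns a 301 so that a scanner that moves on can be told apart from someone who stays and works through the false positives. The following log-triage routine is an added example, not code from the post or its author; the Common Log Format sample lines, addresses, probe paths and thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed Common Log Format lines (not from the post): two sources hit only
# "false positive" probe paths; one is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2003:04:10:01 -0500] "GET /cgi-bin/phf HTTP/1.0" 301 0
203.0.113.7 - - [16/Jun/2003:04:10:02 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 301 0
203.0.113.7 - - [16/Jun/2003:04:10:02 -0500] "GET /_vti_bin/ HTTP/1.0" 301 0
203.0.113.7 - - [16/Jun/2003:04:10:03 -0500] "GET /admin/ HTTP/1.0" 301 0
198.51.100.4 - - [16/Jun/2003:04:12:30 -0500] "GET /index.html HTTP/1.1" 200 1532
198.51.100.4 - - [16/Jun/2003:04:12:31 -0500] "GET /style.css HTTP/1.1" 200 204
192.0.2.9 - - [16/Jun/2003:04:20:00 -0500] "GET /cgi-bin/phf HTTP/1.0" 301 0
192.0.2.9 - - [16/Jun/2003:04:35:10 -0500] "GET /admin/ HTTP/1.0" 301 0
192.0.2.9 - - [16/Jun/2003:04:51:45 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 301 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_sessions(log_text, min_probes=3, persist_minutes=10):
    """Group missed requests (3xx/4xx) per source IP and label the pattern.
    A burst of distinct probe paths within seconds reads as a scanner sweep that
    moved on; the same count spread over many minutes suggests hands-on work."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, status = m.groups()
        if status[0] not in "34":
            continue  # successful responses are normal traffic, not probes
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = sessions.setdefault(ip, {"paths": set(), "first": when, "last": when})
        s["paths"].add(path)
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    report = {}
    for ip, s in sessions.items():
        probes = len(s["paths"])
        if probes < min_probes:
            continue  # a stray 404 or two is not a scan
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        label = "persistent" if minutes >= persist_minutes else "drive-by scan"
        report[ip] = {"probes": probes, "minutes": round(minutes, 1), "label": label}
    return report

if __name__ == "__main__":
    for ip, info in scan_sessions(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probes over {info['minutes']} min -> {info['label']}")
```

The thresholds are deliberately crude; in practice the "persistent" label is the one worth paging on, since it is the source whose intent the quoted passage says the logs help establish.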




-
ISN is currently hosted by Attrition.org
