RE: Concepts: Security and Obscurity

["Craig Wright" <Craig.Wright () bdo com au>]

As I have previously stated this is not the only means of identifying a
host. However, you will find that most routers at the ISP and other
levels do send information. Most poeople do not go to this level
however. This is not the same thing as the information not being
available.

What can be found rather quickly is any hidden gateway. A hidden gateway
is (practically) always a security control. This than places a target to
extrapolate the hosts that are behind it.

It does not need to be a "true indictator", just a probabilistic
function of of a possible security control. Other checks would than
either confirm this or dispel it.

True, multiple layers of stealthed firewalls would make a statistical
analysis of return packets difficult and if done correctly, improbable.
But what we are talking about is not a system that is likely to have
multiple inline firewalls of differing variety/manufacture/ruleset.

Again (and as a side point) this also comes down to assuming that you
are not a target and that the major threat is a random script kiddie.
This I would also dispute.

Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Daniel Miessler
Sent: Wednesday, 18 April 2007 3:42 AM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


On Apr 17, 2007, at 12:28 PM, Ansgar -59cobalt- Wiechers wrote:

> > So if I'm scanning a class B for port 22 in order to unleash a
> > zero-day exploit, how do you propose I differentiate between the dead
> > network space (i.e. there's nothing there) vs. the systems that just
> > SEEM to not be there because I get no response?
>
> You differentiate by the fact that for the former you *do* get a
> response (destination-unreachable), whereas for the latter you don't.
>
> Please read up on how TCP/IP actually works.

Yes, we're aware of the basics here, and now I ask that you scan a  
class B and see if for every system that's NOT there you get back an  
ICMP message like you're supposed to. I think you'll find that  
reality doesn't correlate well with the RFC on this matter.

Getting back proper ICMP responses from "somewhere upstream" is hit  
and miss, and therefore unreliable as a true indicator of a "hiding  
system".

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC