Information Security News mailing list archives

RE: This computer security column is banned in Canada


From: InfoSec News <isn () c4i org>
Date: Fri, 13 Jun 2003 03:29:44 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>
Cc: tony () avien org

: Forwarded from: Tony | AVIEN / EWS <tony () avien org>
: Cc: steve () entrenchtech com, Rob () vmyths com
:
: There are articles and papers everywhere talking about why Security
: Through Obscurity doesn't work as an effective security measure. It is
: a bureaucratic dream that if only you pretend the problem doesn't
: exist or hide its existence from the general population that the
: problem will go away.

I don't know where to begin.

"Security through obscurity doesn't work" yadda yadda. This has been
parroted by a majority of the security industry for a long time. For
those who have only been working in the security field for the past
two or three years, this is especially true. It seems they read a
paper or some CISSP instructor told them and they believed it. Not
only believed it, but began preaching it with a fervor typically found
in bible schools or cults. If any of these "security experts" would
stop to talk about obscurity over a few beers at the next conference,
eyes might open a bit more. More on obscurity in a bit.

Your second sentence .. I simply can't tell if this is two separate
thoughts put together in the same paragraph, or if you have made the
most simple of mistakes when talking about the "security through
obscurity" concept. Obscurity isn't pretending the problem doesn't
exist. It isn't hiding the existence of a problem typically, just
making that problem more difficult to find or reach. In a nutshell,
this is no different than putting vulnerable systems behind a strong
external layer of security really, where firewalls and IDS guard
unpatched Windows NT boxes that haven't seen their first security
patch.

While the legions of certified security experts tout these policies
and concepts, companies are losing out big. Relying on obscurity as
the primary means of protection is a bad idea, no one will argue that.
But for those taking it one step farther and saying it offers *no*
security or "isn't effective", simply don't understand security or
obscurity.  If you break it down by the cost to implement, it's a much
better value than some of the commercial products or security
consultants you pay for. It certainly can have a place and is one
layer of security a company should consider, in conjunction with other
forms of security.

: Do the students have to develop new viruses to learn about viruses-
: no. But, to quote Albert Einstein "You cannot solve the problem with
: the same kind of thinking that has created the problem."

To quote Denzel Washington in _Training Day_: "This shit is chess, not
checkers".

: Read the article I wrote on this controversial topic:
: http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm

Bland article, but it did lead me to:
http://netsecurity.about.com/cs/generalsecurity/a/aa060103.htm
Security Through Obscurity: What You Don't Know CAN Hurt You

This two page article barely nicked the surface of security, obscurity
or anything related and instead seems to weakly tackle the full
disclosure argument more than anything. After hinting about it a
little, the article finally concludes:

  Ignorance is not bliss. Security through obscurity doesn't work. It only
  means that the bad guys know things that you don't and will exploit your
  ignorance to the fullest every opportunity they get.

If we look at the basic definition of obscurity:
http://dictionary.reference.com/search?q=obscurity

2a: The quality or condition of being unknown
2b: One that is unknown.
3a: The quality or condition of being imperfectly known or difficult to
    understand
3b: An instance of being imperfectly known or difficult to understand.

Your point is that obscurity is a scenario where you don't know
something about your network and the attacker does. This is
fundamentally wrong, even if you use the "security through obscurity"
maxim like most security experts preach. Obscurity is not ignorance,
it is making something more difficult to find or more unknown to the
attacker. It doesn't necessarily equate to ignoring your own problems
or vulnerabilities. Loyal ISN readers should add dictionary.com to
their arsenal along with netsecurity.about.com I think.

Now, let's apply this to the most basic of scenarios in a network
environment and see if your assertion holds true. Let's take a machine
running a web server as an example, since it is a favorite place for
attackers to start. Instead of running Apache or IIS or Lotus, let's
run something different, that most people haven't run into, and call
it BradleyHTTP. In this software, we don't identify the version of
software we run, we return 301 instead of 404 and redirect them to the
front page, etc. These changes sound like they meet the criteria of
making the server "imperfectly known or difficult to understand" since
it isn't giving clear answers to many requests (namely 404 in this
example) that others do. As such, it is using obscurity as one of many
layers of security.

Our attacker visits and runs their scanning software. They find
BradleyHTTP instead of Apache or IIS which they prefer because they
have an arsenal of attacks for those servers. They use Nikto or
Whisker to scan out vulnerable CGIs or pages with exposed information,
and get all false positives. Now what? What is the attacker going to
do at this point? If s/he is intent on defacing web pages for personal
amusement, s/he will move on to the next IP address because yours
represents too much time to figure out. You have just thwarted an
attacker by utilizing obscurity. If they are intent on defacing that
site, they have to wade through a thousand false positives to find
something vulnerable. Each time they try something, BradleyHTTP is
logging it, while BradleyIDS is logging and warning, and maybe
BradleyFW is cutting the route from their computer to yours. It forces
that attacker to spend more time on your machine and help establish
their intent (which is quite important in many cases). If they recode
their scanner to deal with the 301, or if they have to look for a new
point of attack, then the simple layer of obscurity was well worth the
little time it took you to implement.

Another simple example is moving HTTPD off port 80 to some random
unassigned port. Security experts will be quick to cry "this isn't
security! security through obscurity is no security at all!". When
they are done foaming at the mouth and forcing their sales information
down your throat, consider it. A bulk of attackers looking to deface
web pages do what? They run a scanner that checks a few simple
conditions. First, is port 80 answering? Second, is it HTTP like?
Third, is Vulnerable CGI 1.3 present? Fourth, can it be exploited? The
attackers use these scripts and sweep entire class B networks at a
time. They don't care who you are, the name of your company, or
anything else. You are nothing but an IP address to them until they
find you vulnerable, then they *might* care. So in this example, by
moving HTTPD off port 80 to anything else did what? Protected you from
one of thousands of the mass scanner/defacers out there. What elite
certified security mechanism did you use to thwart the attack?
Obscurity.


: Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+

Jericho, Security Curmudgeon
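The "BradleyHTTP" scenario in the post above, worked through as an added example (this is not code from Jericho's post, and BradleyHTTP is the post's hypothetical server, not real software). The block models two responders: a conventional server that answers 404 for missing paths, and the obscured one that omits its version banner and answers 301 to the front page instead. It then shows what a naive scanner that treats "not 404" as "present" concludes from each, and, on the defender's side, how the access log the post says BradleyHTTP keeps lets you pick out a source that is probing rather than browsing. The known-path set, probe list, source addresses and log format are all constructed for the example.

```python
"""Model of the obscurity layer described in the ISN post (added example).

Assumptions (mine, not the post's): the server knows a small set of real
paths; every unknown path is answered 301 to the front page instead of 404;
no Server header is sent; every request is written to an access log whose
format is constructed here as "ip path status".
"""
from collections import Counter

# Constructed: the paths that really exist on the site.
KNOWN_PATHS = {"/", "/index.html", "/about.html"}

# Constructed probe list, the sort of CGI/admin paths a scanner asks for.
# They are opaque strings here; nothing is exploited.
PROBE_PATHS = [
    "/cgi-bin/test-cgi", "/cgi-bin/phf", "/admin/", "/scripts/",
    "/_vti_bin/", "/cgi-bin/formmail.pl", "/about.html",
]

# Constructed traffic: one scanner walking the probe list, one visitor
# reading two real pages.  Addresses are from documentation ranges.
SAMPLE_REQUESTS = [("198.51.100.7", p) for p in PROBE_PATHS] + [
    ("203.0.113.5", "/"), ("203.0.113.5", "/about.html"),
]


def conventional_response(path):
    """Ordinary server: 200 for known paths, 404 otherwise, banner included."""
    headers = {"Server": "ExampleHTTPD/1.0"}  # constructed banner
    return (200 if path in KNOWN_PATHS else 404), headers


def bradley_response(path):
    """The post's obscured server: no banner, unknown paths redirected."""
    if path in KNOWN_PATHS:
        return 200, {}
    return 301, {"Location": "/"}


def scanner_verdicts(respond, probes=PROBE_PATHS):
    """How a naive scanner reads the answers: anything that is not a 404 is
    recorded as 'present'.  Returns {path: present?}."""
    return {p: respond(p)[0] != 404 for p in probes}


def false_positive_count(respond, probes=PROBE_PATHS):
    """Probes reported 'present' although the path does not exist."""
    verdicts = scanner_verdicts(respond, probes)
    return sum(1 for p, hit in verdicts.items() if hit and p not in KNOWN_PATHS)


def serve_and_log(requests, respond):
    """Run (src_ip, path) pairs through a responder; return access-log lines."""
    return [f"{ip} {path} {respond(path)[0]}" for ip, path in requests]


def flag_probing_sources(log_lines, threshold, miss_statuses=("301", "404")):
    """Defender side: a source that keeps requesting paths that do not exist
    is probing, not browsing.  Returns {ip: miss_count} for sources at or
    above threshold.  Works on either responder's log, since both record a
    miss (as 404 or as the front-page redirect)."""
    misses = Counter()
    for line in log_lines:
        ip, _path, status = line.split()
        if status in miss_statuses:
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    for name, responder in (("conventional", conventional_response),
                            ("BradleyHTTP", bradley_response)):
        print(f"{name}: scanner false positives =",
              false_positive_count(responder))
        log = serve_and_log(SAMPLE_REQUESTS, responder)
        print(f"{name}: probing sources =", flag_probing_sources(log, 5))
```

The point the numbers make is the one in the post: against the conventional server the probe list yields a clean answer (one real page, six misses), while against the obscured server every probe comes back looking "present", so the scanner's output is worthless without manual follow-up. Meanwhile the same log gives the defender six misses from one address in a row, which is the kind of record of intent the post says matters.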



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
