Forwarded from: Tony | AVIEN / EWS <tonyat_private>
Cc: jerichoat_private, steveat_private, Robat_private

[Last post on this topic... - WK]

<<Our attacker visits and runs their scanning software. They find BradleyHTTP instead of Apache or IIS, which they prefer because they have an arsenal of attacks for those servers. They use Nikto or Whisker to scan out vulnerable CGIs or pages with exposed information, and get all false positives. Now what? What is the attacker going to do at this point? If s/he is intent on defacing web pages for personal amusement, s/he will move on to the next IP address because yours represents too much time to figure out. You have just thwarted an attacker by utilizing obscurity.

If they are intent on defacing that site, they have to wade through a thousand false positives to find something vulnerable. Each time they try something, BradleyHTTP is logging it, while BradleyIDS is logging and warning, and maybe BradleyFW is cutting the route from their computer to yours. It forces that attacker to spend more time on your machine and helps establish their intent (which is quite important in many cases). If they recode their scanner to deal with the 301, or if they have to look for a new point of attack, then the simple layer of obscurity was well worth the little time it took you to implement.>>

I certainly don't disagree that your example scenarios are a valid security measure. I think the examples of using non-standard web server applications or non-standard port assignments are valid and useful in securing an environment. Where I would differ with you, I guess, is on the definition of security through obscurity, or at least for the purposes of this discussion.

In a way all of security IS obscurity. You hide behind a firewall, strip header information from packets, NAT your source IP address, encrypt your communications or use steganography to hide the existence of information altogether. Almost every measure of security is designed to somehow "obscure" your information so that only those you authorize are aware of its existence or can gain access to it.

That said, in my opinion your point is apples and oranges to the "security through obscurity" debate. The security through obscurity mantra *I* am referring to is related to a vendor being aware that a vulnerability exists and choosing to ignore that fact. I am talking about a vendor operating on the philosophy that if they just don't publicly announce a flaw or vulnerability, it will remain secret and therefore won't be exploited. My point is that nine times out of ten the underground knows of a vulnerability before the vendors do, or will eventually discover it somehow. If the vendor sits on knowledge of a flaw thinking that will keep their product secure, they are mistaken. Instead, they are leaving their customers vulnerable to attacks that they could prevent but choose not to.

For a good example I would refer to the Unpatched IE Security Holes web site (http://www.pivx.com/larholm/unpatched/). Microsoft is obviously aware that these flaws exist, since they can visit this web site just like anyone else. Companies have abused and misused the DMCA to threaten security researchers and prevent them from disclosing or sharing their findings, because they would rather pretend the vulnerability doesn't exist and hope it never gets exploited than develop a patch and share the information with the public and their customers.

I see your points and I think they are valid, but it is a semantic debate. Your definition and illustrations of how to use obscurity to help secure your computer or network are entirely separate from the intent of the Security Through Obscurity mantra being touted.

Read the following articles. They don't talk about not attempting to hide or obscure your actions or implementing security measures to prevent attack; they talk about vendors not disclosing known vulnerabilities in hopes they won't have to bother issuing a patch.

http://slashdot.org/features/980720/0819202.shtml
http://www.vnunet.com/Analysis/1126488
http://www.nightfallsecurity.com/whitepapers/obscurityeu.html
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?security+through+obscurity

Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com
Click here to sign up for the weekly Internet / Network Security Newsletter: NetSecurity Newsletter
This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 04:18:52 PDT