Security by obscurity
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Security by obscurity

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    339

    Security by obscurity

    Forgive my ignorance, but I don't really understand if one is against security by obscurity.

    I mean, passwords and encryption to me are obvious implementation of it. You can't get access because you don't know the password or encryption key (it's hidden/obscured). Once you know (how to get) it, you're in. And it's just a matter of time (i.e. processing power) to crack them. IMHO only physical protections, such as physical key/access, biometric key, (two factor) token, etc, give the real "security not by obscurity" thing (not necessarily provide the best protection).

    Security gurus please shed some light on this... Thanks.

    Peace always,
    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  2. #2
    By no means am I a guru, but I agree. All encryption is vulnerable to brute force, even if the processing time is unrealistic. But the demand for communication over the wire requires protection, and that justifies the use of encryption to safeguard it.

    The only other way to securely pass along information is to physically present it, and even then you can get mugged.

  3. #3
    Banned
    Join Date
    Nov 2003
    Posts
    1,161

    Re: Security by obscurity

    Originally posted here by jdenny
    Forgive my ignorance, but I don't really understand if one is against security by obscurity.

    I mean, passwords and encryption to me are obvious implementation of it. It's just a matter of time (i.e. processing power) to crack them. IMHO only physical protections, such as physical key/access, biometric key, (two factor) token, etc, give the real "security not by obscurity" thing (not necessarily provide the best protection).

    Security gurus please shed some light on this... Thanks.

    Peace always,
    <jdenny>
    Encryption is highly useful for communicating with remote hosts.

    Yes, signing is handy, but if the host has been compromised, it is utterly useless and serves little beyond false security.

    The problem with encryption is, it places to high a value on trust: "I'll accept this and give you whatever you want due to the fact that I trust you have not been compromised." This is a bad policy. If you are relying on encryption for verification, you are begging for problems.

    If you are going to assume things are insecure, sure encryption helps... the problem is that when people use encryption they assume they don't need to worry about the rest. Also, organizations have limited resources in both time and money and frequently it is much better to use consolidated security rather then trying to encrypt everything... what if a host gets compromised? Encryption is of zero use at that point. I am not saying encryption is bad... but it is frequently a last thing I would establish and only if resources permitted.

    Encryption fails because no matter how good your lock on the door is, if an attacker has broken in through the window. Encryption fails to protect the systems themselves. I suppose in a perfect world where every single server and every single users had their own certs and sigs encryption would be a great thing, but the fact remains that the vast majority of systems accept anon traffic. Encryption is only useful when the data can be acquired by untrusted hosts. No other time. Over using it merely needlessly complicates your system lowering it assurance thereby reducing it's security.

    Encryption has nothing to do with system security.

    Read the DOD-STD-5200.28 "unencrypted data should be dealt with no differently then encrypted data."

    I learn from master yoda.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Security or Inscurity or Obscurity?


    An example with Paper/Rock/Scissors:

    Fact: If I play a game of Paper/Rock/Scissors, my odds of winning always start 1/2 if the game is completely random. (One chance of winning over one of tying and one of losing)
    Fact: If I know what my opponent's move will be ahead of time, I will always win.

    If I meet a kid who I know always starts off with Scissors, I can play Rock and always beat him.


    If I play against a kid I've never meet before, I have no idea what he will play. My odds of winning are 1/2 as per what is below:

    If this kid always plays Rock first, and I don't know it, my odds of winning are still 1/2 if I play a random game.
    If this kid always plays a random game (except when he knows a move in advance), my odds of winning are still 1/2 and will always be 1/2 if I play a random game.

    If I knew he always played Rock first, I could play paper first and always beat him first. From there, I am back to a 1/2 odds of winning. There is also a 1/2 odds of tying. And 1/2 odds of losing.




    Tie-in with computers:

    If I know something is loaded (Kid I meet who always plays Scissors, or maybe default file locations for popular programs) it is insecure.
    If I don't know something is loaded (Kid I never saw before who plays Rock, or maybe default file locations for programs I've never seen before) it is obscure.
    If something is not loaded (Kid who plays a random game, or maybe Cryptography) it is secure.




    I need to go to sleep now. This fairly short post took about 1.5 hours to write, and now I know for sure I'll be feeling my 4 hours of sleep per night at school...

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Security through obscurity is more the concept that computer systems attempt to hide things in plain sight. Encryption/cryptography is an overt act of hiding data and, in essense, changing or encapsulating a piece of data. A good example is say you decide to fool attackers by running your vulnerable Apache server on Port 8001 instead of 80. You choose 8001 because you know no one else will run it there (creating a false sense of security). That is security through obscurity.

    Another example would be putting your house key under the door mat because no one would look there.

    Does this make more sense/clarify a bit more?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    The examples of security by obscurity that I like is where you change the names of default user accounts or the locations of critical items.

    A malicious person or code coming looking for the defaults, won't find them.

    This is fine against script attacks but not against a hacker, who knows that the item is there and will search for it. If it is not protected by other means such as a strong password, encryption etc. it remains just as vulnerable as it was before being obscured.

    Whilst obscurity can be effective against malware it is not very good against malicious persons and should not be relied upon. I think that the "objectors" to it are afraid that it brings a false sense of security that is dangerous.

    Hope that helps
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    The way I see it, "security by obscurity" is just having a system set up or configuration, so strange and unusual that common attacks don't work.

    Essentially, although the system configuration information is unusual, it isn't "secret"... documents about it might be distributed to employees, or even partners or external contractors. In this sense, it isn't as a sensitive as a password, which never would.

    For example, if you decide to run your vulnerable web server on port 19241 instead of the usual 80, most attackers are not going to try to attack it simply because they don't know it's there. This makes it seem more secure.

    But it isn't actually any more secure - someone who KNOWS it's there can still attack it just as easily.

    Ditto for renaming the administrator account.

    So even though obscurity is in some cases, extremely effective as a security measure, it still should not be relied on.

    Slarty

  8. #8
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    Thanks to everyone who replies... especially Tim_axe with his confusing example (his idea about randomness did remind me about the cryptography concept).

    I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.

    Regarding changing the default settings, what about changing the default admin password on routers/servers/anything? Is it security by obscurity too? So if it's bad, then we don't need to change default passwords?

    To me, something is obscure if nobody or only a few people know about it. With the right skill and tools, nothing is impossible. You never know, what bored teenagers and their friends and their brothers can do with all their and their relatives PCs. If encryption can be defeated, isn't it as bad as changing default http port?

    Please don't get me wrong. I'm not encouraging security by obscurity (alone). But I don't think we must not use it.

    Peace always,
    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    Like everyone it seems, I think something is obscure if only a select few people know about something...but especially if this something being something that is insecure.

    IE, it really isn't safe to leave your key near your house because there is a chance someone might find it if the wind somehow manages to move your doormat. But provided nobody who isn't supposed to know doesn't uncover it, for all intents and purposes it doesn't look like the key is there and the house appears safe. Of course, if someone takes the time to look everywhere for a key before breaking in, they will find it under the doormat, or ontop of a light fixture, or in some other crevice.

    In computers, this could be likened to performing a full port scan. Checking for the common signs of a non-secure computer like open and outdated software on ports 80, 23, etc., is pretty accurate. (Is the house key resting ontop of your mailbox?) If they decide it is worth their time, IE you're a huge coorporation, they might decide to take extra time and port scan everything because what they could find might be worth it. (Do you live in a house with a 3-car garage and a swimming pool/spa? Do you look like you have something worth stealing?)


    In the real world, I think security through obscurity is pretty valid although not entirely useful at protecting you. You just have to obscure stuff really well. I think it is good because there are physical limits - how fast can someone search - how much time do they have to search - is anybody watching them search - would they skip searching and physically damage whatever it is they need to to break in?

    In the computer world, the networked one that is, that last one isn't as easily possible - something needs to be exploited. To know if something could be exploited, they must try everything else first. With the computer, your IDS (you are protecting yourself right?) could watch everything and realize something is not right and then disconnect you from the Internet or redirect the attack to a honeypot. You aren't really risking anything if you practice obscurity since they can't simply break into your car with a baseball bat and steal everything. You can detect it and protect yourself...



    I think I need to get more sleep. I didn't think I'd end up supporting obscurity in this fairly long post, although is sure better not be the only layer of security...because then you loose to time and that underlined example above becomes true in the computer sense of it...

  10. #10
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi jdenny,

    I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.
    Yes, it adds another layer of protection, and I think that the only objections are that it should not be relied upon as a sole measure; and that it creates a non-standard system that might be difficult to maintain. In other words it needs to be strictly controlled, and understood by suitably authorised users.

    Regarding changing the default settings, what about changing the default admin password on routers/servers/anything? Is it security by obscurity too? So if it's bad, then we don't need to change default passwords?
    NO!, I think that this is where the misunderstanding is. A password is part of your "normal" security....you MUST change default passwords, or they are useless as a security measure. The "obscurity" part would be changing the default ACCOUNT NAME (you need to get BOTH right to gain access). Obviously if there is only one password and account, this would be a pointless exercise for the most part, other than against some sort of "mindless", scripted remote attack.

    Obviously, there is no such thing as absolute security; all you are doing is buying time, and obscurity measures increase this amount of time.

    Please don't get me wrong. I'm not encouraging security by obscurity (alone). But I don't think we must not use it.
    Your typical script kiddie has a low intellect, minimal knowledge and a very short attention span. Make life difficult for them and they will just go somewhere else. The principle is similar to those steering wheel/ gear stick locks in automobiles...........yours requires more effort so they steal someone else's It is not a case of "must not use it", it is a case of not TOTALLY relying on it.

    In a way, you could argue that most of the security around MacOSX and the Linux distros are security through obscurity, because the Windows exploits and skiddie tools won't work on them.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides