Security by obscurity

Printable View

October 15th, 2004, 05:37 AM
jdenny

Security by obscurity

Forgive my ignorance, but I don't really understand if one is against security by obscurity.

I mean, passwords and encryption to me are obvious implementation of it. You can't get access because you don't know the password or encryption key (it's hidden/obscured). Once you know (how to get) it, you're in. And it's just a matter of time (i.e. processing power) to crack them. IMHO only physical protections, such as physical key/access, biometric key, (two factor) token, etc, give the real "security not by obscurity" thing (not necessarily provide the best protection).

Security gurus please shed some light on this... Thanks.

Peace always,
<jdenny>
October 15th, 2004, 05:58 AM
Soda_Popinsky

By no means am I a guru, but I agree. All encryption is vulnerable to brute force, even if the processing time is unrealistic. But the demand for communication over the wire requires protection, and that justifies the use of encryption to safeguard it.

The only other way to securely pass along information is to physically present it, and even then you can get mugged. :eek:
October 15th, 2004, 06:40 AM
!mitationRust

Re: Security by obscurity

Quote:

Originally posted here by jdenny
Forgive my ignorance, but I don't really understand if one is against security by obscurity.

I mean, passwords and encryption to me are obvious implementation of it. It's just a matter of time (i.e. processing power) to crack them. IMHO only physical protections, such as physical key/access, biometric key, (two factor) token, etc, give the real "security not by obscurity" thing (not necessarily provide the best protection).

Security gurus please shed some light on this... Thanks.

Peace always,
<jdenny>

Encryption is highly useful for communicating with remote hosts.

Yes, signing is handy, but if the host has been compromised, it is utterly useless and serves little beyond false security.

The problem with encryption is, it places to high a value on trust: "I'll accept this and give you whatever you want due to the fact that I trust you have not been compromised." This is a bad policy. If you are relying on encryption for verification, you are begging for problems. ;)

If you are going to assume things are insecure, sure encryption helps... the problem is that when people use encryption they assume they don't need to worry about the rest. Also, organizations have limited resources in both time and money and frequently it is much better to use consolidated security rather then trying to encrypt everything... what if a host gets compromised? Encryption is of zero use at that point. I am not saying encryption is bad... but it is frequently a last thing I would establish and only if resources permitted.

Encryption fails because no matter how good your lock on the door is, if an attacker has broken in through the window. Encryption fails to protect the systems themselves. I suppose in a perfect world where every single server and every single users had their own certs and sigs encryption would be a great thing, but the fact remains that the vast majority of systems accept anon traffic. Encryption is only useful when the data can be acquired by untrusted hosts. No other time. Over using it merely needlessly complicates your system lowering it assurance thereby reducing it's security.

Encryption has nothing to do with system security.

Read the DOD-STD-5200.28 "unencrypted data should be dealt with no differently then encrypted data."

I learn from master yoda. ;)
October 15th, 2004, 08:27 AM
Tim_axe

Security or Inscurity or Obscurity?

An example with Paper/Rock/Scissors:

Fact: If I play a game of Paper/Rock/Scissors, my odds of winning always start 1/2 if the game is completely random. (One chance of winning over one of tying and one of losing)
Fact: If I know what my opponent's move will be ahead of time, I will always win.

If I meet a kid who I know always starts off with Scissors, I can play Rock and always beat him.

If I play against a kid I've never meet before, I have no idea what he will play. My odds of winning are 1/2 as per what is below:

If this kid always plays Rock first, and I don't know it, my odds of winning are still 1/2 if I play a random game.
If this kid always plays a random game (except when he knows a move in advance), my odds of winning are still 1/2 and will always be 1/2 if I play a random game.

If I knew he always played Rock first, I could play paper first and always beat him first. From there, I am back to a 1/2 odds of winning. There is also a 1/2 odds of tying. And 1/2 odds of losing.

Tie-in with computers:

If I know something is loaded (Kid I meet who always plays Scissors, or maybe default file locations for popular programs) it is insecure.
If I don't know something is loaded (Kid I never saw before who plays Rock, or maybe default file locations for programs I've never seen before) it is obscure.
If something is not loaded (Kid who plays a random game, or maybe Cryptography) it is secure.

I need to go to sleep now. This fairly short post took about 1.5 hours to write, and now I know for sure I'll be feeling my 4 hours of sleep per night at school... :(
October 15th, 2004, 10:03 AM
MrLinus

Security through obscurity is more the concept that computer systems attempt to hide things in plain sight. Encryption/cryptography is an overt act of hiding data and, in essense, changing or encapsulating a piece of data. A good example is say you decide to fool attackers by running your vulnerable Apache server on Port 8001 instead of 80. You choose 8001 because you know no one else will run it there (creating a false sense of security). That is security through obscurity.

Another example would be putting your house key under the door mat because no one would look there.

Does this make more sense/clarify a bit more?
October 15th, 2004, 10:24 AM
nihil

The examples of security by obscurity that I like is where you change the names of default user accounts or the locations of critical items.

A malicious person or code coming looking for the defaults, won't find them.

This is fine against script attacks but not against a hacker, who knows that the item is there and will search for it. If it is not protected by other means such as a strong password, encryption etc. it remains just as vulnerable as it was before being obscured.

Whilst obscurity can be effective against malware it is not very good against malicious persons and should not be relied upon. I think that the "objectors" to it are afraid that it brings a false sense of security that is dangerous.

Hope that helps
October 16th, 2004, 01:02 AM
slarty

The way I see it, "security by obscurity" is just having a system set up or configuration, so strange and unusual that common attacks don't work.

Essentially, although the system configuration information is unusual, it isn't "secret"... documents about it might be distributed to employees, or even partners or external contractors. In this sense, it isn't as a sensitive as a password, which never would.

For example, if you decide to run your vulnerable web server on port 19241 instead of the usual 80, most attackers are not going to try to attack it simply because they don't know it's there. This makes it seem more secure.

But it isn't actually any more secure - someone who KNOWS it's there can still attack it just as easily.

Ditto for renaming the administrator account.

So even though obscurity is in some cases, extremely effective as a security measure, it still should not be relied on.

Slarty
October 16th, 2004, 03:50 AM
jdenny

Thanks to everyone who replies... especially Tim_axe with his confusing example :) (his idea about randomness did remind me about the cryptography concept).

I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.

Regarding changing the default settings, what about changing the default admin password on routers/servers/anything? Is it security by obscurity too? So if it's bad, then we don't need to change default passwords?

To me, something is obscure if nobody or only a few people know about it. With the right skill and tools, nothing is impossible. You never know, what bored teenagers and their friends and their brothers can do with all their and their relatives PCs. If encryption can be defeated, isn't it as bad as changing default http port?

Please don't get me wrong. I'm not encouraging security by obscurity (alone). But I don't think we must not use it.

Peace always,
<jdenny>
October 16th, 2004, 07:38 AM
Tim_axe

Like everyone it seems, I think something is obscure if only a select few people know about something...but especially if this something being something that is insecure.

IE, it really isn't safe to leave your key near your house because there is a chance someone might find it if the wind somehow manages to move your doormat. But provided nobody who isn't supposed to know doesn't uncover it, for all intents and purposes it doesn't look like the key is there and the house appears safe. Of course, if someone takes the time to look everywhere for a key before breaking in, they will find it under the doormat, or ontop of a light fixture, or in some other crevice.

In computers, this could be likened to performing a full port scan. Checking for the common signs of a non-secure computer like open and outdated software on ports 80, 23, etc., is pretty accurate. (Is the house key resting ontop of your mailbox?) If they decide it is worth their time, IE you're a huge coorporation, they might decide to take extra time and port scan everything because what they could find might be worth it. (Do you live in a house with a 3-car garage and a swimming pool/spa? Do you look like you have something worth stealing?)

In the real world, I think security through obscurity is pretty valid although not entirely useful at protecting you. You just have to obscure stuff really well. I think it is good because there are physical limits - how fast can someone search - how much time do they have to search - is anybody watching them search - would they skip searching and physically damage whatever it is they need to to break in?

In the computer world, the networked one that is, that last one isn't as easily possible - something needs to be exploited. To know if something could be exploited, they must try everything else first. With the computer, your IDS (you are protecting yourself right?) could watch everything and realize something is not right and then disconnect you from the Internet or redirect the attack to a honeypot. You aren't really risking anything if you practice obscurity since they can't simply break into your car with a baseball bat and steal everything. You can detect it and protect yourself...

I think I need to get more sleep. I didn't think I'd end up supporting obscurity in this fairly long post, although is sure better not be the only layer of security...because then you loose to time and that underlined example above becomes true in the computer sense of it...
October 16th, 2004, 10:10 AM
nihil

Hi jdenny,

Quote:

I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.

Yes, it adds another layer of protection, and I think that the only objections are that it should not be relied upon as a sole measure; and that it creates a non-standard system that might be difficult to maintain. In other words it needs to be strictly controlled, and understood by suitably authorised users.

Quote:

Regarding changing the default settings, what about changing the default admin password on routers/servers/anything? Is it security by obscurity too? So if it's bad, then we don't need to change default passwords?

NO!, I think that this is where the misunderstanding is. A password is part of your "normal" security....you MUST change default passwords, or they are useless as a security measure. The "obscurity" part would be changing the default ACCOUNT NAME (you need to get BOTH right to gain access). Obviously if there is only one password and account, this would be a pointless exercise for the most part, other than against some sort of "mindless", scripted remote attack.

Obviously, there is no such thing as absolute security; all you are doing is buying time, and obscurity measures increase this amount of time.

Quote:

Please don't get me wrong. I'm not encouraging security by obscurity (alone). But I don't think we must not use it.

Your typical script kiddie has a low intellect, minimal knowledge and a very short attention span. Make life difficult for them and they will just go somewhere else. The principle is similar to those steering wheel/ gear stick locks in automobiles...........yours requires more effort so they steal someone else's ;) It is not a case of "must not use it", it is a case of not TOTALLY relying on it.

In a way, you could argue that most of the security around MacOSX and the Linux distros are security through obscurity, because the Windows exploits and skiddie tools won't work on them. :cool:

Cheers
October 16th, 2004, 03:22 PM
chsh

Quote:

Originally posted here by jdenny
I understand that we can't rely on security by obscurity (alone). However, it adds another layer of protection, doesn't it? I just want to understand why people try to avoid it. I mean it's not that bad, but yes, we also need to put some other kind of security measure in place.

It isn't a layer of protection, and treating it as such is relying on it to actually do something to protect you. Phase one of an intrusion generally includes enumeration, which generally defeats measures relying on obscurity to protect them.

Imagine if you will, the following scenario. A car company makes a car with remote door locks that are uniquely keyed to frequencies, one per car. This frequency in and of itself is how the door is unlocked, there is no data sent on the signal, nor is there a "fingerprint" or encryption-key style mechanism in place to ensure it is really the owner, only the frequency identifies the proper owner. Now, the only people who have the remote door locks are the owners, but let's say a car thief wants to open some doors. He develops an ingenius device to broadcast a signal on increasing frequencies until he hits the kill switch, and manages to rather easily unlock the door of the car and steal it.

Even if you consider it a layer of protection, security through obscurity doesn't actually protect you from anything.
October 18th, 2004, 06:21 AM
jdenny

I'm still seeing that password authentication method and encryption method implement security thru obscurity in more general/loose term. Passwords can be sniffed and/or brute-forced. Ditto with encryption.

I think I'll still use some security thru obscurity efforts, combined with IDS and logging, in an early warning/action system. But of course I won't rely on that as my sole protection.

[ Borrowing chsh's example of remote door locks, the vendor should develop a scanning detector which disables the lock (ignoring unlock request) for a given period (say 5 minutes) if it detects such scanning. One could argue that the thief would increase the delay between frequency broadcasts to avoid detection. And I would say he'd better be very patient as he may need to spend some time doing it before the owner comes and forces him find another victim. And so on, and so on. ]

Well, I believe I've got the answers I need. Thank you all.

edit: I'm sorry for being stubborn :) (see my sig).

Peace always,
<jdenny>