Security through obscurity


19 replies to this topic

#1 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 13 August 2007 - 07:24 PM

Hey guys,
I'm always hearing criticism about security through obscurity. Well I was pretty fricken' bored at work, and let my mind wander to this subject.

What's more secure?

A folder off of wwwroot called "THIS-IS-HIDDEN" or the main page of a website with the password "THIS-IS-HIDDEN" that references something in that folder?

I think the security through obscurity is MORE secure. Having a login on the site makes people AWARE that there is hidden content, and provides them a medium to crack it (e.g. brute force, injection), whereas not many people would think to brute force search for directories, how about sub-directories of those directories?

What do you think?

#2 jabzor

jabzor

    hax?

  • Agents of the Revolution
  • 1,146 posts
  • Country:
  • Gender:Male
  • Location:Northern Elbonia, fighting the lefties

Posted 13 August 2007 - 07:34 PM

An obscure subdomain on a non-standard port, running over ssl with an obscure sub-folder and requiring a login, with a set list of allowed ips and login attempts?

hxxps://mwh4h4.example.com:31778/cgi-bin_rev/

#3 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 13 August 2007 - 07:35 PM

In many places, security through obscurity works. Look how long Macintosh OS went without any real vulnerabilities (all versions) or how there are for things like VMS. Even security through false obscurity (banner/header forging) works well for the most part.

#4 thej3w

thej3w

    T0tal n00b

  • Members
  • 0 posts
  • Location:Chicago

Posted 13 August 2007 - 07:54 PM

Hey guys,
I'm always hearing criticism about security through obscurity. Well I was pretty fricken' bored at work, and let my mind wander to this subject.

What's more secure?

A folder off of wwwroot called "THIS-IS-HIDDEN" or the main page of a website with the password "THIS-IS-HIDDEN" that references something in that folder?

I think the security through obscurity is MORE secure. Having a login on the site makes people AWARE that there is hidden content, and provides them a medium to crack it (e.g. brute force, injection), whereas not many people would think to brute force search for directories, how about sub-directories of those directories?

What do you think?


How about both....

#5 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 13 August 2007 - 08:08 PM

Hey guys,
I'm always hearing criticism about security through obscurity. Well I was pretty fricken' bored at work, and let my mind wander to this subject.

What's more secure?

A folder off of wwwroot called "THIS-IS-HIDDEN" or the main page of a website with the password "THIS-IS-HIDDEN" that references something in that folder?

I think the security through obscurity is MORE secure. Having a login on the site makes people AWARE that there is hidden content, and provides them a medium to crack it (e.g. brute force, injection), whereas not many people would think to brute force search for directories, how about sub-directories of those directories?

What do you think?


How about both....


I was waiting for someone to say that. ;-)

#6 tiocsti

tiocsti

    rekcah-rebÜ

  • Banned
  • 676 posts

Posted 13 August 2007 - 08:37 PM

deleted.

Edited by tiocsti, 08 December 2007 - 12:13 AM.


#7 inaequitas

inaequitas

    SUP3R 31337

  • Members
  • 158 posts

Posted 13 August 2007 - 09:04 PM

Security through obscurity generally makes quite a few assumptions, setting itself up for compromise in the process.

First and foremost, it makes a mockery of would-be attackers by considering them too dumb to find out where things are. This is a dangerous practise because it can tick off the ego - and hurt egos do wonders when it comes to wanton destruction.
It also relies on itself too much. Secure systems should be able to fall back to others in case of a breach, which a lot of 'truly' obscured systems can't do.
Thirdly, things generally don't stay unknown for far too long in this world.

Yes, both elements need to be put together to properly secure systems, but in that case I don't think we are talking about 'security through obscurity' anymore - obscurity becomes a part of the system, not the whole.

#8 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 13 August 2007 - 09:42 PM

Security through obscurity generally makes quite a few assumptions, setting itself up for compromise in the process.

First and foremost, it makes a mockery of would-be attackers by considering them too dumb to find out where things are. This is a dangerous practise because it can tick off the ego - and hurt egos do wonders when it comes to wanton destruction.
It also relies on itself too much. Secure systems should be able to fall back to others in case of a breach, which a lot of 'truly' obscured systems can't do.
Thirdly, things generally don't stay unknown for far too long in this world.

Yes, both elements need to be put together to properly secure systems, but in that case I don't think we are talking about 'security through obscurity' anymore - obscurity becomes a part of the system, not the whole.



I really don't think you would bruise an ego through obscurity.

#9 inaequitas

inaequitas

    SUP3R 31337

  • Members
  • 158 posts

Posted 13 August 2007 - 09:54 PM

I really don't think you would bruise an ego through obscurity.


It certainly is not the primary concern when obscurity is involved - but you have to think the people that put said system in place either didn't much care for any of this or thought people using said system are too dumb to break it. It might beg teaching a lesson even if the ego isn't really bruised.

Or, you know, skiddies get bruised very easily because they're so hardcore :)

#10 BrakeDanceJ

BrakeDanceJ

    Hakker addict

  • Binrev Financier
  • 598 posts
  • Location:Chicago

Posted 13 August 2007 - 10:02 PM

I really don't think you would bruise an ego through obscurity.


It certainly is not the primary concern when obscurity is involved - but you have to think the people that put said system in place either didn't much care for any of this or thought people using said system are too dumb to break it. It might beg teaching a lesson even if the ego isn't really bruised.

Or, you know, skiddies get bruised very easily because they're so hardcore :)


:) If I put a password on a system, I'm betting people are too stupid to guess it lol

#11 inaequitas

inaequitas

    SUP3R 31337

  • Members
  • 158 posts

Posted 13 August 2007 - 10:59 PM

:) If I put a password on a system, I'm betting people are too stupid to guess it lol


Yeah, that's true, I mean after all that's why we talk about 'strong passwords' - things that are not only hard to compute by a machine [except for brute-force] but rather complicated for a human being to guess. In the trade-off between resources [spent on breaking in] and value [of the information to be retrieved] it often makes more sense to kidnap and torture the password out of someone rather than come up with complicated schemes to guess their password. But allowing admin access to whoever knows to click in a certain corner of your site is just asking for it, I'd say. :)

#12 Abhayaa

Abhayaa

    SUP3R 31337 P1MP

  • Members
  • 296 posts
  • Location:Too many handles, too many places.

Posted 13 August 2007 - 11:18 PM

No matter what you believe about it being right or wrong, security via obscurity works. Take a look at the information out there since 'full disclosure' started, or even when the web started, compared to what we were plinking out bit by bit on BBSes back in the 80s/early 90s (and before, of course). Take away obscurity and you require more hardcore security. It's a matter of keeping out the really concerted-effort types, versus keeping away the skiddies, to an extent. We've all seen people come on here (and elsewhere) looking for googleable answers -- and that's not even obscure stuff. All that said, can't turn back time. People push the envelope which means everybody else has to push their envelopes, which means the original people have to push even harder and further and so on. There's also the fact that information that's hard to find can drive some of us to push harder, but I think that making things hard to find out cuts off probably 99.9% of the people that would try. It might push the other .1% more, but it's still a big improvement. Just imho.

#13 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 13 August 2007 - 11:27 PM

How so? Macs had plenty of vulns, the fact that they didn't show up on bugtraq is irrelevant. SBO hides things from public view, but produces systems that are less secure.

In many places, security through obscurity works. Look how long Macintosh OS went without any real vulnerabilities (all versions) or how there are for things like VMS. Even security through false obscurity (banner/header forging) works well for the most part.


Oh, I'm not saying there weren't vulns, I know there were but they weren't public (on bugtraq for example) but I also used the qualifier "real" to denote there were vulns. I agree that SBO leads to insecurity down the road eventually, no one can stay in their ivory tower forever.

#14 savant

savant

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 368 posts
  • Gender:Male
  • Location:408

Posted 14 August 2007 - 08:17 PM

No matter what you believe about it being right or wrong, security via obscurity works sometimes.


Fixed.

Obscurity in and of itself is a terrible form of security. Bottom line is, once it becomes less obscure, it generally crumbles. For example, in the "some-random-dir-name" approach, as soon as one careless mistake is made, there's no security at all. Let's say there's a file in the directory that links to something offsite, like an image or a hyperlink. Rolling with this hypothetical situation, now you've got a potential for things like your referrer giving away your "secret" directory in someone's weblogs. Or you link your avatar from your super secret directory and someone views the properties of your image link.

Or better yet, you browse to your super secret directory but forgot you have the Google Toolbar installed on IE and Google spiders you, spilling your guts to the entire world. By itself, obscurity offers varying results, but it tends to lean toward the poor.

Or, god forbid, someone with a lot of time and a strong desire to enter your ssd (super secret directory) just writes a script to brute force all possible or logical combinations of words and characters until they eventually get in.

But this directory example is a bit flawed, and we could hypothesize various situations where it would and wouldn't work until we grew old and died.

How about a hideakey? You know, the key that you leave under your mat or in a fake rock in the front yard. Or under a potted plant. This is a means of security through obscurity, and someone who has experience breaking and entering knows to look FOR these things, even if (s)he doesn't know where the key is.

An example of sec-through-obs that works better is the lock-box system Realtors use when showing a house. The house key is hidden somewhere on the property, but stored in a combination lock. Just finding the key is not enough to gain entrance, you need to know the password as well.

Obscurity has its place, but it's meant to be used in conjunction with other means; a layered approach. After all, most things that are protected only by secrecy eventually become not-so-secret.
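The referrer leak described in the post above can be checked for before a page goes into an unlinked directory. This is an added example, not part of the original thread: it lists the offsite references on a page that would hand the page's own URL to a third-party server in the Referer header. The host names, path and sample HTML are constructed, and it assumes browsers send the full URL as Referer, as they did when this thread was written (current browser defaults send only the origin cross-site unless the site's Referrer-Policy loosens that).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served from the "secret" directory (hypothetical host).
PAGE_URL = "https://www.example.com/THIS-IS-HIDDEN/index.html"
PAGE_HTML = """
<html><head><link rel="stylesheet" href="style.css"></head><body>
<img src="avatar.png">
<img src="https://images.example.net/banner.gif">
<a href="https://forum.example.org/profile?id=7">my profile</a>
<a href="https://partner.example.org/" rel="noreferrer">partner</a>
<a href="/public/about.html">about</a>
</body></html>
"""

class OffsiteRefs(HTMLParser):
    """Collect href/src URLs that point at a different host than the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        for name in ("href", "src"):
            if not a.get(name):
                continue
            # Resolve relative references against the page's own URL.
            target = urljoin(self.page_url, a[name])
            parts = urlsplit(target)
            if parts.scheme not in ("http", "https"):
                continue
            if parts.hostname == self.page_host:
                continue  # same host: the path is not disclosed to anyone new
            if tag == "a" and "noreferrer" in rel:
                continue  # rel=noreferrer suppresses the Referer header
            self.leaks.append((tag, target))

def find_referrer_leaks(page_url, html):
    """Return (tag, url) pairs whose servers would log page_url as Referer."""
    parser = OffsiteRefs(page_url)
    parser.feed(html)
    parser.close()
    return parser.leaks

if __name__ == "__main__":
    for tag, target in find_referrer_leaks(PAGE_URL, PAGE_HTML):
        print(f"<{tag}> {target} would receive Referer: {PAGE_URL}")
```

A clean result only covers this one leak path; the toolbar and brute-force cases from the same post are untouched by it.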

#15 tiocsti

tiocsti

    rekcah-rebÜ

  • Banned
  • 676 posts

Posted 14 August 2007 - 08:34 PM

deleted.

Edited by tiocsti, 08 December 2007 - 12:08 AM.


#16 tiocsti

tiocsti

    rekcah-rebÜ

  • Banned
  • 676 posts

Posted 14 August 2007 - 08:37 PM

deleted.

Edited by tiocsti, 08 December 2007 - 12:07 AM.


#17 operat0r

operat0r

    Dangerous free thinker

  • Members
  • 793 posts
  • Location:ops

Posted 15 August 2007 - 05:32 AM

I think the security through obscurity is MORE secure.


Keep thinking that.. hackers will just find creative ways to get around it...

Security through obscurity, I think, can work but only if you have explored every angle of attack and you are willing to 'ride' on that measure to defend against the universe. It does not work for morons that are just too lazy to do it right.

#18 Dare To Imagine

Dare To Imagine

    SUP3R 31337

  • Members
  • 188 posts
  • Location:Chicago

Posted 15 August 2007 - 05:40 AM

Security through obscurity is like having locks on all of the doors and windows on the 1st story of a warehouse, but then leaving the doors on the roof unlocked.

People just tend to think "well, nobody will do that". This is usually effective, until somebody finds the unlocked door.

#19 Abhayaa

Abhayaa

    SUP3R 31337 P1MP

  • Members
  • 296 posts
  • Location:Too many handles, too many places.

Posted 15 August 2007 - 07:04 AM

Good arguments. Maybe I should have said instead "security via obscurity works for me, as long as I am smart and don't go around being stupid or thinking I am invulnerable." The key is to be *careful* and you are right -- I think most people aren't careful, primarily because people by their nature can be notoriously lazy, and implementations can be thoroughly imperfect. Most people certainly aren't as anal as I am; I know that (believe me, I know that). "Security via obscurity" isn't a synonym for "security via laziness" -- you should STILL do it *right*, planned carefully and well-thought-out. To do that you need a background that a lot of security schmucks these days don't have. For them, I highly advocate *against* thinking they are cleverer than the typical hacker (i.e. not skiddie).

When I made my original statement, by the way, I was thinking more in terms of things outside of the internet, for example access procedures and misdirection -- not hiding data and directory structures off of known paths. While I understand that there are very good reasons to use the net, let's face it, a lot of the stuff that's accessible online shouldn't be accessible online in the ways that they are accessible online, nowadays. Companies make a trade-off choosing convenience over security. Maybe that's because they realize that most people, if told to take a more secure route, would try to create lazy shortcuts instead, eventually making the increased security measures practically moot (and maybe worse). This doesn't make their actions right -- it just means they're being lazy in a different way. [EDIT: If you remove the intersection, then people can't be as lazy. They can find other loopholes, sure, but they'll be loopholes that won't be as freely accessible as something anybody with a couple of scanning tools/toys can find. [/EDIT]]

I continue to stand by the one statement I have stood by since I first started out, decades ago: people will always be the biggest vulnerability (and not just the people trying to access things they have no right to access).

Edited by Abhayaa, 15 August 2007 - 07:08 AM.


#20 kingospam

kingospam

    SUP3R 31337

  • Members
  • 177 posts

Posted 15 August 2007 - 11:04 PM

http://www.schneier....ram-0205.html#1

Schneier is someone worth listening to. He's written a lot on security through obscurity. Take a look at his site.

Full-disclosure isn't an issue here. Although full-disclosure is a GREAT idea, it doesn't belong in the discussion of open source vs. closed source. In the end, there are many reasons to choose either. It depends on the situation. We can't say that ALL software/algorithms/<anything else> should be open source. Saying that would be foolish. We should be saying, who can we trust to see this code IF this code should be seen by a limited/finite amount of people. It's all about trust. My employer is not going to release any of his code because his code is what keeps his job alive. His code is his source of income. People are willing to pay for products. While I applaud the open source community (I love NetBSD), closed source/proprietary software is necessary. It gave me a job.



