RE: Re: Re: Re: Concepts: Security and Obscurity

["Craig Wright" <Craig.Wright () bdo com au>]

Here we get to the real point. Obscurity is not the factor that is
increasing the security of the site. You have a confounding variable in
this model. That is monitoring. 

The confusion here is that you are assuming that this is the only (or
best) method to increase log visibility and that this will find the
attacker.

First, increasing monitoring efficiency is a good (though uncommon)
improvement. But the argument is that port knocking etc will find the
people with a clue who are able to attack the SSH or other service.

When scanning a site managed by a profession 24x7 firms, with notice, I
have rarely had them become aware of (maybe 1 in 10) the fact that the
client is being tested. It is randomised and over time and uses event
sequence mining to reconstruct the ruleset (i.e. maths). I do however
guess that gets ride of much of the "hacker" community of course these
days as it requires that SAS, SPSS, R or some other statistical package
is used and does not rely on a tool.

Obscurity does not work. You are confounding the control from SSH with
some additional but unmeasurable additional event as people do not know
the sequence. This is not the same as having a firewall and AV. 

To test the effectiveness of obscurity scientifically you have to remove
or make account for the confounding variables. In assessing the relative
strength of a control, you can not compare in the manner that is being
proposed as you have cross-correlated effects from the additional
controls. In a test that is determined scientifically and without bias,
the results show that obscurity does not reduce risk and is thus not a
benefit.

Regards,
Craig

PS there is no 100% secure system and this is mathematically provable.
The best you do is reduce the risk and proability of a successful
attack/intrusion. 



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of levinson_k () securityadmin info
Sent: Thursday, 12 April 2007 6:40 PM
To: security-basics () securityfocus com
Subject: Re: Re: Re: Re: Concepts: Security and Obscurity

> Obscurity is just that, obscure.  It's "hiding" rather than actually
> proactively keeping people out...  just makes it 
> slightly harder.  The attackers must try a few doors before they 
> find the one with the network gear, or call the company and say 
> there's something wrong with the website - can they talk with the 
> webmaster to let them know, 

One might as well throw away your antivirus and firewalls, because those
won't block social engineering either.


> When we define things this way, then we can clearly see why 
> "obscurity" doesn't add much benefit against targeted attacks. 

Obscurity isn't intended to block targeted attacks, just as firewalls
aren't intended to block social engineering.  The people here who
require countermeasures to be 100% effective against everything will
quickly end up with no countermeasures at all.  But at least they won't
have, horror of horrors, a false sense of security!

Obscurity does help you against targeted attacks, in that targeted
attacks that hit your SSH server listening on a nonstandard port will
tend to stand out, because your logs will have less noise in them.

kind regards,
Karl Levinson
http://securityadmin.info