Security Basics mailing list archives
Re: Concepts: Security and Obscurity
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 16 Apr 2007 23:46:48 +0200
On 2007-04-16 levinson_k () securityadmin info wrote:
To give proof relating to the example of wireless... a good example of obscurity with wireless would be disabling SSID broadcast. The benefit of this has been debated (again because it does not defeat a determined attacker, and was never designed to). Nevertheless, doing so is a common security suggestion and at least some people find this a useful benefit, especially in home uses where nonskilled attackers and viruses are a much more likely risk than a determined attacker. Disabling SSID broadcast raises the bar that an attacker must pass to compromise a system. If you choose not to disable SSID broadcast, that's your call, and it can be the right call depending. But you're arguably lowering the bar to the point where unskilled attackers become equal in threat to determined attackers. All you need to crack the system is any unpatched or unmitigated vuln. The attacker no longer needs skill, time or effort.
Disabling SSID broadcasts is probably the single most ridiculous example you could come up with. Could you please refrain from spreading this nonsense? Disabling SSID broadcasts does *not* - in any way, form, or manner - add anything of even remote significance to network security. Most (if not all) wireless cracking tools will show a list of all wireless networks (broadcasting or not), from which the undetermined attacker will simply choose arbitrarily, whereas the determined attacker will know his target anyway.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq