Security Basics mailing list archives

Re: Concepts: Security and Obscurity


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 16 Apr 2007 23:46:48 +0200

On 2007-04-16 levinson_k () securityadmin info wrote:
> To give proof relating to the example of wireless... a good example of
> obscurity with wireless would be disabling SSID broadcast.  The benefit
> of this has been debated (again because it does not defeat a determined
> attacker, and was never designed to).  Nevertheless, doing so is a
> common security suggestion and at least some people find this a useful
> benefit, especially in home uses where nonskilled attackers and viruses
> are a much more likely risk than a determined attacker.
>
> Disabling SSID broadcast raises the bar that an attacker must pass to
> compromise a system.  If you choose not to disable SSID broadcast,
> that's your call, and it can be the right call depending.  But you're
> arguably lowering the bar to the point where unskilled attackers become
> equal in threat as determined attackers.  All you need to crack the
> system is any unpatched or unmitigated vuln.  The attacker no longer
> needs skill, time or effort.

Disabling SSID broadcasts is probably the single most ridiculous example
you could come up with. Could you please refrain from spreading this
nonsense? Disabling SSID broadcasts does *not* - in any way, form, or
manner - add anything of even remote significance to network security.
Most (if not all) wireless cracking tools will show a list of all
wireless networks (broadcasting or not), from which the undetermined
attacker will simply choose arbitrarily, whereas the determined attacker
will know his target anyway.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

