Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 12 Apr 2007 07:55:13 +1000

Except that the *Very* few is NOT 50, 100 or even 1000 - it is many, many
times that. Unless you have changed the nature of the hypothesis as I
suspect that you have done in the response (ie limiting access
addresses).

Adding a false sense of security is not adding security. An insecure
system remains an insecure system. It is mathematically provable that
you have no real gain.

As for:
"Why do we hide missile launch sites?"
We don't. They are public. They are known.

"Why does the presidential motorcade not disclose which car the
president is actually in?" 
To increase the attack time and scope. The target is increased - having
3 cars reduces the risk to 1/3, having 4 cars makes a random target of
1/4 or 25% if a single car is hit (etc). The analogy is not the same
though. Scanning additional ports is not a linear probability function.
Adding an additional car is (or at least approximates to one).

You stated a potentially vulnerable service. Thus it remains so whether
you change the port or not. Next you are now seeming to add a condition
that the firewall is filtering IP addresses - a point that was not in
the original hypothesis. If so this is then a new case.

As for qualifications, several Gold GIAC, most of the other certs,
multiple IT related degrees at PG level, 20 years experience including
work in hostile environments (ie Australian Stock Exchange).

Your failure to understand a concept does not make it either true or
false. The scanning for IP services is possible - there is not a port
per se, but there is a system response.

I suggest that you learn a little more on risk and check the facts about
situations before stating them. 

Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


-----Original Message-----

From: Daniel Miessler [mailto:daniel () dmiessler com] 
Sent: Thursday, 12 April 2007 2:59 AM
To: Craig Wright
Cc: krymson () gmail com; security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


On Apr 11, 2007, at 1:36 AM, Craig Wright wrote:

> To translate: "Limiting access to a potentially vulnerable daemon by
> 99.9% of the Internet population."
>
> You get....
> Control:
> Limit the number of people who are likely to access this daemon to
> 1,114,274 people.

I'm not sure if you are being argumentative for the sake of doing so,  
or if you really thought I meant that 0.01% of the Internet  
population would be given valid access to the PK/SPA client being  
used by our fictional organization. I'm going to assume the former  
since the latter just sounds too silly.

I used 99.9% to mean "the vast majority", with *VERY* few exceptions  
(i.e. like 25, or 50, or 1,000)

> Costs:
> 1     Running a vulnerable service with a false sense of security and
> little concern
> 2     Documentation of the service and the time to reconfigure devices
>
> Thus the summary is that there is no gain and some cost.

Where is the false sense of security if you already have your CURRENT  
security, only you've added something in addition to it?  We're NOT  
MODIFYING existing security, whether that's via SSH, VPN, or  
whatever. That stays in place. All we're doing is making it so people  
can't see the service in the first place.

> Now if you consider the number of people who scan well known ports
> against those who scan for "hidden" ports and the levels of skills -
> what you have done is make the site a target.

How about people who scan for closed ports? Are we worried about  
people making a list of sites NOT running certain services? I'm  
personally not so worried about being put on such a list.

> You have done nothing to stop those with skills (and thus who are more
> likely to compromise the system) from attacking - but have removed some
> of the noise element as the script kiddies generally scan for attacks
> they have exploits for. Thus the resultant population consists of people
> who have a greater likelihood of compromising the system and these
> people have not been controlled at all.

Right, other than the fact that they'd never see the service in the  
first place due to the port not listening. Again, how do you expect  
this fictional super-hacker to open a port on a firewall that's NOT  
open? If there are people that can do that then every company in the  
world with an Internet presence is in grave danger.

> Bearing in mind that the population of users who have found the port are
> unlikely to be those with valid reasons; you have not secured the daemon
> at all. With the current Honeynet statistics, you may survive in this
> state for 72 hours or so...

Wow.

> The system of algebraically assigning a number for each control is not
> mathematically valid. Survival in this situation forms a Poisson model
> on the length of time that the service is maintained in a "secure"
> state. In this, the additional benefit would (even if algebraically
> equal - which is not the case) be included as an additional factor to an
> inverse exponential. Thus it would have a minimal additional effect.

Easy killer. I'm still trying to figure out how to open closed ports  
on remote firewalls.

> The manner which you have assigned values to risk is not mathematically
> sound. There are centuries of research into risk. Survival models apply
> to IT risk as well. Making up numbers to state that an added layer of
> security is an improvement is unscientific at best and does nothing to
> improve the risk modelling process.

You're trying to condescend but you don't seem qualified to do so.  
Let me leave you with a few simple questions that will hopefully jar  
you back to us:

Why do we hide missile launch sites?
Why does the presidential motorcade not disclose which car the  
president is actually in?

The reason, my friend, is because no matter what security is placed  
on a given system -- making it difficult to actually INITIATE an  
attack against said security is still valuable! No algebra or list of  
references is going to make this less so.

I ask you to reconsider.

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC
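The survival-model argument in the exchange above (a Poisson process of hostile contacts, with an "additional factor to an inverse exponential") can be made concrete. The following is an added example written for this archive page; it is not code from either participant. It models the hazard of compromise as contacts per day multiplied by the share of contacts that find the listening port and the per-contact exploit probability, so that survival is exp(-rate * t). Every rate and fraction in the scenarios is a constructed illustration value, not a measurement; the "72 hours" horizon comes from the thread.

```python
"""
Constant-hazard (exponential) survival model for "time until a reachable
service is compromised". All scenario numbers are constructed for
illustration; the model structure is the only thing being demonstrated.
"""
import math


def compromise_rate(contacts_per_day, fraction_probing_port, p_exploit):
    """Hazard: expected successful compromises per day.

    contacts_per_day      -- hostile hosts touching the address each day
    fraction_probing_port -- share of those that probe the port the daemon is on
    p_exploit             -- probability that a contact which finds the port
                             successfully exploits the (unchanged) daemon
    The three terms multiply, which is the 'additional factor inside the
    exponential' from the thread: S(t) = exp(-(c * f * p) * t).
    """
    return contacts_per_day * fraction_probing_port * p_exploit


def survival_prob(rate_per_day, days):
    """P(not yet compromised after `days`) under a constant hazard."""
    return math.exp(-rate_per_day * days)


def mean_time_to_compromise(rate_per_day):
    """Mean of the exponential distribution (infinite when the hazard is 0)."""
    return math.inf if rate_per_day == 0 else 1.0 / rate_per_day


# Constructed scenarios. 'Moved port' lowers the fraction of contacts that
# probe the daemon but leaves p_exploit untouched, because the daemon itself
# is unchanged. The third scenario encodes the thread's objection that the
# residual population (those who scan the full port range) is more capable.
SCENARIOS = {
    "default port, unpatched": dict(
        contacts_per_day=1000, fraction_probing_port=1.0, p_exploit=0.001),
    "moved port, unpatched, same attacker mix": dict(
        contacts_per_day=1000, fraction_probing_port=0.2, p_exploit=0.001),
    "moved port, unpatched, residual attackers more capable": dict(
        contacts_per_day=1000, fraction_probing_port=0.2, p_exploit=0.004),
    "default port, patched (p_exploit=0)": dict(
        contacts_per_day=1000, fraction_probing_port=1.0, p_exploit=0.0),
}


def evaluate(days=3):
    """Return {scenario: {rate, survival, mttc}} for a horizon of `days`."""
    results = {}
    for name, params in SCENARIOS.items():
        lam = compromise_rate(**params)
        results[name] = {
            "rate": lam,
            "survival": survival_prob(lam, days),
            "mttc": mean_time_to_compromise(lam),
        }
    return results


def main():
    for name, r in evaluate(days=3).items():
        print(f"{name:55s} rate={r['rate']:.3f}/day "
              f"P(survive 72h)={r['survival']:.3f} "
              f"mean time to compromise={r['mttc']:.2f} days")


if __name__ == "__main__":
    main()
```

Run as-is to print the four scenarios. Reading the output against the thread: moving the port only scales the hazard by the fraction of attackers who still find the service, so the gain evaporates as the residual population's exploit probability rises, while patching the daemon (p_exploit = 0) is the only scenario that takes the hazard to zero.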

