Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

How A Little Obscurity Can Bolster Security
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
4/17/2014 | 10:10:49 AM
Good examples but do they work?
Thanks for those simple obfuscations, Corey. Wondering if you've tried them out in practice.
User Rank: Apprentice
4/17/2014 | 10:29:24 AM
slows down an attack -- so it helps
It seems like you are reacting to the overuse of a good idea.  The good idea is that you have to put your energy into fixing the basic security of your system and NOT rely on obscurity.  A determined bad guy will still find your changed port number, or the name of your administrator group.

In my security training, we were taught not to give away any unnessary information that tells an attacker how the system works.  That header information you mention would be a big no-no.  So are exception traces that emit to the end-user.  Error messages are there to help the user, but should avoid giving away too much system design information.  One might argue that this is also security by obscurity.  I would disagree.  A system might have many vulnerabilities that are 'unknown' until an attack is crafted that bypasses the security I've set up.  The less I tell an attacker about my system, the less likely that they can find those 'open' doors between the time an attack is discovered and the time I can patch my system.

We sometimes tend to forget that our 'bad guys' are using computers too.  They have invested in automation and the more we 'follow convention', the easier it is for them to try their 'key' in thousands of virtual doors.
David F. Carr
David F. Carr,
User Rank: Strategist
4/17/2014 | 10:49:36 AM
Custom platforms another example of security by obscurity
There's also some security benefit from using a custom platform, such as a homegrown content management system instead of WordPress. WordPress has the advantage of being tested constantly by those trying to break it (maliciously or not), so security flaws tend to be found and patched -- which is good as long as you can keep up with the patches. Even then, hackers know that the login url is likely to be www.somedomain.com/wp-admin/ so they can throw brute force attacks against that and other known addresses like the one for sending trackbacks. A custom system may have more latent flaws, but they won't be as widely known as with a popular open source software platform.
User Rank: Apprentice
4/17/2014 | 12:55:03 PM
Know your risks first
Interesting article, Corey. Something to consider here is that there is a distinction between obscurity, where you rely upon the use of an unknown or custom system to trip up a tracker, and a defensive posture where you don't emit system details without cause.

However, it's also worth looking at what risks you're protecting against. If you're describing a strategy for protecting your servers, it makes total sense to not expose your Apache patch level; if you're looking at an infosec program for your data stored in a public cloud platform (say, Google Apps) from leak, obscurity isn't nearly as sensible a strategy. In general terms, outsider threat is defended against via (amongst other things) an approach of least information exposure; insider risk is mitigated by clarity and classification that helps avoid unintentional breach or leak. 
User Rank: Author
4/17/2014 | 1:19:48 PM
Re: Know your risks first
That is an excellent point! When relying on someone elses' systems (the cloud) obscurity is NOT good. We need transparency in what tactics and strategies our external partners are using to protect out data...

But in that sense, the external partner becomes an extension of ourselves. I wouldn't argue we obscure things from trusted parties, only from truly untrusted attackers.

Thanks for you thoughts!

User Rank: Author
4/17/2014 | 1:25:49 PM
Re: Custom platforms another example of security by obscurity
I absolutely agree... However, to be devils advocate to this point (and my own article), I think this will only be the case if you have security conscious and trained folks creating the custom systems. Since they are blackboxes, custom systems are more difficult for an attacker to enumerate. However, the arguement against them is sometimes the folks creating custom systems aren't necessarily the best secure coders or designers. Because of its popularity and past issues, Wordpress has had to spend time and money learning about secure design... Another example is when non-cryptologists try to roll their own encryption. It usually ends in disaster..

However, it's kind of like the hidden rock WITH the combination lock example. If you have folks who are experts at secure design, and you use them to create a custom system, you have the benefit of both layers. The secure design limits the true vulnerabilities in the system, and the fact that it's custom adds that extra layer that makes it hard (and thus less ROI for the attacker) to figure out!


User Rank: Author
4/17/2014 | 1:27:16 PM
Re: slows down an attack -- so it helps
Yep... we agree. The best security is securely designed systems, but there is no point in making those systems easy to find. ^_^


User Rank: Guru
4/17/2014 | 1:28:27 PM
Security v. Obscurity
Better to deride obscurity than end up back where we started: Obscurity is Security
David F. Carr
David F. Carr,
User Rank: Strategist
4/17/2014 | 1:39:22 PM
Re: Custom platforms another example of security by obscurity
One site I converted to WordPress previously ran on a CMS of sorts that you could edit by going to www.mydomain.com/data/ - no password required, pure security by obscurity. So compared with that, WordPress was certainly a huge improvement.
User Rank: Author
4/17/2014 | 1:44:48 PM
Re: Security v. Obscurity
I can see that point. So many have relied ONLY on security by obscurity (which IS bad) for protection that it is probably good to hammer that idea out of a Infosec neophyte's head... However, I still think the more exprienced infosec folk, who realize that their primary defense needs to be true secure design, can add some obscurity to the mix too... ^_^
Page 1 / 3   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-31
Netgear routers R7000P before v1.3.3.154, R6900P before v1.3.3.154, R7960P before v1.4.4.94, and R8000P before v1.4.4.94 were discovered to contain a pre-authentication stack overflow.
PUBLISHED: 2023-01-31
On Xerox WorkCentre 3550 devices, an authenticated attacker can view the SMB server settings and can obtain the stored cleartext credentials associated with those settings.
PUBLISHED: 2023-01-30
A CWE-306: Missing Authentication for Critical Function vulnerability exists that could cause access to manipulate and read files in the IGSS project report directory when an attacker sends specific messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versions prior to V15.0.0.22170)
PUBLISHED: 2023-01-30
A CWE-120: Buffer Copy without Checking Size of Input vulnerability exists that could cause a stack-based buffer overflow, potentially leading to remote code execution when an attacker sends specially crafted log data request messages. Affected Products: IGSS Data Server - IGSSdataServer.exe (Versio...
PUBLISHED: 2023-01-30
A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxureâ„¢ Cybersecurity Admin Expert (CAE) (Vers...