Security Through Obscurity. You hear people tell you not to use it. You also hear people telling you that it is a useful layer of defense. Actually it is both of these things and neither, depending on what you expect it to do for you. Obscurity can just happen or it can be planned. You can put a file within your web server’s root directory and, if you never link to it from your pages, it just happens to be obscured. You can plan to move an application from its default port to a non-standard one so that it does not appear to the casual observer that you are running that particular service, thereby making the service obscured.
Obscurity only helps you as long as nobody else knows about it. A document can be found by simply guessing common file names. The web application security tool Paros does this when it checks for backup files with common extensions, such as files that end in “_bk.” These files are especially helpful to malicious hackers because they often contain useful information, displayed directly or left behind in HTML comments. Because a service can only listen on one of 65,535 TCP (or UDP) ports, a non-standard port is discovered simply by widening the port range of a scan. Most scanners now perform banner grabbing and application version detection automatically (Nmap’s -sV and THC-Amap, for example), which takes the guesswork out of determining what service a strange port is offering.
Let’s face it. Everybody who uses a password is using security through obscurity. Think about it. A password is a fact that somebody else does not know, but they do have a means to attempt access anyway. Brute forcing authentication mechanisms, cracking password files, keystroke logging, and shoulder surfing are several examples of attempts to bypass this method of security through obscurity. Heck, you don’t even have to guess anymore. People are offering up rainbow tables and password lists. A rainbow table is not literally a list of every possible password; it is a precomputed set of hash chains for one hash algorithm and one character set, and it lets anyone holding an unsalted hash look the password up in seconds instead of trying every combination themselves. Yes, building one takes a very long time, but that work was done once, by somebody else, and if your password falls within the character set and length the table covers, I guarantee it is in there. An online guessing attack needs time and a lack of log monitoring; an offline attack against a stolen unsalted hash needs neither.
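To make the rainbow table point concrete, here is a toy one, added as an example for this post (it is not code from the post or from RainbowCrack). The parameters are constructed for illustration: three lowercase letters, MD5, chains of 20 reductions, and a handful of start points. It shows the table recovering an unsalted hash it covers and failing against the same password once a salt is mixed in, because the salted hash is no longer a function of the password alone.

```python
import hashlib
import itertools

# Toy parameters (constructed for this example): three lowercase letters,
# MD5, chains of 20 reductions. Real tables cover far larger spaces.
CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 20
SPACE = len(CHARSET) ** PW_LEN


def h(pw: str) -> str:
    """The unsalted hash the table is built for."""
    return hashlib.md5(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: str) -> str:
    """A per-user salt makes every stored hash a different function of pw."""
    return hashlib.md5((salt + pw).encode()).hexdigest()


def reduce_(digest: str, col: int) -> str:
    """Map a hash back into the password space. The column index is mixed in
    so that two chains colliding in one column do not merge for good."""
    n = (int(digest, 16) + col) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def build_table(start_points):
    """Precompute the chains; only endpoint -> start point(s) is stored."""
    table = {}
    for start in start_points:
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(h(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target):
    """Return a password hashing to `target` if some stored chain covers it."""
    for j in range(CHAIN_LEN - 1, -1, -1):      # assume target sits at column j
        pw = reduce_(target, j)
        for col in range(j + 1, CHAIN_LEN):    # run the rest of the chain
            pw = reduce_(h(pw), col)
        for start in table.get(pw, []):        # endpoint known: rebuild chain
            cand = start
            for col in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), col)
    return None                                # not covered, or salted


if __name__ == "__main__":
    starts = ["".join(t) for t in itertools.product(CHARSET, repeat=PW_LEN)][::13]
    table = build_table(starts)
    print("chains:", len(starts), "endpoints stored:", len(table))
    for target in (h("abc"), salted_hash("abc", "s4lt")):
        print(target, "->", lookup(table, target))
```

The stored table is a fraction of the size of the password space because only chain endpoints are kept; the rest is recomputed at lookup time. That trade is exactly why a table built for one hash function is useless the moment a salt changes the function.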
In the military, new recruits often confuse concealment for cover. Concealment is the act of hiding in or behind something that does not readily protect the body from danger. A good example of this is leaning up against a wooden wall. The person on the other side cannot see you but he can still shoot you through the wall. Cover, on the other hand, usually provides concealment while also protecting the body from danger. In other words, replace the wooden wall with a brick wall. Now the wall provides you with protection by not allowing the person on the other side to shoot directly through the wall.
If you are not in the military then you can use the title of this article as your example. Just because somebody or something is invisible does not mean that they or it cannot be attacked. In other words, invisibility does not make them or it invincible.
In the realm of computer and information security, obscurity relates to concealment or invisibility. It needs something extra to actually provide protection.
So, stop going out of your way to count security through obscurity as a layer of your network, operating system, or application protections. Let obscurity come naturally. Plan your deployments and limit the information you give away so that others are forced to perform a lot of queries to determine what you have available, and watch your logs for those queries. After all, the more noise they make the more likely you are to catch them in the act.
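The two sides of this, guessing where a forgotten backup copy lives (the Paros check mentioned earlier) and noticing the noise that guessing makes in the web server log, as an added example that is not code from the post or from Paros. The suffix list, the backup-name pattern, and the access-log lines are all constructed for the example.

```python
import posixpath
import re
from collections import defaultdict

# Suffixes a scanner tries for every path it has already seen.
# Constructed for this example, not Paros' own wordlist.
SUFFIXES = [".bak", ".old", ".orig", ".save", ".swp", "_bk", "~", ".txt"]

# What a "backup-looking" request path ends with, for the log side.
BACKUP_RE = re.compile(r"(\.bak|\.old|\.orig|\.save|\.swp|_bk|~)$", re.IGNORECASE)

# Combined/common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed access-log sample: one client hunting for copies of login.php,
# one client that merely hit a missing image.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:13:55:36 -0700] "GET /login.php HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2006:13:55:37 -0700] "GET /login.php.bak HTTP/1.1" 404 212
203.0.113.7 - - [10/Oct/2006:13:55:37 -0700] "GET /login.php_bk HTTP/1.1" 404 212
203.0.113.7 - - [10/Oct/2006:13:55:38 -0700] "GET /login.php~ HTTP/1.1" 404 212
203.0.113.7 - - [10/Oct/2006:13:55:38 -0700] "GET /login.old HTTP/1.1" 404 212
203.0.113.7 - - [10/Oct/2006:13:55:39 -0700] "GET /login.php.old HTTP/1.1" 200 1102
198.51.100.4 - - [10/Oct/2006:13:56:01 -0700] "GET /index.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2006:13:56:05 -0700] "GET /images/logo.png HTTP/1.1" 404 212
"""


def backup_candidates(path: str) -> list[str]:
    """Names a scanner would try for a forgotten copy of `path`."""
    stem, ext = posixpath.splitext(path)
    names = [path + s for s in SUFFIXES]                 # /login.php.bak, /login.php_bk ...
    if ext:
        names += [stem + s for s in SUFFIXES if s.startswith(".")]  # /login.bak ...
        names.append(stem + ".inc")
    seen, out = set(), []
    for n in names:                                      # keep order, drop duplicates
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def is_backup_name(path: str) -> bool:
    return BACKUP_RE.search(path) is not None


def find_backup_guessers(log_text: str, min_misses: int = 3) -> dict:
    """Per client IP: how many backup-looking names 404'd, and which ones hit.
    A client is reported when it missed at least `min_misses` times or got
    any 2xx on such a name (the obscured file has just been found)."""
    stats = defaultdict(lambda: {"misses": 0, "hits": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_backup_name(m["path"]):
            continue
        if m["status"] == "404":
            stats[m["ip"]]["misses"] += 1
        elif m["status"].startswith("2"):
            stats[m["ip"]]["hits"].append(m["path"])
    return {ip: s for ip, s in stats.items() if s["misses"] >= min_misses or s["hits"]}


if __name__ == "__main__":
    print("would try:", backup_candidates("/login.php"))
    for ip, s in find_backup_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {s['misses']} misses on backup names, hits: {s['hits']}")
```

The detection side is the part worth keeping: the file on line six of the sample was obscured, not protected, and the four 404s before it are the noise the post is talking about. A rule like this on the access log turns that noise into an alert; a stricter fix is to keep editor backups and old copies out of the document root entirely.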
Addition:
I see that Roger Grimes has addressed this issue in his latest blog entry. He brings up several good points that I think I have addressed here. Be warned, the database with a NULL SA password that he set up was a “honeypot.” Please do not try this at home.
Cutaway
security, obscurity, NMap, Superscan, THC-Amap, THC-Hydra, Medusa, keykatcher, Cain&Abel, Shmoo, Security Ripcord, John The Ripper, Paros Proxy, Roger Grimes, Rainbow Crack, Security Through Obscurity 