Comments for Tales from Room 641A

Comment on SSL by default? Your mad! Simply mad! by not you

not you — Sat, 19 Jun 2010 05:59:59 +0000

So it’s pretty much a http to https auto redirect? Why don’t the sites do this automatically?

Comment on Security through obscurity by Josh-The Admin

Josh-The Admin — Thu, 03 Jun 2010 21:53:28 +0000

@dude – You once again struck the nail on the head. The use of security through obscurity as a primary defense is what I take issue with. Looking back at my first post I can see where my statements were lacking.
First off, I agree that not disclosing information can help shed those kiddies from the security system. I should have mentioned in my first post that I’m not advocating the disclosure of intranet IP’s and server configurations. Security is about the layers, not the Iron wall of doom that no one can breach. I guess my arguement can be boiled down to my beleif that obscurity is a flimsy layer in the complete security package.

Take for example the cryptographic world. Would you trust a cryptographic suite that says “It’s secure, we say it is, but you can’t see the actually math” or would you trust the suite that has been through the public rigors and has been deemed computationally secure? This is an area where I believe the security through obscurity model does not work.

As for the high horse, I must apologize if I came off as a rude blogger, that’s not my deal. I’ve been around enough (not nearly as long as some)to see that there is room for both “real world” views and the attempt to apply portions academic design. Unfortunately, budget in the business is never as big as the budget of a professor’s mind.

Comment on Security through obscurity by dude

dude — Thu, 03 Jun 2010 21:29:59 +0000

Most working security professional hatred of security through obscurity comes not from its use but from the exclusive use of it a means to protect assets. Obscurity is a valuable tool in many deployments. For example in a web application it is useful to deny information about the server to users. Where this helps is to raise the level of the attack required to one that can identify the server (since we appear to be rabid open-source types here see http://net-square.com/httprint/ and http://code.google.com/p/waffit/).

Denying information helps to keep the low level ankle biters who just do massive banner scans away. This helps to keep the threat down to only attackers worth our time. It also reduces the false positive rate on the NIDS, WAFs, etc to a dull roar. Because so many companies fail to invest adequately in real security professionals and instead rely on the all in one super security box this is important. Reducing the rate of threat presentation allows each threat to be given more attention. If every banner-scanning script kiddie is hitting the unit and setting off the alarm the staff then learns to ignore the alarms. As a tester that is great so that we can hide in the noise but as a defender it is annoying. Obscurity helps reduce the noise and keep people focused on the real threats. It just can not be your only means of defense, which sadly it is all to often.

Keep up the good work but you may want to get off your high horse and realize that the real world is a lot more complicated than some academic perfect security mindset. Developers never want to acknowledge that their code sucks, finance guys never want to pay for something that has a ROI of ‘it makes us more secure’, how do you put that in a spreadsheet? Defending against 1000 threats has no ROI. Even a breach has a very low cost except for a few big cases. (reading http://www.databreaches.net/ for a few days should convince you how little people care about the issue). Security people are not cheap, obscurity is.

Comment on Security through obscurity by Josh-The Admin

Josh-The Admin — Thu, 03 Jun 2010 15:43:59 +0000

Mr Hilwa

Thanks very much for the response. I must apologize for only commenting on the blurb portion of the article. In response though, I would lend a word of caution, be careful with sarcasm on the written page (or typed page for that matter). It does not shine through in many cases.

The rest of the article goes on:

————————-
Considering that it’s not yet offered commercially on computers, Chrome OS is as obscure as it gets, lending credence to Hilwa’s argument.

However, Hilwa added, this strategy does not always work with precision-targeted attacks, as the attackers would invest what it takes to target an environment.

“More often, software that is less popularly deployed may in some cases harbor basic vulnerabilities that would have been discovered with broader field testing and deployment. It is a judgment call,” he said.
—————————————

Comment on Security through obscurity by Crystal

Crystal — Thu, 03 Jun 2010 11:57:19 +0000

In my opinion a well tested open source system will be more secure than one that was developed in-house. More bugs will likely be found when it is open-source, but that does not mean the software actually has more/less bugs than the internally developed app. Exposure to more people means more security holes will be identified and resolved. This is good. Besides, if Bruce says you should only accept open source solutions for anything related to security…who am I to disagree? (http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html)

Comment on Security through obscurity by Al Hilwa

Al Hilwa — Thu, 03 Jun 2010 06:36:28 +0000

Hey Josh, thanks for caring enough to pick apart my comments. Sadly you did not pick-up in the tongue-in-cheek sarcasm in my statement. The comment I submitted to the journalist included the following statement, which was in one article but dropped in the another: “However, Hilwa added, this strategy does not always work with precision-targeted attacks, as the attackers would invest what it takes to target an environment.”

This is the main article: http://www.eweek.com/c/a/Application-Development/Google-Shunning-of-Windows-Paves-the-Way-for-Chrome-OS-293116/

Anyone familiar with security issues is also familiar with the age-old mantra that there is no security in obscurity, which is why I keyed off the phrase implying that deploying an unknown and untested operating system like Chrome OS may have some such risks. Truth be said, though, anyone who has kept quiet in a closet while a thief ravaged their house may have understood the value of security through obscurity (in certain settings .

Josh, again thanks for taking the time to pay attention. As another mantra goes, at the end of the day, no attention is bad attention.

Cheers!

Comment on A Telnet Rant by Josh

Josh — Sat, 22 May 2010 15:28:21 +0000

You won't find a disagreement from me if I were on the attacking side of the house for a penn test. But, you did hit the hammer on the head(yes, I know...) naming netcat as a bit better tool. Though telnet has a slight advantage of being on most OS releases by default. The rant was more directed at companies, corporations, and individuals who feel the need to use Telnet for their chosen remote admin tool. (Debian key vuln for those that are curious)

Comment on A Telnet Rant by dude

dude — Sat, 22 May 2010 06:47:37 +0000

Dude, you freakin use telnet to test HTTP servers not for remote access. But of course for that netcat and socat are better…… I prefer my targets to use either telnet or the weak Debian SSH keys, they are easier to pwn.

Comment on A Telnet Rant by Crystal

Crystal — Fri, 21 May 2010 22:41:09 +0000

amen

Comment on Can I getta Vroom Vroom? by Cstam

Cstam — Wed, 10 Mar 2010 15:44:10 +0000

Yeah, I have no interest in having my car internet enabled. I would be fine tethering to my phone’s data connection (maybe get data pushed over the next version of Bluetooth?!?) but that does of course bring up the paranoid me echoing your concerns. I mean, if they can’t program the acceleration software right, do you think they’ll have the foresight to completely isolate the “Accessories” from the internal system? It’ll be an interesting/scary future!