Security Basics mailing list archives

RE: Concepts: Security and Obscurity


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Fri, 20 Apr 2007 07:28:45 +1000

As a conclusion...

Being that this thread has been solicited to conclude, the issue is not
the number of scans, but the hazard function. I prefer to trust
quantified results over speculation. (I do not believe these to be big
words; those who do could note that I have not been using terms such as
heteroscedastic, stochastic etc.)

The number of scans has little relevance to security - what matters is
the relative level of determinacy, resources and skill that the attacker
has. I would dare to speculate that 1 determined, skilled and
resourceful attacker has more opportunity and thus is a greater threat
than 1,000 unskilled attackers. Daniel is proposing the alternate that
the volume of attacks is the determining factor.

Daniel's assertion has a problem mathematically. The result is skewed
through different classes of attackers. No effort has been made to
stratify the attackers and they have been classified as a single threat
- rather than a selection of separate threats.

I have seen nothing on the list stating that a determined, resourced
attacker will be either deterred or stopped from this addition of
obscurity. Rather the argument is that more logs will allow you to see
and correlate the attack. I fail to see how this will detect an attacker
using a zombie network to recon and then not attack with a separate
address. In fact, several posts have just stated that you should ignore
the determined attacker and concentrate on the lower bar, that the
script kiddies pose the greatest threat. With this I disagree.

In support of this argument, there are a number of groups (organised
crime) that sell access to zero day vulnerabilities and zombie networks.
I see the threat level from these groups to far exceed the threat by any
number of determined but unknowing script kiddies. We did after all
initially state a secured SSH service. This would remove the script
kiddies as a valid threat. I find it unlikely that many script kiddies
have open access to zero day vulnerabilities - which is what is needed
to attack a patched, secured SSH service as was initially proposed. Thus
the determined attacker can not be discounted.

As for details, there has been a fair amount of press concerning
76Service, Russian Business Network (RBN) and other
quasi-legitimate or downright criminal groups.

Last June Finjan released a white paper detailing the move towards the
criminalisation of malware and attacks. I have seen this personally in
client work. 

Daniel has taken this a little personally; he is trying to defend a
paper which is written and published on the internet without a prior
peer review process. This of course could be considered a peer review,
but the fact that he will not consider criticism negates this.

Maybe Ben could provide some insight from the results at Symantec? If
not this is ok and understandable as well.

There are a couple of on-list proposals for experiments and I have been
approached to help with 3 experiments off-list. In contradiction to
Daniel's belief, I am not desirous of being proved right, I just want
the truth. Truth is fact and evidence not speculation.

10 years ago I would have stated the same thing that Daniel and others
have stated. Times have changed however and I no longer see the
necessary conditions to adhere to this belief.

Port knocking and SPA have a cost - open source software is not free and
the time that it takes to install and configure a client has a value.
There are other methods which may be used to validate access to a port
which have the same or less cost. Some of these are not based on
obscurity and are time tested and have been extensively analysed.

I state again that without an ability to quantify the gains, they
should not be seen as gains, but a loss. A quantifiable gain is always
more effective than a warm-fuzzy.

As an interesting side post, since posting the details of my home
network yesterday, the number of individual attacks has dropped by 60%.
This is something I did find unexpected, and especially that all numbers
are significant - fewer sources, lower intensity etc.

A drop from 1.2 million separate recorded attacks to 471 thousand, where
the prior 5 year low was over 800 thousand a day, is statistically
significant at the 99% confidence level (SD 126,150.21). So this does
have some relevance - just what, I cannot however state.

Not that I will mention names, but there is a very strong correlation
between the IP addresses used by some people on the list to send email
and some in the logs. Please feel free to answer this offlist, but those
on the list who accessed the wingate proxy and winframe server last week
and used it as a zombie, did you actually notice the host description
which read "HI, I am a honeypot - welcome to my logs". I would suggest a
remailer to send this message, but it would have value in the experiment
I was doing.

I guess that this is a form of compliment... ;)

Regards,
Craig

PS - not that I approve of it, but I was impressed by the attack two
weeks back - and I am not impressed by much these days. To the person
involved, you have a bright future if you keep your nose clean. I would
suggest that you stop believing you cannot be caught.

Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains.  If you have 
received this message in error, please notify the sender by return email, destroy all copies and delete it from your 
system. 

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls.  
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls.  It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects.  BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached.  A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----

From: Daniel Miessler [mailto:daniel () dmiessler com] 
Sent: Thursday, 19 April 2007 6:06 AM
To: Craig Wright
Cc: Nhon Yeung; TheGesus; Florian Rommel; levinson_k () securityadmin info;
security-basics () securityfocus com
Subject: Re: Concepts: Security and Obscurity


On Apr 18, 2007, at 3:20 PM, Craig Wright wrote:

Again as I have stated - the number of scans or some arbitrary
reduction which has been argued in the number of people who know of
the service are irrelevant.

Irrelevant?

What sort of academic gyrations do you need to go through in order
to realize that a server that's behind a firewall and is only
connected to by 100 internal users is MORE SECURE than that IDENTICAL  
server exposed to billions of potentially malicious systems online  
(in addition to the same 100 users)?

And this is what obscurity does -- it *effectively* reduces the  
attack surface of your system while the obfuscation is in effect.

It doesn't require a committee, an academic paper, or an elaborate  
experiment to realize that reducing your potential attackers from  
1,000,000,000 to 100 improves your security. It's so obvious that I'm  
losing IQ points just by arguing about it. You're giving academia a  
bad name by using big words to illustrate your inability to grasp a  
concept that your less-educated colleagues understood the instant  
they saw it. It's precisely the type of behavior that fosters  
stereotypes about academia.

And the PhD who writes infosec books for O'Reilly who thinks you're  
insane will likely mention this when he blogs about this thread. Good  
luck with that.

Wow, I'm entirely too riled up about this. :)

--
Daniel Miessler
E: daniel () dmiessler com
W: http://dmiessler.com
G: 0xDA6D50EAC