[HN Gopher] Security through obscurity is underrated
___________________________________________________________________
Security through obscurity is underrated
Author : metadat
Score : 15 points
Date : 2022-10-23 18:56 UTC (4 hours ago)
(HTM) web link (utkusen.com)
(TXT) w3m dump (utkusen.com)
| kayson wrote:
| This is something that really needs to be said more in amateur
| circles (i.e. self-hosters and homelabbers). For these scenarios
| I think it's even worse, though, because it's a case of
| insecurity through transparency. People don't realize that all
| ACME/Let's Encrypt certificates are published in transparency
| logs that get scanned constantly, giving attackers a shiny
| target. I saw a reddit post recently (which I won't link for the
| victims' sakes) where someone had searched for Heimdall (a
| popular dashboard) in a web-security-oriented search engine and
| found a bunch of insecure publicly facing instances, some of
| which contained credentials.
|
| Fixing this would be as simple as using wildcard certs, wildcard
| dns, and unique subdomains. Configure your web server to 404 any
| request without a valid subdomain (esp. www.domain.tld or
| domain.tld) and you've avoided nearly every web-based scan
| because the attacker doesn't know the host name. This is pure
| obscurity, but it definitely works.
|
| Yes, the host name can get leaked through SNI, but if someone is
| monitoring your traffic, you probably need something more
| sophisticated anyways.
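The setup kayson describes, as an added nginx example that is not part of the original thread or the linked article: a catch-all server that answers 404 to any host name it was not told about (including the apex and www), and one named server block for the actual service. The domain example.com, the Let's Encrypt certificate paths, the backend port and the subdomain k7f3q9 are assumed values.

```nginx
# Assumed: wildcard DNS (*.example.com) points at this host and a
# wildcard certificate for *.example.com was issued via ACME.

# Catch-all for HTTPS: any request whose Host does not match a
# configured server_name gets a bare 404. The wildcard cert is still
# presented, so the handshake completes and the scanner learns nothing
# about which names exist. (nginx >= 1.19.4 can instead use
# "ssl_reject_handshake on;" here to abort the handshake without
# presenting any certificate.)
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Keep the bot noise in its own log so the real access log stays useful.
    access_log /var/log/nginx/catchall.log;
    return 404;
}

# Catch-all for plain HTTP: do not redirect to a name that would reveal
# the service; refuse everything.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 404;
}

# The real service, reachable only by a client that already knows the name.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name k7f3q9.example.com;   # assumed, deliberately unguessable

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend (e.g. a dashboard)
        proxy_set_header Host $host;
    }
}
```

The wildcard certificate still appears in Certificate Transparency logs, but only as `*.example.com`, so the log no longer enumerates the individual service names; the SNI caveat kayson notes still applies to anyone who can observe the traffic.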
| naasking wrote:
| > Configure your web server to 404 any request without a valid
| subdomain (esp. www.domain.tld or domain.tld) and you've
| avoided nearly every web-based scan because the attacker
| doesn't know the host name.
|
| But you haven't actually avoided it, you kicked the can down
| the road at best. Sometimes that's useful but it's not a sound
| general strategy.
| _trampeltier wrote:
| The beauty of special ports is much less bloated logs.
| anjbe wrote:
| Do people using high ports actually check their logs enough
| for it to matter?
| slooonz wrote:
| Using a random port for SSH (or even "better", port knocking) is
| a "clever trick", until you forget the one you used for that
| server that quietly runs and on which you log in once every two
| years. Then it can range from minor annoyance to major PITA.
|
| Security by obfuscation has the potential to confuse some (mostly
| dumb) attackers, but it also has the potential to confuse your
| future self, for VERY minor benefits (since everyone agrees that
| most of your security should not come from security-through-
| obfuscation anyway).
|
| Hence, avoid.
| alerighi wrote:
| You can maintain a .ssh/config file with all the ports that you
| used (and back it up), or always use the same custom port.
|
| Anyway, it is useless, but it can avoid all sorts of bots trying
| out common logins on your SSH server, which consumes resources
| (even if minimal) and fills your logs.
| hotpotamus wrote:
| I would say that every attacker I've ever encountered was dumb
| in the sense that it's a bot just scanning around. For ssh, I'm
| amazed by 2 things - 1, how quickly a new server with 22 open on
| a public IP will be found and attempted to be compromised by
| brute force guessing, and 2, how changing the port (even to an
| obvious one like 2222) will eliminate all that noise.
|
| I suppose you could say that the attackers are filtering out
| anyone who has done some basic hardening, but I suspect the
| truth is mostly more mundane - the attackers just aren't that
| motivated/clever; at least the ones who mass scan the internet
| trying to compromise ssh.
| smitty1e wrote:
| One would think that if a list of services were going to be
| bound to non-standard ports, that would be an occasion to
| document very, very carefully.
| magicalhippo wrote:
| From 2020, previously discussed here, as mentioned in the
| article: https://news.ycombinator.com/item?id=24444497
| woopwoop24 wrote:
| Risk = Likelihood * Impact
|
| If someone is capable enough to combine things, he does not need
| to be told this advice. All the others we tell just to follow
| common advice and not live by obscurity, because it is crap most
| of the time. Strong security does not need obscurity.
| blincoln wrote:
| Security through making things harder in some unquantifiable way
| for an attacker to exploit[1] is usually a waste of time (IMO)
| because there is no way to measure or even estimate with any kind
| of accuracy how much value it adds versus the costs of
| implementing and maintaining it. Maybe it will deter attackers
| forever, because you'll get lucky and no one will ever care
| enough to put in the effort. Maybe someone becomes obsessed with
| the thing you're trying to protect, and just for fun figures out
| how to bypass all of your work in a week, and publishes the
| result to Full Disclosure.
|
| The author of the article cites a typical information security
| faux version of a real thing: calculating risk by multiplying
| impact by likelihood. Risk is a real field, with real data
| collected to make those estimations as accurate as possible.
| Insurance companies use complex actuarial tables, which is where
| the old saw about red cars having higher insurance premiums comes
| from. They really do collect massive volumes of data to make
| estimates of likelihood from.
|
| In my field (information security) people who talk about
| likelihood are generally just guessing, or trusting their knee to
| ache when the haxxors are about to pwn the Gibson. There is no
| data, just someone guessing and plugging the number into a
| formula so that the result has the appearance of objectivity and
| science. Implementing controls that "make things harder" is a
| variation on that same theme.
|
| If one wants a security control they can trust, they should pick
| the ones that have actual math behind them, like "using this
| random token[/key/whatever] means that an attacker would have to
| guess for literally one million years to make a successful
| request".
|
| [1] of which security through obscurity is a subset.
| heinternets wrote:
| If security through obscurity wasn't somewhat effective, why
| would the army employ camouflage?
| bbarnett wrote:
| Camouflage is offensive, not defensive. You don't defend your
| country by hiding it, but you do sneak up when attacking...
| bitxbitxbitcoin wrote:
| Camouflage is absolutely at least as defensive as it is
| offensive. In the military context, you can defend your
| country by hiding, i.e. with a nuclear submarine, camo nets for
| covering anti-aircraft guns, etc. Outside of the military
| context, just look at how camouflage is actually deployed in
| nature.
| anjbe wrote:
| The thesis of the article, that security through obscurity is
| underrated, is "because it has a low implementation cost and it
| usually works well."
|
| But I contest both of those things. Common obscurity methods
| provide low benefit for the amount of work put in, relative to
| methods with a better foundation.
|
| One of the best examples of this is port knocking, a resurging
| fad in self-hosting circles, that is completely beaten both in
| simplicity and in actual protection by putting your SSH server
| behind WireGuard.
|
| Even the example in the article seems ridiculous. I always
| advocate disabling SSH passwords and using FIDO-backed SSH keys
| instead, but of course people will complain that they lose the
| ability to log in from arbitrary machines (well worth it in my
| opinion, but fine). So rather than using SSH with a weak password
| on a non-default port, why not use SSH with a strong password on
| a default port, which provides more entropy and also some
| protection against attacks by a local user, without having to
| remember weird port numbers?
___________________________________________________________________
(page generated 2022-10-23 23:01 UTC)