Oh YES, Oh YES, really! Wait, what? NO! NO, I mean YES! But…? Well, it all started when one of my ‘Skiddy’ friends and I went for a sleepover at our ‘Geeky’ friend’s place. The first few words that came out of his (Skiddy friend’s) mouth as we walked into our Geeky friend’s flat were, “I wish you had WiFi so I could connect to it and show you this web-based (bandwidth-intense) app I have running remotely on one of my servers, but then again, I am picking up other WiFi signals; unfortunately their signals are really weak, like my hacking skills!” (laughing) He went on to say, “If only I had mad skills (l337 h4x0r), I would have connected to one of the nearby WiFi networks and piggybacked its Internet connection to show you!” My Geeky friend replied, “I do have WiFi, but it’s because of people like you that it’s running in stealth mode!” It immediately registered and he (Skiddy friend) replied, “Security by Obscurity, really!”
This chain of events brought about the whole Security by Obscurity debate. Sooner than expected, we were laughing about the whole scenario, but what is Security by Obscurity? The definitions from these two ‘techie junkies’ left us even more confused :-). As we ‘console-gamed’ the night away into the New Year, we agreed on the following Security by Obscurity definitions (our opinions):
- Security by Obscurity involves securing a system by relying on a weakness in the model or implementation of that system remaining unknown or hidden.
- Security by Obscurity involves concealing, or adding a protective security layer to, an already hardened system or technology; in the end the overall security posture is increased.
Sounds a bit confusing, right? Using the above definitions, some real-life examples are as follows:
- Definition No. 1 – A computer user who writes down his or her login password on a piece of paper and keeps it under the keyboard. In this example, the password is literally right out in the open for anyone to grab, but not everyone can find it or will know it’s there! Someone who is really dedicated can find it and log straight in…
- Definition No. 2 – A systems administrator who hosts a web-based service on an alternate port (e.g. port 8443), whose pages are secured with an SSL certificate, and who only allows users from a specific IP address range to connect to it. This scenario is not hack-proof, but the implementation tries to add another layer of security to an already secured setup.
That being said, as our game pads did nothing but let us dig deeper into virtual reality, I posed the question: what real-life examples of Security by Obscurity have we come across, fiddled with or currently have running? Boy oh boy, it gets interesting! These are some real-life examples my two friends (let’s call them Skiddy and Geeky) and I came up with:
- Port Renaming – As former system administrators, we realised that we (and in most cases our colleagues) have tried to narrow down the number of malicious user attacks or malicious bots connecting to specific services by changing the port numbers those services listen on, as most of these attacks are automated scans by bots that look for specific well-known ports. This has seen the amount of traffic to these ports drop considerably. Examples are admins who move the SSH service port from 22, the Remote Desktop service port from 3389, or web service ports from 80 or 8080 to something else. In some cases it might not even involve changing the port on the service itself, but implementing Network Address Translation (NAT) at the firewall level so that a different external port points to these services.
- SSID WiFi Disabling – This is what brought about the whole Security by Obscurity argument. SSID WiFi disabling basically involves hiding one’s wireless network name by not broadcasting it. We can argue that a WiFi SSID is in itself a network name, not a password, but some will argue that announcing the presence of a wireless network (by broadcasting its SSID) draws unnecessary attention, especially from script kiddies and hackers alike who are generally intrigued by these ‘boundaryless signals’ (Geeky’s opinion), so why broadcast it? But then again, let’s leave this debate for another day…!
- Default CMS Admin Backend URL Renaming – Online presence in the form of websites is on the increase, and of particular interest are Content Management Systems (CMSes) like Joomla, Drupal, WordPress and MODX, to name a few. In order to create, update or delete posts for blogging, informative or marketing purposes etc., one has to log into the admin backend portal that allows one to make the necessary changes. The different CMSes come with default backend URLs for their respective admin panels; for example, by default Joomla is http://sitename/administrator, Drupal is http://sitename/?q=user, WordPress is http://sitename/wp-admin and MODX is http://sitename/manager, to name a few. To prevent bots (which usually run scripts that check for these specific URL patterns) from targeting one’s site, or to prevent malicious users from finding your site through the use of Google dorks, most administrators rename the admin backend URLs.
- Local Builtin Administrator User Account Disabling – The local builtin Administrator account is known to possess ‘Super Cow’ powers. Usually, when a malicious user has access to the user account login screen of a specific PC, be it remotely via RDP, VNC etc. or physically, they know that to run applications with full permissions they need to log in with an administrative account (or escalate their privileges). Besides, every hacker’s dream is owning the Administrator account (Windows) or the root account (Linux). Unfortunately, Windows is designed such that the Administrator account is present by default, and most users enable it for ease of use. All it takes for a successful login is to get the username and password right, so why give away the first clue, that is the Administrator or root user account name, and leave them only the password to guess? It is highly advisable to disable the Administrator or root account. This makes the local user enumeration process on the machine difficult for the malicious perpetrator.
- Steganography – Steganography involves concealing or embedding a message within something that is seemingly harmless or that does not present itself as an object of scrutiny. For example, messages can be concealed in images, text files, music files etc. It is usually preferred over encryption where the message needs to be plainly invisible, or where the use of encryption is illegal.
- Encryption – Encryption is a method by which sensitive information is converted to ciphertext so that one needs a secret key to read or decipher the message. Encrypted messages or data can be intercepted, but the message contents are denied to the interceptor if they do not have the decryption keys. More on encryption in my earlier post.
- SSH Port Tunneling – SSH port tunneling prevents people from snooping on or eavesdropping on your traffic by forcing or redirecting all traffic through an artificial, encrypted electronic passage, irrespective of whether you are connected to the Internet via a public or private network. SSH port tunneling is also known as the poor system admin’s VPN (Virtual Private Network); you can read up on SSH port tunneling in my earlier post.
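An added example (not code from the original post) of the automated probing that the CMS backend renaming item above describes, written from the detection side: it parses constructed Common Log Format lines and flags source addresses that request the default admin paths of several different CMSes, the signature of a bot checking URL patterns rather than a real user. The log lines, the IP addresses and the renamed backend path `/cms-backend-x7/` are constructed for the example.

```python
import re
from collections import defaultdict

# Default admin backend paths named in the post, keyed to the CMS they belong to.
DEFAULT_ADMIN_PATHS = {
    "/administrator": "Joomla",
    "/?q=user": "Drupal",
    "/wp-admin": "WordPress",
    "/manager": "MODX",
}

# Common Log Format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not real traffic); this site has renamed its backend.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:00:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 169
203.0.113.5 - - [01/Jan/2014:00:01:03 +0000] "GET /administrator/ HTTP/1.1" 404 169
203.0.113.5 - - [01/Jan/2014:00:01:04 +0000] "GET /manager/ HTTP/1.1" 404 169
198.51.100.7 - - [01/Jan/2014:00:02:10 +0000] "GET /blog/my-post HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2014:00:02:15 +0000] "POST /cms-backend-x7/login HTTP/1.1" 302 0
192.0.2.9 - - [01/Jan/2014:00:03:00 +0000] "GET /?q=user HTTP/1.1" 404 169
"""

def default_admin_cms(path: str):
    """Return the CMS whose default admin path this request matches, else None."""
    for prefix, cms in DEFAULT_ADMIN_PATHS.items():
        if path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + "?"):
            return cms
    return None

def classify_admin_probes(log_text: str) -> dict:
    """Map each source IP to the set of CMS default admin panels it requested."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        cms = default_admin_cms(m.group("path"))
        if cms:
            hits[m.group("ip")].add(cms)
    return dict(hits)

def flag_scanners(hits: dict, min_distinct: int = 2) -> list:
    """IPs probing default panels of several CMSes: a real user needs at most one."""
    return sorted(ip for ip, seen in hits.items() if len(seen) >= min_distinct)
```

Run `flag_scanners(classify_admin_probes(SAMPLE_LOG))` to see the one address that walked through three CMS defaults while the legitimate user only touched the renamed backend.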
Each example above falls under one of the two definitions, or both (our opinion). For argument’s sake, I personally think Security by Obscurity can be either good or bad security! That is, I consider it good if it is used as an additional protective security layer on an already hardened system or technology, and bad if one relies on it and ONLY uses it to conceal an already vulnerable or weak system (such a scenario only buys time; eventually someone will find and expose or exploit the weakness).
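As an added example (not code from the original post), the steganography item listed above is worked through in Python to show the point just made: a message is hidden in the least significant bits of a constructed grayscale pixel array, the cover barely changes, and anyone who knows the embedding scheme can extract the message without any key, which is why concealment on its own only buys time. The cover image is constructed inline, so no image library is needed.

```python
# Constructed 8-bit grayscale "image" as a flat pixel array (no image library needed).
def make_cover(width: int = 64, height: int = 64) -> bytearray:
    return bytearray((x * 7 + y * 13) % 256 for y in range(height) for x in range(width))

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def hide(cover: bytearray, message: bytes) -> bytearray:
    """Embed a 4-byte length header plus the message in the pixels' least significant bits."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("message too long for this cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # overwrite only the lowest bit
    return stego

def extract(stego: bytearray) -> bytes:
    """Recover the message: no key is needed, only knowledge of the scheme."""
    def read_bytes(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)  # the header occupies the first 32 pixels

def max_pixel_delta(a: bytearray, b: bytearray) -> int:
    """Largest per-pixel change between cover and stego: at most 1, invisible to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    cover = make_cover()
    stego = hide(cover, b"meet at noon")
    print(extract(stego), max_pixel_delta(cover, stego))
```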
Note: This post basically lists some of the real-life examples of Security by Obscurity we have come across, fiddled with or currently have running! In my next article I will list the steps and preventative measures one can take to achieve the above, supported by examples. That being said, even after taking the listed preventive steps, it does not mean the measures are hacker-proof, but assuming we are adding them to a system that already has decent controls in place, Security by Obscurity, really? I will chant DJ Carl Cox’s slogan on this one, “Oh yes, Oh yes!!!”