[Full-Disclosure] Security & Obscurity: First-time attacks and lawyer jokes
yehudi at tehila.gov.il
Sun Sep 5 14:09:42 BST 2004
> The flaw in your specific example [about a software program freezing
> up if it is attacked] is that every program can be run as
> many times as you need to "attack" it. You would never need more than
> one copy.
First, there are times when you cannot attack the program over
and over. For instance, you may not have the ability to access the
software over and over again, such as when it is running on someone
else's system and you don't have continuous access. Second, other
persons on FD have written to me privately about self-modifying code
that would render Dave Aitel's point untrue. With that said, the
example could be better written.
Much more importantly, though, is that Dave accepts one of the
fundamental points of my paper in trying to refute it. He says "every
program can be run as many times as you need to attack it." Exactly!
The big difference between physical and computer security that I
emphasize is the number of attacks. Dave emphasizes the number of
attacks. Hey, it's a unifying principle that even lawyers and
non-experts can understand in the future! (See separate post today on
why the analogy between physical and cyber security is useful.)
A theme of the paper: when attacks are closer to first-time
attacks (when they have high uniqueness), then secrecy can be an
effective tool. When there is low uniqueness, security through
obscurity is BS. And many, many cyberattacks fall into the second
A smart firewall, or other appliance, or policies of a smart security
administrator, may quickly detect an attack, and restrict or bar access
of the attacker to the program. That will keep the obscurity factor
high for a much longer period of time.
A prime example is the attempt to discover a password. Two or three
failed attempts will lock you out (at least for a certain period of
time). This makes the attack on a well-designed password statistically
unlikely to succeed within the attacker's lifetime - regardless of the
raw computational power available to him / her.
If security by obscurity _always_ sucks, then I hope that all the
readers of this post will send me detailed network diagrams, IPs and
passwords; also name, address and credit card number while you're at it.
If you're going to be "open", be open!
We make passwords difficult precisely because we (all?) believe that
_sometimes_ a lot of obscurity is a very good thing. And many of us now
use two-factor authentication just so that we can widen the gap between
what is known and what is unknown just that much further.
Food for thought I hope.
Best Regards, Ya'akov
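An added example, not part of this post or the list thread, of the lockout mechanism Ya'akov describes: a per-account failed-login counter with a lockout window, plus the resulting bound on online guessing speed. The policy numbers (3 failures, 15-minute lock), the injectable clock and the 62-character 8-position keyspace are assumptions constructed for the illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 3           # failed attempts allowed per window (assumed)
    lockout_seconds: float = 900.0  # how long the account stays locked (assumed)


@dataclass
class _Account:
    failures: int = 0
    locked_until: float = 0.0


class LockoutGuard:
    """Per-account failed-login counter that enforces a lockout window."""

    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock          # injectable so behaviour can be tested offline
        self._accounts: dict[str, _Account] = {}

    def is_locked(self, user: str) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and self.clock() < acct.locked_until

    def record(self, user: str, password_ok: bool) -> str:
        """Apply one login attempt; returns 'ok', 'fail' or 'locked'.
        During a lockout every attempt is refused, even a correct password."""
        acct = self._accounts.setdefault(user, _Account())
        now = self.clock()
        if now < acct.locked_until:
            return "locked"
        if password_ok:
            acct.failures = 0       # a successful login clears the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.failures = 0       # the next window starts fresh after the lock
            acct.locked_until = now + self.policy.lockout_seconds
        return "fail"


def years_to_exhaust(policy: LockoutPolicy, keyspace: int) -> float:
    """Time to try every password at the rate the lockout allows. The bound
    depends only on the policy, not on the attacker's computing power."""
    guesses_per_second = policy.max_failures / policy.lockout_seconds
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)
```

With the constructed policy, exhausting an 8-character alphanumeric keyspace takes on the order of two billion years, which is the "attacker's lifetime" point made in the post.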
Full-Disclosure is hosted and sponsored by Secunia.