Blog de Matias Katz: Shall we talk a bit about security?

5 May 2010

Security through obscurity. Is it really effective?

Throughout history there have been countless cases in which the main security measure was obscurity, meaning hiding resources or information from public view and/or access.

Secret passages in castles, valuables hidden inside jars or hollowed-out books, underground military bases, etc.

I can't help but wonder: is that the best of measures?

Daily practice tells us that the secret passages have no access control, the jars with hidden valuables have no lock, and the vehicles that arrive at the underground military bases tend to drive and park on the "ground floor", announcing their movements.

Don't get me wrong: obscurity is a great method for imposing security. It's no wonder it has persisted throughout the millennia. My question focuses on how effective the overall security posture is if its only measure is obscurity.

If I were a king, I would not feel secure at all if the only thing stopping an attacker from reaching my royal chamber were a secret passage with no access control or guard (as we have seen in many books and movies).

Why can't there be a guard in that secret passage as well? Hmm, maybe because in that case it wouldn't be "secret" any more.

Let's talk about the present day now. Let's list some of the most discussed items in IT security:

  1. Cryptography: Many years have passed since cryptanalysts realised that obscurity in algorithms was not the safest way of providing security. That's why the algorithms were opened up and now concentrate their security in the key.
    Now, does that mean that if I were to create an algorithm of my own and did NOT publish its code, it would be less secure? Not at all; in fact I'm seriously considering it :) . It's just that the big fish in the field decided to change their position on the security concepts behind an encryption algorithm.
    And all the developers/admins/infosec officers thank them very much for that decision, since thanks to their publication all of us can implement those algorithms internally, in our own applications.
  2. Social Networks: I say it over and over again: in class, at clients, and even at dinner with friends.
    Many people brag about "not having a Facebook account". Is that a good decision? Aren't we making the job easier for a forger or identity thief by not having a "digitally tangible" baseline of our profile? What's easier to falsify than something that is not publicly known?
    Imagine the following situation: a supposed archaeologist goes to a collector and says "look, I have the Holy Grail in my possession, I dug it up from a grave in Morocco". Skepticism aside, the collector will never truly be sure whether the archaeologist's claim is false.

    Now imagine the following situation: a smuggler goes to a collector and says "look, I have the Mona Lisa, I stole it from the Louvre". The collector calls the museum and asks "Hi, do you have the Mona Lisa there?" "Yes, we have it on display." And the smuggler's mission to sell a forgery fails.

    By having our real profile on the social networks, we make identity theft harder for the attacker. But please, set a strong password on the Facebook account!

    As an aside, I invite those who don't have a Facebook account to consider the following: is it so wrong to belong to this social network, if you can maintain a short, simple, sober, professional profile that does not publish any really important information?

  3. Network Perimeter: Configuring services so that they do NOT run on their standard ports is a good practice.
    But what happens, on the attacker's side, if scanning the perimeter turns up 5 open ports? The attacker will need some time X of more invasive analysis to find out which services are behind those open ports. What if we open 30000 ports on a perimeter? The analysis time is not exactly X * 30000 (it's a little less, actually), but we would still be making the attacker's job harder. The only thing left to do is to properly secure those ports/services, and that's it. Having 30000 open ports, of which only 5 point to real services (on non-standard ports) and the rest point to a simple honeypot (or whatever), seems to me more secure than having publicly visible only what really exists and works.

To sum up, in my opinion it is better to be exposed in a secure way than to be hidden and feel safe.

I'd rather invest in a level-10 safe and leave it lying in the middle of the hallway than buy a level-8 safe and hide it behind a painting.

I'd rather have a Facebook profile, secure it and not publish any really confidential information, than NOT have one and let somebody open one on my behalf.

I'd rather a port scan of my perimeter returned hundreds of open ports with a 10% hit rate than 4-5 ports with a 100% hit rate.

And thousands of etceteras.

Is there a single answer? I don't know. Feel free to comment (and/or complain) after reading.

20 Jan 2010

Clickjacking Facebook, Google and other important sites

One of the worst threats to browser security nowadays is clickjacking. This technique uses a frame overlay that is transparent to the end user to make him click on malicious links while believing he is clicking on "valid" ones.

This technique is not new. What IS new is the discovery that certain major internet sites (such as Facebook and Google, to name a few) are vulnerable to it.

An Israeli researcher called Shlomi Narkolayev has published a video demonstrating a clickjacking attack on a Facebook account in which, in a matter of seconds and without any invasive intervention in the victim's browser, computer or even user account, he managed to install an application in the victim's profile.

Here is the video:

The worst part of this attack (besides its reach) is that what allows it to exist is a design flaw in the way current browsers handle content: any site can load any other site inside a frame and lay transparent content over it, and the framed page cannot tell on its own that this is happening. It's not a flaw in JavaScript, or Flash, or any plugin, but in the handling of DHTML itself.

The solution for now, scary but real, is to disable ALL script execution. Even though this takes us back to 1990, it's the only solution available to the user at the moment. One caveat a practitioner should keep in mind: the transparent frame can be positioned with plain HTML and CSS, so blocking scripts takes away the attacker's ability to follow the cursor and re-position the frame, but it does not by itself stop every variant. The protection that removes the problem at the root sits on the server side: the site that could be framed refuses framing with the X-Frame-Options response header (introduced with Internet Explorer 8 and since adopted by the other browsers). On the client side, NoScript's ClearClick feature was built specifically to detect these overlays.

A personal recommendation is to use NoScript. This software (a Firefox extension) lets us set blocking rules for sites, modify these rules by hand as necessary, grant temporary permissions, and an endless etcetera. I personally use it for 100% of my browsing, and it gives me eternal relief.

For those willing to test, whether the degree of vulnerability of your website or the effectiveness of your browser, you can visit the Israeli researcher's site, where he has set up a demo of his clickjacking script.

Link (English): http://shlomi.sitegoz.com/ClickJacking.html
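The server-side half of that test, as an added example that is not from the original post nor from Narkolayev's demo: a page can only be overlaid if the browser agrees to load it inside the attacker's frame, so the check below takes the response headers a site sends and decides whether a browser that honours X-Frame-Options (and the later Content-Security-Policy frame-ancestors directive, which postdates this post) would let a given origin frame it. The page and attacker URLs and the header sets are constructed samples, and the CSP source matching is a deliberately simplified one (scheme, host, optional port, leading *. wildcard; no path or port wildcards).

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme + host[:port], lower-cased, which is what browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_source_matches(source, framer):
    """Simplified CSP host-source match: optional scheme, optional *. wildcard."""
    fscheme, fhost = framer.split("://", 1)
    if "://" in source:
        sscheme, shost = source.split("://", 1)
        if sscheme != fscheme:
            return False
    else:
        shost = source
    if shost.startswith("*."):
        return fhost.endswith(shost[1:])      # "*.partner.example" matches "a.partner.example"
    return fhost == shost


def framing_allowed(headers, page_url, framer_url):
    """Would a browser let framer_url embed page_url in an <iframe>?

    Returns (allowed, reason). Header names are matched case-insensitively.
    As in browsers, a CSP frame-ancestors directive overrides X-Frame-Options,
    and with neither header present framing is allowed (i.e. clickjackable).
    """
    page, framer = origin_of(page_url), origin_of(framer_url)
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in tokens[1:]]
        if "'none'" in sources:
            return False, "CSP frame-ancestors 'none'"
        for src in sources:
            if src == "*" or (src == "'self'" and framer == page) or \
               (src not in ("'self'", "*") and _csp_source_matches(src, framer)):
                return True, f"CSP frame-ancestors matched {src}"
        return False, "CSP frame-ancestors does not list the framer"

    raw = h.get("x-frame-options", "").strip()
    xfo = raw.upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        parts = raw.split(None, 1)
        allowed = origin_of(parts[1]) if len(parts) == 2 else None
        return framer == allowed, f"X-Frame-Options: ALLOW-FROM {allowed}"
    return True, "no framing restriction: the page can be overlaid"


# Constructed sample responses and URLs (not captured from any real site).
SAMPLES = {
    "no-header":  {"Content-Type": "text/html"},
    "deny":       {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "sameorigin"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp":        {"Content-Security-Policy":
                   "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
}
PAGE = "https://social.example/settings"          # the page the victim is tricked into clicking
ATTACKER = "http://evil.example/decoy.html"       # the page that frames it


def report(samples=SAMPLES, page=PAGE, framer=ATTACKER):
    """Evaluate every sample response against the attacker origin."""
    return {name: framing_allowed(hdrs, page, framer) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print(f"{name:11} {'FRAMEABLE' if ok else 'protected':10} {why}")
```

Every sample that prints FRAMEABLE is a page whose users depend entirely on their own browser to notice the overlay; the fix is one response header. To point the check at a real site, feed it the headers returned by a plain fetch of the page.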

3 Nov 2009

Mkit Argentina at BarCamp 2009 – Information Safe For Everybody

Here are the recording and the slides of the talk I gave at Universidad de Palermo for BarCamp 2009, about information security.

The talk covered methods, techniques and good practices to preserve, as far as possible, the security of our information without needing advanced IT knowledge.

Presentation in PDF - English

Presentation in PPS - English

Video - Part 1 - Spanish:

Video - Part 2 - Spanish:

Video - Part 3 - Spanish:

Video - Part 4 - Spanish:

Video - Part 5 - Spanish:

For anyone who needs more information about this, or who would like me to give this talk at his/her institution or company, do not hesitate to contact me at matias (at) matiaskatz [dot] com .

16 Oct 2009

12 Tips for safe social networking

Mitchell Ashley, from NetworkWorld, put together a little slideshow with 12 basic tips for keeping social networking safe.

This information is entry-level as far as information security goes, but it's worth publishing.

These are the topics:

  • Beware of TMI (Too Much Information):  the five things you should never share
  • Customize privacy options
  • Limit work history details on LinkedIn
  • Don't trust, just verify
  • Control comments
  • Avoid accidentally sharing personal details
  • Search yourself
  • Don't violate your company's social networking policies
  • Learn how sites can use your information
  • Forget the popularity contest
  • Create a smaller social network
  • Set up an OpenID account

These tips can be applied by any internet user easily and effectively. So go ahead and show them to every friend, family member, co-worker, employee or employer you have.

Source - English: NetworkWorld

7 Sep 2009

Do Google, Twitter, Facebook and company care about your passwords?

(Note: This post has been automatically translated by Babelfish, sorry for any inconsistencies)

Security has taken on a very important role nowadays: protecting our personal information, and the information our systems store, is vitally important.

Users normally tend to use passwords that are easy to remember, like the name of their partner, their dog, their favourite team or their city of birth. It would not be difficult for an attacker to observe what the user's interests are and use them to try to guess the password.

An attacker who wants to break into a user's account manually will first try words that matter to that user. If that does not yield results quickly, the next step is a dictionary attack, and if that does not work either, a brute-force attack trying many combinations of characters, although nowadays the technology puts limits on this type of attack... when those limits are properly implemented, which is not always the case.

When creating a password, we must use one that is not in a dictionary, and make it long and complex enough that a brute-force attack cannot solve it, because that would require a great deal of time and processing: the search space of a password grows exponentially with each character added to its length.

Do the social networks and webmail providers we use care that we use robust passwords?

Unfortunately, most of them do not demand a robust password from us, although they do have password strength indicators.


Guide for generating passwords

Weak passwords have the following characteristics: they can be found in a dictionary; they are in common use, such as names of relatives, pets, friends, characters, computing terms, commands, cities, companies, hardware, software, birthdays and other personal information such as addresses or telephone numbers; or they follow patterns such as aaabbb, qwerty, or words followed or preceded by digits.

Strong passwords have the following characteristics: they contain lowercase and uppercase characters, digits and special characters (0-9 ! @ # $ % ^ & * ( ) _ + | - = \ ` { } [ ] : " ; ' ? . /); they are at least 8 characters long; they are not in any dictionary; they are not based on personal information. One should try to create a password that is easy to remember. One way to do it is to base the password on a song, a statement or a phrase. For example, "Stairway To Heaven" could become St41rW4y2H34v3n@.

In addition, we have tools for generating passwords automatically, such as our bot, which offers a service for this.
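As an added example (not part of the original post nor of the Security By Default source), here is the guide above turned into a check a practitioner can run: it applies the length and character-class rules, rejects whole-word dictionary or personal-information matches even when digits are attached or the usual letter-for-number substitutions are used, flags keyboard runs and repeated-character patterns, and reports the size of the brute-force search space, which grows by a constant factor with every character added. The word list and the personal-information entry ("Rex", standing in for the user's dog) are constructed stand-ins for a real dictionary and a real profile.

```python
import math
import re
import string

# Constructed stand-ins for a real dictionary and for a user's personal data
# (names of relatives, pets, teams, cities...), as the guide above lists them.
WORDLIST = {"password", "qwerty", "letmein", "admin", "boca", "river",
            "stairway", "heaven", "london", "buenosaires"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
SPECIALS = set("!@#$%^&*()_+|-=\\`{}[]:\";'?./")   # the guide's special characters
# Undo the common letter-for-number substitutions so "P4ssw0rd" is still "password".
LEET = str.maketrans("4301$@", "aeoisa")


def _candidates(pw):
    """Forms of the password to look up: as typed, with leading/trailing digits
    and symbols removed ("words followed or preceded by digits"), and de-leeted."""
    low = pw.lower()
    trimmed = low.strip(string.digits + "".join(SPECIALS))
    return {low, trimmed, low.translate(LEET), trimmed.translate(LEET)}


def in_dictionary(pw, personal=()):
    """True if any form of the password is a dictionary word or personal detail."""
    pool = WORDLIST | {p.lower() for p in personal}
    return any(c in pool for c in _candidates(pw))


def has_pattern(pw):
    """aaabbb-style repeats and keyboard runs such as qwerty or 12345678."""
    low = pw.lower()
    if re.fullmatch(r"(.)\1*(.)\2*", low):
        return True
    return len(low) >= 3 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def search_space_bits(pw):
    """log2 of the brute-force search space implied by the character classes used.
    Each extra character multiplies the guesses by the alphabet size, so the
    attacker's cost grows exponentially with length (the guide's point)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw, personal=()):
    """Apply the guide's rules. Returns ("strong" | "weak", [reasons])."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if in_dictionary(pw, personal):
        problems.append("dictionary word or personal information (even with digits or substitutions)")
    if has_pattern(pw):
        problems.append("keyboard run or repeated-character pattern")
    return ("weak" if problems else "strong"), problems


if __name__ == "__main__":
    for candidate in ("qwerty", "Rex2009!", "P4ssw0rd!", "St41rW4y2H34v3n@"):
        verdict, why = check_password(candidate, personal=["Rex"])
        print(f"{candidate:18} {verdict:6} {search_space_bits(candidate):5.1f} bits  {'; '.join(why)}")
```

Note what "Rex2009!" shows: it satisfies every character-class rule and would pass a typical strength meter, yet it is weak as soon as the checker knows the user's dog is called Rex, which is exactly the case the guide warns about. That is why a check of this kind needs a personal-information list fed in, not just a dictionary.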

Password protection standard

  • Change passwords every 30 days.
  • Do not write passwords down and leave them within reach of others.
  • Do not store passwords without encrypting them.
  • Do not use the same password for the organization's accounts as for personal accounts (email, bank...).
  • Do not share passwords within the company with anyone, including administrative staff and secretaries.
  • All passwords must be treated as sensitive, confidential information.
  • Do not give the password over the telephone to anyone.
  • Do not give the password by email.
  • Do not give the password to your boss.
  • Do not say the password in front of people.
  • Do not reveal the password on questionnaires or forms.
  • Do not share the password with relatives or co-workers during vacations.
  • Do not use the "remember password" option in applications (IE, MSN, Mozilla, ...).
  • If we suspect a password may have been compromised, report the incident to the IT security staff and change all passwords.
  • Password cracking audits should be carried out by the security staff.
    If a password is recovered during these scans, the user must be notified so that they change it.

In addition, it is necessary to review which existing users on the systems need neither a password nor a shell, so that there is no way for them to log into the systems.

The robustness of passwords is a fundamental point, on the front line of protecting user accounts. Choosing a weak password critically jeopardizes resources.

Source (Spanish): http://www.securitybydefault.com/2009/09/se-preocupa-google-twitter-facebook-y.html
