Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Security through obscurity

I’m not sure about you, but every time I connect to a web server during a test I check the response headers for interesting information. It’s not hard to do: Nikto does it, and there are even Firefox plugins that will display this in your toolbar for you (very useful, and fun for seeing who’s using what). Sometimes this information is as simple as Apache, or Apache (RedHat), but sometimes it is as detailed as

Apache/2.0.54 (Debian GNU/Linux) PHP/5.2.3-0.he.3 mod_ssl/2.0.54 OpenSSL/0.9.7e

I know some people will see nothing wrong with this, but personally I do. In 2008 we shouldn’t be making things easy for the attacker. You don’t stick a note on your front door listing the specs of your locks and the make of your alarm, do you? Of course not, that’s just asking for trouble. A banner like the one above gives an attacker the chance to research what will and won’t work against your server before sending a single attack. After all, there’s no point trying IIS vulnerabilities if you’re running Apache 2.0.54, and the PHP, mod_ssl and OpenSSL versions in that string narrow things down further still. Suddenly the thousands of possible exploits for your server become a focused handful that are much more likely to work. Will withholding this information save you from being hacked? Probably not. A determined hacker (or mindless skiddie) will try everything to get in, and will probably find the right path without your help. With that said, why make things easy? Attackers looking for easy targets are scanning for exactly this and picking their victims based on it. Why add your servers to the list when all you need to do is change a configuration file and make things harder for them?

Nothing annoys me more than a vendor that says this stuff is unimportant. Security through obscurity on its own is a fail waiting to happen. Defense in depth is about using every layer you can find to stop, hinder, or misdirect an attacker, and obscurity is one more piece in that puzzle. It may not save you, but for the amount of work required to block this information leakage, it’s probably five minutes well spent.
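To make the "what does the banner give away" check concrete, here is an added example (my code, not anything from the original post or from Nikto) that parses Server and X-Powered-By headers into product/version/OS pieces and rates the leak. The two header sets are constructed: the first mirrors the verbose banner quoted above, the second is what the same box would send after hardening. The function and variable names are my own.

```python
"""Parse HTTP response banners and rate how much version detail they leak.

Added example; the header values below are constructed, not captured from
any real host.
"""
import re
import urllib.request

# Constructed sample responses. "verbose" copies the banner quoted in the
# post; "hardened" is what Apache sends with 'ServerTokens Prod' and PHP
# with 'expose_php = Off' (which also drops the X-Powered-By header).
SAMPLE_HEADERS = {
    "verbose": {
        "Server": "Apache/2.0.54 (Debian GNU/Linux) PHP/5.2.3-0.he.3 "
                  "mod_ssl/2.0.54 OpenSSL/0.9.7e",
        "X-Powered-By": "PHP/5.2.3-0.he.3",
    },
    "hardened": {
        "Server": "Apache",
    },
}

# One banner token: product, optional "/version", optional "(comment)".
# The comment after the first token is the OS string Apache adds with
# 'ServerTokens OS' or above.
_TOKEN_RE = re.compile(r"([A-Za-z0-9_.\-]+)(?:/([^\s(]+))?(?:\s*\(([^)]*)\))?")


def parse_banner(value):
    """Split a Server-style banner into (product, version, comment) tuples."""
    return [(m.group(1), m.group(2), m.group(3))
            for m in _TOKEN_RE.finditer(value) if m.group(1)]


def inspect_headers(headers):
    """Summarise what the Server / X-Powered-By headers give away.

    Returns {"rating": "none" | "product" | "versions",
             "versions": {product: version},
             "os": comment-or-None}.
    "product" means only bare product names were sent; "versions" means at
    least one version string was present, which is the case worth fixing.
    """
    versions, os_hint, saw_banner = {}, None, False
    for name, value in headers.items():
        if name.lower() not in ("server", "x-powered-by"):
            continue
        saw_banner = True
        for product, version, comment in parse_banner(value):
            if version:
                versions.setdefault(product, version)
            if comment and os_hint is None:
                os_hint = comment
    rating = "versions" if versions else ("product" if saw_banner else "none")
    return {"rating": rating, "versions": versions, "os": os_hint}


def fetch_headers(url, timeout=5):
    """Live check against a host you are allowed to test: HEAD request,
    response headers returned as a dict. Not used by the offline demo."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        info = inspect_headers(hdrs)
        print(f"{label:9} rating={info['rating']:8} os={info['os']} "
              f"versions={info['versions']}")
```

Against the verbose sample this reports four versioned products plus the OS hint; against the hardened one it reports only a bare product name. The hardening itself is the configuration change the post refers to: in the Apache config, `ServerTokens Prod` and `ServerSignature Off` (the latter removes the version footer from error pages), and in php.ini, `expose_php = Off`.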
