Security By Obscurity

The principle of Security By Obscurity, or hiding yourself from the bad guys, has been around for quite a few years. The English comedy troupe Monty Python provided a light-hearted, yet not entirely irrelevant, discussion about this issue, How Not To Be Seen.

In this film we hope to show how not to be seen. This is Mr. E.R. Bradshaw of Napier Court, Black Lion Road London SE5. He can not be seen. Now I am going to ask him to stand up. Mr. Bradshaw, will you stand up please? (In the distance Mr. Bradshaw stands up. There is a loud gunshot as Mr. Bradshaw is shot in the stomach. He crumples to the ground.) This demonstrates the value of not being seen.

Years back, folks would claim that they were never online for more than a few minutes, and they turned their computer off when they weren't online.

They would claim safety by using dial-up, and later by using dynamically addressed broadband. Dynamic addressing was thought to be safer, because with a frequently changed IP address, the bad guys could never find you.

One of the selling points of PPPoE, which let the DSL Broadband ISPs oversell their customer base against their IP pools, was the "dial-up experience", as if PPPoE customers wanted a new IP address every day. Some customers actually believed that argument. Remember that Cable Broadband is that way routinely.

Nobody ever talked explicitly about getting a new IP address that had apparently already been noticed by the bad guys. Yet that was always a possibility; any "new" address that you get has probably been used by somebody. In any mature pool of dynamic addresses, most or all have probably been noticed by the bad guys in some way.

A well known and controversial security consultant provides a free scanning service, to check out your computer or router. His service will tell you if your computer or router is providing information to the internet, gratuitously, which would make you visible to those with dishonourable intent.

Steve Gibson's Shields Up! will probe your public ip address, whether your computer or router, checking for open and replying ports. It will then advise you how exposed you are, from observing how many of your ports are open, or are replying to his probes.

To the Shields UP! scanning service, the most secure configuration is a computer or router that does not respond to any probes, simply discards them. This condition is called, by Steve, "Stealth Mode". The idea about "stealth" is that your computer or router shouldn't reply to any connection attempt, to say "no connection available here", which would obviously verify to a bad guy that there is a host at your ip address.

(Cut to another area, however this time there is a bush in the middle.) This is Mr. Nesbitt of Harlow New Town. Mr. Nesbit, would you stand up please. (Nothing happens.) Mr. Nesbitt has learned the first lesson of not being seen - not to stand up. However, he has chosen a very obvious piece of cover. (The bush explodes and you hear a muffled scream).

Unfortunately, if there was no host at your ip address, a router upstream from you would respond, with "Destination address unreachable", to any probes. By not replying to probes at all, you are confirming that your ip address is in use (and the router has been routing the probes to you), but you simply chose not to answer. To a bad guy, this may make you even more interesting.

Also unfortunately, there are many ways to probe your ports. Just because your computer / router doesn't respond to a proper "TCP connect" request doesn't mean that it won't necessarily respond to (or can't be detected from) a SYN, FIN, or UDP scan.

(Cut to another scene with three bushes.) Mr. E.V. Lambert of Homeleigh, The Burrows, Oswestly, has presented us with a poser. We do not know which bush he is behind, but we can soon find out. (The left-hand bush explodes, then the right-hand bush explodes, and then the middle bush explodes). (There is a muffled scream as Mr. Lambert is blown up.) Yes, it was the middle one.

Bad guys, that don't care whether there is anything at your ip address, will attempt to hit you anyway. Security By Obscurity became still less relevant on January 25, 2003, with Slammer!. Slammer didn't check for anything at any given ip address, it just sent itself to randomly chosen addresses. It infected 90% of its potential targets - worldwide - in 10 minutes, by simply not caring what it was invading. By its very simple design, its code became lean, mean, and very fast.

Slammer's target base was fortunately limited, as it was aimed at a special type of server. Even so, it brought down massive portions of the internet infrastructure, with the huge volume of traffic that it had generated, within 15 minutes after it hit the internet.

  • The tiny worm hit its first victim at 12:30 am Eastern standard time.
  • By 12:33 am, the number of slave servers in Slammer's replicant army was doubling every 8.5 seconds.
  • By 12:45 am, huge sections of the Internet began to wink out of existence.

Read more about this milestone in the history of malware, in this fascinating tale by Wired Magazine Slammed! An inside view of the worm that crashed the Internet in 15 minutes.

Blaster, a successor to Slammer, that uses an RPC service vulnerability that was present in Windows NT operating systems (KB823980): until it was patched, continues to infect (unpatched) hosts occasionally. Look at any of the Microsoft.public.*.* Usenet discussion groups. Even now, occasionally somebody asks about their computer shutting down with "NT Authority..." or "RPC Call...".

Sasser, a successor to Blaster, uses an LSASS vulnerability that was present in Windows NT operating systems until it was patched. Sasser was featured on TV in 2005 - in the BBC Video Jacques' Hack Attack. The computer featured in the video was online for less than 30 minutes, because it crashed after loading 3 worms (Sasser being just 1 of the 3), and the resulting network and system traffic overloaded it. The first worm hit that unprotected computer almost immediately after it was connected to the internet.

In typical british melodrama (and to us Yanks, Spencer Kelly, of the BBC, may sound vaguely similar to John Cleese, but the BBC is not Monty Python):

How long would it be before we were hit by something nasty on the net? Hours, minutes? As it turned out - eight seconds!

If your computer is vulnerable to an attack, and a Blaster or Slammer type worm is sent in your direction, you WILL be infected. Stealth or not.

I've been trying to make an anagram out of "security by obscurity", to something evocative, like "botnet membership" - but no luck so far. Anybody out there want to help? I'll send you a t-shirt (and attach a link here to your blog), if you can come up with an interesting anagram.

Regardless of whether it makes an anagram or not, Security by Obscurity, if it's your main protection, will surely lead into botnet membership. Making your computer into yet another distributor of important email - like "Your l0an has been @pproved", "che@p mesdctations", and "V!agra".

>> Top