Home > Articles > Security > Network Security

  • Print
  • + Share This

Security Through Obscurity

Many people believe that if you hide the details about a device, it will remain secure. This belief has been continuously disproved over the years. If a device is insecure, hiding that fact will only potentially extend the time it takes to exploit the vulnerability. It will not prevent its exploitation.

Passwords are the most prevalent form of security through obscurity. Passwords are used to access most services on networks and the Internet. Theoretically, the password should be known only by its owner. Unfortunately, password-cracking programs such as Crack and L0phtcrack have the capability to brute-force discover passwords on UNIX and Windows NT systems. Additionally, network packet sniffers can discover passwords sent over the network in the clear. Popular protocols such as Telnet, POP3, IMAP, FTP, and HTTP BASIC authentication all pass both user accounts and passwords "in the clear" (which is to say, unencrypted).

World View Versus Internal View

Your corporate network is internal. The Internet and private connections to partners should be considered external.

Normally, internal hosts have access to the full information of the internal network. Perhaps this is why an estimated 80% of information theft is done internally.

When providing the world, and your partners, with information about your internal network, you should give the most limited subset of information about your network that it's possible to give. For example, when Telneting to your server, the following prompt

SunOS UNIX (somecomputer.somewhere.com)

delivers more information than it needs to. By identifying the operating system (SunOS UNIX), you've given attackers a leg-up to breaking into your system. There is no point in providing a treasure map for intruders to follow through your network.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.