
Security Through Obscurity: A Good Idea

Security through obscurity is not Good Security. I know.

Anybody who knows anything about security knows that the worst possible kind of security is secrecy. "I'll hide my million dollars under the mattress!" Or in the Internet world, "I'll post these sensitive files without any links to them!"

You should have good access control and authentication. But obscurity can be an incredibly significant next step in securing a system.

Why?

Because obscurity buys you time and makes you less of a "low-hanging fruit." Vulnerabilities are discovered every day. Popular systems, even the secure ones, have routine security updates. It's important to stay on top of them, but organizations make mistakes. Admins go on vacation. Updates aren't always applied as soon as they are available.

On the Internet, hackers can use Google to find every single instance of a system. When a new vulnerability is discovered, a hacker can find every site using the affected system and run an automated attack against all of them. The five percent that haven't gotten around to installing the latest update yet are all hit.

But if you've taken the step of obscuring your system, you won't show up when the hacker scans. If your site says "powered by phpBB version 1.02.3b", you've got a flag that will catch the attention of anyone looking. If you've removed that tag, you're invisible to the kind of scanning that would alert zero-day hackers.

Depending on the system you're using, there will be more flags like that. Description tags, certain styles in the CSS, JavaScript function names, whatever.

Take the time to look for those and make sure you're not going to be the first victim next time a system you're using is updated.
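As an added example (not part of the original post), here is a small self-check that scans one of your own pages for the kinds of flags described above: version-bearing response headers, a generator meta tag, a "Powered by" footer, and theme asset paths that name the product. The sample page, its headers and the list of path tokens are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a page that advertises its platform and version
# in the response headers, a meta tag, the footer and theme asset paths.
LEAKY_HEADERS = {"Server": "Apache/2.0.55 (Unix) PHP/4.4.2", "X-Powered-By": "PHP/4.4.2"}
LEAKY_HTML = """<html><head>
<meta name="generator" content="phpBB 2.0.19">
<link rel="stylesheet" href="templates/subSilver/subSilver.css">
<script src="templates/subSilver/forum.js"></script>
</head><body><p>Powered by phpBB 2.0.19</p></body></html>"""

# The same page after the flags are stripped (constructed).
CLEAN_HEADERS = {"Server": "Apache"}
CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="static/site.css">
<script src="static/site.js"></script>
</head><body><p>Forum index</p></body></html>"""

# Headers that routinely carry software versions.
VERSION_HEADERS = {"server", "x-powered-by", "x-generator", "x-aspnet-version"}
# Footer/banner pattern: "Powered by <product> <version>".
POWERED_BY = re.compile(r"powered\s+by\s+([A-Za-z][\w.\- ]*?\s+v?\d[\w.]*)", re.I)
# Illustrative product-specific path tokens (assumed list; extend it for your own stack).
PATH_TOKENS = ("phpbb", "subsilver", "wp-content", "wp-includes")

class _Collector(HTMLParser):
    """Gathers <meta name=generator> content and stylesheet/script paths."""
    def __init__(self):
        super().__init__()
        self.generators, self.assets = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])
        path = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if path:
            self.assets.append(path)

def find_disclosures(headers, html):
    """Return (where, value) pairs for every platform/version fingerprint found."""
    found = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and re.search(r"\d", value):
            found.append(("header " + name, value))
    c = _Collector()
    c.feed(html)
    found += [("meta generator", g) for g in c.generators]
    found += [("page text", m.group(1)) for m in POWERED_BY.finditer(html)]
    found += [("asset path", p) for p in c.assets if any(t in p.lower() for t in PATH_TOKENS)]
    return found

if __name__ == "__main__":
    for where, value in find_disclosures(LEAKY_HEADERS, LEAKY_HTML):
        print(f"{where}: {value}")
```

Run it against the headers and HTML of your own front page; an empty result for the cleaned page shows the flags are gone, while the leaky sample reports six of them.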

It's not "good security," but it's a good idea.

Comments (1)

Lunarpages has a comment about this in their formmail FAQ:

"Do not name your script using the words mail, formmail, or contact. Our servers are constantly being scanned for these names..."


This page contains a single entry from the blog posted on April 24, 2006 5:08 PM.