Archive | October, 2011

Security By Obscurity Not So Bad After All?

I’m sure you’ve been taught, as have I – that security through or by obscurity is bad (changing port numbers, removing service banners and so on). I’ve personally always used it, as an additional line of defence on my systems.

As a hacker I know, the more information a system gives me straight off the bat – the easier it’s going to be for me to hack it. Well the latest news is that this tactic may not be so bad after all.

Security by obscurity may not be so bad after all, according to a provocative new research paper that questions long-held security maxims.

The Kerckhoffs’ Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.

However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer.

I agree with this, I wouldn’t exactly say this is ground-breaking though – I’ve always believed this. It’s not that I’d use obscurity as a singular defence, but I don’t see how it makes a system any less secure – the fact is from my perspective it definitely makes it harder to attack.

I mean the way in which Pavlovic is looking at it is rather more complex (in terms of a game), but it’s the same idea – if the attacker has less information, he’s going to have a harder time. Surely this all goes way back to Sun Tzu’s Art of War.


Pavlovic compares security to a game in which each side has incomplete information. Far from being powerless against attacks, a defender ought to be able to gain an advantage (or at least level the playing field) by examining an attacker’s behaviour and algorithms while disguising defensive moves. At the same time defenders can benefit by giving away as few clues about their defensive posture as possible, an approach that the security by obscurity principle might suggest is futile.

Public key encryption works on the basis that making the algorithm used to derive a code secret is useless and codes, to be secure, need to be complex enough so that they can’t be unpicked using a brute force attack. As computer power increases we therefore need to increase the length of an encryption key in order to outstrip the computational power an attacker might have at his disposal. This still holds true for cryptography, as Pavlovic acknowledges, but may not be the case in other scenarios.

Pavlovic argues that an attacker’s logic or programming capabilities, as well as the computing resources at their disposal, might also be limited, suggesting that potential shortcomings in this area can be turned to the advantage of system defenders.

Of course obscurity should never be used in cryptography, that would just be idiotic – but when it comes to defending networks, servers and systems – I’m fine with it as an additional precaution.

I think this might spawn some interesting discussion either way, what do you guys think?

You can read the paper here: Gaming security by obscurity [PDF]

Source: The Register


Posted in: Countermeasures, General Hacking


MagicTree v1.0 Released – Productivity Tool For Penetration Testers

We wrote about MagicTree back in January of this year when it was first launched – MagicTree – Penetration Tester Productivity Tool.

It’s come quite a long way and the authors are happy to announce that MagicTree version 1.0 has been released and is available for download.

MagicTree is a productivity tool for penetration testers. It allows you to consolidate data coming from various security tools, query and re-use the data, and generate reports. Its aim is to automate the boring and the mind-numbing work, so you can spend your time hacking.

Version 1.0 includes a lot of bug fixes and a number of new features, such as:


  • Support for Acunetix data import
  • Support for W3AF data import
  • Support for OpenVAS 4 XML format
  • Importing data from flat text files
  • Simplified manual creation of ports
  • Copy/paste and drag and drop support for tree nodes, table view data, queries and tasks
  • mt:sort() custom XPath function for sorting data, such as findings, in TableView and reports
  • More sophisticated auto-creation of tree nodes. We now support netblocks in various formats (192.168.1.1/24, 192.168.1.0-192.168.1.255, 192.168.1.0/255.255.255.0), DNS names, IP addresses and URLs.
  • Search in output files panel
  • Creating cross-references by drag and drop
  • Better support for KDE and XFCE desktop environments on Linux. View in Browser and opening reports now works on both.

The full changelog is available here – ChangeLog-1.0.txt

You can download MagicTree v1.0 here:

MagicTree-1.0-build1615.jar

Or read more here.


Posted in: General Hacking, Security Software



Anonymous Twitter Alternative Created For Protesters & Revolutionaries


There was a mass of news back in August about the London riots and how social media (especially Twitter) and the BlackBerry Messenger service (BBM) enabled the rioters to organize themselves via broadcast messages and tweets.

After discovering a lot of rioters got busted from their Tweets and BBM messages (which are of course traceable) – some smart fella came up with a new form of anonymous instant messaging. It works in a geographic location and allows you to broadcast messages within a certain locality that expire after a certain time.

This comes not long after the Anonymous social network Anon+/AnonPlus was announced back in July 2011.

After discovering that BBM and their Twittery playthings fed straight into the hands of the cops, smartphone-toting revolutionaries have taken up a new type of instant messaging – Vibe.

Like Twitter in that it is open and lets you mass-message, Vibe is unlike Twitter in that all messages or “vibes” are anonymous. You can set how far you want them to be available too – from 15 metres to global.

The messages self-destruct after a set period of time: from 15 minutes to forever. That makes it much more attractive to those who want to bring down the Man via the medium of street protest, but don’t want the Man, or their mothers, or the police looking at twitpics of themselves jumping up and down on burning bin-bags.

According to the New York papers, Vibe is now the instant messaging app of choice for the protesters at Manhattan’s #OccupyWallStreet.

It’s an interesting concept and I do think it has a certain place amongst anarchists, activists, street protesters and rioters. Case in point – it’s been picked up by the Wall Street protesters, you can search the Twitter hashtag #OccupyWallStreet to see what’s going on with them.

If you have no idea what it’s about at all, check Wikipedia here – Occupy Wall Street

The application itself has a very ‘innocent’ description on iTunes – “Discover and join the vibe around your city, neighborhood, or building. Chat anonymously with people nearby without necessarily knowing them!”

But we all know full well, that’s not its main purpose.


Though it is innocently described on the iTunes store as a good way to chat to other people near you at football games or conferences, developer Hazem Sayed is actively keen for his app to be adopted by the protesters – flying out to the Manhattan protest from California with leaflets about his app explaining its uses.

It seems to be catching on:

The NY Daily News interviewed protester Drew Hornbein, a member of the camp’s Internet Committee, who explained its uses to the paper:

“Let’s say you’re protesting and someone up ahead sees that the cops are getting ready to kettle people, they can send out this vibe that only lasts a few minutes that says, ‘Cops are kettling’,” said Hornbein.

“It’s anonymous too, so not only are you able to send out relevant information to a small radius, but it also disappears, there’s no record of it, so no one can come after the person who sent it.”

It’s a pretty neat use of technology I have to say and I’m wondering if it’s going to be picked up by the community and groups such as Anonymous.

The downside: it’s an iOS app, so if Apple gets put under pressure or feels the app is being used under nefarious circumstances – they can just pull the plug on it.

You can read more about the app on iTunes here:

Vibe By Zami.com

Source: The Register


Posted in: Privacy
