Security Through Obscurity, and why it fails.

Before we begin today’s lesson, we’re going to do something fun and generate your Rock Star name. Your first name will be the name of your first pet and your last name will be the name of the street you live on. Mine’s “Ernie Gregg.” Write this down or just make note of it; you’ll need it later near the end of today’s program.

Security Through Obscurity (“STO”, for short) is the concept that things will be secure if you hide them. I’ve mentioned the concept before; I covered it in detail on Episode 104 of You Don’t Know Flack. The concept is simple: if you hide things well enough, people won’t be able to find them. People do this in the real world all the time. An example would be hiding your house key inside a fake rock. By doing this, you have obscured (or hidden) the security method to open the door (the key). STO also applies to computer systems as well. Hiding your password under your mouse pad would be a very basic example.

STO is most often used to hide what security guys like to call “low hanging fruit”. For example, let’s say everybody in your office writes their password down on a sticky note and sticks it to their monitor, but you stick yours under your mouse pad. When Joe the Hacker shows up looking for passwords, he is more likely to use a password that he sees out in the open than spend the time digging around your desk looking for yours. The same concept can be applied to network security. Breaking WEP passwords on wireless routers is trivial at this point, but if Joe the Hacker needs wireless access and he sees five routers and two of them have passwords, chances are he’s going to hop on one of the open ones over a password protected one because it’s less work.

Computer people have been using Security Through Obscurity for years and years now, and time and time again it’s failed. It rarely works. The biggest enemy of STO is “time”, and there are plenty of people out there with plenty of it. STO may help you by not being a “low hanging fruit”, but if someone has specifically targeted your basket of fruit … look out. Going back to our “key in a rock” example for a moment — if a burglar is looking for the easiest house to break in on a street, he might skip yours. BUT, if he has targeted YOUR home specifically, now you’re in trouble. Burglars know where to look; after searching on top of your door frame and under the welcome mat, he’ll start looking for other places people hide keys. People don’t hide their house keys in six-foot-deep holes where it would take them an hour to recover them. Time is his advantage here.

Take that same concept and apply it to computer security. FTP runs on port 21. When someone wants to know if your server is running FTP, they’ll touch that port and look for a response. If they get a response, they’ve found it. Direct security would mean using difficult passwords, but an example of security through obscurity would be moving FTP to a different port. When a hacker scans a range of IPs looking for FTP servers, yours might not show up, and in that example, you’ve helped yourself. In a direct attack against your server however, hackers will scan every port on your server. They’ll find the FTP service in no time and, if you haven’t added any additional security methods, your server may now be in trouble.

One of the main reasons STO fails is because the average person doesn’t think like a criminal. When you hide your password under your mouse pad or your house key in a fake rock, you think you’re being pretty sneaky. The problem is, criminals know these tricks too. Hackers know those same tricks. You may think you’re being sneaky by changing a port or renaming your machine or whatever it is you’ve come up with, but the truth of the matter is, security through obscurity FAILS CONSISTENTLY.

Hey look — it only took me five (six, counting this one) to get to today’s point. It’s a new record!

One of the most common examples of STO today is your “secret answers”. We’ve all had to give (and answer) these things before. “What’s your mother’s maiden name?” “What’s your favorite color?” “What was your first car?” That stuff might have been tough to find in a world before Facebook; today, you can glean most of that stuff from a person’s Facebook page. Did you know that by default Facebook lists every woman’s maiden name? There are a lot of teens on Facebook whose mommies are on Facebook too. This is a big problem for the average person. It’s a bigger problem for celebrities.

Last September, Sarah Palin’s Yahoo e-mail account was hacked. Here’s how it was done. The “hacker” logged into Yahoo, entered Palin’s e-mail address, and clicked “reset password.” Yahoo then asked the hacker three questions: Palin’s zip code, her birth date, and where she met her spouse. The “hacker” (I keep putting that in quotes because the guy doesn’t deserve the honor) found the answer to all three questions via Google. The zip code took two tries. Her birth date was listed on Wikipedia. Where she met her husband (Wasalla High) showed up in Google. Bingo.

Last night it was reported that Celebrity Accounts on Twitter had been hacked. Read through the details though and you’ll see a few similarities to the above story; Twitter itself wasn’t hacked, an admin account was. Here’s a quote from the story:

“Hacker Croll claimed to have used social engineering techniques to access Goldman’s account: “One of the admins has a Yahoo account, I’ve reset the password by answering the secret question. Then, in the mailbox, I have found her [sic] Twitter password.”

So, a recap; the hacker reset Jason Goldman’s (Twitter’s Director of Product Management) Yahoo mail account. After doing that he logged into the Yahoo mail account and found his Twitter password sitting in his mailbox. Using that password, Hacker Croll logged in to Twitter as Goldman and then began looking at celebrity’s accounts.

In a world where everybody apparently wants to put everything online for everybody to see, this type of security is not going to work. Shaq’s mother’s maiden name is actually O’Neal. Ashton Kutcher’s favorite color is red. Brittney Spears birthday is December 2nd, 1981. Her son Jayden was born on September 12, 2006. Here’s the birth certificate. This stuff is not hard to find, and even non-celebrities are not immune. The About Me/Us link on my own website lists my birth date, pet’s name, kids’ names, and lots of information that shows up regularly on those lists of security questions. First car? That’s embedded on my website somewhere. Susan’s maiden name is on there too.

To bring this full circle … let’s take a look at my Rock Star name again: “Ernie Gregg”. Let’s say I post that on my Facebook page. Now you’ve got my name, whatever information you can get from Facebook, PLUS the name of my first pet AND the name of the street I live on. I know for a FACT many sites use “What was the name of your first pet?” as a security response. The “Rock Star name” is just one of many variations on this game. Here’s a form I found posted on Facebook recently:

THE NAME GAME

1. YOUR ROCK STAR NAME: (first pet and current street)
2. YOUR MOVIE STAR NAME: (grandfather/grandmother on your mother’s side, your favorite candy)
3. YOUR “FLY GIRL/GUY” NAME: (first initial of first name, first two or three letters of your last name)
4. YOUR DETECTIVE NAME: (favorite animal, favorite color)
5. YOUR SOAP OPERA NAME: (middle name, city where you were born)
6. YOUR STAR WARS NAME: (first 3 letters of your last name- last 3 letters of mother’s maiden name, first 3 letters of your pet’s name)
7. JEDI NAME: (last name spelled backwards, your mom’s first name spelled backward)
8. PORN STAR NAME: (friend’s middle name, street you grew up on)
9. SUPERHERO NAME: (“The”, your favorite color, the automoblie you drive)
10. EMO BAND NAME: (first word in the top banner ad above, city of the away team of the last major sporting event you went to/remember)

Take a second to read over that list. First pet? Current street? Favorite animal? Favorite color? City where you were born? Street you grew up on? Are these things ringing any bells yet? Holy Christmas, it’s like a who’s who list of security information! And you just posted it! On the Internet! For everybody to read! MY HEAD JUST EXPLODED!!! Seriously, if I couldn’t reset your AOL password before I had all that information, I’m betting I can now!! The only one they forgot is DUMBASS NAME: (what time you leave for work, where you hide your porch key).

Security Through Obscurity. Don’t count on it; it doesn’t work. Just ask Microsoft.

6 thoughts on “Security Through Obscurity, and why it fails.

  1. Which is why I use a random password generator to update my Web passwords, maintain three separate sets (one for social networking, one for casual forums, one for finance sites), and always mash keys as my answers to every “secret question”.

  2. Great article. I still find i can trip people up with a blank password. Kind of fun!
    More of a “security through . . . no way this can be true”

  3. “One of the main reasons STO fails is because the average person doesn’t think like a criminal.”

    In my very first class on Auditing, the professor admitted that two of the biggest problem with being an Auditor are age and training. Most line auditors are fresh out of college, many have not yet obtained their CPA or CIA designations and they are tasked with auditing people and procedures that have been in place for decades or longer. More importantly, auditors are trained to audit other accounting professionals when they should be trained to audit criminals.

    So, to illustrate the point, our very first project was to create some kind of plan to defraud our own employers. In all my 11 years of post secondary education, that was my second favorite project I worked on.

    My favorite? Playing Monopoly

  4. I can think of one example of security through obscurity that mostly works. I once worked somewhere that never put an Exchange server on the ‘net. They’d put a VMS box running security software on it, and have it forward mail to the Exchange server. Few people hack VMS and the architecture is ambiguous (Vax? Alpha? Itanic?), and viruses for it are hard to come by. So it worked. But you don’t want to rely solely on it–it was running AV software, mostly to keep Wintel vermin out, but also to keep the two known (I’m guessing at this) pieces of VMS malware out too.

    But yeah, you just described one reason you need to be real careful on Facebook.

Comments are closed.