While obscuring website code, server architecture, and security mechanisms doesn’t provide bullet-proof security on its own, it can be effective…
By this point, everyone has probably heard the phrase “Obscurity is not security,” or some variation of it. Technically, it’s true. No matter how obscure you make something, it doesn’t make it impossible to “crack.” It just makes it more difficult. That’s because whatever you do to obscure something, you can always reverse your way out of it to get the clear picture again. The time it takes to achieve clarity just depends on how obscure you make it.
I bring this up because there seemed to be a shift in thinking at DEFCON this year—almost like a subtle revival of an old idea (and one that Juniper and others have held for some time). And that is the idea of obscurity actually benefiting security.
The question is: What happened to get more people thinking this way?
A Hacker’s Hourly Rate
From my perspective, the core driver is a shift in hacker motivations. In the past, we were primarily dealing with hobby hackers with unlimited time on their hands for problem solving. In that context, no matter how obscure you make something, someone will eventually figure it out.
Today, though, that’s all changed. The majority of attackers are motivated not by curiosity and intellectual gratification, but, instead, by money and concrete goals. Attackers see hacking as a job. Nay, a career. They invest time and resources, and expect to get a respectable return.
Put simply, if an attacker can spend 10 hours attacking one target to get $10,000 (or, $1,000 an hour), why would the same attacker opt to spend 40 hours on a second target for just a $20,000 return (or half the hourly rate)? The answer is, he wouldn’t. He’d go where the most—and fastest—money is.
This works even if we aren’t talking about money. Let’s say the attacker’s idea of value is to humiliate someone publicly. Now we’re not talking money/hour, we’re talking effort/effectiveness. If the attacker can achieve his goal on the first site in eight hours (break into email and leak info), or he can achieve the goal in 15 hours on a second site (break into medical records and leak those), then the attacker is more likely to choose the first route. There’s more than one way to skin a cat, and the attacker is going to choose the easiest route.
Aloha, Hypothetical Hawaiian Situation!
To really drive the point home, let’s consider a hypothetical situation.
I approach you one day, and tell you that I’ve hidden a valuable antique iron coin on a beach in Kauai. The coin is worth $80,000, which coincidentally is how much you hypothetically make in one year. A year or less strolling around the beaches of Kauai and getting paid the same as working at your job sounds pretty good. Since there is a finite amount of beach in Kauai, your odds of finding the coin within a year are pretty good. Thus, you are almost assured to break even at the end of a year, if not make extra.
What I didn’t tell you is that I also planted 10,000 replicas of the same composition on the beach. They cost me 10 cents each, so in total, I only spent $1,000 to “obscure” my real coin. You, on the other hand, must pay an appraiser to authenticate the coins at $20 a pop. So even if you find my coin, it’ll cost you more to tell it apart from the rest than you’d ultimately get from selling it. I’ve just obscured you out of your ROI. Guess who’s going back to work on Monday and not looking for my coin?
Obscurity to the Rescue!
Now take that example and apply it to a website. The attacker knows there are probably SQL injection vulnerabilities somewhere on the site. He grabs a vulnerability scanner like Grendel and tests the site. Grendel produces a report and highlights all of the SQL vulnerabilities. Now, the attacker has what he wants and he didn’t have to spend much time getting it.
But then . . . Let’s say I now mix in 10,000 fake SQL vulnerabilities. The attacker runs the scanner and now there are 10,000 false positives and one real vulnerability. It’s going to take the attacker just as long to weed out the false positives as it would if he manually tested the site without Grendel. In other words, we’ve just made the attacker’s job more expensive.
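As an added illustration of the decoy idea above (example code, not from the original post), here is a small Python check that treats a few decoy query parameters as tripwires: a scanner probe against them gets a fabricated database error, which is what fills the scanner's report with false positives, plus a log entry, since no legitimate page logic ever reads those parameters. The parameter names, probe patterns, error text and sample requests are all constructed for this example.

```python
import re
import logging
from urllib.parse import parse_qs

# Constructed decoy parameters: they appear in the site's links so scanners
# find them, but no real handler ever reads them. Any injection-looking value
# sent to one of them is therefore a high-fidelity sign of automated probing.
DECOY_PARAMS = {"cat_id", "ref", "sort_key", "page_id"}

# Typical SQL-injection probe fragments a scanner sends: quotes, comment
# markers, tautologies like "OR 1=1", UNION and time-delay functions.
PROBE_RE = re.compile(
    r"['\";]|--|/\*|\bOR\b\s+\d+\s*=\s*\d+|\bUNION\b|\bSLEEP\s*\(",
    re.IGNORECASE,
)

# Response text shaped like a real database error so the scanner records a
# "finding" that is in fact a decoy (constructed, not from any real backend).
FAKE_DB_ERROR = (
    "You have an error in your SQL syntax; check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near '{v}' at line 1"
)

log = logging.getLogger("decoy")


def is_probe(value: str) -> bool:
    """True when the value looks like an SQL-injection test payload."""
    return PROBE_RE.search(value) is not None


def inspect_request(query_string: str, client_ip: str):
    """Check a request's query string against the decoy parameters.

    Returns None when no decoy was probed (normal handling continues), or a
    (status, body) pair carrying the fabricated error when one was.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    hits = [(name, v) for name, values in params.items()
            if name in DECOY_PARAMS for v in values if is_probe(v)]
    if not hits:
        return None
    # Real users never touch decoy parameters, so every hit is worth an alert.
    for name, v in hits:
        log.warning("decoy probe from %s param=%s value=%r", client_ip, name, v)
    name, v = hits[0]
    return 500, FAKE_DB_ERROR.format(v=v[:40])


if __name__ == "__main__":
    # Constructed sample requests: one scanner probe, one ordinary page view.
    print(inspect_request("cat_id=1'&q=shoes", "203.0.113.5"))
    print(inspect_request("cat_id=12&q=shoes", "203.0.113.6"))
```

Because the decoy parameters carry no real data, the fake error can be returned without ever touching the database, and the same log line feeds detection as well as the scanner-noise effect described above.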
So while obscuring your website code, server architecture, and security mechanisms doesn’t provide bullet-proof security on its own, it is actually pretty effective. Once you tip the balance of ROI against the attackers, you will find that the number of serious attack attempts dramatically declines.
I’m excited to see the rest of the security industry entertain this approach, and think it should yield some extremely interesting products over the coming years. Obfuscation is not a comprehensive solution, but it can greatly amplify the cumulative efficacy of the entire security stack. So the next time someone cleverly chimes in, “Obscurity is not security,” tell them to think outside the box, shift a few more paradigms, and most importantly . . . synergize.