Wikipedia

Security through obscurity

In security engineering, security through obscurity is the practice of concealing the details or mechanisms of a system to enhance its security. This approach relies on the principle of hiding something in plain sight, akin to a magician's sleight of hand or the use of camouflage. It diverges from traditional security methods, such as physical locks, and is more about obscuring information or characteristics to deter potential threats. Examples of this practice include disguising sensitive information within commonplace items, like a piece of paper in a book, or altering digital footprints, such as spoofing a web browser's version number. While not a standalone solution, security through obscurity can complement other security measures in certain scenarios.[1]

Obscurity in the context of security engineering is the notion that information can be protected, to a certain extent, when it is difficult to access or comprehend. This concept hinges on the principle of making the details or workings of a system less visible or understandable, thereby reducing the likelihood of unauthorized access or manipulation.[2]

History

An early opponent of security through obscurity was the locksmith Alfred Charles Hobbs, who in 1851 demonstrated to the public how state-of-the-art locks could be picked. In response to concerns that exposing security flaws in the design of locks could make them more vulnerable to criminals, he said: "Rogues are very keen in their profession, and know already much more than we can teach them."[3]

There is scant formal literature on the issue of security through obscurity. Books on security engineering cite Kerckhoffs' doctrine from 1883, if they cite anything at all. For example, in a discussion about secrecy and openness in Nuclear Command and Control:

[T]he benefits of reducing the likelihood of an accidental war were considered to outweigh the possible benefits of secrecy. This is a modern reincarnation of Kerckhoffs' doctrine, first put forward in the nineteenth century, that the security of a system should depend on its key, not on its design remaining obscure.[4]
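Kerckhoffs' doctrine as quoted above, worked through in code. This is an added example, not from the article or any of its sources: a session token whose only secret is a constant hidden in the source is set beside a token whose security rests on an external, rotatable HMAC key. All keys, the suffix and the user id are constructed values.

```python
import hashlib
import hmac

# Constructed constant baked into the source: the "obscure" scheme's only secret.
# Not from any real system. Once the code is read, there is nothing left to hide
# and no key to change; the only remedy is to redesign and redeploy.
_HIDDEN_SUFFIX = "s3cr3t-suffix"


def obscure_token(user_id: str) -> str:
    """Obscurity-based token: SHA-256 of the user id plus a constant in the code.
    It takes no key, so anyone who has read the source can compute it."""
    return hashlib.sha256((user_id + _HIDDEN_SUFFIX).encode()).hexdigest()


class KeyedTokenService:
    """Kerckhoffs-style token: the mechanism (HMAC-SHA256) is public, security
    rests on a key held outside the code, and the key can be rotated."""

    def __init__(self, key: bytes) -> None:
        self.current = key
        self.previous = None  # old key, accepted only during a rotation window

    def issue(self, user_id: str) -> str:
        return hmac.new(self.current, user_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, user_id: str, token: str) -> bool:
        for key in (self.current, self.previous):
            if key is None:
                continue
            expected = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, token):  # constant-time comparison
                return True
        return False

    def rotate(self, new_key: bytes) -> None:
        """Response to a suspected key leak: swap keys, keep the old one briefly."""
        self.previous, self.current = self.current, new_key


def keyed_design_walkthrough(user_id: str = "alice") -> dict:
    """Run the keyed design through 'algorithm known' and 'key rotated' events."""
    svc = KeyedTokenService(key=b"constructed-key-1")  # constructed keys throughout
    old = svc.issue(user_id)
    # Knowing the algorithm but not the key yields a token that does not verify.
    no_key = hmac.new(b"wrong-key", user_id.encode(), hashlib.sha256).hexdigest()
    without_key_ok = svc.verify(user_id, no_key)
    svc.rotate(b"constructed-key-2")  # key suspected leaked: rotate
    during_window_ok = svc.verify(user_id, old)
    svc.rotate(b"constructed-key-3")  # window closed: old key dropped
    after_window_ok = svc.verify(user_id, old)
    return {"without_key": without_key_ok, "during_rotation": during_window_ok,
            "after_rotation": after_window_ok}
```

The contrast is in what a defender can do after disclosure: the keyed design recovers with `rotate()`, the obscure design only with a code change.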

Peter Swire has written about the trade-off between the notion that "security through obscurity is an illusion" and the military notion that "loose lips sink ships",[5] as well as on how competition affects the incentives to disclose.[6]

There are conflicting stories about the origin of this term. Fans of MIT's Incompatible Timesharing System (ITS) say it was coined in opposition to Multics users down the hall, for whom security was far more an issue than on ITS. Within the ITS culture the term referred, self-mockingly, to the poor coverage of the documentation and obscurity of many commands, and to the attitude that by the time a tourist figured out how to make trouble he'd generally got over the urge to make it, because he felt part of the community. One instance of deliberate security through obscurity on ITS has been noted: the command to allow patching the running ITS system (altmode altmode control-R) echoed as $$^D. Typing Alt Alt Control-D set a flag that would prevent patching the system even if the user later got it right.[7]

In January 2020, NPR reported that Democratic party officials in Iowa declined to share information regarding the security of its caucus app, to "make sure we are not relaying information that could be used against us." Cybersecurity experts replied that "to withhold the technical details of its app doesn't do much to protect the system."[8]

Criticism

Security by obscurity alone is discouraged and not recommended by standards bodies. The National Institute of Standards and Technology (NIST) in the United States recommends against this practice: "System security should not depend on the secrecy of the implementation or its components."[9] The Common Weakness Enumeration project lists "Reliance on Security Through Obscurity" as CWE-656.[10]

A large number of telecommunication and digital rights management cryptosystems use security through obscurity, but have ultimately been broken. These include components of GSM, GMR encryption, GPRS encryption, a number of RFID encryption schemes, and most recently Terrestrial Trunked Radio (TETRA).[11]

One of the largest proponents of security through obscurity commonly seen today is anti-malware software. What typically occurs with this single point of failure, however, is an arms race of attackers finding novel ways to avoid detection and defenders coming up with increasingly contrived but secret signatures to flag on.[12]

The technique stands in contrast with security by design and open security, although many real-world projects include elements of all strategies.

Obscurity in architecture vs. technique

Knowledge of how the system is built differs from concealment and camouflage. The effectiveness of obscurity in operations security depends on whether the obscurity lives on top of other good security practices, or if it is being used alone.[13] When used as an independent layer, obscurity is considered a valid security tool.[14]

In recent years, more advanced versions of "security through obscurity" have gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.[15] NIST's cyber resiliency framework, SP 800-160 Volume 2, recommends the use of security through obscurity as a complementary part of a resilient and secure computing environment.[16]
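One concrete form of the cyber deception mentioned above is the decoy account: an identity that exists only as bait, so that any authentication attempt against it is a high-fidelity alert rather than noise. This added example (not from the article or any cited source) runs that detection over constructed sshd-style log lines; the decoy names, hosts and addresses are all made up.

```python
import re
from dataclasses import dataclass

# Constructed decoy identities. No legitimate process ever uses them, so their
# appearance in an auth log is a signal on its own, regardless of success.
DECOY_USERS = {"svc_backup_legacy", "db_admin_ro"}

# Constructed sample log lines in sshd's format; not taken from any real host.
SAMPLE_LOG = """\
Mar 12 09:14:02 host1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 12 09:15:44 host1 sshd[2240]: Failed password for svc_backup_legacy from 203.0.113.7 port 40111 ssh2
Mar 12 09:15:49 host1 sshd[2240]: Failed password for invalid user db_admin_ro from 203.0.113.7 port 40112 ssh2
Mar 12 09:16:10 host1 sshd[2251]: Accepted password for bob from 10.0.0.9 port 51240 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)"
)


@dataclass(frozen=True)
class DecoyAlert:
    user: str
    src: str
    result: str


def decoy_alerts(log_text: str, decoys=DECOY_USERS) -> list:
    """Return one alert per log line that references a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("user") in decoys:
            alerts.append(DecoyAlert(m.group("user"), m.group("src"), m.group("result")))
    return alerts


def sources_touching_decoys(log_text: str) -> set:
    """Source addresses worth investigating: anything that probed a decoy."""
    return {a.src for a in decoy_alerts(log_text)}
```

The decoy adds nothing unless the real accounts are already protected; it is a detection layer on top of authentication, not a replacement for it.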

See also

  • Steganography
  • Code morphing
  • Need to know
  • Obfuscation (software)
  • Presumed security
  • Secure by design
  • AACS encryption key controversy
  • Zero-day (computing)
  • Code talker
  • Obfuscation

References

  1. Zwicky, Elizabeth D.; Cooper, Simon; Chapman, D. Brent (2000-06-26). Building Internet Firewalls: Internet and Web Security. O'Reilly Media, Inc. ISBN 978-0-596-55188-9.
  2. Selinger, Evan; Hartzog, Woodrow (May 21, 2014). "Obscurity and Privacy". Routledge Companion to Philosophy of Technology (Joseph Pitt & Ashley Shew, eds., 2014, forthcoming). Available at SSRN: https://ssrn.com/abstract=2439866
  3. Stross, Randall (17 December 2006). "Theater of the Absurd at the T.S.A." The New York Times. Archived from the original on 8 December 2022. Retrieved 5 May 2015.
  4. Anderson, Ross (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, Inc. p. 240. ISBN 0-471-38922-6.
  5. Swire, Peter P. (2004). "A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?". Journal on Telecommunications and High Technology Law. 2. SSRN 531782.
  6. Swire, Peter P. (January 2006). "A Theory of Disclosure for Security and Competitive Reasons: Open Source, Proprietary Software, and Government Agencies". Houston Law Review. 42. SSRN 842228.
  7. "security through obscurity". The Jargon File. Archived from the original on 2010-03-29. Retrieved 2010-01-29.
  8. "Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App". NPR.org. Archived from the original on 2022-12-23. Retrieved 2020-02-06.
  9. "Guide to General Server Security" (PDF; 258 kB). National Institute of Standards and Technology. 2008-07-01. Archived (PDF) from the original on 2017-08-09. Retrieved 2011-10-02.
  10. "CWE-656: Reliance on Security Through Obscurity". The MITRE Corporation. 2008-01-18. Archived from the original on 2023-09-28. Retrieved 2023-09-28.
  11. Midnight Blue (August 2023). ALL COPS ARE BROADCASTING: Breaking TETRA after decades in the shadows (slideshow) (PDF). Black Hat USA 2023. Archived (PDF) from the original on 2023-08-11. Retrieved 2023-08-11.
      Carlo Meijer; Wouter Bokslag; Jos Wetzels (August 2023). All cops are broadcasting: TETRA under scrutiny (paper) (PDF). USENIX Security 2023. Archived (PDF) from the original on 2023-08-11. Retrieved 2023-08-11.
  12. KPMG (May 2022). "The cat and mouse game of antivirus evasion". Archived from the original on 2023-08-28. Retrieved 2023-08-28.
  13. "Obscurity is a Valid Security Layer". Daniel Miessler. Archived from the original on 2022-12-08. Retrieved 2018-06-20.
  14. "Cyber Deception | CSIAC". www.csiac.org. Archived from the original on 2021-04-20. Retrieved 2018-06-20.
  15. "CSD-MTD". Department of Homeland Security. 2013-06-25. Archived from the original on 2022-12-08. Retrieved 2018-06-20.
  16. Ross, Ron; Graubart, Richard; Bodeau, Deborah; McQuaid, Rosalie (2018-03-21). Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Report). National Institute of Standards and Technology. Archived from the original on 2023-12-06. Retrieved 2024-04-05.

External links

  • Eric Raymond on Cisco's IOS source code 'release' v Open Source
  • Computer Security Publications: Information Economics, Shifting Liability and the First Amendment by Ethan M. Preston and John Lofton
  • Security Through Obscurity Ain't What They Think It Is at the Wayback Machine (archived February 2, 2007) by Jay Beale
  • Secrecy, Security and Obscurity & The Non-Security of Secrecy by Bruce Schneier
  • "Security through obsolescence", Robin Miller, linux.com, June 6, 2002
