Gaming security by obscurity

Shannon sought security against the attacker with unlimited computational powers: *if an information source conveys some information, then Shannon's attacker will surely extract that information*. Diffie and Hellman refined Shannon's attacker model by taking into account the fact that the real attackers are computationally limited. This idea became one of the greatest new paradigms in computer science, and led to modern cryptography. Shannon also sought security against the attacker with unlimited logical and observational powers, expressed through the maxim that "the enemy knows the system". This view is still endorsed in cryptography. The popular formulation, going back to Kerckhoffs, is that "there is no security by obscurity", meaning that the algorithms cannot be kept obscured from the attacker, and that security should only rely upon the secret keys. In fact, modern cryptography goes even further than Shannon or Kerckhoffs in tacitly assuming that *if there is an algorithm that can break the system, then the attacker will surely find that algorithm*. The attacker is not viewed as an omnipotent computer any more, but he is still construed as an omnipotent programmer. So the Diffie-Hellman step from unlimited to limited computational powers has not been extended into a step from unlimited to limited logical or programming powers. Is the assumption that all feasible algorithms will eventually be discovered and implemented really different from the assumption that everything that is computable will eventually be computed? The present paper explores some ways to refine the current models of the attacker, and of the defender, by taking into account their limited logical and programming powers. If the adaptive attacker actively queries the system to seek out its vulnerabilities, can the system gain some security by actively learning attacker's methods, and adapting to them?Comment: 15 pages, 9 figures, 2 tables; final version appeared in the Proceedings of New Security Paradigms Workshop 2011 (ACM 2011); typos correcte

EFFECTIVENESS OF SECURITY THROUGH OBSCURITY METHODS TO AVOID WEB APPLICATION VULNERABILITY SCANNERS

The concept of security through obscurity is not recommended by the National Institute of Standards and Technology (NIST) as a form of system security. Basically this concept hides assets as difficult as possible so that it is not easy for attackers to find them, so that it can be used to avoid vulnerability scanner applications that are widely used by attackers to find out web system weaknesses. This research was conducted by modifying the web application firewall (WAF) and testing using the SQLMap and OWASP Zed Attack Proxy (ZAP) vulnerability scanner applications. The results of the study show that SQLMap takes up to 1238 times longer to complete a scan on a modified web application firewall than without modification, while OWASP ZAP cannot complete a scan on the same treatment. Thus the concept of security through obscurity can be applied to web security to extend vulnerability scanning time

Enabling Auditing and Intrusion Detection of Proprietary Controller Area Networks

The goal of this dissertation is to provide automated methods for security researchers to overcome ‘security through obscurity’ used by manufacturers of proprietary Industrial Control Systems (ICS). `White hat\u27 security analysts waste significant time reverse engineering these systems\u27 opaque network configurations instead of performing meaningful security auditing tasks. Automating the process of documenting proprietary protocol configurations is intended to improve independent security auditing of ICS networks. The major contributions of this dissertation are a novel approach for unsupervised lexical analysis of binary network data flows and analysis of the time series data extracted as a result. We demonstrate the utility of these methods using Controller Area Network (CAN) data sampled from passenger vehicles

Increased security through open source

In this paper we discuss the impact of open source on both the security and transparency of a software system. We focus on the more technical aspects of this issue, combining and extending arguments developed over the years. We stress that our discussion of the problem only applies to software for general purpose computing systems. For embedded systems, where the software usually cannot easily be patched or upgraded, different considerations may apply

Theorising the ‘Security Influencer’ : speaking security, terror and Muslims on social media during the Manchester bombings

Security studies literature neglects social media’s potential for lay actors to become influential within security debates. This article develops the concept of ‘security influencers’, bringing literature from marketing into the security debate to understand how social media enables individuals to ‘speak’ and contest security and how lay actors exert influence. Methodologically, this article applies a multi-methods approach to 27,367 tweets to identify and analyse the top four most influential actors in 48 hours following the 2017 bombings by keywords ‘Manchester’ and ‘Muslims’. This article builds a typology of security influencers nuancing definitions of the passive ‘security broadcaster’ and the active ‘security engager’, both of which emerge from obscurity or influence within non-security domains. Furthermore, a dichotomy emerges within influential messages and contestation; messages discussing Muslims in banal terms as diverse individuals register high levels of agreement, whereas those discussing Islam as a world religion receive more hostility and contestation

Insecurity by Obscurity: A Review of SoHo Router Literature from a Network Security Perspective

Because of prevalent threats to SoHo based ADSL Routers, many more devices are compromised. Whilst an end-user may be at fault for not applying the appropriate security mechanisms to counter these threats, vendors should equally share the blame. This paper reveals that the lack of security related content and poor overall design could impact on end-users’ interpretation and willingness to implement security controls on their ADSL router. It argues that whilst the number of threats circulating the Internet is increasing, vendors are not improving their product literature