
Security by Obscurity vs the Obscurity Security Layer

I have on my desk about a dozen website projects to develop. Amazingly, they have a few things in common such as:

  • Dynamic user written.
  • Database driven.
  • Member and Admin Login.
  • Security Concerns.

Ever since Sony had their servers cracked open by what the press seems to report was the North Koreans, people have become a lot more aware of Security! Security by Obscurity (or Security through Obscurity, or Security via Obscurity) has proven to be very little security at all. This is because if the Obscurity is ever discovered (and it usually can be discovered in a number of ways), the security becomes “totally compromised.” But does it really? Well, yes and no! You may want to strengthen your security by using the Obscurity Security Layer!

As Shrek the Wise would say, Ogres Are Like Web Security! They both have layers!


Web Security and Onions

Web Security (and Ogres) are like Onions: they have layers of security. The Obscurity Security Layer adds another layer of security. It doesn’t replace good key-based or password-based security; instead, it makes it more difficult to attack that security.

Let me give you a few different examples of the difference between adding an Obscurity Security Layer and trying to get by with Security by Obscurity!

My Neighbor’s House

My Neighbor in California did not like carrying (losing) keys. While looking for a solution, he chose Security by Obscurity. After losing some amount of money, he chose to switch to a different security system with an Obscurity Security Layer. Let’s compare the two…

Security by Obscurity

Instead of hiding a spare key under a mat or in a flower pot, he realized that people would see him get the key and that would compromise his security by obscurity. Instead he put the spare key inside and above the door of his backyard shed. He reasoned that by first passing through the fence gate, and into the backyard with a 6 foot high solid fence, no one would see him reach into the shed and get the key.

His Security by Obscurity worked for a few months. However, he was in the habit of putting whatever change or few bills he had on his dresser at night. He started to notice that some money was disappearing. He also noticed that it seemed to happen every Monday, but never on Saturday or Sunday when he was home. However, he still was not sure if it was just his own faulty memory. Therefore, one day, he wrote down exactly how much money was there and put the paper in his pocket. When he returned home, there was $2.26 missing. He went and talked to the police. Their first question was, “Do you have a spare key hidden anywhere on your property?” “Yes!” he replied. The police told him that was not very secure. They also told him the thief was likely a child, as only a small amount was taken.

He borrowed a friend’s car and parked it a couple of houses down where he could see the gate. It was Monday! He got in his car, drove it around the corner, parked, and walked back to the friend’s car. Soon he saw the neighbor boy enter his gate to the back yard. He let a few moments pass and then followed. The shed door was open, as was the back door of his house. He arrived at his bedroom as the boy was putting some of his money into his pockets.

The boy who was playing on the top of his back yard slide was tall enough to see the strange behavior of his neighbor. So he also tried it! Only one person ever saw where the key was hidden, but that one person defeated the Security by Obscurity.

Obscurity Security Layer

Trying to fix the problem instead of only fixing the blame, he asked the police for advice. They suggested a small safe! As it turned out, my neighbor was storing a small safe in his storage shed. He began keeping the key in the safe, which required a combination to be entered.

The safe became the main security, however, the backyard shed added to that security by adding an Obscurity Security Layer that prevented most people from even knowing the key was on the property.

Abrams M1 Combat Tank

The Abrams M1 Combat Tank is still a standard in the US Military. It has proven it’s combat ready in real world examples over and over again.

Main Security Layer

The main security feature of the Abrams M1 Tank is its heavy armor. Without a doubt the heavy armor protects not only the tank, but also the servicemen inside of it. This armor is a formidable tactical advantage. But no armor is 100% secure…

Obscurity Security Layer

Therefore, the Abrams M1 has six tubes near the top, pointed in all directions. These tubes fire smoke bombs that not only obscure the tank from the vision of the enemy, but also obscure the tank from thermal imaging.

In other words, the armor is the security for the tank, but the smoke bombs are the Obscurity Security Layer!

SSH on Your Server

Let’s consider your web server as an Abrams M1 Tank!

Your main armor is SSH. Wow! Cool, that is heavy duty armor. Almost unbreakable (even though people will try!). SSH allows you, and maybe only you, to login and control your server. However, SSH usually uses port 22. Everybody knows that, but the only person that NEEDS to know that is you!

I have seen some people say change your SSH port to 24 (reserved for strange email that almost no one uses!). Well, me talking SSH to my server on port 24 is no problem at all for my server, or for me! But does it help???

I have read where a small web server was configured to listen for SSH calls on ports 22, 24, and 32 for a weekend. At the end of the weekend, nearly 19,000 attempts were made for SSH on port 22 – shocking when there was no valid reason for even one attempt! Here is a comparison…

  • Port 22: 19,000 false attempts
  • Port 24: 5 false attempts
  • Port 32: 0 false attempts
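To repeat this comparison on your own server, here is an added example (not from the original post) that tallies failed SSH logins per listening port. It assumes OpenSSH running with LogLevel VERBOSE, which logs a "Connection from ... on ... port N" line per connection; the sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH's LogLevel VERBOSE format; the addresses
# are documentation ranges and do not come from the original post.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[4101]: Connection from 203.0.113.7 port 40112 on 192.0.2.10 port 22
Jan 12 03:14:05 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 12 03:14:09 web1 sshd[4102]: Connection from 203.0.113.7 port 40120 on 192.0.2.10 port 22
Jan 12 03:14:11 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jan 12 03:14:12 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 40120 ssh2
Jan 12 04:20:30 web1 sshd[4150]: Connection from 198.51.100.23 port 51515 on 192.0.2.10 port 24
Jan 12 04:20:33 web1 sshd[4150]: Failed password for root from 198.51.100.23 port 51515 ssh2
Jan 12 09:02:44 web1 sshd[4200]: Connection from 198.51.100.99 port 60001 on 192.0.2.10 port 32
Jan 12 09:02:45 web1 sshd[4200]: Accepted publickey for deploy from 198.51.100.99 port 60001 ssh2
"""

# The process name is "sshd", or "sshd-session" on newer OpenSSH releases.
CONNECT = re.compile(r"sshd(?:-session)?\[(\d+)\]: Connection from (\S+) port \d+ on \S+ port (\d+)")
FAILED = re.compile(r"sshd(?:-session)?\[(\d+)\]: Failed \S+ for ")

def failed_logins_by_port(lines, ports=(22, 24, 32)):
    """Return {listening_port: (failed_logins, distinct_source_addresses)}.

    The "port N" in a "Failed password" line is the client's source port, so
    the listening port is recovered from the "Connection from" line logged
    by the same sshd process (matched on pid).
    """
    conn = {}                # sshd pid -> (listening port, client address)
    failures = Counter()
    sources = {}
    for line in lines:
        m = CONNECT.search(line)
        if m:
            pid, ip, port = m.groups()
            conn[pid] = (int(port), ip)   # overwriting handles pid reuse
            continue
        m = FAILED.search(line)
        if m and m.group(1) in conn:      # skip failures with no known connection
            port, ip = conn[m.group(1)]
            failures[port] += 1
            sources.setdefault(port, set()).add(ip)
    all_ports = sorted(set(ports) | set(failures))
    return {p: (failures[p], len(sources.get(p, ()))) for p in all_ports}

if __name__ == "__main__":
    for port, (n, srcs) in failed_logins_by_port(SAMPLE_LOG.splitlines()).items():
        print(f"Port {port}: {n} failed logins from {srcs} source address(es)")
```

The distinct-source count shows whether the noise on a port is a handful of scanners or a broad sweep, which the raw attempt totals alone do not.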

Obscurity Security Layer

Wow, not even one attempt to do SSH on port 32!

Now what if you configured your SSH to ignore port 22?  19,000 false attempts were made in one weekend.  Nineteen Thousand error handlers in one weekend.   Perhaps 19,000 evil website crackers know you have SSH on port 22!

Switching your SSH to port 24 (or 32) is like the smoke bombs on Abrams M1 Tanks! It adds an Obscurity Security Layer! Our security is still SSH, but we have ceased to advertise where our armor is, and we no longer tell people where to attack us. That improves our SSH security!

Likewise, if we are ignoring port 22 then our CPU is not having to work so hard to service these unnecessary errors.

Additional Obscurity Security Layer Ideas

If you are on shared hosting you may not be able to set the SSH port number, but there are a number of other things you can use to build your Obscurity Security Layer. Let me close with a list of things you can add to your custom-built dynamic website. This is not for use on sites like WordPress, although some of these suggestions could be used there too.

Start your site on a php page that is included from the default page.

By doing this, if someone hacks your site, they can only see one include!

Make all files and folders unreadable.

They should be blocked from being read directly. The client should receive an error, like Forbidden, if anyone tries to access them directly.

Never reveal a file name.

index.php or home.php should be changed to something like kljhrep28934rlqkdwfh.php – fifteen char random string would be swell!

Run everything through a highly secure SINGLE page.

This will help you catch mistakes.

Put all files under a random filename, that is never revealed.

More to Come!

  • Easy Database Class (uses PDO and bindings to avoid SQL injection).
  • Simple CRUD Class (Create, Read, Update, and Delete) with a login using Read (this uses the above Database class).
  • A login / logout page example.
  • An Admin CRUD Grid Example, using the above CRUD class.
  • A user extension of the CRUD class to make setting up your database easy.
  • An example profile and website to see how everything goes together.
  • Setup and examples of how to make an .htaccess file to set up fake (pretty) directories.
