I think you misunderstand my contention. My comment was not meant to be within the context of wireless security; it was to exercise what is a pet peeve of mine, and to attempt to educate other professionals that discounting any tool which can be used to enhance security is limiting the security you can provide.

There is a role for obscurity in the security process. It deals with 90% of the riff-raff one wouldn't have to deal with otherwise. Then you add extra layers of security until you're comfortable with the amount of risk you're taking in relation to the security costs.

For example, I have automated lights which come on in the evening and switch off later on, around my fairly predictable bedtime. If I'm away, the lights coming on obscures the fact that I am away and will deter the casual burglar looking for the easy score; it will not deter the drug-induced, paranoia-stricken gunman who breaks into the house on a hunt for money. However, there are far more of the former than the latter, so I've achieved a measurable amount of security by enacting a simple measure which obscures the target. I can have varying levels of obscurity too. I could steal a neighbor's "Protected by ADT" sign, and that might scare off a more determined burglar, or it might not.

When you say you discount Art of War comparisons, what you are really saying is you discount human behavior. If you discount human behavior, then you're not taking a holistic view of security.

By the way, you completely ignored my point that honeypots would have no value if it weren't for obscurity. By making a target so attractive it has to be investigated, you've effectively obscured other targets to a large group of attackers. Take my home example above a step further: I decide to purchase an alarm system, but decline the ADT sign. My house is now a sort of honeypot. The burglar thinks the target is soft, which is maybe what I want, because I've been targeted by the burglar on a repeated basis, and suspect that it's a neighbor kid and want to catch him in the act. Or in the case at the high school I used to work at, we were being targeted by a repeat burglar going after vending machines. We requested the state police station troopers inside the school to catch the guy.
It worked, because we obscured the fact that they were there by not having their vehicles in the parking lot.

Security systems, as all systems designed by human beings, are prone to failure. There will always be individuals who will do their due diligence in investigating a system for weaknesses and then exploiting those weaknesses. Any effort you can make to minimize weakness should not be ignored, and that includes obscuring the target. That obscurity may be enough to buy you time to analyze logs and prevent intrusion.

I will stipulate that security only by obscurity is false security. But I am likely to remain unconvinced that there is no role or value for obscurity in the security process. YMMV

On Thu, Feb 19, 2009 at 5:11 PM, Micheal Espinola Jr <[email protected]> wrote:
> Well, sure it fails to value it - it is completely against it. As are many of us who have dealt with issues related to this over the years. We aren't just following the band wagon here... many of us are in the band, and find no value in it.
>
> The Art of War, etc., comparisons don't fly in my book. When someone is snooping Wi-Fi, they are still going to see your traffic regardless if it doesn't have an SSID. I have an app on my iPhone that will show this. If I am looking to break in to your network, I'm still going to hack your packets - SSID or not. SSID's just make it easier for the end-user to identify which network they might want to join.
>
> The SSID hiding isn't going to add any value to the security of your network. It's only going to make it cumbersome for your users to use it. Obscurity of such information only elevates your level of *perceived* security. You are not more secure by hiding something. Obscurity does not elevate your level of security in any way shape or form.
>
> I'd further suggest that promoting obscurity as an increase in security is a disservice to any client or customer. The days of security by obscurity are past.
> You should never have any faith in obscurity as a level of security. Microsoft was a laughing stock with obscurity in the 90's. Many companies have been caught with their pants down in recent years over security failures that involved obscurity.
>
> Security is an aspect of protection. Obscurity offers no protection whatsoever. It's not tangible. It's not manageable. It's not real.
>
> My opinion. YMMV.
>
> --
> ME2
>
> On Thu, Feb 19, 2009 at 4:04 PM, Jonathan Link <[email protected]> wrote:
> > I really hate this trite expression. It's filled with condescension and a my way is the only right way point of view. It fails to value the role of obscurity in security.
> >
> > If obscurity had no value, honeypots would be useless.
> >
> > If obscurity had no value, Sun-Tzu wouldn't have said "if you are formless, the most penetrating spies will not be able to discern you, or the wisest counsels will not be able to do calculations against you."
> >
> > Obscurity is part of security, security is a process, and just like any process, a missing piece is a missing piece and leaves you more vulnerable. Arguments for security should not begin with security through obscurity is false security, but should begin with security through obscurity is not enough security.
> >
> > On Thu, Feb 19, 2009 at 3:54 PM, Sean Rector <[email protected]> wrote:
> >> He's right on the money. Security through obscurity is a false security.
> >>
> >> Sean Rector, MCSE
> >>
> >> From: Carl Houseman [mailto:[email protected]]
> >> Sent: Thursday, February 19, 2009 3:47 PM
> >> To: NT System Admin Issues
> >> Subject: RE: SECURING WIFI ROUTER
> >>
> >> No no no. Those recommendations should be dismissed, they are so "yesterday's idea of security". For anyone who really wants to get in, working around MAC filtering and non-broadcast SID's is a piece of cake.
> >> Secure the router or access point with WPA2 and a strong PSK if you can't do 802.1x authentication. When properly secured, it doesn't matter if you're visible or whether your MAC is allowed or not.
> >>
> >> Further reading:
> >>
> >> http://blogs.zdnet.com/Ou/index.php?p=43
> >> http://blogs.zdnet.com/Ou/?p=454
> >> http://www.icsalabs.com/icsa/docs/html/communities/WLAN/wp_ssid_hiding.pdf
> >>
> >> Carl
> >>
> >> From: Lee Douglas [mailto:[email protected]]
> >> Sent: Thursday, February 19, 2009 3:14 PM
> >> To: NT System Admin Issues
> >> Subject: Re: SECURING WIFI ROUTER
> >>
> >> In terms of securing, I've seen recommendations to NOT have the router broadcast its SID as well as using MAC filtering. I'm sure all can likely be circumvented, but they just add extra layers and make your neighbors that much more attractive..
> >>
> >> On Thu, Feb 19, 2009 at 3:02 PM, Webb, Brian (Corp) <[email protected]> wrote:
> >>
> >> I've seen the same message as well with an HP laptop going to a D-Link WIFI using WPA. The message seems to indicate that you are connected to an unsecured network, but I've always been connected to my secured network when I've checked.
> >>
> >> -Brian
> >>
> >> -----Original Message-----
> >> From: Andy Ognenoff [mailto:[email protected]]
> >> Sent: Thursday, February 19, 2009 1:57 PM
> >> To: NT System Admin Issues
> >> Subject: RE: SECURING WIFI ROUTER
> >>
> >> I've seen that happen too, with the plain old Windows wireless client. WPA2 in my instance, as well. I never did figure out what the problem was but I stopped using WIFI a year ago and just wired my house with CAT5e. At the time it was a Linksys WRT54GL with DD-WRT and an Intel integrated wlan card in a ThinkPad T60.
> >>
> >> - Andy O.
> >> ________________________________________
> >>
> >> From: Sam Cayze [mailto:[email protected]]
> >> Sent: Thursday, February 19, 2009 1:40 PM
> >> To: NT System Admin Issues
> >> Subject: RE: SECURING WIFI ROUTER
> >>
> >> Mmm... this doesn't sound like a popup that I am familiar with Windows being capable of generating. It won't even pop up that message with a Wide Open wireless connection (No password needed).
> >>
> >> Could it be the security center letting you know that the firewall is off, windows update is off, or that virus defs are old?
> >>
> >> If not that, I suspect it's your AV telling you something, or spyware.
> >>
> >> ________________________________________
> >> From: Murray Freeman [mailto:[email protected]]
> >> Sent: Thursday, February 19, 2009 1:33 PM
> >> To: NT System Admin Issues
> >> Subject: SECURING WIFI ROUTER
> >>
> >> I hope this is on topic. I have a Dell 700m laptop and a Netgear rangemax mimo "G" router. I'm using WPA2, but from time to time, a balloon pops up from the icon in the systray stating that my connection is unsecure. If I right click and select "view wireless networks" it indicates that my network is in fact secured with WPA2. Any ideas why I get the balloon, and is there another way to ensure that I am WPA2 secured in fact? I've noticed this for months now.
> >>
> >> Murray
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >>
> >> Information Technology Manager
> >> Virginia Opera Association
> >>
> >> E-Mail: [email protected]
> >> Phone: (757) 213-4548 (direct line)
