InfoWorld on 2015 in Security
-
@scottalanmiller said:
@BRRABill said:
@scottalanmiller said:
Definitely. Just like how changing common port numbers can tip people off that you have something worth attempting to get. The illusion of security is one of the most dangerous things because it makes people do things that they would not otherwise do without being as secure as they think that they are.
But, the illusion of security never works against people destined to get what they want.
Take a real world example ... locking your car. Sure, if they want to get inside, they can just break the windows. So you put it in your garage. So they break into the house, then break the windows. There is always a way.
But how many thieves are just going to move on to the next car? Most.
Those things are not illusions of security. They are actual security. Yes, all security can be overcome but that doesn't mean that they are not functional security measures. Real security measures deter or slow break-ins. Locking a car door is real security - unless you leave the windows open or the top down, of course. It means someone has to hide the fact that they are breaking in and put effort into picking the lock and in court they can't claim that they thought it was their car. It's not entering, it is breaking and entering.
Changing ports is not security. Someone looking to access your system would never even know that the port was changed. The idea that the port is static is one of convenience in most cases, nothing more. Port 22 doesn't actually mean SSH, it's just the common place to put it so that tools don't require you to specify a different port. But all ports are available for all purposes and someone trying to break in or even just someone wanting to catalogue your services would never know, unless they specifically looked it up, that you had changed the port and even if they saw that you did that they would be unable to determine if you did it thinking that it was some sort of security or if you just needed to use a different port.
It's literally not security in any way. There is nothing more secure over "having done nothing." It's literally - nothing.
Locking a car door is the simplest of security. It is easily overcome. It's literally like doing nothing if they want in your car.
-
@BRRABill said:
@scottalanmiller said:
@BRRABill said:
@scottalanmiller said:
Definitely. Just like how changing common port numbers can tip people off that you have something worth attempting to get. The illusion of security is one of the most dangerous things because it makes people do things that they would not otherwise do without being as secure as they think that they are.
But, the illusion of security never works against people destined to get what they want.
Take a real world example ... locking your car. Sure, if they want to get inside, they can just break the windows. So you put it in your garage. So they break into the house, then break the windows. There is always a way.
But how many thieves are just going to move on to the next car? Most.
Those things are not illusions of security. They are actual security. Yes, all security can be overcome but that doesn't mean that they are not functional security measures. Real security measures deter or slow break-ins. Locking a car door is real security - unless you leave the windows open or the top down, of course. It means someone has to hide the fact that they are breaking in and put effort into picking the lock and in court they can't claim that they thought it was their car. It's not entering, it is breaking and entering.
Changing ports is not security. Someone looking to access your system would never even know that the port was changed. The idea that the port is static is one of convenience in most cases, nothing more. Port 22 doesn't actually mean SSH, it's just the common place to put it so that tools don't require you to specify a different port. But all ports are available for all purposes and someone trying to break in or even just someone wanting to catalogue your services would never know, unless they specifically looked it up, that you had changed the port and even if they saw that you did that they would be unable to determine if you did it thinking that it was some sort of security or if you just needed to use a different port.
It's literally not security in any way. There is nothing more secure over "having done nothing." It's literally - nothing.
Locking a car door is the simplest of security. It is easily overcome. It's literally like doing nothing if they want in your car.
But it must be overcome. Port changing does not need to be overcome. That is why one is security and one is not. Fundamentally different. No matter how little you consider locking a door to be, it makes it harder to enter the car. Port changing does no such thing.
-
@scottalanmiller said:
But it must be overcome. Port changing does not need to be overcome. That is why one is security and one is not. Fundamentally different. No matter how little you consider locking a door to be, it makes it harder to enter the car. Port changing does no such thing.
If some high school kid is looking for certain apps on certain ports, maybe they just don't find yours. Or if you make your password 123.
Granted, this would be a pretty rudimentary hacker. But it's the same point as basic passwords. I feel something is better than nothing.
It's an illusion of security against an experienced thief/hacker. Against someone just curious, maybe it's enough.
In our neighborhood, almost every week stuff is stolen from cars that are unlocked. They go around, see if it is locked, and go to the next one. They are not looking to make millions, just get the low hanging fruit.
-
@BRRABill said:
If some high school kid is looking for certain apps on certain ports, maybe they just don't find yours. Or if you make your password 123.
You are grasping at straws. One is security that must be overcome. One is not. There is nothing at all. That the kid was looking at one port or another is his own business. That's random, not security. That's like having the door on the side of the house rather than the front. Do you call that security? No, it's just the door on the side of the house.
Things like passwords ARE a form of security no matter how weak you feel it is. Things like "arbitrarily picking a port that has to be arbitrarily picked" is not since any port is arbitrary and there is nothing to overcome.
-
@scottalanmiller said:
Things like passwords ARE a form of security no matter how weak you feel it is. Things like "arbitrarily picking a port that has to be arbitrarily picked" is not since any port is arbitrary and there is nothing to overcome.
I thought we were talking about known ports.
-
@BRRABill said:
Granted, this would be a pretty rudimentary hacker. But it's the same point as basic passwords. I feel something is better than nothing.
You didn't feel that way about a door lock on a car. You said it was nothing. Nothing is no better than nothing. Nothing has to be the same as nothing.
Port changing is literally nothing. There is no security of any sort. None, nada. It's an illusion. That's what makes it bad, that it is completely fake. Passwords, even weak ones, add measurable delay and a need to "overcome". Port changing does nothing of the sort.
-
@BRRABill said:
@scottalanmiller said:
Things like passwords ARE a form of security no matter how weak you feel it is. Things like "arbitrarily picking a port that has to be arbitrarily picked" is not since any port is arbitrary and there is nothing to overcome.
I thought we were talking about known ports.
Known ports are arbitrary as well, just the commonly used ones. Anything can be on any port. There are places you generally expect services to most likely be, that's like the door in the front of the house. Sure, that is more common than the side of the house. But it would be utterly ridiculous to say that having the door on the side and making an attacker "walk around" was a form of security. You would never say someone broke into your house based solely on the entrance having been on the side of it.
Well yes, officer, the door was wide open but the house was well secured, the open doorway didn't even face the main sidewalk!
See how silly that sounds?
-
@BRRABill said:
In our neighborhood, almost every week stuff is stolen from cars that are unlocked. They go around, see if it is locked, and go to the next one. They are not looking to make millions, just get the low hanging fruit.
Right, and port changing does nothing for this. People looking for low hanging fruit would never know that the port was changed. It presents zero challenge. It's not security in any sense of the word. The only thing it can do is negative by flagging you as a target that doesn't understand security. But even that is very unlikely as no one would notice.
Someone looking to see which doors are open on your house is not going to close their eyes and try blindly. They are going to look at the house to see where the door is. Same with trying to access a computer. They will look first before knocking. In which case, they already know where the port is before any attempt at entering it.
-
I guess I am thinking of people so rudimentary they are searching for known services on known ports.
Hmmm, is RDP open on this firewall? OK, let me take a look. Versus someone scanning all the ports, which is indeed what anyone would do.
-
@BRRABill said:
I guess I am thinking of people so rudimentary they are searching for known services on known ports.
That's not rudimentary, that's lazy. That's literally like saying that you want to break into a house but look and don't see the front door so move on because you assume that there isn't one. Um..... no.
-
@scottalanmiller said:
That's not rudimentary, that's lazy. That's literally like saying that you want to break into a house but look and don't see the front door so move on because you assume that there isn't one. Um..... no.
Sooooooooo in my car example, this would be their being too lazy to even try the door?
-
@BRRABill said:
Hmmm, is RDP open on this firewall? OK, let me take a look. Versus someone scanning all the ports, which is indeed what anyone would do.
Yes, the first step is seeing what is open. That's the lowest hanging fruit, the easiest step. Once things respond you decide if you want to attack or not.
-
@BRRABill said:
@scottalanmiller said:
That's not rudimentary, that's lazy. That's literally like saying that you want to break into a house but look and don't see the front door so move on because you assume that there isn't one. Um..... no.
Sooooooooo in my car example, this would be their being too lazy to even try the door?
Right. It would be like painting the door handles the same colour as the rest of the car thinking that that would confuse someone into thinking that there was no way in.
-
@scottalanmiller said:
Right. It would be like painting the door handles the same colour as the rest of the car thinking that that would confuse someone into thinking that there was no way in.
You never know with some of these thieves!
-
Security via obfuscation. I like it!
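
The claim argued in the thread, that a service on a non-default port still announces what it is to anyone who connects, shown as an added example that is not part of the original discussion. It runs only against the local loopback interface; the banner text and the function names are constructed for illustration, and only the `SSH-` prefix comes from the SSH identification string defined in RFC 4253.

```python
import socket
import threading

# Constructed banner: only the "SSH-2.0-" prefix is protocol-defined (RFC 4253).
SAMPLE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"

def start_demo_service(banner=SAMPLE_BANNER):
    """Listen on an OS-chosen loopback port (not 22) and greet every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener was closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def identify(port, host="127.0.0.1", timeout=1.0):
    """Name a service by what it says on connect, not by its port number."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(64)
            except socket.timeout:
                return "open, silent"
    except OSError:
        return "closed"
    return "ssh" if data.startswith(b"SSH-") else "open, unrecognised"

def audit_own_ports(ports):
    """Return {port: service} for every loopback port that accepts a connection."""
    found = {p: identify(p) for p in ports}
    return {p: svc for p, svc in found.items() if svc != "closed"}

if __name__ == "__main__":
    listener, port = start_demo_service()
    print(f"demo service moved to port {port}")
    print(audit_own_ports(range(port - 2, port + 3)))
    listener.close()
```
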