Security Through Obscurity (STO): A fundamental fallacy

June 15, 2018

When a company’s password policy is too complex, employees tend to write their passwords on a piece of paper and put it under their keyboard. This is similar to hiding a house key under the doormat, which is the first place an intruder looks. It gives a false sense of security: the assumption is that if no one knows where to find the key, no one can get into the house. This is an example of Security Through Obscurity (STO), or “security theater,” which creates an illusion of security. STO is the act of relying on the secrecy of design and implementation details to provide security.

In simple terms, STO is no security at all. It’s telling cyber criminals "Hack me when you can" instead of "Hack me if you can." While implementing STO techniques has its own benefits, it certainly does not guarantee security. Unfortunately, during most of our network security engagements, we have seen examples of STO much too often.

Here are a few real-life examples of STO that we can all learn from.

Hard-coded credentials

To simplify the process of building a secure authentication system, developers often default to hard-coding passwords in the source code. The notion is that no one is going to "view source" on a web page, decompile an application, or reverse engineer a software product. The dating site Ashley Madison was built on this theory: developers wrote credentials directly into their source code, including SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. Suffice it to say, this was a bad idea.
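The kinds of secrets named above (cloud access keys, OAuth tokens, PEM private keys) have recognisable shapes, so a defender can gate commits on a simple scan. The following scanner is an added example, not code from the post or from any of the projects mentioned; the regexes are its own assumptions and the sample source is constructed (the AWS key is Amazon's published placeholder, not a live credential).

```python
import re

# Patterns for secrets that commonly end up committed to source: the kinds the
# post mentions (cloud credentials, OAuth tokens, private keys). The regexes are
# this example's own and should be tuned for your code base.
SECRET_RULES = {
    # AWS access key IDs are 20 characters starting with "AKIA".
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Header line of a PEM-encoded private key block.
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # A quoted string literal assigned to a credential-like name.
    "credential_assignment": re.compile(
        r"""(?i)[A-Za-z_]*(password|passwd|secret|api[_-]?key|token)[A-Za-z_]*\s*[:=]\s*['"][^'"]{6,}['"]"""
    ),
}

def find_hardcoded_secrets(source: str):
    """Return (line_number, rule_name, stripped_line) for each offending line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SECRET_RULES.items():
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
                break  # one finding per line is enough to fail a commit gate
    return findings

# Constructed sample input resembling the config module the post describes.
# The AWS key is Amazon's published placeholder, not a live credential, and
# the token and key material are made up.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]  # read at runtime: fine
twitter_oauth_token = "1234567890-abcdefghijklmnop"
TLS_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA... (truncated, constructed)
-----END RSA PRIVATE KEY-----'''
"""

if __name__ == "__main__":
    for lineno, rule, text in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {text}")
```

Note that the line reading the secret from the environment at runtime is not flagged; that is the pattern the scan is meant to push developers toward.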

Saving passwords or credit card details into browsers

We’ve all received those prompts asking if we’d like a website to remember our password. Many people say “yes,” knowing it will be one less thing they have to remember. But every “yes” click is an example of STO. When you tell a site to remember your password, the browser stores the password in its cache, and anyone with physical or remote access to your computer will be able to log into the sites with stored passwords.

Then there are those who sync their passwords using their Google accounts. (If you do this, you can see the list at This is an even easier solution, but remember: if your Google account gets compromised, then so are all the accounts you synced with it. There are also tools available online, such as The LaZagne Project, which can be used to obtain passwords stored within browsers in cleartext.

We’ve successfully obtained domain admin privileges during penetration tests and ethical hacking engagements for several clients because end users saved passwords in their browsers. Know that it takes cybercriminals less than two minutes to access a remote shell, or to find an unattended, unlocked computer where they can connect a pen drive and run a utility to dump passwords.

Relying on client-side scripting

A client-side script is code embedded in a web page that is executed by the user’s browser rather than on the web server. During web application penetration testing, our cybersecurity specialists have come across several websites that sanitize input or disable buttons using client-side scripting alone. With browser add-ons, a penetration tester can easily re-enable the buttons and strip out the client-side scripts to perform functions that are otherwise not allowed. This is why it is important to enforce such controls server-side rather than relying on client-side scripting.

Port re-allocation: Putting an application at a random port without proper authentication

While port re-allocation may get you out of the line of fire from automated default-port scanning attacks, a determined hacker will scan all 65,535 ports on your system and find the application they wish to attack.

While conducting penetration tests, we have discovered several internet-facing applications that lacked authentication but were hidden on random ports: closed-circuit TV camera systems, digital door locks, interactive voice recognition systems, intranet portals, and several other unauthenticated device management interfaces. Such applications should have access restrictions, and they should not be internet-facing in the first place.

Using random filenames or hiding specific URLs

Did you know that photos uploaded to Facebook have a static filename? If you right-click on a photo that only you should be able to see, go to properties, and copy its link, you can paste the link into a browser and view it even when you are signed out. This means the photos you thought were locked down using Facebook's privacy settings can still be accessed by anyone who has the photo URL. The WannaCry ransomware was able to create worldwide havoc because its encryption algorithm was kept secret, but when a young security researcher disassembled the malware, they found a domain that, once registered, activated a kill switch that immediately stopped the ransomware from spreading.

Applications often have the ability to create user accounts with different privileges. Developers often rely on simply hiding the links to higher-privilege functions from accounts with lower privileges. Such obscurity has been the root cause of several fraudulent transactions in major industries. While hiding web pages behind random, unique, and lengthy URLs might stop casual surfers from finding them, a sophisticated hacker is likely to discover and access these hidden pages. On a number of occasions, our team has searched a web server for hidden areas, found writeable directories, downloaded confidential information from them, and uploaded malicious code that allowed arbitrary code execution and website defacement.
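Both the client-side scripting section and the hidden-links problem above have the same fix: the server decides, on every request, whether the action is permitted and whether the input is valid, regardless of what the browser displayed. The handler below is an added illustration, not code from the post; the roles, actions, transfer limit and request shape are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: which actions each role may perform. The server checks
# this table on EVERY request; hiding a link or disabling a button in the
# browser is not an access control.
PERMISSIONS = {
    "user": {"view_statement", "transfer"},
    "admin": {"view_statement", "transfer", "export_all_users"},
}
TRANSFER_LIMIT = 10_000  # the same limit the client-side script enforces

@dataclass
class Request:
    user: str
    role: str      # taken from the server-side session, never from the browser
    action: str
    params: dict

def validate_transfer(params: dict):
    """Re-validate server-side what client-side JavaScript already checked.
    Returns an error message, or None when the input is acceptable."""
    amount = params.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return "amount must be a positive integer"
    if amount > TRANSFER_LIMIT:
        return f"amount exceeds limit of {TRANSFER_LIMIT}"
    if not str(params.get("to", "")).isdigit():
        return "destination account must be numeric"
    return None

def handle_request(req: Request):
    """Return (status, message). Authorization and validation happen here,
    regardless of which buttons or links the browser showed the user."""
    if req.action not in PERMISSIONS.get(req.role, set()):
        return 403, "forbidden"   # a hidden link is not an inaccessible function
    if req.action == "transfer":
        error = validate_transfer(req.params)
        if error:
            return 400, error     # a disabled button is not rejected input
    return 200, f"{req.action} ok for {req.user}"

if __name__ == "__main__":
    # A low-privilege user who found the hidden admin URL, and one who
    # re-enabled the transfer button for an over-limit amount.
    print(handle_request(Request("alice", "user", "export_all_users", {})))
    print(handle_request(Request("alice", "user", "transfer", {"amount": 50_000, "to": "1234"})))
```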

Hidden Service Set Identifiers (SSIDs)

Hiding your Wi-Fi SSID is a good way to keep war drivers from locating and exploiting your Wi-Fi network, but it won’t stop a determined hacker from hunting down your SSID and cracking your password. While staying hidden is a good measure, it is equally important to configure strong passwords on top of a robust encryption standard.

Systems hosted on a random internal network

Thanks to IDS/IPS sensors, scanning a private IP address range sounds an alarm that someone is trying to hack the network and alerts network administrators before an IP address hosting critical applications can be discovered. This is why critical applications and systems are often hidden on a separate network. Unfortunately, scanning is not the only way to discover a network. Hiding critical systems on a random network is another defense-in-depth measure, but it is equally important to monitor all system activity, review logs, keep systems patched, and implement enhanced security controls.

Using honeypots on the network

One of the most effective, efficient, and impactful ways to keep hackers off your network is to make use of honeypots. This is an obscurity-based practice that tricks hackers into thinking they have found their holy grail (even if they eventually realize it was a trap). Using a honeypot as an STO technique is a great way to identify and learn about the types of attacks a company is up against, as long as the perimeter security is hardened, patched, and access-controlled to only authorized, restricted, and legitimate individuals.

In conclusion

While STO can enhance the security of an organization's IT infrastructure, it is important to realize that security "exclusively" through obscurity is a poor method of keeping hackers off your network. Security should be strong enough that it does not need obscurity; when that is achieved, you can have confidence in your systems and their implementation.


I Don't Need Any Security! Who Wants to Hurt Me?

April 15, 2012

Imagine a world free of criminals, where every single soul would obey the "law" and never resort to manipulating or breaking it. If there were no criminals, there would be no crime, and hence the world would never think of needing security. But unfortunately, that is not the case in the real world as we know it. We all need security, right from having a password on our cell phones to building the most sophisticated defense system through the Air Force, the Navy or the Marines to protect the n...


The Armageddon of Cyber Security

November 23, 2010

War...Huh! What is it good for? Absolutely SOMETHING! The question on everybody's mind, "When will it end?", is now slowly changing to "How will it end?". A security professional lives a life much like that of a soldier fighting at the border; the only difference is that the enemies shoot SYN packets at our computers, which bleed from their open ports. Once bled, they keep shooting all kinds of probes until it is hacked or all bled out (DoS).

An evident fact in our cyber society is that the "Bad" is always ...


You Can Hack But You Can't Hide

July 7, 2010

I thought this was a very interesting title for discussion, but the whole idea is to debate whether "you can" or "you can't hide". Now that hackers around the globe have more sophisticated hacking tools under their belt, spoofing your identity has become easier than ever.

Mature hackers, unlike script kiddies, will always think twice before trying to break into a target system. They only fear what could happen if they get caught. “Law enforcement relies on the corporate s...


1981 Indian Websites Defaced In Just Three Months

April 12, 2010

As per data collected by CERT-In, the Indian government agency responsible for responding to computer security incidents as and when they occur, a total of 1981 websites were defaced in the first three months of 2010.

Website defacement in general is a kind of attack in which hackers change the visual appearance of a web page or replace the real web page of a website with their own.
Comparing the results with past trends, I am not really surprised at these statistics...


Gmail Introduces Suspicious Activity Warning

March 26, 2010

Recently, my Gmail account was hacked by some botnet which sent out e-mails to all my contacts asking them to check out a website. I only realized this when I checked my Gmail "Sent Mail" folder and had to immediately send a warning message to all my contacts telling them that my account was hacked and not to click on any links from my previous mails.

I changed the password, which solved the issue, but who knows, some other botnet might just be able to brute-force my password and get me in trou...


China warns Google to obey law

March 15, 2010

Promising consequences if Google flouts China's censorship laws, Chinese authorities also chide the U.S. for its human rights record
By Thomas Claburn, InformationWeek USA

A top official of the Chinese Ministry of Industry and Information Technology (MIIT) recently warned Google that it will face consequences if it fails to obey Chinese laws.

According to an Associated Press report, Li Yizhong, head of the MIIT, said, "If you want to do something that disobeys Chinese law and regulations, you ...


Oscars – the new vehicle for hackers to spread attacks

March 9, 2010

IT security and control firm Sophos is warning that hackers are exploiting interest in last night's Oscar film awards ceremony to infect the computers of unsuspecting computer users.

According to the report, "movie-loving Internet users are searching the web for information and gossip about the Academy Award winners, making phrases like "Oscars Winners" one of the most commonly searched for phrases on the Internet. However, using SEO (search engine optimisation) techniques, hackers have create...


Census Is Getting Too Personal

March 8, 2010

Over the next couple of weeks you're going to get a 2010 census letter in your mailbox, followed by a call or a visit from a census worker. But beware: there are con artists out there who see this census year as a gold-mine opportunity to steal your private information. Apparently this happens every ten years. Now the big question is what level of authorization these bureaucrats have to access our private and confidential information.



United States Department of Defense Embraces Hacker Certification to Protect US Interests

March 2, 2010

The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S. cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network defenders (CNDs), a specialized personnel classification within the DoD's information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 I...


Saumil's Infosec Blog

Information Security

Hi, welcome to my blog. It started out as a place to post links and news so I could find them again. I welcome you to share your thoughts or any opinions you may have on any of my posts. Thanks for stopping by. Don't forget to use the search on the home page if you don't see what you're looking for.
