When a company’s password policy is too complex, employees tend to write their passwords on a piece of paper and put it under their keyboard — similar to hiding a house key under the doormat, which is the first place an intruder looks. This gives a false sense of security: if no one knows where to find the key, then supposedly no one can get into your house. This is an example of Security Through Obscurity (STO), or “security theater,” which creates an illusion of security: it relies on the secrecy of design and implementation details to provide protection.

In simple terms, STO is no security at all. It’s telling cyber criminals "Hack me when you can" instead of "Hack me if you can." While implementing STO techniques has its own benefits, it certainly does not guarantee security. Unfortunately, during most of our network security engagements, we have seen examples of STO far too often.

Here are a few real-life examples of STO that we can all learn from.

Hard-coded credentials

To simplify the process of building a secure authentication system, developers often default to hard-coding passwords within the source code. The notion is that no one is going to "view source" on a web page, decompile an application, or reverse engineer a software product. The dating site Ashley Madison was built on this theory: developers wrote credentials directly into their source code, including SSL private keys, Twitter OAuth tokens, and Amazon Web Services credentials. Suffice it to say, this was a bad idea.
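As an added illustration (not code from the article, nor from Ashley Madison's code base), the following Python script does two things: it scans a constructed source snippet for the kinds of hard-coded credentials described above, and it shows the alternative of loading a secret from the runtime environment instead of the code. The sample values, the `scan_source` and `load_secret` helpers and the detection patterns are this example's own assumptions; the `AKIA` prefix for AWS access key IDs is a documented format, the other rules are generic heuristics.

```python
import os
import re
from typing import List, Mapping, Optional, Tuple

# Constructed "source file" showing the anti-pattern: credentials written
# straight into code. Every value here is fake (the AWS key is the example
# key from AWS documentation).
SAMPLE_SOURCE = '''\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
twitter_oauth_token = "12345-abcdefghijklmnopqrstuvwxyz"
db_password = "hunter2"
PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEexample
-----END RSA PRIVATE KEY-----"""
api_timeout = 30
'''

# Detection rules, most specific first. These are heuristics for a code-review
# or pre-commit hook, not an exhaustive secret grammar.
SECRET_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential_literal", re.compile(
        r"(?im)^\s*(\w*(?:password|passwd|secret|token|key)\w*)\s*=\s*[\"']([^\"']{4,})[\"']")),
]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, identifier_or_match) for every line that
    looks like a hard-coded credential. One finding per line, first rule wins."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in SECRET_RULES:
            m = pattern.search(line)
            if m:
                label = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, rule_name, label))
                break
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """The hardened pattern: read the secret at runtime from the environment
    (populated by a secrets manager or the deployment system), never from the
    code base. `env` defaults to os.environ; it is a parameter so the function
    can be exercised offline."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not configured")
    return value


if __name__ == "__main__":
    for lineno, rule, label in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {label}")
    # Example of the right way: the value lives outside the source tree.
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-secrets-manager"}))
```

Run against the sample, the scanner flags five of the eight lines. A rule like `credential_literal` will produce some false positives (a variable named `key_count = "four"` would trip it), which is acceptable for a review aid whose cost of a miss is far higher than the cost of a glance.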

Saving passwords or credit card details into browsers

We’ve all received those prompts asking if we’d like a website to remember our password. Many people say “yes,” knowing it will be one less thing they have to remember. But every “yes” click is an example of STO. When you tell a site to remember your password, the browser stores your password locally on that machine. Anyone with physical or remote access to your computer will have the ability to log into the sites with stored passwords.

Then there are those who sync their passwords using their Google accounts. (If you do this, you can see the list at passwords.google.com.) This is an even easier solution, but remember—if your Google account gets compromised, then so are all the accounts you synced with it. There are also tools available online, such as The LaZagne Project, which can be used to obtain passwords stored within browsers in clear text.

We’ve successfully obtained domain admin privileges during penetration and ethical hacking testing for several clients because end users saved passwords in their browsers. Know that it takes cybercriminals less than two minutes to access a remote shell or find an unattended, unlocked computer where they can connect a pen drive and run a utility to dump passwords.

Relying on client-side scripting

A client-side script is code embedded in a web page that is executed by the user’s browser rather than on the web server. During web application penetration testing, our cybersecurity specialists have come across several websites that sanitize inputs or disable buttons using client-side scripting alone. By using browser add-ons, a penetration tester can easily re-enable the buttons and remove client-side scripts to perform functions that are otherwise not allowed. This is why it’s important to implement validation and access control on the server side rather than relying on client-side scripting.
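As an added example (not from the article), here is what "server side rather than client side" means in practice: a Python request handler that re-validates an order form regardless of what the page's JavaScript enforced or stripped. The form fields, the limit of 10 items, and the sample submissions are constructed for illustration.

```python
import html
import re
from typing import Dict, List, Tuple, Union

# Constructed submissions as the server actually receives them. On the page,
# JavaScript capped the quantity field at 10 and stripped HTML from the
# comment field, but anyone with developer tools can send anything.
SUBMISSIONS: List[Dict[str, str]] = [
    {"quantity": "3", "comment": "great product"},
    {"quantity": "9999", "comment": "bulk order"},              # client-side cap bypassed
    {"quantity": "2", "comment": "<script>alert(1)</script>"},  # client-side sanitizer bypassed
    {"quantity": "abc", "comment": "x"},                        # not even a number
]

MAX_QUANTITY = 10
MAX_COMMENT_LEN = 200

Result = Tuple[bool, Union[str, Dict[str, object]]]


def validate_order(form: Dict[str, str]) -> Result:
    """Authoritative validation. Nothing the client did is trusted: every field
    is parsed, range-checked and encoded again here. Returns (ok, payload) where
    payload is the cleaned order or an error message."""
    qty_raw = form.get("quantity", "")
    # Strict syntax check before conversion: rejects "", "1e9", "10 " and so on.
    if not re.fullmatch(r"[0-9]{1,4}", qty_raw):
        return False, "quantity must be a number"
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QUANTITY:
        return False, f"quantity must be between 1 and {MAX_QUANTITY}"

    comment = form.get("comment", "")
    if len(comment) > MAX_COMMENT_LEN:
        return False, "comment too long"
    # Output encoding is done by the server at the point the value will be
    # rendered into HTML, so a bypassed client-side sanitizer changes nothing.
    return True, {"quantity": qty, "comment": html.escape(comment)}


def process_all(forms: List[Dict[str, str]]) -> List[Result]:
    return [validate_order(f) for f in forms]


if __name__ == "__main__":
    for form, (ok, payload) in zip(SUBMISSIONS, process_all(SUBMISSIONS)):
        print("ACCEPT" if ok else "REJECT", form, "->", payload)
```

The client-side checks can stay for usability (instant feedback, fewer round trips), but the server treats them as if they did not exist: the same rules are enforced again on every request, and the comment is escaped on output rather than trusted as already clean.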

Port re-allocation: Putting an application at a random port without proper authentication

While port re-allocation may get you out of the line of fire when facing automated default port scanning attacks, a determined hacker will scan all 65,535 ports on your system and find the application they wish to attack.

While conducting penetration tests, we’ve discovered several internet-facing applications that lacked authentication but were hidden on random ports, hosting closed-circuit TV camera systems, digital door locks, interactive voice response systems, intranet portals, and several other unauthenticated device management interfaces. Such applications should have access restrictions in place and, more importantly, should not be internet facing at all.

Using random filenames or hiding specific URLs

Did you know that photos uploaded to Facebook have a static filename? In fact, if you right-click on a photo that only you should be able to see, go to properties, and copy its link, you can paste the link in a browser and see it — even if you’re signed out. This means the photos you thought were locked down using Facebook's privacy settings can still be accessed by anyone who has the photo URL. The WannaCry ransomware was able to create worldwide havoc because its encryption algorithm was kept secret, but a young security researcher disassembled the malware and found a domain that, once registered, activated a kill switch which immediately stopped the ransomware from spreading.

Applications often have the ability to create user accounts with different privileges. Developers often rely on simply hiding the links to higher-privilege functions from accounts with lower privileges. Such obscurity has been the root cause of several fraudulent transactions in major corporate industries. While hiding web pages behind random, unique, and lengthy URLs might stop casual surfers from finding them, a sophisticated hacker is likely to discover and access these hidden pages. On a number of occasions, after locating hidden areas on a web server, our team was able to download confidential information and upload malicious code to hidden writeable directories, which allowed us to execute arbitrary code and deface websites.
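Added example, not part of the original post: a small Python dispatcher showing why hiding a link, or giving a page an unguessable URL, does not replace an authorization check. The route table, the roles and the hidden export path are constructed for illustration; the point is that every request passes the role check whether or not the UI ever displayed the link.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Session:
    user: str
    role: str  # "user" or "admin"

# Role ordering used for the check: a role may call anything at or below its rank.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}

# Constructed handlers. In a real application these would touch a database.
def delete_user(session: Session, params: Dict[str, str]) -> str:
    return f"deleted {params['target']}"

def export_reports(session: Session, params: Dict[str, str]) -> str:
    return "report data"

def view_profile(session: Session, params: Dict[str, str]) -> str:
    return f"profile of {session.user}"

# The export path carries a constructed random-looking token, the way a
# "hidden" URL usually does. It is still registered with a required role, so
# the token is at most a speed bump, never the control.
HIDDEN_EXPORT_PATH = "/reports/export-x7Qp3mZkL9vT"

# Route table: path -> (minimum role required, handler). The admin links are
# not rendered in the navigation for ordinary users, but that is cosmetic.
ROUTES: Dict[str, Tuple[str, Callable[[Session, Dict[str, str]], str]]] = {
    "/admin/delete_user": ("admin", delete_user),
    HIDDEN_EXPORT_PATH: ("admin", export_reports),
    "/profile": ("user", view_profile),
}


def dispatch(path: str, session: Optional[Session],
             params: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Server-side authorization. The check runs on every request: knowing a
    hidden URL, or re-enabling a hidden menu entry, changes nothing."""
    params = params or {}
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    required, handler = route
    if session is None:
        return 401, "authentication required"
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK[required]:
        return 403, "forbidden"
    return 200, handler(session, params)


if __name__ == "__main__":
    bob, root = Session("bob", "user"), Session("root", "admin")
    print(dispatch("/admin/delete_user", bob, {"target": "alice"}))   # (403, 'forbidden')
    print(dispatch(HIDDEN_EXPORT_PATH, bob))                            # (403, 'forbidden')
    print(dispatch("/admin/delete_user", root, {"target": "alice"}))  # (200, 'deleted alice')
```

The hidden path is treated exactly like the visible admin path: a low-privilege user who learns the URL, whether from a browser history, a proxy log or a guess, still gets a 403. A review question worth asking of any application is whether each privileged handler would refuse a request that arrives without the UI's cooperation, because that is precisely how the fraudulent transactions mentioned above happen.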

Hidden Service Set Identifiers (SSIDs)

Hiding your Wi-Fi SSID is a good idea to stop war drivers from locating and exploiting your Wi-Fi networks, but it won’t stop a determined hacker from hunting down your SSID name and cracking your password. While it’s a good measure to stay hidden, it’s equally important to configure strong passwords together with a robust encryption standard.

Systems hosted on a random internal network

Thanks to IDS/IPS sensors, scanning a private IP address range sounds an alarm that someone is trying to hack the network and alerts network administrators before an IP address hosting critical applications can be discovered. This is the reason critical applications and systems are often hidden on a separate network. Unfortunately, scanning is not the only way to discover a network. While hiding critical systems on a separate network is another defense-in-depth measure, it’s equally important to monitor all system activity, review logs, keep systems patched, and implement additional security controls.

Using honeypots on the network

One of the most effective, efficient, and impactful ways to keep hackers off your network is to make use of honeypots. This is an obscurity practice that tricks hackers into thinking they’ve found their holy grail (even if they do eventually realize it was a trap). Using a honeypot as an STO technique is a great way to identify and learn the types of attacks a target company is up against, as long as its perimeter security is hardened, patched, and access-controlled to only authorized, restricted, and legitimate individuals.
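As an added example (not code from the article), here is a low-interaction TCP honeypot in Python: it binds a port that nothing legitimate uses, accepts connections, records the first bytes each client sends and emits one alert record per connection. The port number, the probe classification heuristics and the alert format are this example's own assumptions; in a real deployment the alert would be shipped to the SIEM rather than printed.

```python
import json
import socketserver
from datetime import datetime, timezone

# Anything that connects here is suspicious by construction: no authorized
# user or system has a reason to talk to this port, so every hit is a signal
# with essentially no false-positive cost.
LISTEN_PORT = 2222  # constructed choice; pick a port unused on the host


def classify_probe(first_bytes: bytes) -> str:
    """Rough guess at what the connecting client expected to find, based on
    the first bytes it sent. Used only to enrich the alert."""
    if not first_bytes:
        return "connect-only"
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client"
    method = first_bytes.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"OPTIONS", b"PUT"):
        return "http-client"
    return "unknown"


def build_alert(peer_ip: str, peer_port: int, listen_port: int,
                first_bytes: bytes) -> dict:
    """One structured record per connection, ready to be logged or forwarded."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "honeypot_connection",
        "src_ip": peer_ip,
        "src_port": peer_port,
        "honeypot_port": listen_port,
        "probe": classify_probe(first_bytes),
        "sample": first_bytes[:64].decode("latin-1"),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        # Read a little, never answer with anything that looks like a real
        # service, then hang up. The value is entirely in the alert.
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(256)
        except OSError:
            data = b""
        alert = build_alert(self.client_address[0], self.client_address[1],
                            self.server.server_address[1], data)
        self.server.alerts.append(alert)
        print(json.dumps(alert))  # production: forward to the SIEM instead


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_address):
        super().__init__(bind_address, HoneypotHandler)
        self.alerts: list = []


if __name__ == "__main__":
    server = Honeypot(("0.0.0.0", LISTEN_PORT))
    print(f"honeypot listening on {LISTEN_PORT}")
    server.serve_forever()
```

Note what the honeypot does not do: it does not protect the real services, and it does not replace the perimeter hardening the paragraph above insists on. Its job is detection, and the alert it produces (source address, what the client tried to speak) is what lets a defender learn which attacks are actually arriving.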

In conclusion

While STO can enhance the security of an organization's IT infrastructure, it’s important to realize that security "exclusively" through obscurity is a poor method to keep hackers off your network. Security should be strong enough that it doesn’t need obscurity — when that’s achieved, you can have confidence in your systems and their implementation.