Security Through Obscurity

Suddenly, I realized that if there's no such thing as security through obscurity (as some people claim), then maybe there's no such thing as strong security at all. This thought was brought on by reading an entry by George Ou in his blog at ZDNet. Ou writes about what he considers to be "the six dumbest ways to secure a wireless LAN." Although I agree with Ou that the items he lists don't offer much in the way of security, I think he's wrong that using the cited methods is dumb.

First on Ou's list of dumb wireless security measures is MAC address filtering. His reasoning is that anybody with a sniffer can grab MAC addresses, therefore filtering connectivity to a wireless Access Point (AP) based on MAC addresses is useless. Second on the list is hiding Service Set Identifiers (SSIDs). Ou states that there are five ways that SSIDs are transmitted, only one of which can be shut off through simple configuration settings. The other ways can't be shut off, thus there's no such thing as hiding an SSID. Third on the list is Lightweight Extensible Authentication Protocol (LEAP) authentication. Ou thinks that LEAP is useless because it requires the use of strong passwords to be effective and it's impossible for humans to manage strong passwords. Also, LEAP is a proprietary Cisco Systems protocol.

Next on the list is disabling DHCP. Ou's idea here is that anybody with a sniffer can determine what addresses are in use and manually assign themselves an address from the same network block. Fifth on the list is antenna placement. Some people recommend placing antennas in the center of a building and running APs at minimum power to limit their wireless network's reach. This doesn't work because hackers use strong antennas. Last on the list is the use of 802.11a or Bluetooth, neither of which actually offers added security.

A basic tenet of information security is that no security mechanism is 100 percent effective. Another alleged tenet is that there is no security through obscurity. The first tenet might be true, but the second must be false because it seems to me that all forms of security are forms of obscurity with varying degrees of effectiveness. Here's a proof: Any form of strong encryption is extremely hard to crack, but somebody with enough time and computing power can eventually break even the strongest encryption. Strong encryption provides a barrier that significantly narrows the field of potential intruders but doesn't eliminate all possible intrusion. Therefore, strong encryption is a form of obscurity, and it certainly provides a good measure of security.

By obscuring a wireless network as much as possible, you can prevent a significant number of intrusions because some potential intruders will lack the resources needed to get past the obstacles. So even the most trivial measures, such as not broadcasting SSIDs, will in fact prevent some intruders from gaining access to a wireless network.

That said, I want to mention something about strong passwords, particularly since Ou claims they are impossible for humans to manage. It can be difficult at first to memorize a strong password, but it's certainly not impossible. One creative technique for forming a difficult-to-crack password is to assemble a passphrase that includes words from different languages. Why not pick one or more words in other languages that use the same character set (even if you don't speak the language), memorize those words, and use them in some way to create strong passwords and passphrases? After all, how many intruders will guess that your strong passwords comprise a dozen different words from a dozen different languages? And how many will collect dozens of dictionaries in an effort to attempt to crack your passwords and passphrases?

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.