Sunday, November 22, 2009
Banks and governments going to security through obscurity
Security through obscurity is something I have seen a lot of organizations using in Kenya, both private and government. But as this goes on, does it mean private and confidential data can never be compromised by the bad guys? I was doing an infosec assessment with a bank the other day and amazingly I found out that they were hiding systems behind their firewalls which were really vulnerable, but if you scanned their block very carefully without triggering the Cisco PIX you would get loads of info.
An nmap scan of the mail server reported:
PORT      STATE    SERVICE      VERSION
25/tcp    open     smtp         Cisco PIX sanitized smtpd
Service Info: Device: firewall
One thing the administrators didn't know is that if you get such a disclosure right after scanning a mail server, every attacker knows what he is dealing with. Any further attacks from there get blocked by an IPS, which also blocks that IP, but the attacker already has the information. Some of these organizations rarely inspect intrusions or perform incident handling, so if an attacker sees such info, researches what he has found and comes back after one year, the administrators or even the security team have no record of the attacks that happened 12 months ago from the same range of IPs, and it becomes hard to protect such infrastructure.
This becomes a serious issue, and with good luck the attacker may get to very valuable info.
After I realized that a Cisco PIX was blocking me, I decided to switch to another ISP network and ran through KDN. This time I was doing stealth scans of the whole block and found mail servers, web servers and internet banking servers all gaping open to the internet. Amazingly, some of these servers had MySQL ports open with user root and password r00t. Several routers were also exposed to the internet:
Not shown: 990 closed ports
PORT      STATE    SERVICE       VERSION
23/tcp    open     telnet        Cisco router
79/tcp    open     finger        Cisco fingerd
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
465/tcp   filtered smtps
808/tcp   filtered ccproxy-http
1002/tcp  filtered windows-icfw
3918/tcp  filtered unknown
4004/tcp  filtered unknown
34573/tcp filtered unknown
Service Info: OS: IOS; Device: router
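As an added example, not code from the original post, here is a small Python checker that parses Nmap -sV listings like the two above and flags the exposures the post describes: the PIX "sanitized smtpd" banner on the mail server, and open telnet and finger on the router. The RISKY_OPEN policy list (including mysql, from the root/r00t remark) is my own assumption.

```python
import re
from typing import List, Tuple
# Sample input: the two Nmap -sV listings from the post (router one trimmed).
PIX_MAIL_SCAN = """\
PORT STATE SERVICE VERSION
25/tcp open smtp Cisco PIX sanitized smtpd
Service Info: Device: firewall
"""
ROUTER_SCAN = """\
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
79/tcp open finger Cisco fingerd
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
Service Info: OS: IOS; Device: router
"""
# Policy list (my assumption): services a bank should never expose at the
# perimeter; mysql is here because of the post's root/r00t remark.
RISKY_OPEN = {
    "telnet": "cleartext administrative login",
    "finger": "user enumeration",
    "mysql": "database reachable from the internet",
}
# Matches port lines such as "23/tcp open telnet Cisco router".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, state, service, version) for each port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4), m.group(5) or ""))
    return rows

def audit(text: str) -> List[str]:
    """Flag open risky services and the PIX banner disclosure."""
    findings = []
    for port, state, service, version in parse_nmap(text):
        if state != "open":
            continue  # filtered ports are not exposures in themselves
        if service in RISKY_OPEN:
            findings.append(f"{port}/{service}: {RISKY_OPEN[service]}")
        # Nmap reports the PIX SMTP fixup (Mailguard) as "sanitized smtpd";
        # that banner alone tells a sender a Cisco firewall fronts the host.
        if "sanitized smtpd" in version.lower():
            findings.append(f"{port}/{service}: banner discloses Cisco PIX firewall")
    return findings
```

Run audit() over each scan to get the list of findings the administrators in the post would have wanted before the attacker did.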
So as far as security through obscurity is concerned, I think it's not a good option, especially for financial institutions. For government institutions it is also a bad deal: if you look at network infrastructures like KRA, such systems aren't carefully protected, so that if there is an attack, with incidents like deletion or alteration of information, there would be a lack of integrity and availability of data for authorized users and the taxpayers.