Blocking version information

Rich Parkin RParkin at ldmi.com
Mon Jun 20 18:32:26 UTC 2005


I wasn't going to weigh in on this, but why not?  Everyone else seems to
be, and I might as well kill some time while I'm hoping for an answer to
my stats question.

There is one - and to my mind only one - good argument for concealing the
version number of any software.  And that is, concealing the most
effective target.

What I mean by that is, if I were a worm-hacker and wanted to figure out
how I could get the most bang for my buck, knowing which versions are most
in production is useful information.  I could focus my efforts on
developing exploits for those.  Or if I'm specifically trying to penetrate
certain financial institutions, for example, knowing what versions of web
server, mail server and dns server they're running might give me a pretty
good idea of the best path of attack.  If they can compromise your DNS
server, they inarguably get some pretty useful information about your
organization and have a window of opportunity to phish some of your users
and customers with poisoned DNS information.

You're right in that concealing version information from script kiddies is
of no practical use whatsoever.  They just run the exploit code du jour
and get what they get.  If you have the bad luck to be vulnerable to that
particular exploit, congratulations.

Concealing that information from the real pros might slow them down a
little, which might mean the difference between detecting and thwarting an
attack and having my credit card number sold along with a few hundred
thousand others to the highest bidders.  Or maybe even convincing them to
go look for an easier target.

So, concealing version numbers might help me a little bit.  Maybe not
enough to really justify the hassle, but a little.  If most of the
operators did it, though, we might defeat or at least slow down the kind
of statistical analysis that could tell the bad guys where to focus their
efforts.  Again, is it worth the hassle?  I don't really know, and I don't
think anyone who isn't plugged into the black hat community does either.

I'm not going to argue the point either way, just playing Devil's Advocate
for the white hats.  I can see the points for and against on both sides of
the argument.  Few people still agree that security through obscurity is
really effective.  On the other hand, you don't flash your hand to
everybody at the poker table either.  And, as Bill Larson says, sometimes
you have to keep up appearances whether you agree with it or not.

Richard Parkin
CCNA
Network Engineering
LDMI Telecommunications

>>> Bill Larson <wllarso at swcp.com> 06/20/05 12:05 PM >>>
On Jun 20, 2005, at 9:04 AM, Barry Finkel wrote:

> I would assume that most of the script users would follow path 2),
> as it finds more exploits more quickly than path 1).  If this is
> the case, then why hide the version number if the script users do not
> use that version number?

I completely agree that trying to hide the version information of the
copy of "named" is futile, but there is one other side.

There are many "security" checks that simply report that the version
number is available and that this is a "security issue".  Often these
checks are performed by an outside organization that is being paid for
by management, and management isn't going to listen to philosophical
arguments or logic or even facts.  What these consultants say WILL be
implemented no matter what.

So, this is an argument that I will not take on.  I know that this
version information will NOT "secure" a system, and in fact it may make
troubleshooting more difficult, but management says to hide the version
information and I will do it.  Hiding of version information appears to
be SOP for the security people and "security" is a magic word.

When discussing this issue with the security people, they are generally
inflexible.  At best they will admit that this doesn't provide any
"security" but that this is simply a common security practice.  At
worst, they will quote someone else saying that this is a "good thing",
someone else that I completely respect like Cricket Liu in "DNS & BIND"
(4th edition, pg 313-314), and Rob Thomas in "Secure BIND Template"
(http://www.cymru.com/Documents/secure-bind-template.html).

All I am saying is that even though I completely agree with you that
hiding the version number of "named" that is currently running does NOT
provide any additional security, I will comply with my management
telling me to hide the version because some "security" person told them
that this must be done.  It is not worth arguing about.  The idea is
too deeply entrenched to fight.

Bill Larson



