Blocking version information
RParkin at ldmi.com
Mon Jun 20 18:32:26 UTC 2005
I wasn't going to weigh in on this, but why not? Everyone else seems to be, and I might as well kill some time while I'm hoping for an answer to my stats question.

There is one - and to my mind only one - good argument for concealing the version number of any software. And that is, concealing the most
What I mean by that is, if I were a worm-hacker and wanted to figure out how I could get the most bang for my buck, knowing which versions are most in production is useful information. I could focus my efforts on developing exploits for those. Or if I'm specifically trying to penetrate certain financial institutions, for example, knowing what versions of web server, mail server and dns server they're running might give me a pretty good idea of the best path of attack. If they can compromise your DNS server, they inarguably get some pretty useful information about your organization and have a window of opportunity to phish some of your users and customers with poisoned DNS information.

You're right in that concealing version information from script kiddies is of no practical use whatsoever. They just run the exploit code du jour and get what they get. If you have the bad luck to be vulnerable to that particular exploit, congratulations.

Concealing that information from the real pros might slow them down a little, which might mean the difference between detecting and thwarting an attack and having my credit card number sold along with a few hundred thousand others to the highest bidders. Or maybe even convincing them to go look for an easier target.

So, concealing version numbers might help me a little bit. Maybe not enough to really justify the hassle, but a little. If most of the operators did it, though, we might defeat or at least slow down the kind of statistical analysis that could tell the bad guys where to focus their efforts. Again, is it worth the hassle? I don't really know, and I don't think anyone who isn't plugged into the black hat community does either.

I'm not going to argue the point either way, just playing Devil's Advocate for the white hats. I can see the points for and against on both sides of the argument. Few people still agree that security through obscurity is really effective. On the other hand, you don't flash your hand to everybody at the poker table either. And, as Bill Larson says, sometimes you have to keep up appearances whether you agree with it or not.
>>> Bill Larson <wllarso at swcp.com> 06/20/05 12:05 PM >>>
On Jun 20, 2005, at 9:04 AM, Barry Finkel wrote:
> I would assume that most of the script users would follow path 2),
> as it finds more exploits more quickly than path 1). If this is
> the case, then why hide the version number if the script users do not
> use that version number?
I completely agree that trying to hide the version information of the copy of "named" is futile, but there is one other side.

There are many "security" checks that simply report that the version number is available and that this is a "security issue". Often these checks are performed by an outside organization that is being paid for by management, and management isn't going to listen to philosophical arguments or logic or even facts. What these consultants say WILL be implemented no matter what.

So, this is an argument that I will not take on. I know that this version information will NOT "secure" a system, and in fact it may make troubleshooting more difficult, but management says to hide the version information and I will do it. Hiding of version information appears to be SOP for the security people and "security" is a magic word.

When discussing this issue with the security people, they are generally inflexible. At best they will admit that this doesn't provide any "security" but that this is simply a common security practice. At worst, they will quote someone else saying that this is a "good thing", someone else that I completely respect like Cricket Liu in "DNS & BIND" (4th edition, pg 313-314), and Rob Thomas in "Secure BIND Template"

All I am saying is that even though I completely agree with you that hiding the version number of "named" that is currently running does NOT provide any additional security, I will comply with my management telling me to hide the version because some "security" person told them that this must be done. It is not worth arguing about. The idea is too deeply entrenched to fight.
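The "version number is available" check the consultants run is a TXT query for version.bind in the CHAOS class, and BIND's `version` option inside `options { }` in named.conf decides what that query gets back. The following is an added example, not code from the thread or from BIND: it builds that query, parses the reply, and can be pointed at your own server to confirm what it discloses; the wire-format values are protocol constants, and the hostnames or responses you feed it are yours.

```python
import socket
import struct

# version.bind / CH / TXT is the conventional query dig and scanners send.
VERSION_NAME = "version.bind"
CLASS_CH, TYPE_TXT = 3, 16

def encode_name(name):  # dotted name -> length-prefixed labels + NUL
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_version_query(txid=0x1234):
    """Wire-format query 'version.bind. CH TXT': 12-byte header (RD=0), one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(VERSION_NAME) + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def skip_name(msg, pos):  # advance past a (possibly compressed) name
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n >= 0xC0:          # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n

def parse_txt_answers(resp):
    """Return the TXT strings in a DNS response; [] if refused or no TXT answer.

    A server with 'version "not disclosed";' answers with that string; with
    'version none;' it refuses, which shows up here as an empty list.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000 or flags & 0x000F:   # not a response, or RCODE != 0
        return []
    pos, strings = 12, []
    for _ in range(qd):                        # skip the echoed question
        pos = skip_name(resp, pos) + 4
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        rdata, pos = resp[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == TYPE_TXT:                  # RDATA: one or more <len><chars>
            i = 0
            while i < len(rdata):
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return strings

def query_version(server, timeout=2.0):
    """Send the query over UDP to a server you operate and return its TXT strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_txt_answers(s.recv(512))
```

`query_version("127.0.0.1")` against a default named returns the real version string, so the parsed list is the thing to compare before and after setting the `version` option.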