NYCPHP Meetup

NYPHP.org

[nycphp-talk] Basic security question

Paul Reinheimer preinheimer at gmail.com
Wed Jul 14 15:22:27 EDT 2004


Every attack, whether web or otherwise, I have heard about starts with
learning as much as you can about the target's systems, then seeking
to exploit some either known or unknown security holes in the software
that system is running.

Knowing that, why reveal anything? Make the potential attacker work
for every piece of information they want. Set the Apache server string
to claim it is some recent release of IIS, tell all the services not
to advertise they are running, save your .php files as .exe and tell
Apache just to interpret appropriately, etc. Obviously if you choose to
run some off the shelf application (i.e. phpBB) you will let the cat out
of the bag, but separating it to a subdomain may only add to the
confusion.

Does anyone see any real advantage to this approach?


paul
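
An added example, not part of the original post: a small Python check an administrator can run over their own server's responses to see which signals still point to PHP after the banner and file-extension changes described above. The sample responses, version strings and the function name `php_indicators` are constructed for illustration; `expose_php` and `session.name` are the php.ini settings assumed to control the X-Powered-By header and the session cookie name.

```python
import re

# Constructed sample responses (illustrative values, not captured traffic).
SAMPLES = {
    "default": ("/index.php", [
        ("Server", "Apache/1.2.3 (Unix) PHP/4.5.6"),
        ("X-Powered-By", "PHP/4.5.6"),
        ("Set-Cookie", "PHPSESSID=0123456789abcdef; path=/")]),
    # Banner swapped and files renamed to .exe, nothing else changed.
    "disguised": ("/index.exe", [
        ("Server", "Microsoft-IIS/9.9"),
        ("X-Powered-By", "PHP/4.5.6"),
        ("Set-Cookie", "PHPSESSID=0123456789abcdef; path=/")]),
    # Same disguise plus expose_php = Off and a custom session.name in php.ini.
    "consistent": ("/index.exe", [
        ("Server", "Microsoft-IIS/9.9"),
        ("Set-Cookie", "sid=0123456789abcdef; path=/")]),
}

# Matches a PHP-style extension at the end of the path or before ?, # or /.
PHP_EXT = re.compile(r"\.(php\d?|phtml)(?:[/?#]|$)", re.I)

def php_indicators(url, headers):
    """Return the sorted names of signals in one response that point to PHP."""
    found = set()
    if PHP_EXT.search(url):
        found.add("php-extension")
    for name, value in headers:
        name = name.lower()
        if name == "x-powered-by" and "php" in value.lower():
            found.add("x-powered-by")
        elif name == "server" and "php/" in value.lower():
            found.add("server-banner")
        elif name == "set-cookie":
            # The default PHP session cookie name gives the platform away.
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name.upper() == "PHPSESSID":
                found.add("phpsessid")
    return sorted(found)

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(label, php_indicators(url, headers))
```

The "disguised" sample shows that changing only the server string and the file extension leaves two PHP indicators in every response, so the disguise contradicts itself unless the remaining settings are changed as well.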


