[nycphp-talk] Basic security question
Mitch Pirtle
mitchy at spacemonkeylabs.com
Wed Jul 14 15:46:34 EDT 2004
Paul Reinheimer wrote:
>Every attack wether web or otherwise I have heard about starts with
>learning as much as you can about the target's systems, then seeking
>to exploit some either known or unknown security holes in the software
>that system is running.
>
>Knowing that, why reveal anything? Make the potential attacker work
>for every peice of information they want. Set the apache server string
>to claim it is some recent release of IIS, tell all the services not
>to advertise they are running, save your .php files as .exe and tell
>apache just to interpret apropriatly. etc. Obviously if you choose to
>run some off the shelf application (ie phpBB) you will let the cat out
>of the bag, but seperating it to a subdomain may only add to the
>confusion.
>
>Does anyone see any real advantage to this approach?
>
>
This is called 'security through obscurity', and can be effective as
part of a LAYERED approach, but certainly cannot achieve better results
than hardened operating systems and carefully configured application
services.
-- Mitch
More information about the talk
mailing list