/c/cybersecurity - Cybersecurity News & Discussion @lemmy.ml Jimmycrackcrack @lemmy.ml

To what extent does obscurity mitigate risk?

I only wonder because, while I know no one could advise per se that people deliberately make bad security decisions, I don't feel as a layman that the nature of the risk is adequately explained.

Specifically, if you use a really old OS or an old now unsupported phone. The explanations for why this is dangerous tend to focus on the mechanism by which it creates a security flaw (lack of patches, known hardware security flaws that can never be patched).

If we use an analogy of physical security whereby the goal is to prevent physical intrusion by thieves or various malicious actors, there's a gradient of risk that's going to depend a bit on things like who and where you are. If you live in a remote cabin in the woods and left your door open, that's bad, but probably less bad than in a high crime area in a dense city. Similarly, if you're a person of note or your house conspicuously demonstrates wealth, security would be more important than if you're not and it doesn't.

I would think, where human beings are making conscious choices about targets for cybercrime, some parallels would exist. If then, you turn on an old device that's long obsolete for the first time in years and connect to the internet with it, while I know you are theoretically at great risk because your doors and windows are essentially wide open, how risky is that exactly? If you just connect, at home on your wifi, and don't do anything? Is someone inevitably going to immediately find and connect to this device and exploit its vulnerabilities? Or does there have to be a degree of bad luck involved?

I've brought up the idea of malicious actors who are human beings making conscious decisions (hackers), but I was once told the concern is more to do with automated means of finding such devices when they're exposed to the internet. This makes more sense since a theoretical hacker doesn't have to sit around all day just hoping someone in the world will use an outdated device and that they'll somehow see this activity and be able to exploit the situation, but I guess, it seems hard for me to imagine that such bots or automated means of scanning, even if running all day, will somehow become aware the minute anyone, anywhere with an insecure device connects to the internet. Surely there has to be some degree of coincidental happenstance where a bot is directed to scan for connections to a particular server, like a fake website posing as a bank or something? It just doesn't seem it could be practical otherwise.

If I'm at all accurate in my assumptions, it sounds then like there's a degree to which a random person, not well known enough to be a specific target, not running a website or online presence, connecting an insecure device to the internet, while engaging in some risk for sure, isn't immediately going to suffer consequences without some sort of inciting incident. Like falling for a phishing scam, or a person specifically aware of them with malintent trying to target them in particular. Is that right?



9 comments
  • You're pretty well on the right track. It might help if I explain what the attack is doing more. So an attacker starting out knows nothing about you or even where you are. So they need to figure these things out. The most optimal way to do this is by scanning everything, and I do mean everything. There are automated scans that get information on literally everything that is open on the web. An unconfigured device that's capable of ssh can get hit with login attempts after just 30 seconds of being plugged in. So first they try to find someone, and let's say at random they get you; they don't know who you are yet but they have an IP now. First they run scans to see what's available, what services are internet capable and talking to anyone who asks. Once they know what services, they will do banner grabbing to try to find out specifics about the service like version number. Once they have this information they can dig for more or look for vulnerabilities specific to that service and version. Metasploit will actually tell you which attacks work for the version numbers you've discovered, pretty handy. If they decide to proceed they send the correct exploit to your computer and bam, they're in to do whatever. If you're running something out of date there are usually vulnerabilities that just will allow access to attackers; this is why updating is important.

    Security through obscurity first relies on not being seen in the first place, whether through not connecting to much or being something no one cares about hacking in the first place. Second it relies on being uncommon enough to not have a bunch of known vulnerabilities. A random GitHub program with 10k downloads is going to have a lot fewer known vulnerabilities than Microsoft Office. Third it relies on being so little known that even if someone can figure out how to hack in they won't know what to do. Imagine trying to find important documents on someone's heavily customized Linux box as opposed to a Windows box.

    TL;DR: security through obscurity is first hoping you don't get seen, then hoping if you are seen that they don't care. It's not good security but it might work.
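The comment above says an exposed ssh service can start receiving login attempts within about 30 seconds. The defender's side of that claim is visible in the host's own auth log, and the script below (an added example written for this thread, not code from the original poster or the commenter) shows how to measure it. It parses a constructed sshd log excerpt (not from any real host; the source addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), reports how long after sshd started listening the first failed login arrived, and flags sources whose behaviour looks automated: many failures in a short window, or guesses against several different usernames. The thresholds are assumptions chosen for the example, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not captured from any real host).
# Public addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:00 pi sshd[812]: Server listening on 0.0.0.0 port 22.
Jan 10 12:00:27 pi sshd[901]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:29 pi sshd[903]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 12:00:31 pi sshd[905]: Failed password for invalid user pi from 203.0.113.5 port 51250 ssh2
Jan 10 12:00:33 pi sshd[907]: Failed password for invalid user ubuntu from 203.0.113.5 port 51261 ssh2
Jan 10 12:00:35 pi sshd[909]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2
Jan 10 12:01:02 pi sshd[950]: Failed password for invalid user oracle from 198.51.100.77 port 40010 ssh2
Jan 10 12:01:04 pi sshd[952]: Failed password for invalid user postgres from 198.51.100.77 port 40011 ssh2
Jan 10 12:01:06 pi sshd[954]: Failed password for invalid user git from 198.51.100.77 port 40012 ssh2
Jan 10 12:05:10 pi sshd[990]: Failed password for alice from 192.168.1.20 port 55000 ssh2
Jan 10 12:05:20 pi sshd[992]: Accepted password for alice from 192.168.1.20 port 55001 ssh2
"""

# Classic syslog layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LISTEN_RE = re.compile(r"Server listening on \S+ port \d+")


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_events(log_text):
    """Yield (timestamp, kind, ip, user) for the lines this example cares about."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if LISTEN_RE.search(msg):
            yield ts, "listen", None, None
            continue
        f = FAILED_RE.search(msg)
        if f:
            yield ts, "failed", f.group("ip"), f.group("user")


def analyze(log_text, burst_threshold=5, window_seconds=60, user_threshold=3):
    """Measure time-to-first-attempt and flag sources that look like automated guessing.

    A source is flagged when it produces >= burst_threshold failures inside any
    window_seconds span, or when it tries >= user_threshold distinct usernames
    (a real user mistyping a password does not cycle through account names).
    Threshold values are assumptions for the example, not tuned guidance.
    """
    events = list(parse_events(log_text))
    listen_ts = next((ts for ts, kind, _, _ in events if kind == "listen"), None)
    failed = [(ts, ip, user) for ts, kind, ip, user in events if kind == "failed"]

    first_attempt = min((ts for ts, _, _ in failed), default=None)
    seconds_to_first = None
    if listen_ts is not None and first_attempt is not None:
        seconds_to_first = (first_attempt - listen_ts).total_seconds()

    by_ip = defaultdict(list)
    for ts, ip, user in failed:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Sliding window over the sorted timestamps: densest run of failures.
        densest, start = 0, 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            densest = max(densest, end - start + 1)
        users = sorted({u for _, u in attempts})
        if densest >= burst_threshold or len(users) >= user_threshold:
            flagged[ip] = {"failures": len(attempts), "distinct_users": users}

    return {
        "seconds_to_first_attempt": seconds_to_first,
        "failures_per_ip": {ip: len(a) for ip, a in by_ip.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    print(f"first failed login {report['seconds_to_first_attempt']:.0f}s after sshd started")
    for ip, info in report["flagged"].items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['distinct_users']}")
```

On the constructed sample the first guess lands 27 seconds after sshd started listening, the two public sources are flagged (one for a burst of five failures in eight seconds, the other for cycling through three usernames), and the single mistyped password from the LAN address is left alone. The same parsing runs unchanged over a real `/var/log/auth.log` on a Debian-style host; on journald systems feed it `journalctl -u ssh -o short` output, which uses the same timestamp layout.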
