Computerworld - Security through obscurity is probably one of the oldest tricks in the security book.
The basic premise stems from the fact that people are trying to ensure security by hiding certain facts of their software or architecture design from regular users. This is equivalent to someone hiding a house key under a pot of plants in front of his house.
However, Auguste Kerckhoffs, a 19th century Flemish cryptographer, said it should be assumed that attackers know the design of the entire security system, except for the keys. This concept, known as Kerckhoffs' law, basically rejected the notion of security through obscurity (your key hidden under your potted plant) and suggested that a system should be secure even if everything's public knowledge, except the key.
Most administrators and developers these days are somewhat familiar with the various security concepts such as virus, worm, buffer or heap overflow, cross-site scripting and SQL injection. Since these concepts are fresh in their minds, they try to take explicit precaution to avoid these traps.
However, they continue to develop software and products that rely on hiding certain trivial information, such as URL, username or other session information, and hope that users won't find them. They also try to hide this information in obvious places, such as hidden fields of a Web page or a different directory on a Web server.
A case in point: Last March, Harvard Business School, along with a few other top business schools, suffered a huge embarrassment because its admission portal had a "break-in," as university officials called it (see story). ApplyYourself.com, a company that handles applications for Harvard and other elite institutions, had a Web portal where applicants could check on the status of their applications. Generally, Harvard's decisions go out on March 30. However, one applicant had figured out a way to obtain the status before that date. This applicant then posted it on a Web site for others to try. In the end, a total of 119 applicants tried this method. After finding out, Harvard decided to reject these 119 applicants regardless of their admission status (see story). Stanford University had made similar decisions recently, rejecting 41 applicants who tried this method.
We are not here to argue whether Harvard and Stanford made the right decision or whether the action taken by the 119 applicants was ethical. However, there are some lessons to be learned here.
First of all, ApplyYourself.com's method of hiding the admission status from the applicants was a great example of security through obscurity. In order to obtain the status early,
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts