Attacking And Preventing Attacks.

Published on: 2007-04-26 (Unix timestamp 1177612660)
I wrote this article because people, myself included at times, get confused about what security really means and how to deploy it. Complete security in the strict sense is impossible to achieve in any field, and impossible to maintain constantly. It never has happened and never will, for the simple reason that anything that is built can be hacked, breached or smashed, just as anything breaks if enough force is applied to it. A glass plate can break, but so can a titanium-reinforced steel plate. So which is safer, the glass plate or the titanium one? Of course we say the titanium one. But it really depends on what is used to break it. Eventually everything breaks down; the only reason we use steel in safes and bank vaults is that it slows the attack down.

A simple MD5 hash has 2^128 possible fingerprints, a space that is not worth the effort to search exhaustively. If you wonder how huge that number is, consider this: the total number of computer hard drives ever manufactured is only around 2^29. If every hard drive held a million unique files (a gross overestimation) there would still be only 2^49 individual files, a much smaller number than 2^128. Some will then say: oh well, it's cracked, because I can use rainbow tables! But the hash isn't cracked; a rainbow table is built by hashing candidate passwords in advance and comparing the stored digest against those results. That only works because the set of passwords people actually choose is tiny compared with 2^128; the size of the digest never enters into it. To protect against rainbow tables one can salt the hashes, which makes it virtually impossible to generate "practical" rainbow tables, since every distinct salt would need a table of its own. (MD5 is also broken as a collision-resistant hash, which is a separate problem from inverting a stored password hash, and one more reason not to choose it for new designs.)
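As an added illustration (this code is not part of the original article), the following Go program shows why the precomputation trick works against an unsalted MD5 store and why a per-user salt defeats it. The function names (BuildTable, Lookup, SaltedHash, VerifySalted) and the four-word "wordlist" are constructed for the example. The salted variant uses SHA-256 only to keep the program standard-library-only; a real deployment would put a slow, memory-hard function such as scrypt or Argon2 on top of the salt.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// MD5Hex returns the hex MD5 digest of s: the 128-bit fingerprint an
// unsalted password store would keep on disk.
func MD5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// BuildTable precomputes digest -> candidate for a candidate list. A rainbow
// table is a space-optimised form of this map; the principle is identical:
// nothing is inverted, candidate hashes are computed once and then compared.
func BuildTable(candidates []string) map[string]string {
	t := make(map[string]string, len(candidates))
	for _, c := range candidates {
		t[MD5Hex(c)] = c
	}
	return t
}

// Lookup answers "which candidate produced this digest?" with one map
// access, however many candidates were precomputed.
func Lookup(table map[string]string, digest string) (string, bool) {
	pw, ok := table[digest]
	return pw, ok
}

// NewSalt returns 16 random bytes. One salt per stored password.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// SaltedHash binds the digest to a per-user salt. A precomputed table now
// has to be rebuilt for every distinct salt, which is what makes "practical"
// rainbow tables impossible.
func SaltedHash(password string, salt []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// VerifySalted recomputes the salted digest and compares in constant time,
// so the comparison itself leaks nothing about how many bytes matched.
func VerifySalted(password string, salt []byte, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(SaltedHash(password, salt)), []byte(stored)) == 1
}

func main() {
	// Constructed candidate list standing in for a real wordlist.
	wordlist := []string{"password", "letmein", "hunter2", "qwerty"}
	table := BuildTable(wordlist)

	// Unsalted store: one precomputation breaks every user who chose "hunter2".
	stolen := MD5Hex("hunter2")
	if pw, ok := Lookup(table, stolen); ok {
		fmt.Printf("unsalted digest %s -> %q\n", stolen, pw)
	}

	// Salted store: the same password yields a different digest per user,
	// so the wordlist precomputation above is useless against it.
	saltA, _ := NewSalt()
	saltB, _ := NewSalt()
	fmt.Println("same password, two salts differ:",
		SaltedHash("hunter2", saltA) != SaltedHash("hunter2", saltB))
	fmt.Println("verify correct password:",
		VerifySalted("hunter2", saltA, SaltedHash("hunter2", saltA)))
}
```

Note that the salt is not a secret; it is stored next to the digest. Its only job is to make every stored hash unique so that the attacker's precomputation cannot be amortised across users.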

From my standpoint this is something that isn't well understood among the other security people I meet and know. A lot of security people think that analysing a web application with a scanner and patching the flaws stops attacks and compromises. This is certainly not true. It slows an attacker down and possibly gives him more reason to scan your server in depth. Any attacker with enough stamina can break anything given enough time. Because patching alone won't protect you, the IDS, the intrusion detection system, was invented. That sounds cool, because now we can identify attackers when they enter areas they are not allowed to view. But this holds another problem: one can detect, but one still has to act on the detection. So what have you got once you have detected an attack? Almost nothing, unless somebody responds. And given that the smartest attackers stay under the radar, detection does not fix your security issues either. So what must be done to secure things? What is the best solution?

I have thought about it many times, and clearly this isn't easy to solve. The way I see it, it depends on what you are trying to secure. Is it possible for an attacker to reach your sensitive data through the Internet? Ouch, that's bad. After all, we know that security largely depends on slowing attacks down so that there is enough time to catch the attacker. But what can we do when that attacker telnets through 12 different IPs and proxies on the way to our server? What can we do? Actually, almost nothing, other than to keep very sensitive data offline or to encrypt it. Sounds easy, but it is tough to pull off.

In the end there are various models we can use to assess the threat and respond to it accordingly. It's pretty useless to put something worth $10 into a $1,000 safe. It's that simple: got something of value? Then you need security. Got personal data? Then you need security. Next we can look at how much of it we have: more of it needs more security. 100,000 items worth $1,000 each probably need a stronger safe. Sounds fair, doesn't it? That's the trade-off we make, and we should make it in order to work efficiently. So a database with basic user information is not a high priority compared with the same user database holding full identities and credit card details. A solution, then, is to apply more security and/or to distribute the data so that its parts are hard to correlate with each other. Credit card data is often useless to a thief who doesn't have the identity of the cardholder, just as a stolen identity is of limited use without the social security number. Not strictly speaking, but you get the point, I hope.

What would an attacker choose to do: break a safe with $10 in it or a safe with $100,000 in it? To get $100,000 out of the small safes he has to crack ten thousand $10 safes. That takes time, so it is not worth it. With this in mind, let's put user information into tiny safes: not all into one big safe but into many tiny safes, each of which needs its own code to be unlocked. That can be done: it is called encrypting the user data and distributing the parts over multiple databases, for instance storing the SSN in a separate database and linking the two only through a handle derived from a fixed secret key. You get the point; this way it's not worth the time and effort to crack each safe.
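As an added example (not code from the original article), here is one way to build the "tiny safes" in Go: the basic profile lives in one store, the sensitive field lives in a second store under an opaque link handle, and every record gets its own AES-256-GCM key. Both the link handle and the per-record key are derived from one fixed master secret with HMAC-SHA256 under different labels, so without the master key the rows in the secrets store can be neither matched to a user nor opened. The type and function names (ProfileRow, SecretRow, Vault, Seal, Open) and the sample user "u42" are constructed for this example; the master key would come from a KMS or HSM in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ProfileRow is what the low-value user database holds: no SSN, no card.
type ProfileRow struct {
	UserID string
	Name   string
	Email  string
}

// SecretRow is one "tiny safe" in the separate sensitive-data database.
// It carries no user ID, only an opaque link and an authenticated ciphertext.
type SecretRow struct {
	Link       string
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds the single fixed secret key. It lives in the application tier
// (or an HSM), never in either database.
type Vault struct{ master []byte }

func NewVault(master []byte) *Vault { return &Vault{master: master} }

// derive is HMAC-SHA256(master, label || 0x00 || userID): distinct labels give
// independent values for the link handle and the per-record key.
func (v *Vault) derive(label, userID string) []byte {
	m := hmac.New(sha256.New, v.master)
	m.Write([]byte(label))
	m.Write([]byte{0})
	m.Write([]byte(userID))
	return m.Sum(nil)
}

// LinkID is the correlation handle stored in the secrets DB. Without the
// master key it cannot be matched back to a UserID in the profile DB.
func (v *Vault) LinkID(userID string) string {
	return hex.EncodeToString(v.derive("link", userID))
}

// recordKey gives every record its own 32-byte AES key: its own safe, its own code.
func (v *Vault) recordKey(userID string) []byte { return v.derive("key", userID) }

func (v *Vault) aead(userID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.recordKey(userID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one user's sensitive field with AES-256-GCM and binds the
// ciphertext to its link handle through the associated data, so a row cannot
// be silently re-attached to a different user.
func (v *Vault) Seal(userID string, plaintext []byte) (SecretRow, error) {
	g, err := v.aead(userID)
	if err != nil {
		return SecretRow{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SecretRow{}, err
	}
	link := v.LinkID(userID)
	return SecretRow{Link: link, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(link))}, nil
}

// Open locates the user's row in the secrets DB by link handle and decrypts
// it. A missing row, a wrong key and a tampered ciphertext all surface as errors.
func (v *Vault) Open(userID string, secretsDB map[string]SecretRow) ([]byte, error) {
	row, ok := secretsDB[v.LinkID(userID)]
	if !ok {
		return nil, fmt.Errorf("no sensitive record for user %q", userID)
	}
	g, err := v.aead(userID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, row.Nonce, row.Ciphertext, []byte(row.Link))
}

func main() {
	master := make([]byte, 32) // constructed master key; use a KMS in practice
	rand.Read(master)
	v := NewVault(master)

	profiles := map[string]ProfileRow{"u42": {UserID: "u42", Name: "Ada", Email: "ada@example.org"}}
	secrets := map[string]SecretRow{}

	row, _ := v.Seal("u42", []byte("SSN=123-45-6789")) // constructed sample value
	secrets[row.Link] = row

	// What a full dump of the secrets DB shows an attacker: no IDs, no plaintext.
	for link, r := range secrets {
		fmt.Printf("link=%s... ct=%x...\n", link[:8], r.Ciphertext[:8])
	}
	pt, err := v.Open("u42", secrets)
	fmt.Println(profiles["u42"].Name, string(pt), err)

	// A different master key cannot even find the row, let alone decrypt it.
	_, err = NewVault([]byte("wrong-key")).Open("u42", secrets)
	fmt.Println("wrong vault:", err)
}
```

The design choice worth noting is that a dump of either database alone is worthless: the profile store has no sensitive fields, and the secrets store has neither user IDs nor plaintext. Correlating the two, or opening a single safe, requires the master key, and a thief who gets one record's contents learns nothing that helps with the next one.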

Still, this isn't done as much as one would like to believe. Today's focus lies mostly on securing the software. But the software can be weak if the user data is properly encrypted: in fact you could give full read access to the stored data and nobody could do a thing with it, provided the key is kept somewhere else. That caveat matters: an attacker who takes over the application that holds the key gets the plaintext along with it, so the key must live apart from the data it protects. Even so, this still doesn't happen often, which is a pity. Encryption is also a security model that deals with slowing the attacker down: it is practically impossible to extract the plaintext without knowing the secret key. So in the end all we literally have is security through secrecy. Look at a password: isn't that security through secrecy? Sure it is. It's designed to slow attacks down, and thereby to secure. (This is not the "security through obscurity" the textbooks warn against: that phrase means keeping the mechanism secret, whereas a key or password is a secret that can be replaced when it leaks, which is exactly what makes it acceptable.)