[WEB SECURITY] Securing apache installation with PHP

Ofer Shezaf Ofer.Shezaf at breach.com
Sun May 29 06:32:38 EDT 2005

> From: Jay D. Dyson [mailto:jdyson at treachery.net]
> Sent: Monday, May 23, 2005 6:19 PM
>  	In the end, service obfuscation achieves nothing.  One of three
> things will still happen: the anklebiting scriptmonkeys will just bang
> away at it; automated intrusion agents (worms) won't give a good rip
> will still bang at it; and the truly skilled attacker will see right
> through it.  Thus, the net value of said service obfuscation is nil.

I think that this distinction between threats is very good. Obfuscation
helps in repelling the script kiddies and worms, but may not help
against targeted professional attacks. 

While I would not nullify obfuscation benefits, I think that the number
of targeted attacks is on the rise. For example, recent publications
suggest that the Vodafone/Paris Hilton hack was done by a group
researching the site for a year! (Even the actual entry to Hilton's
account, which seems to have been a result of "low tech" social
engineering would have resisted obfuscation). Another good example of
targeted attacks is the XSS driven phishing attacks flourishing this

Generally speaking, the visibility of automated attacks such as worms is
magnified due to their large spread, but the actual damage to a single
organization is relatively small. So while having a similar threat level
(higher risk but lower impact) as targeted attacks, they are much more
influential in decision makers mind.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers at breach.com

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list