Safe to give out your IP address? - Page 2 - DiscussWorldIssues - Socio-Economic Religion and Political Uncensored Debate

**Flefebleaft** · 10-16-2009, 01:50 AM

So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better.

Don't remember ever saying that and I completely agree with the last sentence in that post. Looking through my posts I don't see that either. I'm saying that basing your security on obscurity is a very rookie mistake. You can even see in my first post in this thread that I said advertising information is not something I would do. With network security, however, a good admin already assumes people are trying to get in and have public information like IP addresses. Just because one doesn't advertise, it doesn't mean that information isn't out there.

**masterso** · 10-16-2009, 02:05 AM

Obscurity is exactly what security is about.

Well thought out indeed.

**Kamepherype** · 10-16-2009, 02:17 AM

Had mine plastered all over a forum once, never had a problem, mind I did have to grovel

**triardwonvada** · 10-16-2009, 02:34 AM

So have a company you want to hack, but don't know their IP(s)?

1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh?
2. If they have ANYTHING they host themselves, they're open.
3. Do a couple searches and see if their name is registered to their IP blocks...
4. Even if they relay mail through a third party, you can trace that, too.
5. Social engineering anyone?
6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan.
7. And if you really don't mind physical intrusion, inline network tap. Nuff said.

Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure.

Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY!

Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!!

**Flefebleaft** · 10-16-2009, 02:37 AM

So have a company you want to hack, but don't know their IP(s)?

1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh?
2. If they have ANYTHING they host themselves, they're open.
3. Do a couple searches and see if their name is registered to their IP blocks...
4. Even if they relay mail through a third party, you can trace that, too.
5. Social engineering anyone?
6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan.
7. And if you really don't mind physical intrusion, inline network tap. Nuff said.

Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure.

Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY!

Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!!

Summed up brilliantly, thanks LM. That's what I was trying to get across.

**triardwonvada** · 10-16-2009, 02:46 AM

So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better.

Ummm... you do realize the instant you hook something up to the internet that is accessible publicly in any manner, you've just advertised all of that... right? [surrender]

**bpejjssoe** · 10-16-2009, 03:25 AM

So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better.

Do you by chance work for the US government, because that's exactly some of the idiotic excuses I've heard from them.

"Let's use an obfuscated naming scheme on our servers so people can't figure out what they're for!"

"Don't broadcast out our SSID! Without it, someone will never know our wireless network is there!"

"No no, don't set it up so that the organization has to come through our main firewall. We don't want to mess with it and open yet another way into our network. Instead, we'll just hook up that organization straight to our LAN with a firewall between us."

"Static IPs, by nature, are more secure than DHCP. With DHCP you can just hook up and get an IP; with static IPs, someone has to assign you an IP."

/me head plants into desk repeatedly

**tattcasetle** · 10-16-2009, 03:41 AM

So have a company you want to hack, but don't know their IP(s)?

1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh?
2. If they have ANYTHING they host themselves, they're open.
3. Do a couple searches and see if their name is registered to their IP blocks...
4. Even if they relay mail through a third party, you can trace that, too.
5. Social engineering anyone?
6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan.
7. And if you really don't mind physical intrusion, inline network tap. Nuff said.

Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure.

Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY!

Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!!

But let's face it, 99% of so-called hackers are script-kiddies. So yes, I would say it technically makes you more secure. Broadcast your SSID for your unsecured WAP in the majority of areas, and you will probably find someone using your internet connection. Disable broadcasting of the SSID, and it is very unlikely that you will find anyone using your internet connection in most places. However, it is extremely easy to find these networks if you have any will to try.

If you want to protect against someone who knows what they are doing, then yes it is absolutely useless. At my work, we hired someone to try and break into our system. We gave them all the information they asked for, details about how the permissions are set up on our servers (mostly web servers, where you can get a site and run ASP or ASP.NET code), user names, network diagrams, etc. If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps.

**triardwonvada** · 10-16-2009, 03:52 AM

At my work, we hired someone to try and break into our system. We gave them all the information they asked for, details about how the permissions are set up on our servers (mostly web servers, where you can get a site and run ASP or ASP.NET code), user names, network diagrams, etc. If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps.

Wait... your company hired someone to pentest your network, but gave them all of that information? You just did most of their work for them!

I hope they were cheap!

**tattcasetle** · 10-16-2009, 03:55 AM

Wait... your company hired someone to pentest your network, but gave them all of that information? You just did most of their work for them! I hope they were cheap!

It was pretty much just physical layout. Not details on the subnets or anything like that.

**VIAGRA-VIAGRA** · 10-16-2009, 04:07 AM

If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps.

Maybe I am just really tired but that made a startlingly small amount of sense.

**bpejjssoe** · 10-16-2009, 04:11 AM

Maybe I am just really tired but that made a startlingly small amount of sense.

Cracking/hacking is about 90% social engineering and 10% technical skill.

Hard to explain, but if you give them the keys to your kingdom and they can break in from the outside without knowing where the doors are, they'd be able to break in regardless.

**VIAGRA-VIAGRA** · 10-16-2009, 04:23 AM

Cracking/hacking is about 90% social engineering and 10% technical skill.

Hard to explain, but if you give them the keys to your kingdom and they can break in from the outside without knowing where the doors are, they'd be able to break in regardless.

Ah OK, that makes more sense.

10-16-2009, 01:50 AM	#21
Flefebleaft Join Date Oct 2005 Posts 409 Senior Member	So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better. Don't remember ever saying that and I completely agree with the last sentence in that post. Looking through my posts I don't see that either. I'm saying that basing your security on obscurity is a very rookie mistake. You can even see in my first post in this thread that I said advertising information is not something I would do. With network security, however, a good admin already assumes people are trying to get in and have public information like IP addresses. Just because one doesn't advertise, it doesn't mean that information isn't out there. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 02:05 AM	#22
masterso Join Date Oct 2005 Posts 546 Senior Member	Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Obscurity is exactly what security is about. Well thought out indeed. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 02:17 AM	#23
Kamepherype Join Date Oct 2005 Posts 461 Senior Member	Had mine plastered all over a forum once, never had a problem, mind I did have to grovel Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 02:34 AM	#24
triardwonvada Join Date Oct 2005 Posts 448 Senior Member	So have a company you want to hack, but don't know their IP(s)? 1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh? 2. If they have ANYTHING they host themselves, they're open. 3. Do a couple searches and see if their name is registered to their IP blocks... 4. Even if they relay mail through a third party, you can trace that, too. 5. Social engineering anyone? 6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan. 7. And if you really don't mind physical intrusion, inline network tap. Nuff said. Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure. Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY! Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!! Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 02:37 AM	#25
Flefebleaft Join Date Oct 2005 Posts 409 Senior Member	So have a company you want to hack, but don't know their IP(s)? 1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh? 2. If they have ANYTHING they host themselves, they're open. 3. Do a couple searches and see if their name is registered to their IP blocks... 4. Even if they relay mail through a third party, you can trace that, too. 5. Social engineering anyone? 6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan. 7. And if you really don't mind physical intrusion, inline network tap. Nuff said. Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure. Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY! Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!! Summed up brilliantly, thanks LM. That's what I was trying to get across. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 02:46 AM	#26
triardwonvada Join Date Oct 2005 Posts 448 Senior Member	So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better. Ummm... you do realize the instant you hook something up to the internet that is accessible publicly in any manner, you've just advertised all of that... right? [surrender] Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 03:25 AM	#27
bpejjssoe Join Date Oct 2005 Posts 498 Senior Member	So you freely advertise what equipment you have, what OS revisions etc... to anyone? The least amount of information you give out the better. Do you by chance work for the US government, because that's exactly some of the idiotic excuses I've heard from them. "Let's use an obfuscated naming scheme on our servers so people can't figure out what they're for!" "Don't broadcast out our SSID! Without it, someone will never know our wireless network is there!" "No no, don't set it up so that the organization has to come through our main firewall. We don't want to mess with it and open yet another way into our network. Instead, we'll just hook up that organization straight to our LAN with a firewall between us." "Static IPs, by nature, are more secure than DHCP. With DHCP you can just hook up and get an IP; with static IPs, someone has to assign you an IP." /me head plants into desk repeatedly Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 03:41 AM	#28
tattcasetle Join Date Oct 2005 Posts 535 Senior Member	So have a company you want to hack, but don't know their IP(s)? 1. Look for their domain names... If they have anything public that's not on a 3rd party host, duh? 2. If they have ANYTHING they host themselves, they're open. 3. Do a couple searches and see if their name is registered to their IP blocks... 4. Even if they relay mail through a third party, you can trace that, too. 5. Social engineering anyone? 6. Dumpster diving... Knowing who their ISP is can tell a world of information and drastically narrow down a scan. 7. And if you really don't mind physical intrusion, inline network tap. Nuff said. Security through obscurity is for hapless idiots who simply don't know any better. Just because you don't ADVERTISE what you have doesn't make it any more secure!!! It's like people thinking that not broadcasting their SSID makes their wireless any more secure. Software and hardware both can be fingerprinted remotely. Hell, with the right knowledge you can map the ACLs of a firewall with little to no difficulty in a completely undetectable manner... REMOTELY! Does obscurity make ANYTHING more secure? Maybe if it's some script-kiddie who downloaded some canned apps and has no idea what he is doing. But for everyone else, it's ABSOLUTELY USELESS!!! But let's face it, 99% of so-called hackers are script-kiddies. So yes, I would say it technically makes you more secure. Broadcast your SSID for your unsecured WAP in the majority of areas, and you will probably find someone using your internet connection. Disable broadcasting of the SSID, and it is very unlikely that you will find anyone using your internet connection in most places. However, it is extremely easy to find these networks if you have any will to try. If you want to protect against someone who knows what they are doing, then yes it is absolutely useless. At my work, we hired someone to try and break into our system. We gave them all the information they asked for, details about how the permissions are set up on our servers (mostly web servers, where you can get a site and run ASP or ASP.NET code), user names, network diagrams, etc. If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 03:52 AM	#29
triardwonvada Join Date Oct 2005 Posts 448 Senior Member	At my work, we hired someone to try and break into our system. We gave them all the information they asked for, details about how the permissions are set up on our servers (mostly web servers, where you can get a site and run ASP or ASP.NET code), user names, network diagrams, etc. If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps. Wait... your company hired someone to pentest your network, but gave them all of that information? You just did most of their work for them! I hope they were cheap! Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 03:55 AM	#30
tattcasetle Join Date Oct 2005 Posts 535 Senior Member	Wait... your company hired someone to pentest your network, but gave them all of that information? You just did most of their work for them! I hope they were cheap! It was pretty much just physical layout. Not details on the subnets or anything like that. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 04:07 AM	#31
VIAGRA-VIAGRA Join Date Oct 2005 Posts 528 Senior Member	If they can break into it with that information, they can probably break into it without that information. It would just take a few more steps. Maybe I am just really tired but that made a startlingly small amount of sense. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 04:11 AM	#32
bpejjssoe Join Date Oct 2005 Posts 498 Senior Member	Maybe I am just really tired but that made a startlingly small amount of sense. Cracking/hacking is about 90% social engineering and 10% technical skill. Hard to explain, but if you give them the keys to your kingdom and they can break in from the outside without knowing where the doors are, they'd be able to break in regardless. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

10-16-2009, 04:23 AM	#33
VIAGRA-VIAGRA Join Date Oct 2005 Posts 528 Senior Member	Cracking/hacking is about 90% social engineering and 10% technical skill. Hard to explain, but if you give them the keys to your kingdom and they can break in from the outside without knowing where the doors are, they'd be able to break in regardless. Ah OK, that makes more sense. Share Share this post on Digg Del.icio.us Technorati Twitter
	Quote

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)