Home / Blogs

Security by Obscurity?

Protect your privacy:  Get NordVPN  [ Deal: 73% off 2-year plans + 3 extra months ]
10 facts about NordVPN that aren't commonly known
  • Meshnet Feature for Personal Encrypted Networks: NordVPN offers a unique feature called Meshnet, which allows users to connect their devices directly and securely over the internet. This means you can create your own private, encrypted network for activities like gaming, file sharing, or remote access to your home devices from anywhere in the world.
  • RAM-Only Servers for Enhanced Security: Unlike many VPN providers, NordVPN uses RAM-only (diskless) servers. Since these servers run entirely on volatile memory, all data is wiped with every reboot. This ensures that no user data is stored long-term, significantly reducing the risk of data breaches and enhancing overall security.
  • Servers in a Former Military Bunker: Some of NordVPN's servers are housed in a former military bunker located deep underground. This unique location provides an extra layer of physical security against natural disasters and unauthorized access, ensuring that the servers are protected in all circumstances.
  • NordLynx Protocol with Double NAT Technology: NordVPN developed its own VPN protocol called NordLynx, built around the ultra-fast WireGuard protocol. What sets NordLynx apart is its implementation of a double Network Address Translation (NAT) system, which enhances user privacy without sacrificing speed. This innovative approach solves the potential privacy issues inherent in the standard WireGuard protocol.
  • Dark Web Monitor Feature: NordVPN includes a feature known as Dark Web Monitor. This tool actively scans dark web sites and forums for credentials associated with your email address. If it detects that your information has been compromised or appears in any data breaches, it promptly alerts you so you can take necessary actions to protect your accounts.

A response by Bob Alberti, CISSP President of Sanction, Inc. to MSNBC’s report by Brock N. Meeks titled “Fort N.O.C.‘s” [Network Operating Center].

Ah yes, “Security by obscurity”:

“Many people believe that ‘security through obscurity’ is flawed because… secrets are hard to keep.”

I’m glad the guys guarding the A Root Servers are up on the latest security trends. Of course, you could hide the A Root Servers at the heart of the Minotaur’s maze, but they’re still going to be “right over there” in cyberspace, at 198.41.0.29,

7 so1-3-0-2488M.ar1.DCA3.gblx.net (67.17.68.33)  52.274 ms
8 InterNAP-Ken-Schmid-Ashburn-3.ge-2-3-0.ar1.DCA3.gblx.net (208.50.25.194) 50.903 ms
9 border12.ge2-0-bbnet1.wdc.pnap.net (216.52.127.17)  50.888 ms
10 verisign-9.border12.wdc.pnap.net (216.52.118.78)  50.227 ms
11 65.205.32.154 (65.205.32.154)  51.598 ms
12 65.205.32.42 (65.205.32.42)  52.234 ms
13 198.41.0.29 (198.41.0.29)  70.563 ms

Reminds me of a local ISP, “Glasspath” (a casualty of the DotCom Crash), which bragged that it was safer from hackers because it was situated inside an old bank vault.

Once you run that fiber through the wall of the vault, you’re letting in a lot of the world.

”’...If this site just vanished off the Internet, it would automatically [switch] over to one or two other locations,’ Silva said.  These are the so-called ‘warm back-ups’ that VeriSign has on stand-by at all times.  The Internet never sees them, Silva says, but they can be up and running within 15 minutes and in that time Internet users wouldn?t even notice a hiccup in traffic.”

And this process is tested… how? when? This testing is independently audited… when? by whom? These audit results are compared against what criteria? These criteria are set by what body?

Or are we playing fast and loose and depending on the word of a fellow who could be laid off tomorrow at the whim of a “volunteer” corporation?

I’m sure that Sean Gorman would have something to say about the security value of “security by obscurity”...

“Using mathematical formulas, he probes for critical links, trying to answer the question: “If I were Osama bin Laden, where would I want to attack?” In the background, he plays the Beastie Boys.

For this, Gorman has become part of an expanding field of researchers whose work is coming under scrutiny for national security reasons. His story illustrates new ripples in the old tension between an open society and a secure society.”

So while we can rest easy that the VeriSign A Root Server is protected by “obscurity”, the Internet itself remains vulnerable to network-based attacks and well-placed backhoes.  And the organization that’s supposed to be “managing” the Internet?  Too busy playing politics, consolidating power, and forging Afghani ccTLD contracts…

By Robert Alberti, CISSP, Founder and President

Filed Under

Comments

Stephane Bortzmeyer  –  Jan 29, 2004 4:09 PM

Since I work as a contractor for the “.af” ccTLD (Afghanistan), I would like to learn more about the last (cute but undecipherable) sentence. Facts?

Robert Alberti, CISSP  –  Jan 29, 2004 5:29 PM

A good point.  The editors left out the hotlink under the cute but indecipherable comment, which should have pointed to
http://www.theregister.co.uk/content/6/34883.html

The relevant paragraph:
“There a few redelegations that stand out. Afghanistan?s for example. The .af domain was handed over almost as soon as US forces had taken over the country to a company run by the US-created government. Incredibly, the former owner appeared from nowhere having been missing for months, signed a piece of paper saying he agreed to the transfer and promptly vanished from the face of the earth again.”

bravotango  –  Sep 23, 2004 11:55 PM

Im no techy so would appreciate some advice from anyone… I did a trace route, as my email forwarding no longer works from my NetSol email acct. to desktop Outlook Express (but I cand send out), and found that it ends at nbr. 18 > 65.205.32.50

Now, I dont understand your above article, but excuse my lack of in depth techy stuff, but are you saying that this is a vulnerable server ?

I also contact my broadbrand provider (NDO in UK) who inform me this is UUNET’s server, so I emailed them, but await tehir reply…I also was able to talk to them, but they confirm none of their servers are down.

Last few questions, is this Network Soltions, UUNET, or my broadbands problem ? who should be responsible for this fixing ?

Thanks for any advice.

Martin Hannigan  –  Feb 1, 2006 9:21 PM

Looks like this security through obscurity is
everywhere:

InterNAP-Ken-Schmid-San-Jose-3.ge-0-1-0.106.ar1.SJC2.gblx.net

INTERNAP controls the reverse resolution, not VeriSign.
That’s upstream. There’s no value in hiding in the DNS.
The IP Address is public. In fact, that resolution is
inside of the INTERNAP core. It would show up in many
companies traceroutes via that PNAP.

Could you restate your technical facts related to this?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix