
I'm wondering what the easiest way is to explain to a non-technical person (read: management) why the leakage of a simple version number is considered unnecessary/a potential risk and should be avoided.

For example version leakage through:

  1. the HTTP X-Powered-By header,
  2. the HTTP Server header and/or,
  3. public readme and changelog files.

Is there any example or metaphor that makes this easy to explain? I usually don't get any further than "Leaked version numbers make it easier for an attacker to match with known version specific software exploits in public vulnerability databases..."

Bob Ortiz
  • If management where you work is typical, the only thing that will work is to find examples where leaked version numbers have actually led to successful attacks. Then sort by dollar amount (damages caused) and send them the list. – Jedi Jun 21 '16 at 00:46
  • It's like advertising you're using an older version of Windows that a savvy attacker knows has certain weaknesses they can exploit. – HTKLee Jun 21 '16 at 02:13
  • What if that person understands the danger of *leaking old and vulnerable service versions* and wants to avoid it in a way other than by removing the "leaking" part? – techraf Jun 21 '16 at 06:56
  • I prefer to send information that matches a whole different configuration to what is actually running. Oh, you know, an attack on IIS, great, run it all you like on my Apache box. But it is security through obscurity; you should be keeping your server software up to date anyway. – ewanm89 Jun 22 '16 at 14:48
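A small audit of the headers named in the question (and of the banner-grabbing point in Marc Ruef's answer), added here as an example and not part of the original post: the two HTTP responses are constructed, and the header list and version regex are my own assumptions rather than an exhaustive check.

```python
import re

# Constructed sample responses (not captured from any real host): one leaking
# versions through Server and X-Powered-By, one hardened with settings such as
# "ServerTokens Prod" (Apache) and "expose_php = Off" (PHP).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html></html>"
)

# Response headers that routinely carry product/version strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
# Matches e.g. "Apache/2.4.7", "PHP/5.5.9", "Microsoft-IIS/8.5", "ASP.NET 4.0.30319"
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[/ ]v?(\d+(?:\.\d+)+)")


def parse_headers(raw_response):
    """Return the headers of a raw HTTP response as a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_leaks(raw_response):
    """List (header, product, version) for every version string disclosed."""
    leaks = []
    headers = parse_headers(raw_response)
    for name in DISCLOSING_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(name, "")):
            leaks.append((name, product, version))
    return leaks


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, find_version_leaks(resp))
```

Run against your own servers' responses, an empty list is the goal; anything returned is exactly the product/version pair an attacker would look up.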

4 Answers

Imagine a car robber specialized in stealing Toyota Prius models from 2010 to 2015. It will be pretty easy for him to identify this type of car, just by looking around and analyzing the model characteristics.

Now let's assume the car robber is blind and can only identify the car models by touching them. This would make it much harder for him to spot the type of cars he is specialized in.

In the first scenario, it's more likely that the car robber will identify and steal more cars of this type.

In this metaphor:

  • The car robber is the attacker
  • The car model is the version information
  • The blind car robber is the blind attacker
lepe

What he might like more is that it's less transmission and thus lower costs over the long run for internet overhead and data throughput (cheaper in the long run if you pay for traffic by total size, like on most cloud services or web server setups).

Metaphors:

  • A Locked Safe: Safes operate off of pistons and solenoids. Let's say you have a solenoid-based safe. This safe has a specific lock on it that has a vulnerability where someone with a magnet can open the safe. If someone knew the model of the lock, they would know that if they have a magnet they wouldn't even need to guess your code to the lock. They could just unlock the safe with a magnet.

  • XBox Live: XBoxes have a problem in that if someone can mod them they can cheat and steal content from the store. Sadly, techniques exist to get past this. The only problem is that the techniques are system-version dependent. If you want to mod the Xbox and don't have a modifiable version, you would go out and find a modifiable version.

These examples are like your scenario, with the XBox one being the closest. With that example you can show that if you don't have a system you can modify, you'd go out and find one. Just like attackers that need other people's hardware to try and anonymously steal things, they need servers that aren't tied to them. If they see a version of a web server with a vulnerability and take it over, they can easily use it to do illegal things, and you would get blamed and have to prove your server was attacked, and then you'd get fined because you didn't follow the best practices to prevent the attack. Either way you're losing a LOT of money.

There's a reason it's considered a security best practice after all.

Robert Mennell
  • I think your first metaphor is great, but the second one I don't understand at all. – Anders Jun 21 '16 at 08:14
  • I'm saying that if a vulnerability exists in that version they have no need to attack anything else, they get in and own everything. – Robert Mennell Jun 21 '16 at 08:15

To find and exploit a product/version specific vulnerability an attacker has to determine the product/version. This takes time and might lack accuracy.

Perhaps the attacker's time is very limited and he doesn't want to invest it into enumeration. He might then run a wide variety of exploits. Most of them won't work because they exploit other vulnerabilities of other products/versions. This approach is slow and loud. This helps the defenders.

But if the attacker knows these details about the target, and collecting them with simple banner grabbing is very easy, he might find an existing vulnerability and launch the corresponding exploit very quickly.

Preventing software from leaking such information is usually done quickly too. And it would increase the effort required of the attacker by magnitudes. Ignorance of this kind of hardening by administrators is often just a sign of their laziness.

Marc Ruef

Service version info is an advertisement. And sites like Shodan are the Penny Saver that collects all the ads from every domain across the Internet, where hackers can browse its pages for ads that interest them, ones they have an exploit or tool for. One stop shopping & it's all free.