Security Through Obscurity: Admin Accounts

Wiser men than I have pointed out that ‘security through obscurity isn’t security’, and they are right. On its own, obscurity does not create security, although it may grant the illusion of it. But as part of a more comprehensive system, obscurity can be a useful tool.

Take administrative logins, be they to your personal computer or to websites (such as this one). Generally speaking, the account name is easy enough to find. Many organizations use a standard such as FirstName.LastName, FirstInitialLastName, etc. In which case, if you know someone in the system, you already have half of what you need to log in as them.

This can actually be turned to a security benefit. For ‘important’ people (bosses, admins, etc.), have the account that fits the pattern, but restrict that account so that it can’t do anything meaningful. Then have a second account that breaks the naming pattern (ideally each of these accounts breaks the pattern uniquely, rather than all following a different pattern). This second account would have the actual admin abilities.

Thus anyone trying to log on as someone they ‘know’ is an administrator spends their time trying to get into the known (and therefore restricted) account. And if they succeed, they haven’t gained anything.

I actually do a variant of this on my website. All the posts show themselves as being created by a user account that can’t post. A different account creates the posts and assigns the authorship to the ‘public’ account.

Not a perfect system, but there are no silver bullets when it comes to security. Just many layers, each covering particular issues. All have their weaknesses, but when (not if) a layer fails, another should cover for it. At least if implemented well.

At the end of the day, this won’t stop a determined attacker, because not much will. It may delay and distract, which can be enough for more casual attackers.

Mentioning this now due to a recent ‘Computer Trespass’ at school. While I don’t know if this is how things are done there, it does fit the available information. It would also have the benefit of making ‘containment’ trivial. Obvious account compromised? Disable it, it didn’t do anything important anyway. Just bait for the ‘enemy’.
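One way to get a detection signal out of such a decoy account, as an added example that is not part of the original post: since the pattern-conforming account is never used legitimately, every authentication attempt against it is worth an alert, and a successful one means it is time to disable the decoy. The script below scans OpenSSH-style auth log lines for attempts against a configurable set of decoy names; the account names, hosts and log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed auth log lines in OpenSSH/syslog style (not real data).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4120]: Failed password for jsmith from 198.51.100.7 port 51522 ssh2
Mar 10 02:14:05 web01 sshd[4120]: Failed password for jsmith from 198.51.100.7 port 51522 ssh2
Mar 10 02:14:09 web01 sshd[4123]: Accepted publickey for k9x-ops from 192.0.2.10 port 40122 ssh2
Mar 10 02:15:30 web01 sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 51540 ssh2
Mar 10 02:16:02 web01 sshd[4131]: Accepted password for jsmith from 198.51.100.7 port 51551 ssh2
"""

# The pattern-conforming name is the decoy; the real admin ("k9x-ops" here) breaks the pattern.
DECOY_ACCOUNTS = {"jsmith"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def scan(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert dict for every logon attempt against a decoy account.

    A decoy has no legitimate users, so any attempt is suspicious. A success
    means the decoy's credential is compromised and the account should be
    disabled, which is cheap because it holds no real privilege.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] not in decoys:
            continue
        severity = "critical" if m["result"] == "Accepted" else "warning"
        alerts.append({"user": m["user"], "src": m["src"],
                       "result": m["result"], "severity": severity})
    return alerts

def summarize(alerts):
    """Count attempts per (decoy, source) so a password-guessing run stands out."""
    return Counter((a["user"], a["src"]) for a in alerts)

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['result']} logon for decoy {a['user']} from {a['src']}")
    print(summarize(found))
```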
