Thanks to recent events involving certain celebrities’ stolen pictures, “brute force attack” is now one of the hot buzz words making its rounds on the web. Besides the fact that it sounds painful, it might be difficult to hazard a guess as to what a brute-force attack means in the IT world. But, due to people consistently using weak and easy passwords, it has become a real issue for IT professionals who need to know what a brute force attack is, how to spot one when it happens, and especially how to prevent it.
FREE Download: CISO Data Breach Guide
A brute-force attack is an attack on a user’s login credentials that systematically checks all possible combinations until the correct ones are found. Scripts are usually used in these attacks, sometimes run from cracking machines loaded with custom chips and/or GPU arrays. In the worst-case scenario, this process involves going through every single available character in the key space, so the greater the processing and memory handling, the faster the key is generated.
In the world of cryptography and encryption, there is a theoretical limit to code-cracking, for the attendant resources grow exponentially as the key space increases. The current encryption standard (AES), in fact, has a 256-bit key length and is essentially unbreakable with today’s tech. Today’s brute force attacks, however, are carried out against web sites and personal computing devices which, more often than not, are ‘secured’ with passwords like “password” and “12345”.
The reason that these common passwords are so dangerous is that while an exhaustive search through a key space can take hours, days, etc., a dictionary attack that runs through a list of these common passwords will take a fraction of the time, allowing an attacker to get in and get out faster, possibly undetected.
Yes, users do sometimes use easily predictable passwords that make securing web-based or even local environments extremely difficult. Implementing password policies such as minimum length, required characters/numbers, password expiration, etc. is a great first step, but preventing brute force attacks can be tricky at best.
The recent “celebrity nude pictures” exploit succeeded because of a flaw in iCloud’s “FindMyiPhone” where Apple neglected to define a password retry limit. This is a true facepalm moment, as setting a retry limit is numero uno in the list of things to do to help prevent brute force attacks. You can also be tricky with how your webserver responds to failed logins, like randomizing the return code for unsuccessful login or even issuing a successful http return code but taking the user to a secondary login page to re-enter the password.
Additional countermeasures include requiring users to answer secret questions, employing CAPTCHAS (everybody loves those, right?), account lockouts, limiting access to certain accounts by binding them to an IP address, and blocking IPs related to multiple failed login attempts. While none of these methods can ensure that a brute force attack will never be successful, the good news is that it’s relatively simple to detect these kinds of attacks.
Brute force attacks are one of the few hacks detectable by their volume rather than their type. In your web (or proprietary app) logs, you’ll usually see a crazy amount of failed login attempts, usually originating from the same IP address. You might even see the same account logging in over and over with different passwords from different IP addresses. The login url will show unusually high amounts of volume, and you might see odd and/or malformed referring urls (e.g. http://user:firstname.lastname@example.org/login.html). In some cases, the attacker might run user names and/or password attempts sequentially, providing a nice identifiable trend for your host intrusion detection or log correlation systems to pick up. False positives should be considered as well but should be easy to weed out. For instance, multiple login attempts from the same IP trying to access the same account with the same password might just be a web/mobile app that has yet to be updated or was not supplied the correct credentials in the first place.
While hackers may not be interested in your nude photos, they are certainly interested in your users’ data, intellectual property, credit card data or just a way in to wreak havoc in your environment. Brute force attacks are some of the easiest to defend against. Make sure you find a solution with the best threat intelligence and streamlined user interface that can help easily detect and alert you to brute force attacks.
By Garrett Gross, Senior Technical Manager, AlienVault
AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence. Its products are designed and priced to ensure that mid-market organizations can effectively defend themselves against today’s advanced threats. By building the best open source security tools into one Unified Security Management platform, and then powering the platform with up-to-the-minute threat intelligence from AlienVault Labs and its Open Threat Exchange—the world’s largest crowd-sourced collaborative threat exchange—AlienVault provides its customers with a unified, simple and affordable solution for threat detection and compliance management.
While the perfect threat deflector shield has yet to be invented, AlienVault is able to provide its customers with an out-of-this-world threat detection product that ensures even the smallest ‘planets’ in the galaxy can fend off attackers.