What businesses need to know about brute-force attacks
Over the weekend hackers, supposedly from Russia and North Korea, launched a sustained cyber attack on hundreds of accounts belonging to MPs, Lords, aides, and other staff at the Houses of Parliament.
Up to 90 accounts had been breached, representing around one per cent of the total.
According to The Sunday Times the attack was a seemingly state sponsored brute-force attack.
Although this brute-force attack seems to be between international governments, such attacks are regularly aimed at businesses around the world.
In 2013 DDoS protection provider Cloudflare reported a significant increase in brute-force attacks against WordPress platforms, with the security company blocking 60 million brute-force requests in one hour.
In the same year Club Nintendo was targeted by hackers and faced over 15 million brute-force attempts, which affected 25,000 member accounts.
So how do brute-force attacks work?
Known as a cryptanalytic attack, the basic concept is very simple and revolves around an attacker trying as many password combinations as possible before chancing upon the correct one.
Often this is done by complex hardware that can try thousands of combinations per minute to gain access as quickly as possible.
The length of an attack can vary depending on the length of the password that it is trying to hack.
Some attacks might take a matter of minutes, whereas others could literally last for years, which is why cyber security experts always advice the use of long and complex passwords, as there could be trillions of combinations.
There’s also something called a reverse brute-force attack, which works in a similar way, but in an opposite fashion, where an attacker tries one password against multiple profiles.
This would aid an attack if a hacker were to have an idea of a popular or known password, but no concept of the necessary username or profile.
One of the few good things about brute-force attacks is that they are generally easy to detect, although they are not so easy to prevent.
For instance, HTTP brute-force tools generally relay requests through a variety of open proxy servers, which means that each request appears to come from a different ISP request.
This means that the attacks cannot be defended from the blocking of ISP addresses.
Furthermore, some tools even try a different username and password after each attempt, so single accounts do not lock after failed access attempts.
What about locking accounts?
The most obvious way to block a brute-force attack is to lock accounts after there are a defined number of incorrect password attempts.
Often these blocks are manually unlocked by an administrator once that the situation has been resolved, but there are several issues related to account lock outs.
For one, the lock out system could be easily abused and a single attack can lock out thousands of accounts with such a result being the aim of the attack.
Even if the attack fails to access any accounts, the usernames can be harvested from the site, depending on the error responses.
An account lockout is also particularly ineffective against attacks that only occasionally try passwords, or attacks that try one password against a large list of usernames.
Other measures businesses can take to protect against brute-force attacks
As mentioned earlier in this blog, CloudFlare Inc. provides a range of security services for websites across the world, including defenses against brute-force attacks.
The company’s Rate limiting service protects against brute-force attacks as well as denial-of-service attacks.
Rate Limiting is able to configure thresholds and define responses alongside a great range of other solutions.
The easiest and cheapest way to protect against brute-force attacks is of course implementing more complex passwords, which can be a mandatory requirement when accounts are being set up.
Most companies tend to require special characters, numbers, as well as a minimum character length of ten digits.
It is also possible to slow down brute-force attacks with the implementation of throttle requests, which can be done through captcha.
Although captcha requests can frustrate many users, they are particularly useful – but not invulnerable – against cyber attackers.
IP addresses can also be limited after a certain number of failed attempts from one location, but again, this can be difficult if that location happens to come from a school or university, which can also block genuine users.
If you are interest in protecting your business from brute-force attacks, or want to know a little more about cyber security, contact us at [email protected]