Thursday, December 07, 2006

Common Hacking and Data Theft Tactics, a Spotters Guide #1, Brute Force Attacks

If I were to limit the blog entirely to ID cards it's probably going to get a bit dull, so I'll intersperse it with a few posts on computer and data security. I wouldn't count myself as an expert on the subject, but I've written a few authentication systems in my time and know some of the common tactics hackers use.

Brute Force Attacks
I remember an episode of The New Adventures of Superman where, when confronted with a password screen, Superman keeps typing words at super speed until he gets the right password. This is essentially a brute force attack: an automated computer program fires off login attempts, using a dictionary to provide the potential passwords.

As an example, assuming it takes about 30,000 attempts to arrive at a password and you can make 5 attempts a second, you should arrive at the password in about 100 minutes.

Prevention Tactics
Ambiguous Error Messages
In most situations, when trying to gain access to a system you need to supply a username and a password. The error message will often be something of the form "Your username or password was incorrect"; it does not say which one is wrong, since that would provide additional feedback to a hacker, as the following example of over-specific messages shows.

Username: johnsmith
Password: aardvark
Your username is incorrect

Username: johnjones
Password: aardvark
Your username is incorrect

Username: johnanderson
Password: aardvark
Your password is incorrect

Username: johnanderson
Password: abacus
Your password is incorrect

Timing
A simple tactic is to pad out the time it takes to make a login attempt: force the computer to wait, say, 2 seconds before performing the actual check. In the example above this would increase the time needed to gain access to 16 hours and 20 minutes.

Strong Passwords
A common tactic is to require that a password be a combination of letters and numbers; this drastically increases the number of potential combinations.

Lockouts
Another tactic is to allow only a limited number of access attempts before locking the user out of the system. After 10 failed access attempts on an account, the system might disable any further attempts for a period of time (say 3 hours), or until a system administrator is called in to re-enable the account.
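As an added example (not code from the original post), here is a small Python login check that combines the ambiguous error message and the lockout rule described above: every failure returns the same message whether the username or the password was wrong, a missing username still costs a hash computation, and after 10 failed attempts the account is locked for 3 hours. The user store, the PBKDF2 hash and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 10              # lock after 10 failed attempts, as in the post
LOCKOUT_SECONDS = 3 * 3600     # ...for 3 hours, as in the post
GENERIC_ERROR = "Your username or password was incorrect"


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 from the standard library; any deliberately slow hash would do.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credential used when the username does not exist, so an unknown user
# costs the same hashing time as a known one (no username hint via timing).
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password("", DUMMY_SALT)


class Authenticator:
    def __init__(self, clock=time.time, delay_seconds=0.0):
        self.clock = clock              # injectable clock so lockouts can be tested
        self.delay = delay_seconds      # the post's "wait 2 seconds" padding; 0 here
        self.users = {}                 # username -> (salt, hash)   (constructed store)
        self.failures = {}              # username -> consecutive failed attempts
        self.locked_until = {}          # username -> unix time the lockout ends

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str):
        now = self.clock()
        time.sleep(self.delay)                   # optional timing padding
        if self.locked_until.get(username, 0) > now:
            return False, GENERIC_ERROR          # locked: same message, no hint
        record = self.users.get(username)
        salt, expected = record if record else (DUMMY_SALT, DUMMY_HASH)
        digest = hash_password(password, salt)
        if record is not None and hmac.compare_digest(digest, expected):
            self.failures.pop(username, None)    # success resets the counter
            return True, "Welcome"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
        return False, GENERIC_ERROR              # wrong user or wrong password: identical
```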
