How to Keep the Brutes Away from Your Loot?

To understand and then combat a brute force attack, also known as a dictionary attack,
we must start by understanding why it might be an appealing tool for a hacker. To a
hacker, anything that must be kept under lock and key is probably worth stealing. If your
Web site (or a portion of it) requires a user to log in and be authenticated, then the odds
are good that a hacker has tried to break into it. In terms of processing power, it is
expensive for a Web site to require authentication, so it is usually only required when the
site stores valuable private information. Corporate intranet sites can contain confidential
data such as project plans and customer lists. E-commerce sites often store users’ email
addresses and credit card numbers. Bypassing or evading authentication in order to steal
this data is clearly high on a hacker’s priority list, and today’s hackers have a large
library of authentication evasion techniques at their disposal.

Session hijacking attacks such as Cross-site Scripting can steal a user’s authentication
token and transmit it to a malicious third party, who can then use it to impersonate the
legitimate user. SQL injection attacks can also be very effective at bypassing
authentication. By sending a specially-formatted username and password combination
containing SQL code to the login form, an attacker can often trick the server into granting
him unauthorized access. These types of attacks get a lot of attention since they are
creative, elegant, and effective. However, there is another type of attack that can be just
as effective, if not as elegant or creative. A brute force attack (or dictionary attack) can
still be a dangerous threat to your Web site unless proper precautions are taken.

The brute force attack is about as uncomplicated and low-tech as Web application
hacking gets. The attacker simply guesses username and password combinations until he
finds one that works. It may seem like a brute force or dictionary attack is unlikely to
ever succeed. After all, what are the odds of someone randomly guessing a valid
username and password combination? Surprisingly, the odds for a brute force attack can
be quite good if the site is not properly configured. There are several factors that work to
the hacker’s advantage, the most important of which is human laziness.
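The "proper precautions" the post refers to start with limiting how many guesses one client or one account gets before the site stops checking passwords at all. What follows is an added example, not code from the original post or from any product it describes: a sliding-window lockout keyed by both username and source IP. The class and function names, the thresholds and the sample attempts are assumptions constructed for this demonstration, with addresses taken from documentation ranges.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the post): 5 failures inside a 5-minute window
# lock both the username and the source IP for 15 minutes.
MAX_FAILURES, WINDOW, LOCKOUT = 5, 300, 900

class BruteForceGuard:
    """Sliding-window failed-login throttle keyed by username and source IP."""
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._locked_until = {}              # key -> time the lock expires

    def is_locked(self, username, ip, now):
        keys = (("user", username), ("ip", ip))
        return any(self._locked_until.get(k, 0) > now for k in keys)

    def record(self, username, ip, success, now):
        """Record one attempt; return True if it triggered a new lock."""
        if success:
            self._failures.pop(("user", username), None)
            return False
        locked = False
        for key in (("user", username), ("ip", ip)):
            q = self._failures[key]
            while q and now - q[0] > WINDOW:  # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT
                locked = True
        return locked

def replay(attempts):
    """Feed (time, user, ip, password_ok) tuples through one guard; verdicts are
    'denied' (lock in force, password not checked), 'locked', 'ok' or 'fail'."""
    guard, verdicts = BruteForceGuard(), []
    for now, user, ip, ok in attempts:
        if guard.is_locked(user, ip, now):
            verdicts.append("denied")
            continue
        new_lock = guard.record(user, ip, ok, now)
        verdicts.append("locked" if new_lock else ("ok" if ok else "fail"))
    return verdicts

# Constructed sample: one client cycles guesses for "alice"; "bob" mistypes once.
SAMPLE = [(t, "alice", "203.0.113.7", False) for t in range(0, 50, 10)] + [
    (60, "alice", "203.0.113.7", True),    # right guess, but the lock holds
    (70, "alice", "198.51.100.4", False),  # same account, new IP: still locked
    (80, "bob", "198.51.100.4", False),
    (90, "bob", "198.51.100.4", True),
]
```

Because the lock is checked before the password, the fifth failure is the last guess the server evaluates for that account; a legitimate user from the same address is only affected once the address itself crosses the threshold.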
