01.11.07 Preventing A Brute Force Or Dictionary Attack
By Bryan Sullivan
To understand and then combat a brute force attack, also known as a dictionary attack, we must start by understanding why it might be an appealing tool for a hacker.
To a hacker, anything that must be kept under lock and key is probably worth stealing. If your Web site (or a portion of it) requires a user to log in and be authenticated, then the odds are good that a hacker has tried to break into it. In terms of processing power, it is expensive for a Web site to require authentication, so it is usually only required when the site stores valuable private information. Corporate intranet sites can contain confidential data such as project plans and customer lists. E-commerce sites often store users' email addresses and credit card numbers. Bypassing or evading authentication in order to steal this data is clearly high on a hacker's priority list, and today's hackers have a large library of authentication evasion techniques at their disposal.
Session hijacking attacks such as Cross-site Scripting can steal a user's authentication token and transmit it to a malicious third party, who can then use it to impersonate the legitimate user. SQL injection attacks can also be very effective at bypassing authentication. By sending a specially-formatted username and password combination containing SQL code to the login form, an attacker can often trick the server into granting him unauthorized access. These types of attacks get a lot of attention since they are creative, elegant, and effective. However, there is another type of attack that can be just as effective, if not as elegant or creative. A brute force attack (or dictionary attack) can still be a dangerous threat to your Web site unless proper precautions are taken.
The brute force attack is about as uncomplicated and low-tech as Web application hacking gets. The attacker simply guesses username and password combinations until he finds one that works. It may seem like a brute force or dictionary attack is unlikely to ever succeed. After all, what are the odds of someone randomly guessing a valid username and password combination? Surprisingly, the odds for a brute force attack can be quite good if the site is not properly configured. There are several factors that work to the hacker's advantage, the most important of which is human laziness.
Don't Be Lazy - Choose a Password Carefully!
Generally, people do not remember complicated passwords very well. If users are allowed to create their own passwords, they will often create very simple ones like "password", "1234", their spouse's name, or their favorite sports team. Passwords like these are easy for the user to remember, but unfortunately they are also easy for someone else to guess. Furthermore, any serious hacker who attempts a brute force attack will not be sitting at a Web browser, guessing at authentication credentials and typing them in. He will be using an automated tool for the brute force attack that can make thousands of requests per minute with credentials generated from a large list of possible values. Often this list is an actual dictionary, hence the term "dictionary attack." If a user chooses a common password, such as a dictionary word, the automated tool will eventually guess it, and the user's account will be compromised.
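As an added example (not code from the article or from SPI Dynamics), a Python check for the weak choices described above: short passwords, digit sequences, dictionary words with the usual digit and symbol substitutions undone, and passwords built from the username or personal details the site already knows. The word list is a constructed stand-in for the full dictionary a real deployment would load.

```python
import re
from typing import Optional

# Constructed stand-in for the word list an automated guessing tool would feed the
# login form; a real deployment loads a full dictionary plus a breached-password list.
COMMON_WORDS = {"password", "secret", "dragon", "welcome", "monkey", "football", "letmein"}

# Substitutions guessing tools apply to dictionary words; the check undoes them so
# "P@ssw0rd1!" is recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t"})


def stem(password: str) -> str:
    """Reduce a candidate to the dictionary word it was most likely built from."""
    s = re.sub(r"[^a-z]+$", "", password.lower())  # drop trailing digits/punctuation ("monkey99", "secret!!")
    s = s.translate(LEET)                          # undo leet substitutions
    return re.sub(r"[^a-z]", "", s)                # drop anything left that is not a letter


def weak_password_reason(password: str, username: str, personal: tuple = ()) -> Optional[str]:
    """Return why a password is easy to guess, or None if it passes these checks.

    `personal` holds values the site already knows about the user (spouse's name,
    favourite team, ...), which the article names as common password choices.
    """
    if len(password) < 8:
        return "too short"
    if password.isdigit():
        return "digits only"                       # "1234", "12345678"
    if re.fullmatch(r"(.)\1*", password):
        return "single repeated character"         # "aaaaaaaa"
    if stem(password) in COMMON_WORDS:
        return "dictionary word"
    low = password.lower()
    if username and username.lower() in low:
        return "contains username"
    if any(p and p.lower() in low for p in personal):
        return "contains personal information"
    return None


def audit(accounts: dict) -> dict:
    """Run the check over {username: password} pairs; return only rejected accounts with the reason."""
    return {u: r for u, p in accounts.items() if (r := weak_password_reason(p, u)) is not None}
```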
About the Author: Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the DevInspect and QAInspect Web security products, which help programmers maintain application security throughout the development and testing process. He has a bachelor's degree in mathematics from Georgia Tech and 11 years of experience in the information technology industry. Bryan is currently coauthoring a book with noted security expert Billy Hoffman on Ajax security, which will be published in summer 2007 by Addison-Wesley.