I bet you wish you could stop reading about all the different ways our cloud platforms can be compromised and breached by the bad guys. But no, there are loads of attacks we should be aware of in order to keep our businesses safe and secure. So what is a brute force attack?
A brute force attack is pretty much what it sounds like. It’s not too clever, and it’s not stealthy at all. In its simplest form, a brute force attack is just guessing passwords.
Ever had a combination padlock that you’d forgotten the combination to? I have. Luckily, it only had 3 digits, and it wasn’t attached to anything when it got stuck in the locked position. That meant there were only 1000 possible combinations, 000-999, one of which had to be right. All I did was watch some TV whilst fiddling with the padlock. Turn the least-significant digit one click around, pull the end of the padlock. Repeat.
This exercise ended when I happened to get to the number 401, pulled the end of the padlock, and it opened right up. I had completed a brute force attack on the padlock. It took a long while, but it’s unlocked now.
Well, we just described a brute force attack on a physical padlock, so we know how that works, but how do we do the same in the cloud? Well, you could do it the same way if you wanted to.
Everyone is familiar with a username and password. We use them all over the place. What’s more, usernames are often email addresses, which are not secret. Email addresses can’t be secret, otherwise how would anybody ever send you an email? So if I know you use a particular service, like Facebook for example, I probably already know your username, because I know your email address.
What if I went to the Facebook login screen and entered your email address, with a password of aaaaaaaa (8 a’s because of minimum password length rules)? If it isn’t that, shall we try 7 a’s and a b? And so on. Eventually, we will have tried every single combination of letters, numbers and symbols that could make up an 8 character password. If we’re still not in, we’ll just add another character onto the end and try every 9 character password. On and on we could go.
The beauty of this approach, if you’re on the offence, is how quickly computers can perform really repetitive tasks, like entering thousands of passwords every second. So given enough time, we can literally try every single password there could ever be. Without any other controls in place, a brute force attack will breach a username and password check.
Incrementing through every letter, number and symbol on the keyboard will work, but how many people do you know whose password might be “aaaaabac”? It’s probably less likely than “Password123”, right? If you happened to have a list of all the passwords that were more likely to be used, rather than random strings of characters, it would make sense to try all of those first, wouldn’t it? That’s what a rainbow table is.
Whenever there are password leaks from a compromised system anywhere on the Internet, you can bet those passwords make their way into rainbow tables. Hackers are smart, so they will work out how likely each password is to be in use for a given account, then try the most likely ones first. That’s why we always advise against using something that someone else might have as their password too.
I made a pretty bold statement earlier when I said that brute force attacks will get you access to any given account, given enough time. That’s true only if there are no other controls in place. What kinds of controls could we put in place though?
Think about the last time you couldn’t remember a password. I mean aside from the fact this never happens because we’re all using password managers now. But stay with me. How many incorrect password attempts do you think you might make? 5? 10 at the absolute most, surely? Not 40,000, like a computer might try if it were brute-forcing the account.
And how long is there between each password you submit? Maybe 4 seconds to type the password in and hit enter? Not the thousands per second the brute force attacking computer is managing, then.
So now you can see the controls we can put into software to make brute force attacks unviable: cap the number of attempts and slow them down, to the point where it would take years to make enough guesses to get in. Of course, that’s on a well-configured system.
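The two controls just described, an attempt limit and a forced pause between guesses, written out as a small Python login guard, together with the arithmetic behind the earlier "try every 8 character password" section. This is an added example, not code from the original post or from Beaty Consultancy. The policy values (lock after 10 consecutive failures, double the wait after every failure), the account alice@example.com, its password, and the 1000 guesses per second rate are all assumptions chosen for illustration; the clock is simulated so the scenarios run instantly.

```python
import time

# Constructed policy values, not from the post: lock the account after
# 10 consecutive failures, and double the wait after every failure.
MAX_FAILURES = 10
BASE_DELAY_SECONDS = 1.0

# Constructed credential store. A real system stores salted password hashes,
# never the plaintext compared here.
USER = "alice@example.com"
CREDENTIALS = {USER: "correct horse battery staple"}


class LoginGuard:
    """Checks passwords while enforcing per-account lockout and backoff."""

    def __init__(self, credentials, clock=time.monotonic):
        self._credentials = credentials
        self._clock = clock        # injectable so the simulations below are deterministic
        self._failures = {}        # username -> consecutive failures
        self._next_allowed = {}    # username -> earliest time the next attempt is checked

    def seconds_until_allowed(self, username):
        """Wait before an attempt is checked; 0 once locked, because waiting no longer helps."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return 0.0
        return max(0.0, self._next_allowed.get(username, 0.0) - self._clock())

    def attempt(self, username, password):
        now = self._clock()
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        if now < self._next_allowed.get(username, 0.0):
            return "too_fast"      # rejected without even looking at the password
        if self._credentials.get(username) == password:
            self._failures[username] = 0
            self._next_allowed[username] = 0.0
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        # Exponential backoff: 1 s, 2 s, 4 s, ... before the next guess is checked.
        self._next_allowed[username] = now + BASE_DELAY_SECONDS * 2 ** (failures - 1)
        return "rejected"


class FakeClock:
    """Simulated clock so the scenarios run instantly and reproducibly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_fast_attack(guesses, guesses_per_second=1000.0):
    """Guesses arrive at a fixed rate regardless of responses; returns how each was handled."""
    clock = FakeClock()
    guard = LoginGuard(CREDENTIALS, clock=clock)
    counts = {"ok": 0, "rejected": 0, "too_fast": 0, "locked": 0}
    for i, guess in enumerate(guesses):
        clock.now = i / guesses_per_second
        counts[guard.attempt(USER, guess)] += 1
    return counts


def run_patient_attack(guesses):
    """Guesser waits out every backoff window; returns (outcome, attempts, seconds spent)."""
    clock = FakeClock()
    guard = LoginGuard(CREDENTIALS, clock=clock)
    attempts, outcome = 0, None
    for guess in guesses:
        clock.advance(guard.seconds_until_allowed(USER))
        outcome = guard.attempt(USER, guess)
        attempts += 1
        if outcome in ("ok", "locked"):
            break
    return outcome, attempts, clock.now


def years_to_exhaust(length, alphabet_size=95, guesses_per_second=1000.0):
    """Years to try every password of a given length at a given rate.
    95 is the number of printable ASCII characters (letters, digits, symbols, space)."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    wrong = ["not-the-password"] * 40_000
    print("40,000 guesses at 1000/s:", run_fast_attack(wrong))
    print("patient guesser:", run_patient_attack(wrong))
    print("years to exhaust 8 printable chars at 1000/s:", round(years_to_exhaust(8)))
    print("same keyspace at one guess per 4 s:", round(years_to_exhaust(8, guesses_per_second=0.25)))
```

With these constructed settings, 40,000 guesses fired at 1000 per second get only 6 of them actually checked; a guesser who waits politely for each window is locked out after 10 checked guesses and 511 simulated seconds. One caveat worth keeping in mind: a lockout keyed on the username alone lets anyone lock the real owner out by deliberately failing, so production systems normally make the lockout temporary and pair it with per-source limits rather than relying on it by itself.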
And of course, if we have 2 factor authentication switched on, it doesn’t even matter if your password were to be brute-force guessed – the attacker would still have to be in possession of your other authentication factor. That might be a physical key you plug into your computer and touch, like a YubiKey, or it could be something like the Google Authenticator app.
Seriously, go and switch on 2 factor authentication for everything you can, right now!
Knowledge Is Power
As you can see, brute force attacks are pretty scary – but they aren’t too hard to detect and protect against if you know what to look out for. Here at Beaty Consultancy, we think knowing how your attackers think, and what tools they’re using against you, means you’re much better prepared for defence. And now you know how brute force attacks work!
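On the detection side, the signature the post describes is simple to look for: far more failed logins against one account, from one place, than a person typing would ever produce, and especially a success arriving right after such a burst. The Python below runs that check over a handful of constructed log lines. It is an added example, not code or log data from the original post; the log format, the accounts, and the source addresses (taken from the RFC 5737 documentation ranges) are all made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<ISO timestamp> auth <event> user=<name> src=<address>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

BURST_SRC = "203.0.113.5"   # RFC 5737 documentation address, constructed
SAMPLE_LOG = [
    # 12 failures against one account from one source inside 22 seconds,
    # then a success: the shape of an automated guess run that got in.
    f"2024-03-01T09:15:{sec:02d}Z auth login_failed user=alice@example.com src={BURST_SRC}"
    for sec in range(0, 24, 2)
] + [
    f"2024-03-01T09:15:24Z auth login_ok user=alice@example.com src={BURST_SRC}",
    # A person mistyping twice over fifteen seconds, then getting in: no alert.
    "2024-03-01T09:20:00Z auth login_failed user=bob@example.com src=198.51.100.7",
    "2024-03-01T09:20:09Z auth login_failed user=bob@example.com src=198.51.100.7",
    "2024-03-01T09:20:15Z auth login_ok user=bob@example.com src=198.51.100.7",
    "this line is not an auth event and is skipped",
]


def parse_ts(text):
    """ISO 8601 with a trailing Z, as written in the constructed log."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _alert(kind, key, failures, at):
    return {"type": kind, "user": key[0], "src": key[1], "failures": failures, "at": at}


def detect(lines, threshold=10, window_seconds=60):
    """Flag (user, source) pairs with >= threshold failures inside a sliding window,
    and any success that lands while such a burst is still inside the window."""
    recent = defaultdict(deque)   # (user, src) -> failure timestamps still in the window
    alerted = set()               # pairs already reported for the current burst
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unparseable line; a real pipeline would count these too
        ts = parse_ts(m["ts"])
        key = (m["user"], m["src"])
        q = recent[key]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that have aged out of the window
        if m["event"] == "login_failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(_alert("burst", key, len(q), m["ts"]))
        else:
            # A success right after a burst is the event most worth a human's attention.
            if len(q) >= threshold:
                alerts.append(_alert("success_after_burst", key, len(q), m["ts"]))
            q.clear()             # a successful login ends the current run of failures
            alerted.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Against the sample, alice's run produces one "burst" alert on the tenth failure and one "success_after_burst" alert when the login finally succeeds, while bob's two typos produce nothing. The threshold and window are the knobs to tune against your own users' real behaviour: set them from how many mistakes a person actually makes and how quickly, which is exactly the comparison the post draws.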