The Solution to Brute Force Attacks, and Where Most Malicious Sites are Hosted

Article by George Norman (Cybersecurity Editor)

on 11 Mar 2010

A brute force attack occurs when someone with malicious intent goes through all the possible keys until the right one is found. Say, for example, that an attacker knows your username and needs to crack your password. He will try a gazillion combinations until the one that opens up your account is found.

To keep your account safe and protected, you need to pick a properly strong password. First of all, you should avoid using simple words (because the attacker will try every word in the dictionary until the one you used is uncovered) and you should avoid using easily identifiable data (your birthday, your address, something like that). Against a brute force attack in particular, it is important that your password cannot be easily guessed. A strong password should be more than 8 characters long and be a random sequence of uppercase and lowercase letters, special characters and digits.

According to Eset’s Senior Cybercrime Research Analyst, Craig Johnston, an attacker may have to try hundreds of thousands if not millions of combinations to get the password right on some systems. That might seem like a huge number, but keep in mind that on some systems the attacker can try hundreds of combinations per second.

The main protection against brute force attacks is choosing a long password that combines upper and lower case letters, numbers, and special characters. But according to Craig Johnston there is something else that could be done to prevent brute force attacks. Please note that this is not to say that you should stop using strong passwords – Johnston talks about a way of making things very hard for brute force attackers.

“Instead of a system instantly returning with a negative response if the password is incorrect, why not build a delay into the response of say, a tenth of a second? Then, when another log in attempt is made on that same username, the response comes back after a tenth of a second delay. The next failed log in attempt on the username would result in a two tenths delay, then three tenths, etcetera. After one hundred attempts, there would be a ten second delay between responses. By the one thousandth attempt, the delay would be one hundred seconds. This would render a brute force attack useless. But a legitimate user who happened to enter the wrong password would not notice a tenth of a second delay. Even a two tenths or three tenths of a second delay,” explained Johnston.
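The scheme Johnston describes can be sketched as follows. This is an added example, not code from Eset or from the article; the class and function names and the demo account are constructed for illustration. It enforces the delay as a per-username "not before" time rather than a sleep, so that opening many connections in parallel does not sidestep it.

```python
import hmac
import time

STEP = 0.1  # seconds added per failed attempt (the figure used in the quote)

# Constructed demo account; a real system verifies a salted password hash.
DEMO_USERS = {"alice": "correct horse"}

def demo_verify(username, password):
    expected = DEMO_USERS.get(username, "")
    same = hmac.compare_digest(expected.encode(), password.encode())
    return same and username in DEMO_USERS

class LoginThrottle:
    """Linear back-off per username: failure number n costs n * step seconds."""

    def __init__(self, verify, step=STEP, clock=time.monotonic):
        self.verify = verify    # callable(username, password) -> bool
        self.step = step
        self.clock = clock      # injectable so the logic can be tested
        self.failures = {}      # username -> consecutive failed attempts
        self.not_before = {}    # username -> earliest time of next attempt

    def delay_after(self, n_failures):
        return n_failures * self.step

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'throttled'."""
        now = self.clock()
        if now < self.not_before.get(username, float("-inf")):
            return "throttled"  # too early: the password is not even checked
        if self.verify(username, password):
            self.failures.pop(username, None)    # success resets the counter
            self.not_before.pop(username, None)
            return "ok"
        # Unknown usernames are counted too, so the timing does not reveal
        # which accounts exist.
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        self.not_before[username] = now + self.delay_after(n)
        return "denied"

def total_wait(attempts, step=STEP):
    """Cumulative enforced delay in seconds after `attempts` straight failures."""
    return step * attempts * (attempts + 1) / 2
```

With a tenth of a second per step, one thousand consecutive failures add up to 50,050 seconds of enforced waiting, close to 14 hours. Because the counter is keyed on the username, anyone who knows a username can also slow down logins for its legitimate owner, which is the trade-off of this design.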

Moving on, do you have any idea where in the world most malicious sites are hosted? According to popular opinion, most malicious websites are hosted in far, far away countries like China. According to a study conducted by AVG Technologies, the developers behind the popular free antivirus solution AVG Anti-Virus Free Edition 9.0, a staggering 44% of the world’s malicious sites are hosted in the good old US of A. But you were not wrong to think that China is also host to numerous malicious sites. AVG’s study revealed that the top 3 countries to host malicious sites are:
  1. United States
  2. Germany
  3. China

“The results of this study shatter the myth that malicious code is primarily hosted in countries where e-crime laws are less developed,” said Karel Obluk, Chief Technology Officer, AVG Technologies. “Our research shows that malicious content is much more likely to show up on web servers in the U.S. than one in Asia or Eastern Europe. This makes perfect sense since the USA is a primary target market for the criminals and has rich and mature Internet infrastructure making the threats both highly accessible and cheap to host. What is most striking is the clear rise in the number of malicious servers in the last six months. Today’s hacking techniques are highly evasive so the average user cannot tell if a website is serving malware or not. A web security product is needed.”

