Computer Security And Brute Force Attack Computer Science Essay

Nowadays, people use the internet everywhere in their lives: at home, in the office, at school, and even in the car. However, the internet has developed so fast that people cannot handle all of its problems. Early on, in order to let people share data and deliver information without being limited to particular computer hardware or operating systems, the internet was designed without considering many security conditions. In fact, there are a lot of problems with the TCP/IP protocols, yet all information on the internet must follow them. Thus, while people are delivering information, anyone can steal or alter their data. For example, Barracuda Networks, which provides email and Web security appliances, estimated that spam accounted for between 90 and 95 percent of all email sent during 2007 [1]. Also, new phishing attacks rose by 18% during the first half of 2007 [2], and in 2006 phishing events accounted for nearly 60% of all security events reported [3]. This trend is going to continue and may not go down, because people use networks every single day: when they do banking transactions, make telephone calls, or take trains and planes. Also, utility companies manage residents' fees for electricity or water usage using networks. Even when people pay at a store, networks check their credit or debit card transactions and billing.

If people did not use networks, life would be less convenient and many activities would be impossible. Therefore, computer networks become attackers' targets precisely because people cannot live without the internet. Network attacks have both factual and potential impact, and they are of interest to managers, auditors, journalists and the general public. When some people want to obtain information illegally, they use techniques such as brute-force attacks, hijacking, viruses, and Trojan horses to get it. Meanwhile, in any large-scale attack, people's computers can be put at risk. After I worked on Online Banking Security for our presentation, I learned that six Norwegian Internet banks were defrauded in 2006 by means of brute-force attacks and distributed denial-of-service attacks. Thus, I am interested in this topic and I will focus on brute-force attacks in my report.

Possible attack:

In this section, I describe the possible attacks on online banking security. The article "Case Study: Online Banking Security" (March-April 2006) by Hole, K.J.; Moen, V.; Tjostheim, T. describes that "many Norwegian Internet banks have for a long time required their customers to log in to online bank accounts using a social security number (SSN) or account number together with a personal identification number (PIN)." Because only the customer knows the PIN that goes with the SSN, customers do not need to worry about privacy and secrecy. Besides, the bank also imposes a condition: if someone tries to log in to an account using the correct SSN and the wrong PIN more than a certain number of times, three or five times, they will not be able to log in to that account until the bank confirms a correct identification for that account.

In fact, there are several attacks, namely cross-site scripting, phishing, brute-force attacks and distributed denial-of-service (DDoS), that may be used to crack accounts and obtain passwords. In this case, the Norwegian Internet banks were attacked by combining simple brute-force attacks with distributed denial-of-service (DDoS) attacks [4]. When the attackers use these two attacks to crack accounts, they not only gain access to a handful of accounts but also prevent many legitimate customers from accessing theirs. Therefore, in the next section I will focus on how a brute-force attack can crack a Norwegian Internet bank and defraud accounts.

Brute-force attacks (Case Study of a Norwegian Internet bank)

Figure 1: Model of a simple brute-force attack on a Norwegian Internet bank. A cracker program automatically picks a social security number (SSN) from the set of all generated SSNs and tries to log in using a randomly chosen PIN. [4]

To understand how a brute-force attack is used against an online bank, I use the Norwegian Internet bank example based on the article "Case Study: Online Banking Security" [4].

First, consider Figure 1, which shows an example brute-force attack against a Norwegian Internet bank. Before looking at the brute-force attack itself, consider an attack that only uses the SSNs of one bank. An SSN dictionary containing all of the SSNs of the bank's online customers is used to supply SSNs. Also, a computer is used to generate all possible PINs at random. The size of the PIN set depends on how many digits a PIN has: when every PIN has n digits, the set contains 10^n values. When the attack starts, it uses the two dictionaries, SSNs and PINs. Combining an SSN with a PIN gives a candidate account and password with which to try to log in to the bank. If the SSN is a real customer's SSN, "the success probability is only, where n >= 4 for the Internet banks. If the login is not successful, the computer uses the same SSN and a new PIN chosen at random." [4] Because the bank blocks access to an account "after T (> 1) trials with correct SSN and incorrect PIN, the probability of success is p = T/10^n." [4] The program repeats these steps for every SSN in the SSN dictionary. Because the SSN dictionary includes all the bank's customers' SSNs, an attacker gets access to at least one account with probability

, where Q is the number of bank customers. Therefore, Q·p is the expected number of accounts to which an attacker gains access. The calculation of p assumes that the bank generates customer PINs with a uniform distribution. Beyond that assumption, there are two situations in which the PIN distribution is skewed and that we need to consider. In the first situation, several PIN values are significantly more likely than others, and then the cracker's success probability improves. In the second situation, according to "Security Engineering", Ross Anderson reported that "one-third of customers will use a birth date as a PIN" [7]. Thus, when customers can select their own PINs, it is easier to crack them, because an attacker can obtain someone's birth date easily. In the next section, I will provide some methods that can block brute-force attacks.
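The following Python calculation is an added illustration, not code from the case study: it puts numbers on the model above, p = T/10^n for uniformly generated PINs and the expected count Q·p, and shows how much the attacker's T guesses gain when one third of customers pick a birth date as their PIN. The DDMM encoding of a birth date (366 values), the customer counts and the "at least one account" formula are my assumptions.

```python
"""Risk model for SSN + n-digit PIN login with lockout after T wrong PINs.
Added illustration; the birthday encoding and customer counts are assumed."""
from fractions import Fraction

PIN_DIGITS = 4                   # n: the case study states n >= 4
LOCKOUT_TRIALS = 3               # T: wrong PINs tolerated before the account is blocked
BIRTHDAY_SHARE = Fraction(1, 3)  # Anderson: about one third of customers use a birth date
DATE_PINS = 366                  # distinct DDMM values a birth date can produce (assumed)


def uniform_success(n_digits=PIN_DIGITS, trials=LOCKOUT_TRIALS):
    """p = T / 10^n: T random guesses against a uniformly generated n-digit PIN."""
    return Fraction(trials, 10 ** n_digits)


def pin_mass(is_date_pin, n_digits=PIN_DIGITS):
    """Probability that a customer's PIN equals one given value when a third of
    customers choose a date and the rest are uniform over all 10^n values."""
    mass = (1 - BIRTHDAY_SHARE) / 10 ** n_digits
    if is_date_pin:
        mass += BIRTHDAY_SHARE / DATE_PINS
    return mass


def skewed_success(trials=LOCKOUT_TRIALS):
    """An attacker who knows the skew spends the T guesses on T distinct date
    values, the most popular PINs, instead of choosing at random."""
    assert trials <= DATE_PINS
    return trials * pin_mass(True)


def expected_compromised(customers, p):
    """Q * p: expected number of accounts opened across the whole SSN dictionary."""
    return customers * p


def prob_at_least_one(customers, p):
    """Chance of opening at least one of Q accounts, treating them as independent
    (standard 1 - (1 - p)^Q; this formula is my addition, not quoted from [4])."""
    return 1 - (1 - float(p)) ** customers


if __name__ == "__main__":
    p_uniform, p_skewed = uniform_success(), skewed_success()
    print(f"uniform PINs : p = {float(p_uniform):.6f}")
    print(f"birthday skew: p = {float(p_skewed):.6f} "
          f"({float(p_skewed / p_uniform):.1f}x higher)")
    for q in (10_000, 100_000):
        print(f"Q={q}: expect {float(expected_compromised(q, p_uniform)):.1f} "
              f"accounts; P(at least one) = {prob_at_least_one(q, p_uniform):.3f}")
```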

Blocking Brute-Force Attacks

In the previous section, I described how a brute-force attack was used in a real event. In this section, I will define the brute-force attack by quoting the article "Blocking Brute-Force Attacks" [5].

A brute-force attack is a password-guessing attack and a general threat that Web designers need to face. In order to find a password, a brute-force attack systematically tries every likely combination of numbers, letters, and symbols until it finds the correct one. A brute-force attack will target any Web site that requires user authentication, so such a site is always a potential target.

However, when an attacker uses a brute-force attack to find a password, the problem is that the attacker may need to wait years to discover it. It depends on the password's length and complexity, since trillions of possible combinations may exist.

Because finding a password this way may take a long time, a brute-force attack can instead try dictionary words, because most people will not use a completely random password. These attacks are also called dictionary attacks or hybrid brute-force attacks [5]. In fact, a brute-force attack not only puts user accounts at risk but also floods your Web site with unnecessary traffic.

Attackers use smart rule sets and wordlists to guess user passwords intelligently and automatically. Even though crackers are easy to detect, brute-force attacks are not easy to block. For instance, many HTTP brute-force tools can deliver requests through a list of open proxy servers. People cannot prevent these attacks simply by blocking the IP address, because every request appears to come from a different IP address. Likewise, people cannot rely on locking out a single account for unsuccessful password attempts, because many tools try a different account and password on each attempt. In the next two sections, I will provide some methods to prevent brute-force attacks.

Locking Accounts

When a number of incorrect password attempts is noticed, the easiest response is to lock the account. A locked account stays locked for a specific time, such as two hours, or until an administrator unlocks it by hand. Nevertheless, because someone could easily abuse this security measure and lock hundreds of user accounts, account lockout is not usually the best solution. Actually, many Web sites would constantly be unlocking customer accounts, so they may not be able to enforce a lockout policy at all. The problems with account lockouts are [5]:

- By locking out huge numbers of accounts, a cracker can cause a denial of service (DoS).
- Because a non-existent account cannot be locked, only valid accounts will lock. A cracker could use this to collect usernames from the Web site, relying on the different error response.
- By locking out a lot of accounts and flooding the help desk with support calls, a cracker can create a diversion.
- Even though an administrator can unlock the same account several times, an attacker can effectively disable the account by continuously locking it again.
- Account lockout is not effective against slow attacks that try only a few passwords every hour.
- Account lockout is not effective against attacks that try one password against a huge list of usernames.
- Account lockout is not effective if the cracker is using a list of username and password combinations and guesses correctly on the first couple of attempts.
- Administrator accounts are powerful accounts, but they usually bypass the lockout policy. Thus, they are the most attractive accounts to attack, because many systems lock out administrator accounts only on network-based logins.
- Even once an account is locked out, the attack may continue to consume valuable human and computer resources.

Sometimes locking an account is effective, but only in controlled situations or in cases where the risk is so great that even continuous DoS attacks are preferable to account compromise. Nevertheless, in most cases, account lockout is not enough to prevent brute-force attacks. For instance, consider several bidders fighting over the same item on an auction Web site. If the auction Web site enforced account lockouts, one bidder could easily lock the others' accounts in the final minute of the auction and block them from submitting any bids. A cracker could use the same method to block crucial financial transactions or e-mail transmissions.

Finding Other Countermeasures:

In this section, I will provide other countermeasures to block brute-force attacks, based on the article "Blocking Brute-Force Attacks" [5].

I described earlier that account lockouts are often not a practical solution, but there are other tricks to tackle brute-force attacks. First, since a brute-force attack depends on time to find a password, a simple solution is to insert random pauses when checking a password. Such pauses reduce the speed at which a brute-force attack can search for passwords, and the method will not bother most legitimate users when they log in to their accounts. The code in Listing 1 (C#) and Listing 2 (VB.NET) shows how to implement this pause using an HTTP module [5].

Locking out an IP address after multiple unsuccessful logins is another method. However, when using this solution, two problems need to be considered. The first is that you could inadvertently block large groups of users by blocking a proxy server used by an ISP or a large company. The second is that numerous tools use proxy lists and submit only a handful of requests from each IP address before moving on to the next. Using the widely available open proxy lists at Web sites like [5], a cracker could simply circumvent any IP blocking mechanism. Because most Web sites do not block after merely one unsuccessful password, a cracker can make two or three attempts per proxy. Without being blocked, a cracker with a list of 1,000 proxies can attempt 2,000 or 3,000 passwords. Even though this solution has weaknesses, some Web sites, adult Web sites in particular, do choose to block proxy IP addresses because they experience a large number of attacks.

Designing your Web site not to use predictable behavior for unsuccessful passwords is an easy and effective way to hinder brute-force attacks. For instance, most sites return an "HTTP 401 error" code for an unsuccessful password, while some sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page describing the unsuccessful password attempt. This tricks some automated systems, although it is also simple to circumvent.

You might also require users to answer a private question, in addition to the username and password, after one or two unsuccessful login attempts. This not only causes problems for automated attacks but also blocks a cracker from gaining access even if they do get the username and password right. You could also detect a large number of attacks system-wide and, under those conditions, prompt all users for the answer to their private question.

Other techniques you might want to consider [5]:

- Give advanced users who want to protect their accounts from attack the option to allow login only from certain IP addresses.
- Assign unique login URLs to blocks of users, so that not all users can access the Web site from the same URL.
- Instead of entirely locking out an account, place it in a lockdown mode with limited capabilities.

In fact, brute-force attacks are not easy to block entirely, but you can reduce your exposure to these attacks with thoughtful design and multiple countermeasures. Ultimately, the best protection is to ensure that users follow the basic rules for strong passwords: using long, unpredictable passwords, avoiding dictionary words, avoiding password reuse, making passwords complex, and changing them regularly.
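To make the countermeasures above concrete, here is an added Python sketch of a login-attempt guard; it is my own illustration, not the article's C#/VB.NET HTTP module. It combines the random pause, the private question after two failures, a per-IP cap kept high because an address may be a shared proxy, a lockdown mode instead of a full lock, and an identical failure answer whether or not the account exists; all thresholds and the pause range are assumed values.

```python
"""Login guard combining several countermeasures from the text.
Added example; thresholds and the pause range are constructed, not the article's."""
import random
import time
from collections import defaultdict

STEP_UP_AFTER = 2    # failures before the private question is also required
LOCKDOWN_AFTER = 5   # failures after which a correct login gets limited abilities
IP_LIMIT = 30        # per-IP cap kept high: an address may be an ISP or company proxy


class LoginGuard:
    def __init__(self, rng=None, sleep=time.sleep):
        self.rng = rng or random.Random()
        self.sleep = sleep                    # injectable so tests need not wait
        self.failed_by_user = defaultdict(int)
        self.failed_by_ip = defaultdict(int)

    def _fail(self, username, ip):
        # Count against both keys and answer the same way whether or not the
        # account exists, so failed attempts do not reveal valid usernames.
        self.failed_by_user[username] += 1
        self.failed_by_ip[ip] += 1
        return "fail"

    def evaluate(self, username, ip, password_ok, question_ok=None):
        """Decide one attempt: 'ip-blocked', 'fail', 'need-question', 'ok', or
        'ok-lockdown' (limited abilities until the customer is re-verified)."""
        if self.failed_by_ip[ip] >= IP_LIMIT:
            return "ip-blocked"
        # Random pause: barely noticed by a real user, slows an automated guesser.
        self.sleep(self.rng.uniform(0.2, 1.0))
        if not password_ok:
            return self._fail(username, ip)
        prior = self.failed_by_user[username]
        if prior >= STEP_UP_AFTER:            # step up instead of locking out
            if question_ok is None:
                return "need-question"
            if not question_ok:
                return self._fail(username, ip)
        self.failed_by_user[username] = 0
        return "ok-lockdown" if prior >= LOCKDOWN_AFTER else "ok"


if __name__ == "__main__":
    guard = LoginGuard(sleep=lambda seconds: None)
    for pw_ok in (False, False, True):
        print(guard.evaluate("alice", "192.0.2.10", pw_ok))  # fail, fail, need-question
    print(guard.evaluate("alice", "192.0.2.10", True, question_ok=True))  # ok
```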


In this report, I used the Norwegian Internet bank case to show how a brute-force attack works in the real world, because the banks had a weakness in their SSN-based login. I also described, in section two, some attacks that can threaten online banking security. Besides, I defined the brute-force attack based on the article "Blocking Brute-Force Attacks" [5]. I also provided several methods to hinder brute-force attacks on the internet, such as locking accounts, using an HTTP module to add pauses, locking out an IP address after multiple unsuccessful logins, and designing your Web site not to use predictable behavior for unsuccessful passwords. Unfortunately, there is no single method that can completely stop brute-force attacks. Thus, the one measure that always applies is to change passwords regularly and make them complex.