websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] How to recognize brute force attack

Paolo Luise
Tue, May 21, 2013 7:26 AM

Hi,
I'm not sure, but I think the OWASP AppSensor Project could also be of
help, with its detection points
https://www.owasp.org/index.php/AppSensor_DetectionPoints, especially some
of them, such as:
AE2: Multiple Failed Passwords
AE3: High Rate of Login Attempts
STE2: High Number of Logins Across The Site

combined with the response actions
https://www.owasp.org/index.php/AppSensor_ResponseActions

Paolo

Date: Mon, 20 May 2013 09:54:45 +0100

From: Paul Johnston paul.johnston@pentest.co.uk
To: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] How to recognize brute force attack
Message-ID: 5199E4D5.8070303@pentest.co.uk
Content-Type: text/plain; charset="iso-8859-1"

Hi,

A common approach is this:

  1. Lock account after three bad login attempts - this prevents vertical
    attacks (using Nuno's terminology)
  2. User names are random numbers, with 12 digits or so - this prevents
    horizontal attacks

Most financials do not use captchas as it's generally accepted that a
determined attacker can break them, either through AI software or even
mechanical turk.

If your user names are not random numbers, asking a supplemental
question serves a similar purpose, e.g. the user is asked for: user name,
surname, and password. The (user name, surname) pair is treated as the
user name.

Using IP addresses at all is a minefield as sometimes many users will
come from the same IP address - think of the bank's own outgoing IP
address, and all the thousands of staff that will login to their own
account at lunchtime. It does have a place, but a determined attacker
can easily bounce through proxies or botnets.

Most financials now use a risk engine, which looks at a lot of variables
related to the login, e.g. time of day, geolocation, machine
fingerprint, etc. (commercial risk engines have up to 90 variables). If
the engine deems the login high risk then supplemental authentication is
required, e.g. an SMS code.

Paul

On 19/05/2013 16:13, ? ?? wrote:

Dear all:

I work for an online financial company. As a financial company, we
accept little risk. So, our strategy was designed strictly: our
clients always need to input the reCAPTCHA code to login, and the
account will be locked if the password errors exceed the limit. But
nowadays, we want to improve the user experience somehow, like Google,
which avoids the reCAPTCHA code if the login is normal. If we choose to
show the reCAPTCHA image by the rule of ID login error sum and
IP login error sum, a hacker can still run the attack by switching the
proxy and reducing the trial times per ID.
Is there any better way to recognize the brute force attack? Thanks.

Eric Tan

--
Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
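As an added example that is not part of the thread (not code from Paolo, Paul or OWASP), the following Python sketch implements the three AppSensor detection points Paolo lists (AE2, AE3, STE2) together with the per-account lockout Paul describes, and runs them over constructed login events: a single-account "vertical" attack, the low-and-slow "horizontal" attack Eric worries about (one guess per ID, a fresh proxy IP each time), and benign lunchtime traffic from one shared NAT address. The thresholds, the event format, the response-action names and the sample data are all assumptions chosen for the demonstration.

```python
# Added example: AppSensor-style login monitor (AE2, AE3, STE2) plus account
# lockout. Thresholds, event format, response names and scenario data are
# assumptions for this demo, not values from the thread or from OWASP.
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds (tune per site and per user population)
AE2_MAX_FAILURES = 3        # consecutive failures before the account is locked
AE3_WINDOW_S = 60           # AE3: attempts per account inside this window
AE3_MAX_ATTEMPTS = 10
STE2_WINDOW_S = 60          # STE2: distinct accounts failing site-wide inside this window
STE2_MAX_ACCOUNTS = 50


@dataclass
class LoginEvent:
    ts: float      # seconds
    user: str
    ip: str        # logged only; deliberately not thresholded (shared NAT, proxies, botnets)
    success: bool


class LoginMonitor:
    def __init__(self):
        self.fail_count = defaultdict(int)   # AE2 state per account; reset on success
        self.locked = set()
        self.attempts = defaultdict(deque)   # AE3 state: account -> attempt timestamps
        self.site_failures = deque()         # STE2 state: (ts, account) of recent failures
        self.log = []                        # (ts, user, ip, detection_point, response)

    @staticmethod
    def _expire(dq, now, window, key=lambda x: x):
        # drop entries that fell out of the sliding window
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def observe(self, ev):
        """Feed one login event; return the (detection_point, response) pairs it fired."""
        fired = []

        # AE3: high rate of attempts per account (counted even once the account is locked)
        dq = self.attempts[ev.user]
        dq.append(ev.ts)
        self._expire(dq, ev.ts, AE3_WINDOW_S)
        if len(dq) > AE3_MAX_ATTEMPTS:
            fired.append(("AE3", "require_captcha"))

        if ev.user in self.locked:
            fired.append(("AE2", "reject_locked"))
        elif ev.success:
            self.fail_count[ev.user] = 0
        else:
            # AE2: consecutive failed passwords on one account -> lockout ("vertical" attack)
            self.fail_count[ev.user] += 1
            if self.fail_count[ev.user] >= AE2_MAX_FAILURES:
                self.locked.add(ev.user)
                fired.append(("AE2", "lock_account"))

            # STE2: many distinct accounts failing across the site ("horizontal" attack).
            # Keyed on account, not source IP, so switching proxies does not reset it.
            self.site_failures.append((ev.ts, ev.user))
            self._expire(self.site_failures, ev.ts, STE2_WINDOW_S, key=lambda x: x[0])
            if len({u for _, u in self.site_failures}) > STE2_MAX_ACCOUNTS:
                fired.append(("STE2", "site_wide_captcha_and_alert"))

        self.log.extend((ev.ts, ev.user, ev.ip, dp, resp) for dp, resp in fired)
        return fired


def run(events):
    """Return (monitor, set of detection points fired, (index, point) of the first firing or None)."""
    m = LoginMonitor()
    points, first = set(), None
    for i, ev in enumerate(events):
        fired = m.observe(ev)
        if fired and first is None:
            first = (i, fired[0][0])
        points.update(dp for dp, _ in fired)
    return m, points, first


# Constructed scenarios (synthetic data, not real logs)
def vertical_attack():
    # one account, 20 password guesses from one IP, one per second
    return [LoginEvent(float(t), "acct-000001", "198.51.100.7", False) for t in range(20)]


def horizontal_low_and_slow(n_accounts=80):
    # Eric's evasion case: one guess per account and a new proxy IP every time,
    # so every per-ID and per-IP error counter stays at 1
    return [LoginEvent(float(i), f"acct-{i:06d}", f"203.0.113.{i % 254 + 1}", False)
            for i in range(n_accounts)]


def lunchtime_traffic():
    # ten staff behind the bank's own NAT address: one typo each, then success
    evs = []
    for i in range(10):
        u = f"acct-{i:06d}"
        evs.append(LoginEvent(float(i * 5), u, "192.0.2.10", False))
        evs.append(LoginEvent(float(i * 5 + 1), u, "192.0.2.10", True))
    return evs


if __name__ == "__main__":
    for name, evs in [("vertical", vertical_attack()),
                      ("horizontal", horizontal_low_and_slow()),
                      ("lunchtime", lunchtime_traffic())]:
        _, points, first = run(evs)
        print(f"{name:10s} fired={sorted(points)} first={first}")
```

The point of the three scenarios: the vertical attack trips AE2 on the third failure (and AE3 once the rate exceeds the window limit), the distributed one-guess-per-ID attack never trips any per-account or per-IP counter but is caught by STE2 at the 51st distinct failing account, and the shared-NAT lunchtime traffic trips nothing because nothing here keys on the IP. STE2's site-wide response (a captcha or step-up for everyone, plus an alert) is the kind of measured reaction the AppSensor response-action list is meant to pair with a detection point.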
