
Why Brute Force Attacks Are Getting Brutal and Fatal: The Science behind Brute Force Attacks

Blog by Corrine Kiwanuka, Cybersecurity Risk Analyst, South-End Tech Limited, Nairobi, Kenya.

November 28th, 2024.

When someone is stealing from you, they won’t tell you, “Kindly assist me with your belongings, it’s a robbery.” There is a certain roughness associated with robbery. That roughness is brute force, and no one uses brute force to take something that already belongs to them.

Now let’s get into the thick of it in cybersecurity:

If you have read the National KE-CIRT/CC report for the year 2024, then you have seen the attacks that were detected. I’ll attach a screenshot.

These attacks also increased by 42.01% compared with the previous period of April to June 2024.

These attacks mainly targeted organizations that hold sensitive data such as login credentials and financial information. Once login credentials are compromised, it is quite easy to reach the finances of the person affected. Kenya has embraced mobile payments and online banking, with M-Pesa being one of a kind worldwide.

What do we mean by Brute Force Attacks?

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys.

It may seem difficult, but brute force has a surprisingly high success rate: according to Verizon research from 2017, it accounted for five percent of confirmed breaches.

Brute force attacks can be performed with scripts that work through lists of commonly used usernames and passwords, with dedicated tools and bots, and even manually. Surprisingly, it is mostly the users themselves who make the attacker’s job easy.

The Science behind Brute Force Attacks.

There is actually a science behind how brute force attacks work. I won’t go into detail, but a good summary is enough to give an idea of how they work.

  1. Algorithmic Approach:

The approach is systematic: every possible password or key is tried until the correct one is found. How long that takes depends on the computational power available and on the efficiency of the algorithms used.

More advanced algorithms optimize the search by prioritizing the more likely combinations, such as common passwords, before trying the less likely ones.

  • Computational Power:

The success of a brute force attack depends on the attacker’s processing speed: the more powerful the computer and the more specialized the hardware, the faster combinations can be tested.

  • Password Complexity:

The complexity and length of a password play a crucial role in how fast it can be cracked. A password like “admin 123” can be cracked easily, while something like “QFG$# HYSJfg865b%” can take a very long time, meaning a lot of time and resources are required.
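To put numbers on the three points above, here is an added example (my own code, not from the original post) that estimates the exhaustive search space for the two passwords quoted in the text. The character-class sizes and the guess rate of 10^10 per second are assumptions; real rates depend on the hash algorithm and hardware. It also shows why the algorithmic point matters: “admin 123” has a respectable exhaustive keyspace, yet falls immediately to a dictionary because both of its parts appear in common-password lists.

```python
import math

# Character-class sizes assumed for a standard US keyboard (an assumption for
# this example): 26 lowercase, 26 uppercase, 10 digits, 33 printable symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers every character used."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # punctuation, space and anything else
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search over the same length and classes must cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the usual shorthand for how hard exhaustive search is."""
    return len(password) * math.log2(charset_size(password))


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at a given rate (an average attack needs about half)."""
    return keyspace(password) / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> dict:
    """Summary for one password at an assumed guess rate. 1e10/s is a rough, assumed
    figure for specialized hardware against a fast unsalted hash; a slow, salted hash
    brings it down by orders of magnitude."""
    secs = worst_case_seconds(password, guesses_per_second)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "worst_case_years": secs / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for pw in ["admin 123", "QFG$# HYSJfg865b%"]:
        print(pw, describe(pw))
```

“admin 123” comes out at about 55 bits (69^9 candidates), which sounds strong until you remember that an attacker who prioritizes dictionary words tries it in the first few thousand guesses; “QFG$# HYSJfg865b%” is about 112 bits and has no dictionary shortcut.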

Types of Brute Force Attacks

There are several types of brute force attack, and each works a little differently.

  1. Simple Brute Force Attacks:

This occurs when an attacker guesses a user’s credentials manually, without any software tools. It succeeds when the user relies on a standard password combination or a Personal Identification Number (PIN).

  2. Dictionary Attacks

We all love a good dictionary; it helps us find the pronunciation and meaning of words we did not know.

Walk with me through this scenario: are you aware that a hacker can create, or find ready-made, lists of commonly used usernames and passwords?

Well, lisa001, admin1245, and Boss2024 are not good usernames after all, and @dm1n00123 and P@ssw0rd are not strong passwords either; all of them appear in such lists.

A dictionary attack occurs when an attacker works through a list of common usernames and passwords. It’s basically playing “Pick it! Pick it! Point it!” and hoping to land on the correct one.

  3. Hybrid Attacks

A hybrid attack combines dictionary and brute force techniques. It succeeds when the attacker already knows the victim’s username or has an idea of what the password may be.

What starts as a dictionary attack may advance into a brute force attack. For example, if an attacker knows that the password of Admin1 has something to do with the animal “elephant”, they may try different combinations built on that word, such as El3ph@nt001 or Eleph@nt123.
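The defensive counterpart of the dictionary and hybrid sections is a password policy check that recognizes a dictionary word even after the usual hybrid mangling (leetspeak substitutions, digits bolted onto the end). The following is an added example of my own, not code from the original post; the tiny word list is constructed from the post’s own examples, and a real deployment would load a large breached-password list instead.

```python
import re

# Constructed mini wordlist built from the page's own examples; a real check
# would load a large breached-password list (hundreds of millions of entries).
COMMON_WORDS = {"password", "admin", "elephant", "boss", "qwerty", "letmein"}

# Substitutions a hybrid attack applies to dictionary words; we undo them to
# recover the base word the password was built from.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def candidate_forms(password: str) -> list:
    """Plausible base forms of a password, most specific first, de-duplicated."""
    lowered = password.lower()
    no_tail = re.sub(r"[^a-z]+$", "", lowered)   # drop trailing digits/symbols (...001, ...123)
    no_head = re.sub(r"^\d+", "", no_tail)       # drop leading digits (123elephant)
    forms = []
    for f in (lowered, no_tail, no_head):
        for variant in (f, f.translate(LEET_MAP)):  # raw, then with leetspeak undone
            if variant and variant not in forms:
                forms.append(variant)
    return forms


def dictionary_base(password: str, wordlist=COMMON_WORDS):
    """Return the wordlist entry a dictionary/hybrid attack would reach this password from, or None."""
    for form in candidate_forms(password):
        if form in wordlist:
            return form
    return None


def check_password(password: str, min_length: int = 12) -> str:
    """Policy verdict: 'ok' or the reason the password would be rejected."""
    base = dictionary_base(password)
    if base is not None:
        return f"rejected: derived from common word '{base}'"
    if len(password) < min_length:
        return f"rejected: shorter than {min_length} characters"
    return "ok"


if __name__ == "__main__":
    for pw in ["El3ph@nt001", "Eleph@nt123", "@dm1n00123", "P@ssw0rd", "QFG$# HYSJfg865b%"]:
        print(pw, "->", check_password(pw))
```

The order of operations matters: trailing digits are stripped before the leetspeak map is applied, otherwise “001” would be turned into “ooi” and hide the word “elephant”. The check is an approximation of what a hybrid attack tries, so it catches the common mangling rules rather than every possible one.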

  4. Reverse Brute Force Attacks

This is the complete opposite of the hybrid brute force attack. Here the attacker already knows a password beforehand and only needs to find out which username it belongs to.

The attacker tries the password against multiple usernames or accounts until they get the correct one.

  5. Credential Stuffing

How many of you are guilty of using your TikTok username and password to set up an account on, let’s say, Instagram? It may not be the example I have given, but you know that you have used the same username and password for two different accounts. Same logins, with no changes made.

After a data breach, attackers harvest these logins and reuse them across other services. If, by good luck for them and bad luck for you, a login works, they will use your account for whatever purpose they want.

This is credential stuffing. It is mainly conducted through automated tools to try thousands of combinations quickly.
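Reverse brute force and credential stuffing look different from a classic guess-one-account attack in the logs: instead of many failures against one account, you see one source failing against many different accounts. The following added example (my own code, not from the original post) runs two sliding-window rules over a constructed authentication log in a simple format that this example assumes; real log sources need their own parser, but the counting is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log in a simple format this example assumes.
# Real sources (sshd, an identity provider, a web app) need their own parser.
SAMPLE_LOG = """\
2024-11-28T10:00:01 FAIL user=lisa001 src=198.51.100.9
2024-11-28T10:00:03 FAIL user=lisa001 src=198.51.100.9
2024-11-28T10:00:05 FAIL user=lisa001 src=198.51.100.9
2024-11-28T10:00:07 FAIL user=lisa001 src=198.51.100.9
2024-11-28T10:00:09 FAIL user=lisa001 src=198.51.100.9
2024-11-28T10:01:00 FAIL user=admin1245 src=203.0.113.7
2024-11-28T10:01:01 FAIL user=boss2024 src=203.0.113.7
2024-11-28T10:01:02 FAIL user=finance01 src=203.0.113.7
2024-11-28T10:01:03 FAIL user=jdoe src=203.0.113.7
2024-11-28T10:02:00 OK user=jdoe src=192.0.2.44
2024-11-28T10:30:00 FAIL user=jdoe src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Turn log lines into (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=5), max_fails_per_user=5, max_users_per_src=4):
    """Two sliding-window rules over failed logins:
    - brute_force: one account accumulates >= max_fails_per_user failures in the window
    - many_users_one_source: one source fails against >= max_users_per_src distinct
      accounts in the window (the shape of reverse brute force and credential stuffing)
    Returns a set of (rule, subject) alerts."""
    alerts = set()
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    users_by_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        q = fails_by_user[user]
        q.append(ts)
        while ts - q[0] > window:        # expire failures older than the window
            q.popleft()
        if len(q) >= max_fails_per_user:
            alerts.add(("brute_force", user))
        r = users_by_src[src]
        r.append((ts, user))
        while ts - r[0][0] > window:
            r.popleft()
        if len({u for _, u in r}) >= max_users_per_src:
            alerts.add(("many_users_one_source", src))
    return alerts


def run_sample():
    """Alerts raised on the constructed sample log."""
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, subject in sorted(run_sample()):
        print(rule, subject)
```

Thresholds are deliberately low so the sample trips both rules; in production they are tuned per service, and the per-source rule is the one a per-account lockout policy alone would miss, since each account only ever sees one or two failures.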

  6. Rainbow Table Attacks

A rainbow table is a precomputed table of password hashes. Websites and apps use hashing to protect passwords: when you log in, your password is converted into a hash, a unique string of characters, and the server compares that hash with the one it has stored for your account. If they match, you’re authenticated.

An attacker launching a rainbow table attack needs such a table at their disposal; often these are bought on the dark web or stolen. During the attack, they use the table to look up stolen password hashes and recover the plaintext passwords.
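Why this works against some password stores and not others comes down to salting. The following added example (my own code, not from the original post) uses a plain hash-to-plaintext dictionary as a stand-in for a rainbow table (a real one compresses the same mapping into hash/reduce chains, but answers the same lookup question). It shows that an unsalted SHA-256 hash of a password from the word list is found instantly, while a salted, iterated PBKDF2 hash of the same password is not in any precomputed table. The word list is constructed from the post’s own examples, and PBKDF2 is my choice of slow hash for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed word list: the page's own weak-password examples.
WORDLIST = ["P@ssw0rd", "@dm1n00123", "admin 123", "Eleph@nt123", "El3ph@nt001"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash of the password, the same for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


# Precomputed table: hash -> plaintext. Built once, reused against every unsalted
# store, which is exactly what makes unsalted hashes cheap to reverse.
PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}


def lookup(digest: str):
    """Return the plaintext for a digest if it is in the precomputed table, else None."""
    return PRECOMPUTED.get(digest)


def make_salted_record(password: str, iterations: int = 600_000) -> tuple:
    """The hardened scheme: random per-user salt plus an iterated key derivation.
    Returns (salt_hex, iterations, derived_key_hex) as it would be stored."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (salt.hex(), iterations, dk.hex())


def verify(record: tuple, password: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stolen_unsalted = unsalted_hash("P@ssw0rd")
    print("unsalted lookup:", lookup(stolen_unsalted))          # found instantly
    record = make_salted_record("P@ssw0rd")
    print("salted lookup:  ", lookup(record[2]))                # None: not in any table
    print("login works:    ", verify(record, "P@ssw0rd"))
```

Because the salt is random per user, two users with the same password get different stored values, and a table precomputed before the breach is useless; the iteration count then caps how fast an attacker can test guesses even with the salt in hand.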

Let me give you time to digest this and then we will delve into motives and how to prevent brute force attacks.

Please do not hesitate to contact us for your Data Governance Solutions and Cybersecurity Service needs.

Tel: +254115867309 | +254740196519

Email: ckiwanuka@southendtech.co.ke; info@southendtech.co.ke; cybersecurity@southendtech.co.ke; dataprotection@southendtech.co.ke
