by Joseph Neathawk
Security Programming & Development Specialist
Fanning Communications, Inc.
Brute force attacks aimed at hacking into a website simply cannot be prevented. If your website has a login page, it is only a matter of time before a programmed bit of malware or some human hacker finds your page and attempts to break in. Given enough time, most brute force attacks will succeed, although, in the case of highly secured sites, it may take years. From a security perspective, that is the goal: to force hackers to spend so much time making failed attempts that by the time they would have succeeded, your website has already been updated and they have to either quit or start their attack again from the very beginning.
While strong passwords will help delay break-ins, clients often ask whether that is all that can be done to protect their websites. In fact, if your website is being hosted by Fanning Communications, other things can be and are being done, often behind the scenes, that assist in keeping bad guys out of your website. Fanning Communications is one of the few website development and hosting firms that maintains an active and ongoing security program dedicated to protecting the websites we host. As part of this security effort, we often instantly blacklist the IP address of a computer we find attempting to hack one of our clients’ sites. This works well if a hacker is using a single IP or a small number of static (specifically assigned) IPs. Unfortunately, however, the vast majority of brute force hacks employ a wide array of dynamic (shared) IP addresses. Typically, these types of attacks make a single attempt before swapping to a new IP. Because dynamic IP addresses are shared by many users of the Internet, blacklisting one means that innocent users later assigned that blacklisted address may not be able to connect to websites they wish to visit.
To get around the problem associated with blacklisting dynamic IPs, one option often used is the Completely Automated Public Turing test to tell Computers and Humans Apart, or “CAPTCHA”. We’ve all seen the distorted letters and numbers that we are required to copy at websites in order to prove that we are human. While this process is somewhat annoying, it is, to a great extent, effective at preventing blackhat programs from posing as humans in order to fool computers. Today, however, we find the same programming tools that are used for facial recognition being employed by hackers to recognize these distorted pass-phrases.
Bots (programmed malware) used for hacking are pretty predictable. This fact is one of the things we try to exploit for our own protection. For example, we now might place some extra input fields on our clients’ login pages. These extra fields are completely invisible to human users, and to website visitors nothing appears changed in the slightest. But a hack-bot does recognize these fields, and they add an extra layer of complexity to the bot’s entry when it is attempting to hack into a site.
Another technique operates from the understanding that hack-bots are programmed to fill in every field they encounter at a website. So creating a field that is intentionally meant to remain blank stymies the hack-bot, which lands there and simply doesn’t know what to do. Because most human users will not see the field in the first place, only the hack-bot gets caught in the trap. Any users who do see the field will also see the instructions to leave the field blank.
Using these invisible field traps, we force the hack-bot to try to prove that it is human, and leave our actual human users unhindered. The biggest advantage to setting such traps is that even if a hacker uses brute force methods to successfully guess a user’s password, it doesn’t matter. If the hack-bot falls into one of the two traps we set, it still will not be permitted to log in to the website. What makes this advantage so significant is that it assists in addressing a major vulnerability existing with the majority of websites – weak passwords. No matter how safely we build our websites, they will always remain vulnerable from users who choose weak passwords or use the same password at multiple sites. By embedding traps within the architecture and employing other stealthy techniques that we have to keep secret, we are able to bring greater protection to our clients’ websites and protect sensitive information stored on client servers.
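To illustrate the two field traps described above, here is an added example (not Fanning Communications’ code) of a login form with CSS-hidden trap fields and a server-side check that refuses the login, and records a strike against the source IP, whenever a trap field is filled, even if the password was guessed correctly. The field names, the CSS class, the placeholder user store and the sample submissions are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Trap fields. To a bot that fills every input they look ordinary; humans never see them.
HONEYPOT_FIELDS = ("website", "fax")

def render_login_form() -> str:
    """Render the form. Traps are hidden with CSS rather than type=hidden, because
    bots commonly skip type=hidden but fill anything that looks like a text input.
    The label tells anyone who does see the field (e.g. a screen reader) to leave it blank."""
    traps = "".join(
        f'<div class="hp-field" aria-hidden="true">'
        f'<label for="{n}">Leave this field blank</label>'
        f'<input type="text" id="{n}" name="{n}" tabindex="-1" autocomplete="off"></div>'
        for n in HONEYPOT_FIELDS)
    return ('<style>.hp-field{position:absolute;left:-9999px}</style>'
            '<form method="post" action="/login">'
            '<input type="text" name="username"><input type="password" name="password">'
            f'{traps}<button type="submit">Log in</button></form>')

@dataclass
class LoginDecision:
    allowed: bool
    reason: str

def check_login(form: dict, ip: str, strikes: dict, verify_password) -> LoginDecision:
    """Evaluate a submitted form. The trap check runs before the credential check, so a
    bot that guessed the right password is still refused and its IP collects a strike
    that a blacklisting process can act on."""
    for name in HONEYPOT_FIELDS:
        if form.get(name, "").strip():
            strikes[ip] = strikes.get(ip, 0) + 1
            return LoginDecision(False, f"honeypot '{name}' filled")
    if verify_password(form.get("username", ""), form.get("password", "")):
        return LoginDecision(True, "credentials accepted")
    strikes[ip] = strikes.get(ip, 0) + 1
    return LoginDecision(False, "bad credentials")

def demo():
    """Constructed sample: a bot that knows the password but fills the traps, and a human."""
    users = {"alice": "correct horse"}  # placeholder user store, not a real credential check
    verify = lambda u, p: users.get(u) == p
    strikes = {}
    bot = {"username": "alice", "password": "correct horse",
           "website": "http://spam.example", "fax": "1"}
    human = {"username": "alice", "password": "correct horse", "website": "", "fax": ""}
    return (check_login(bot, "203.0.113.5", strikes, verify),
            check_login(human, "198.51.100.7", strikes, verify), strikes)
```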
There is no such thing as a hack-proof website, but by staying actively involved in the cybersecurity community and working closely with agencies combating cybercrime, we work hard to bring the best security possible to our clients and the customers they serve through their websites.
We are Fanning Communications, and this is what we do.