Word Notes 4.20.21
Ep 46 | 4.20.21

brute-force attack (noun)

Transcript

Rick Howard: The word is: brute-force attack.

Rick Howard: Spelled: brute as in crude, force as in to compel, and attack as in to set upon in a hostile way.

Rick Howard: Definition: A cryptographic hack that relies on guessing all possible letter combinations of a targeted password until the correct code word is discovered. 

Rick Howard: Example sentence: Several brute-force password cracking applications exist that make it easier for the hackers who don't want to write their own and go by the colorful names of Aircrack-ng, John the Ripper, L0phtCrack, and RainbowCrack.

Rick Howard: Origin and context: According to Dr. Fernando Corbató, he invented the idea of passwords in the 1960s to stop MIT students and teachers who shared the same mainframe and file system from needlessly nosing around in everybody's files and to limit their computer time. They imposed a four-hour limit.

By the late 1970s, it became clear that the computer systems he designed the passwords to protect could be used to discover the secret phrases. 

The famous team of Diffie and Hellman, these are the same guys that invented the method of securely exchanging cryptographic keys over a public channel called the Diffie-Hellman key exchange, the same model that drives all internet commerce today, these guys wrote a paper anticipating brute-force attacks.

They said that the computer power would rise and the cost of computing would go down so much that it would be possible to brute-force guess the keys created by the Data Encryption Standard or DES. Today brute-force attacks are also known as an exhaustive search and brute-force cracking and there are several methods that can be used. 

  • Dictionary attacks: The attacker builds a dictionary of possible words like password1234 and admin. Then they automate a cracking program using each password in turn for the system they are trying to break into. 
  • Credential stuffing: Hackers use userID and passwords stolen from other compromised sites to break into new systems because many users reuse passwords across different accounts. 
  • Hybrid brute-force attacks: A dictionary attack that makes educated guesses on word variations, like taking the original password1234 and trying the opposite 1234password. 
  • Reverse brute-force attacks: Instead of a dictionary of potential passwords, the hacker creates a dictionary of potential usernames and then runs a list of generic and common passwords against them. 
  • Rainbow table attacks: Modern operating systems typically don't store clear text versions of user passwords. Instead, the OS stores a standard cryptographic hash of the password. Hackers will create a word dictionary, or rainbow table, add the hash versions to the table and then use the hash versions to try to log in.

Rick Howard: Nerd reference: In the classic Cybersecurity Canon Hall of Fame book, "The Cuckoo's Egg: Tracking a Spy Through the Maze of Cup of East German mercenary hackers, working for the Russians, targeting the Unix computer systems at the Lawrence Berkeley Lab in California.

They used a rainbow table attack that, at the time, had never been seen before. Since the hackers were working out of Europe and didn't have local access to the targeted systems, they legitimately logged into the Berkeley Lab through other means and copied the Berkeley password file to their local machines in Europe. 

Since the password file didn't store the clear text phrases, the East German hackers only had the hashed versions of the passwords available. But since all Unix systems at the time used the same one-way hash function to transform passwords, the hackers used that function locally to transform every word in a dictionary, and then compared the dictionary hashes to the downloaded password hashes looking for a match. If they got one, they used the account to legitimately log in.