Cyber Attacks

This document discusses brute force attacks and provides examples. It describes brute force attacks as attempting all possible combinations of letters, numbers, and symbols to crack a password. This is an inefficient method but will eventually succeed given enough time and computing power. The document provides a simple example of a brute force attack on an encrypted message. It also discusses ways to prevent brute force attacks such as requiring complex passwords and locking accounts after failed attempts. WordPress brute force reports from March 2017 show attacks increasing from Russia, Ukraine and other countries.

Uploaded by josephsubin

Brute force attack

A brute-force attack should never be our first choice when it comes to cracking a password.

It is an inefficient and extremely time-consuming technique, and it is considered a fall-back option to be used when all other methods have failed. In practice it is mainly used to crack passwords of 6 characters or fewer, which is why we are always advised to make our passwords 8 characters or more: every additional character multiplies the number of candidates the attacker has to try by the size of the character set, so the longer the password, the harder it is to crack by brute force. A brute-force attack is, however, exhaustive, which means that sooner or later the password will be found; nobody can predict when this will happen. Brute force is one of the simplest and most commonly used ways to crack passwords, but other approaches are also available.

In a brute-force attack, the attacker tries all possible combinations of lower-case and capital letters, numbers and special characters to break the password. This type of attack has a high probability of success, but it requires an enormous amount of time to process all the combinations. A brute-force attack is slow, and the attacker may need a system with high processing power to work through all those permutations and combinations faster.

One example of a brute force attack is a dictionary attack, which tries all the words in a dictionary (a word list). Other forms of brute force attack try commonly used passwords or systematic combinations of letters and numbers.

An attack of this nature is time- and resource-consuming, hence the name "brute force attack": success is usually based on computing power and the number of combinations tried rather than on an ingenious algorithm.
The following measures can be used to defend against brute force attacks:

• Requiring users to create complex passwords
• Limiting the number of times a user can unsuccessfully attempt to log in
• Temporarily locking out users who exceed the specified maximum number of failed login attempts

John the Ripper is one of the most powerful tools for mounting a brute-force attack against password hashes; Johnny is its graphical front-end. Both come bundled with the Kali Linux distribution. Note that John the Ripper works offline against captured password hashes, so the login rate-limiting and lockout measures above do not slow it down at all; against offline cracking only password length and complexity (and a deliberately slow hash function) help.

HISTORY OF THE NAME 'BRUTE-FORCE'

The name does not come from any product: "brute force" is the ordinary English phrase for raw, unsophisticated effort, and it describes an attack that wins by trying everything rather than by being clever. There is also a video game called Brute Force, a third-person shooter published by Microsoft for the Xbox in 2003, in which the player commands a squad of characters, each with their own strengths and abilities, that fights aliens and hostile armed forces on behalf of a confederation. Apart from the name, the game has nothing to do with the attack.

Simple example for Brute Force Attack

Let's assume we have an encryption algorithm which is the XOR of each n-bit sequence with a k-bit key. The key is repeated as often as necessary to cover the whole message.

The message "Steve" can be represented in binary using a (7-bit) ASCII conversion:

Character  Decimal  Binary
S          83       1010011
t          116      1110100
e          101      1100101
v          118      1110110
e          101      1100101

So the plaintext is:

P = 10100111110100110010111101101100101

Consider a 2-bit key, say K = 01. The key is repeated across the whole 35-bit stream (note that since 7 is odd, the key bits do not fall in the same positions in successive characters). The corresponding ciphertext is:

P = 10100111110100110010111101101100101 XOR
K = 01010101010101010101010101010101010
C = 11110010100001100111101000111001111

If this was converted back to ASCII, we would have:

Binary   Decimal  Character
1111001  121      y
0100001  33       !
1001111  79       O
0100011  35       #
1001111  79       O

If the attacker knew the ciphertext only, a brute force attack tries every one of the 2^2 = 4 possible keys and would reveal the following.

Try key K = 00 on the ciphertext C:

C = 11110010100001100111101000111001111 XOR
K = 00000000000000000000000000000000000
P = 11110010100001100111101000111001111

Converting to ASCII characters gives:

Binary   Decimal  Character
1111001  121      y
0100001  33       !
1001111  79       O
0100011  35       #
1001111  79       O

Try key K = 10:

C = 11110010100001100111101000111001111 XOR
K = 10101010101010101010101010101010101
P = 01011000001011001101000010010011010

Binary   Decimal  Character
0101100  44       ,
0001011  11       VT (control character)
0011010  26       SUB (control character)
0001001  9        TAB
0011010  26       SUB (control character)

Try key K = 11:

C = 11110010100001100111101000111001111 XOR
K = 11111111111111111111111111111111111
P = 00001101011110011000010111000110000

Binary   Decimal  Character
0000110  6        ACK (control character)
1011110  94       ^
0110000  48       0
1011100  92       \
0110000  48       0

So the results of the brute force attack are:

Key  Plaintext (binary)                    ASCII
00   11110010100001100111101000111001111  y!O#O
01   10100111110100110010111101101100101  Steve
10   01011000001011001101000010010011010  ,[VT][SUB][TAB][SUB]
11   00001101011110011000010111000110000  [ACK]^0\0

Of the four candidates only K = 01 yields readable text, so the attacker would conclude that the original plaintext was "Steve". With a k-bit key the attacker has exactly 2^k keys to try, which is why such a short key offers no protection at all.
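The same search, carried out in code. This is an added example and not part of the original document: it reproduces the page's setting (7-bit ASCII, a k-bit key repeated over the whole bit stream) and generalizes it to any key length and any ciphertext by trying all 2^k keys and ranking the candidate plaintexts with a simple plausibility score, which is how the attacker's "guess" of "Steve" is made mechanical. The scoring function and the constant names are assumptions for illustration.

```python
"""Brute-forcing the repeating-key XOR cipher from the "Steve" example.

Added example, not part of the original page. 7-bit ASCII characters, a
k-bit key repeated across the whole bit stream; every one of the 2**k keys
is tried and the candidates are ranked by a crude plausibility score.
"""
from itertools import product

ASCII_BITS = 7  # the page encodes each character as 7-bit ASCII


def to_bits(text: str) -> str:
    """'Steve' -> '10100111110100...' (7 bits per character)."""
    return "".join(format(ord(ch), f"0{ASCII_BITS}b") for ch in text)


def from_bits(bits: str) -> str:
    """Inverse of to_bits; the bit string length must be a multiple of 7."""
    return "".join(chr(int(bits[i:i + ASCII_BITS], 2))
                   for i in range(0, len(bits), ASCII_BITS))


def xor_with_key(bits: str, key: str) -> str:
    """XOR a bit string with `key` repeated over the whole stream.

    The key is repeated over the bit stream, not re-aligned per character,
    exactly as in the page's example (with 7-bit characters and a 2-bit key
    the key bits land in different positions in successive characters).
    """
    stream = (key * (len(bits) // len(key) + 1))[:len(bits)]
    return "".join("1" if a != b else "0" for a, b in zip(bits, stream))


def plausibility(text: str) -> int:
    """Crude English-likeness score (an assumption of this example):
    letters and spaces score 2, other printable characters 1,
    control characters -5."""
    score = 0
    for ch in text:
        if ch.isalpha() or ch == " ":
            score += 2
        elif ch.isprintable():
            score += 1
        else:
            score -= 5
    return score


def brute_force(cipher_bits: str, key_len: int):
    """Try every key of key_len bits.

    Returns a list of (key, plaintext, score) sorted best-first; the first
    entry is the attacker's guess.
    """
    candidates = []
    for key_tuple in product("01", repeat=key_len):
        key = "".join(key_tuple)
        plain = from_bits(xor_with_key(cipher_bits, key))
        candidates.append((key, plain, plausibility(plain)))
    candidates.sort(key=lambda c: c[2], reverse=True)
    return candidates


# The page's ciphertext: "Steve" encrypted under K = 01.
CIPHERTEXT = "11110010100001100111101000111001111"

if __name__ == "__main__":
    assert xor_with_key(to_bits("Steve"), "01") == CIPHERTEXT
    for key, plain, score in brute_force(CIPHERTEXT, 2):
        shown = "".join(ch if ch.isprintable() else f"[{ord(ch)}]" for ch in plain)
        print(f"key {key}: {shown!r:24} score {score}")
```

Running it lists the same four candidates as the tables above, with key 01 and "Steve" ranked first; calling `brute_force(..., 3)` or larger shows how the work grows as 2^k while the ranking logic stays the same.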

Brute Force Attack Prevention & Protection

Since no special logic is applied in a brute force attack beyond trying different combinations of the characters that could make up a password, prevention at a basic level is relatively easy.

Apart from using a fully updated operating system and security software, you should use a password that has the following characteristics:

1. At least one upper case letter
2. At least one digit
3. At least one special character
4. A minimum length of 8-10 characters
5. Other printable ASCII characters, if you wish

The longer a password is, the more time it will take to crack it by brute force. A password such as 'PA$$w0rd' is estimated to take more than 100 years to crack with currently available brute force tools. Please do not use that example password, however: it is very easy to break with smarter, dictionary-based tools that fall outside the realm of pure brute force, because it is a well-known word with predictable substitutions.

The freeware PassBox is a handy little tool that will remember all your passwords and even generate strong passwords for your accounts, or you could use a free online password generator to create strong passwords anonymously. Having done that, test your new password with Microsoft's Password Checker, which evaluates your password's strength as you type.

If you are running WordPress, there are also many WordPress security plugins that automatically block brute force attacks. Using a web application firewall such as Sucuri or Cloudflare is another option to consider. One way to block brute-force attacks is to lock out accounts after a defined number of failed password attempts; the Limit Logins WordPress plugin is good for stopping brute force attacks on your blog. Other measures include allowing logins only from selected IP addresses, changing the default login URL, and using CAPTCHAs to harden your WordPress blog's security.
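What the two lockout defences recommended earlier (limiting failed attempts, then locking the account temporarily) look like when implemented, as an added example that is not from the original page nor from any of the plugins or products it names. The thresholds, the injectable clock and the attempt sequence are assumptions made for illustration.

```python
"""Temporary lockout after repeated failed logins.

Added example, not from the page. A per-account throttle: more than
`max_failures` failed attempts inside `window` seconds locks the account
for `lockout` seconds. The clock is injectable so the behaviour can be
driven deterministically.
"""
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failed-login throttle with a temporary lockout.

    max_failures: failed attempts tolerated within `window` seconds.
    lockout:      seconds the account stays locked once the limit is hit.
    clock:        time source (injectable for testing).
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt and return 'locked', 'ok' or 'denied'.

        While locked, the password is not even evaluated, so an attacker
        cannot use the lockout window to confirm a correct guess.
        """
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()         # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


def simulate() -> list:
    """Constructed attempt sequence against the account 'alice':
    five wrong guesses one second apart, then the right password while the
    account is still locked, then the right password after the lockout."""
    now = [1_000.0]
    guard = LoginGuard(max_failures=5, window=300, lockout=900,
                       clock=lambda: now[0])
    results = []
    for _guess in ("123456", "password", "qwerty", "letmein", "admin"):
        results.append(guard.attempt("alice", password_ok=False))
        now[0] += 1
    results.append(guard.attempt("alice", password_ok=True))   # still locked
    now[0] += 900                                              # lockout over
    results.append(guard.attempt("alice", password_ok=True))
    return results


if __name__ == "__main__":
    print(simulate())
    # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

Two caveats a practitioner should keep in mind. A per-account lockout can be turned against the victim: anyone who knows a username can keep the account locked by sending bad passwords, so it is normally combined with per-source-IP rate limiting and a CAPTCHA, as the WordPress advice above suggests. And none of this slows an attacker who has obtained the password hashes and cracks them offline; there only password strength and a slow hash function help.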

Brute force WordPress Attack Report for March 2017

This report contains the top attacking IPs for the month of March and their details. It also includes charts of brute force attack activity for the period and the countries that generated the most attacks.

Brute force attacks are login guessing attacks. What we refer to as 'complex' attacks are attacks that were blocked by a rule in the Wordfence firewall.

The hostname included is the PTR record (reverse DNS record) that the IP address owner created for their IP, so this is not reliable data, but we include it for interest. For example, we have seen PTR records that claim the IP is a Tor exit node when, based on its traffic, it clearly is not.

The Top Attacking IPs

The top two attacking IPs are in Russia and Ukraine respectively. Both of them are launching only complex attacks on WordPress. Our top IP has doubled its attacks from 7 million to 15 million per month. The second-place IP went from 7 million to 12 million attacks per month.

The total number of complex attacks from the top 25 IPs went from 63 million in February to 85 million in March. The total number of brute force attacks from the top 25 IPs increased from 18 million in February to 32 million in March. This indicates an increase in how aggressively these top 25 IPs are attacking sites.

Brute Force Attacks on WordPress in March 2017

Attacks by Country for March 2017

The table below shows the top countries that attacks originated from in the month of March on the WordPress sites we monitor.
SS7 Attack

Signaling System 7 (SS7) is an architecture for performing out-of-band signaling in support of the call-establishment, billing, routing and information-exchange functions of the public switched telephone network (PSTN). It identifies the functions to be performed by a signaling-system network and the protocols that enable them.

What is signaling?

Signaling refers to the exchange of information between call components that is required to provide and maintain service.

As users of the PSTN, we exchange signaling with network elements all the time. Examples of signaling between a telephone user and the telephone network include dialing digits, providing dial tone, accessing a voice mailbox, sending a call-waiting tone, dialing *66 (to retry a busy number), and so on.

SS7 is the means by which elements of the telephone network exchange information among themselves. Information is conveyed in the form of messages. SS7 messages can convey information such as:

• I'm forwarding to you a call placed from 212-555-1234 to 718-555-5678. Look for it on trunk 067.
• Someone just dialed 800-555-1212. Where do I route the call?
• The called subscriber for the call on trunk 11 is busy. Release the call and play a busy tone.
• The route to XXX is congested. Please don't send any messages to XXX unless they are of priority 2 or higher.
• I'm taking trunk 143 out of service for maintenance.

SS7 is characterized by high-speed, packet-based, out-of-band signaling.

Examples of SS7 Attacks

• Theft of service, interception of calling card numbers, privacy concerns
• Introduction of harmful packets into the national and global SS7 networks
• Taking control of call processing and of accounting reports
• Obtaining credit card numbers, unlisted numbers, etc.
• Messages can be read, altered, injected or deleted
• Denial of service; replay of security triplets to compromise authentication
• Annoyance calls, free calls, disruption of emergency services
• Capture of gateways, rerouting of call traffic
• Disruption of service to large parts of the network
• Call processing exposed through the Signaling Control Protocol
• Announcement service exposed to IP through RTP
• Disclosure of bearer channel traffic

Important SS7 protocols

MTP (Message Transfer Part):
Levels 1-3 provide the lower-level functionality at the physical, data link and network levels. MTP nodes can act as signal transfer points (STPs), and MTP supports multiple congestion priorities, message discrimination, distribution and routing.

ISUP (ISDN User Part):
Network-side protocol for the signaling functions required to support voice, data, text and video services in ISDN. ISUP provides the call control function for setting up and tearing down analog or digital circuit-switched connections carrying voice or data traffic.

SCCP (Signalling Connection Control Part):
Supports higher protocol layers such as TCAP with an array of data transfer services, both connectionless and connection-oriented. SCCP supports global title translation (routing based on a directory number or application title rather than on point codes) and provides reliable data transfer independent of the underlying hardware.

TCAP (Transaction Capabilities Application Part):
Provides the signaling functions for communication with network databases. TCAP supports non-circuit-related, transaction-based information exchange between network entities.

MAP (Mobile Application Part):
Provides inter-system connectivity between wireless systems and was specifically developed as part of the GSM standard. It runs on top of TCAP.

INAP (Intelligent Network Application Part):
Runs on top of TCAP and provides high-level services by interacting with the SSP, SCP and SDP in an SS7 network.
SS7 network

The "walled garden" paradigm is outdated. Nearly all operators now admit that attackers have penetrated SS7 (Signaling System 7) networks by exploiting a whole range of signaling network vulnerabilities. The SS7 signaling system is often called the nervous system of a phone network. Before SS7, the commands for setting up subscriber connections were carried in-band, over the same channel as the speech; this approach was upgraded and replaced with the global signaling system (SS7) over 30 years ago. Today the SS7 standard determines the procedures and data exchange protocols across the network devices of telecom companies. SS7 serves as the base for the signaling infrastructure in local, national, international and wireless networks.

Femtocell attack vectors

Unaudited proprietary software from Alcatel
• Attack: a binary vulnerability audit yields 0-days
• Attack: vulnerable Linux 2.6 kernel
Global settings for IPsec tunnels
• Attack: border access
Lack of SS7 and SIGTRAN filtering
• Attack: injection of RANAP and SS7 into the core network

SS7 is not closed anymore

SS7 security solutions are industrializing:
• from one-off pentests to continuous scanning
• security services and products
Mindsets are changing: operators are more open to managing the SS7 security problem, but education is still needed.
Governments are putting pressure on telcos through National Critical Infrastructure Protection initiatives.

Simple example of an SS7 attack

SS7 has the following issues:

• Attackers can gain access to the SS7-based core network using other Internet protocols.
• Once inside the core network, they can exploit the routing layer to map the periphery of the network, scan for open ports and send hostile signaling messages.
• Since there is no authentication check or any other cryptographic protection within the network, the attackers can impersonate internal network nodes and query other nodes for subscriber information.
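The third point, and the "lack of SS7 and SIGTRAN filtering" vector listed under the femtocell section, in the form of a small simulation. This is an added example, not from the original document or from any vendor: an HLR-like node answers MAP requests identified only by the sender's origin point code (OPC) and calling global title (GT). The MAP operation names are real; the point codes, GT prefixes, subscriber record and the screening policy are assumptions made for illustration, and the screening is far simpler than a production signaling firewall.

```python
"""Why an unfiltered SS7 core answers anyone, and what interconnect
screening changes.

Added example, not from the page. Constructed simulation: an HLR-like node
receives MAP requests identified by origin point code (OPC) and calling
global title (GT). Operation names follow MAP; everything else (topology,
subscriber record, policy) is invented for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MapRequest:
    opc: int          # origin point code of the sending signaling node
    calling_gt: str   # E.164-style global title of the sender
    operation: str    # MAP operation name
    msisdn: str       # subscriber the request is about


# Assumed topology.
HOME_NETWORK_OPCS = {0x1001, 0x1002}            # our own MSC/VLR nodes
ROAMING_PARTNER_GT_PREFIXES = ("4915", "3367")  # GTs of known partners

# Operations that only make sense between nodes of the home network; coming
# from an interconnect they are subscriber location/identity probes.
HOME_ONLY_OPS = {"anyTimeInterrogation", "provideSubscriberInfo", "sendIdentification"}

# Constructed subscriber record (fake numbers).
SUBSCRIBERS = {
    "491701234567": {"imsi": "262011234567890", "serving_cell": "262-01-4711-2201"},
}


def hlr_unfiltered(req: MapRequest):
    """The situation the page describes: no authentication, so any node that
    can deliver a message to the HLR gets an answer."""
    record = SUBSCRIBERS.get(req.msisdn)
    if record is None:
        return ("unknownSubscriber", None)
    return ("ok", record)


def screen(req: MapRequest) -> Optional[str]:
    """Interconnect screening. Returns None if the request may pass,
    otherwise the reason for rejecting it."""
    if req.opc in HOME_NETWORK_OPCS:
        return None                                   # internal traffic
    if req.operation in HOME_ONLY_OPS:
        return "home-only operation from an external node"
    if not req.calling_gt.startswith(ROAMING_PARTNER_GT_PREFIXES):
        return "calling GT does not belong to a known roaming partner"
    return None


def hlr_filtered(req: MapRequest):
    """Same HLR behind the screening function."""
    reason = screen(req)
    if reason is not None:
        return ("rejected", reason)
    return hlr_unfiltered(req)


# Constructed requests: an attacker who bought access at a rogue carrier,
# and a genuine roaming partner registering a visiting subscriber.
ATTACKER = MapRequest(opc=0x2FAB, calling_gt="2125550100",
                      operation="anyTimeInterrogation", msisdn="491701234567")
PARTNER = MapRequest(opc=0x3001, calling_gt="33670001234",
                     operation="updateLocation", msisdn="491701234567")

if __name__ == "__main__":
    print("unfiltered:", hlr_unfiltered(ATTACKER))   # leaks the serving cell
    print("filtered:  ", hlr_filtered(ATTACKER))     # rejected
    print("partner:   ", hlr_filtered(PARTNER))      # ok
```

The caveat is the page's own point: neither the OPC nor the calling GT is authenticated, so screening by source is a heuristic rather than a proof of identity. An attacker who can inject a message with a partner's GT passes the second check, which is why operators additionally check the plausibility of what is asked (for example, whether the subscriber is actually roaming in the network that claims to be serving them) rather than relying on the sender's self-declared identity.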

What can I do to protect myself from snooping via SS7?

Given that the vulnerabilities, and the possibility of spying on users, lie in systems outside of user control, there is very little you can do to protect yourself beyond not using the services.

For text messages, avoiding SMS and instead using encrypted messaging services such as Apple's iMessage, Facebook's WhatsApp or the many others available will allow you to send and receive instant messages without going through the SMS network, protecting them from this kind of surveillance.

For calls, using a service that carries voice over data rather than through the voice call network will help prevent your calls from being snooped on. Messaging services including WhatsApp permit calls. Silent Circle's end-to-end encrypted Phone service and the open-source Signal app also allow secure voice communications.

Your location can be tracked at any time your mobile phone is on. The only way to avoid this is to turn off your phone, or to turn off its connection to the mobile phone network and rely on Wi-Fi instead.

Real-World SS7 Attack: Hackers Are Stealing Money from Bank Accounts

Security researchers have been warning for years about critical security holes in Signaling System 7 (SS7) that could allow hackers to listen in on private phone calls and read text messages on a potentially vast scale, despite the most advanced encryption used by cellular networks.

Cellular network operators, on the other hand, have consistently been ignoring this serious issue, saying that it is a very low risk for most people, as exploiting the SS7 flaws requires significant technical and financial investment.

But some unknown hackers have just proved them wrong by exploiting the design flaws in SS7 to drain victims' bank accounts, according to a report published by the German newspaper Süddeutsche Zeitung.

Germany's O2 Telefonica has confirmed that the same SS7 weaknesses have recently been exploited by cybercriminals to bypass the two-factor authentication (2FA) that banks use to prevent unauthorized withdrawals from customers' bank accounts.

The attackers first spammed out traditional bank-fraud Trojans to infect account holders' computers and steal the passwords used to log into their bank accounts, view account balances, and learn the account holders' mobile numbers.

What prevented the attackers from making money transfers was the one-time password (OTP) that the bank sent via text message to its online banking customers to authorize a transfer of funds between accounts.

To overcome this, the cyber crooks purchased access through a rogue telecom provider and set up a redirect for the victim's phone number to a handset they controlled. Specifically, they used SS7 to redirect the SMS messages containing the OTPs sent by the bank.

Next, the attackers logged into the victims' online bank accounts and transferred money out: as soon as the authorization codes were sent by the bank, they were routed to numbers controlled by the attackers instead of to the account holders, and the attackers finalized the transactions.

This attack once again sheds light on the insecurity by design and lack of privacy in the global telephone signaling protocol, making it clear that real-world SS7 attacks are possible. And since the SS7 network is used worldwide, the issue puts billions of users in danger.

The incident also underscores the risks of relying on SMS-based two-factor authentication.

Although the network operators are unable to patch the hole anytime soon, there is little smartphone users can do beyond this: avoid SMS-delivered OTP codes as a second factor wherever you have the choice, and instead rely on cryptographic security keys (an authenticator app likewise does not depend on the phone network) as the second authentication factor.
CopyCat Malware Attack

CopyCat is a sophisticated form of mobile malware that has infected more than 14 million Android devices, according to some sources. The fully developed malware was discovered and named CopyCat by Check Point mobile threat researchers, the name referring to the malware taking credit (and generating revenue) for Android app installations it didn't create.

CopyCat roots (gains access to key subsystems of the Android operating system on) more than half of the devices it infects, which helped the hackers behind it generate more than $1.5 million in revenue from fake ads over the first two months of CopyCat's release into the wild.

How CopyCat Does Its Damage and Makes Money

In addition to rooting Android devices, CopyCat establishes persistence, meaning the malware can remain on the device essentially forever unless a patch is installed for the device. CopyCat is also able to inject code into Zygote, the daemon from which all apps are launched in the Android operating system, which enables CopyCat to monitor and control any activity on the device.

These capabilities have made it possible for CopyCat to generate revenue by fraudulently installing apps using a bogus referrer ID that awards credit for the install to the CopyCat operators. CopyCat can additionally display fraudulent ads to users to generate further revenue.

How CopyCat Infects Android Devices

In terms of how it gets onto Android devices in the first place, CopyCat can infect a device when a user downloads an infected app from a third-party app store (as opposed to the official Google Play store) or when the user clicks on a link in a phishing email.

Once a device is infected, CopyCat successfully roots over 54% of them. It exploits numerous security vulnerabilities in older versions of the Android operating system (Android 5 "Lollipop" and earlier) that haven't been updated with the most recent security patches.

As a result, newer Android devices running Android Marshmallow (6.0) and later, as well as older devices updated with the latest security patches, are protected from CopyCat's rooting exploits.

The malware spread through five exploits that hit devices running Android 5.0 and earlier, all of which had been discovered and patched more than two years earlier. Android users on older, unpatched devices are still vulnerable to the attack if they download apps from third-party markets.

How does the malware operate?

Once installed, the malware lies in wait until the device is restarted, so that no connection is made between the installation of the app and the malicious activity. After the restart, CopyCat downloads an "upgrade" pack from an S3 bucket (Amazon's web storage service). This pack contains six common exploits with which the malware attempts to root the device. If successful, CopyCat installs another component into the device's system directory, an action that requires root permissions, and thereby establishes persistence, making it difficult to remove.

CopyCat then injects code into the Zygote process, from which all Android apps are launched. Since every app in Android is a process forked from Zygote, injecting code directly into it allows the malware to infiltrate the activity of all running apps. CopyCat is the first adware discovered using this technique, which was first introduced by the Triada financial malware.

After compromising Zygote, CopyCat injects into the system_server process, which hosts all the core Android services, such as the Phone Manager and Package Manager, including the Activity Manager. CopyCat then registers for several events on the system server. The malware uses two tactics to steal ad revenue: displaying fraudulent ads, and stealing the referrer IDs of apps installed from Google Play.

CopyCat Malware Attack, July 2017

CopyCat, the mobile malware that infected more than 14 million devices around the world, made millions of dollars by taking advantage of outdated devices with fake apps. It earned the hackers behind the campaign approximately $1.5 million in fake ad revenue in just two months. In addition, a new Android malware variant, dubbed ExpensiveWall, which registered mobile-device users for paid services without their permission, was discovered in the Google Play Store. The malware had infiltrated the Google Play app store and infected at least 50 apps. The infected apps were downloaded between 1 million and 4.2 million times before Google removed them.

The majority of victims were in India, Pakistan, Bangladesh, Indonesia and Myanmar. More than 381,000 devices in Canada were infected with CopyCat.

While the majority of CopyCat's victims are in Asia, more than 280,000 Android devices in the US have been hit by the attack. Therefore, no matter where you are, it's important to think about how to protect your Android device from this attack. To do that, follow these tips:

- Always use legitimate app stores. Many victims of CopyCat were infected by downloading apps from third-party stores unaffiliated with Google Play. Users should only download applications from official stores, such as Google Play or the Apple App Store, to ensure they don't become part of larger malware schemes like CopyCat.
- Keep your software updated. Even if you avoid third-party app stores, remember that CopyCat can still spread through phishing scams. Keep all software up to date, since updates typically include protection against emerging malware strains such as CopyCat; the exploits CopyCat uses were all fixed by patches issued long before the campaign.
- Use a mobile security solution. As malware and adware campaigns continue to target mobile applications, make sure your mobile devices are prepared for any threat coming their way by covering them with a mobile security solution, such as McAfee Mobile Security.
