Rawze.com: Rawze's ISX Technical Discussion and more

Forum News ...
I don't know if others are aware of it, but the internet has always been a very hostile place to host websites and forums. I have hosted websites, chat forums, voice chat forums, irc channels, and a whole lot more over the last many years.

Since there are so many people on this forum now, I thought it was about time to start a thread so that I can let others know what is going on with the forum itself whenever something interesting is happening.
Forum News for 08-18-2017 ...

Brute force attack rates are increasing ...

Ever since the forum's inception, it has been attacked on a daily basis by ip addresses reported to be mainly out of Ukraine, Russia, Africa, and China. This is actually pretty typical for all websites and forums these days and is not any kind of special news. These are attacks that include attempts to gain access to the admin pages/sections, random attacks to find out the integrity of the site itself, brute force login attempts with random names and passwords, and password guessing attempts for known members.

Sound a bit shocking? -- Well, actually it is not. I have hosted my own websites, chat channels or services, and internet forums of one various type or another since the 1980's. Back in the early days of the internet, I even hosted my share of hacker chat channels over on IRC that were pretty hard core. For all of this, I can safely say at this point that "I have been around the block more than a few times".

The bulk of attacks on websites in the past always seemed to stem from a form of "breaking and entering" sort of attack. The goal is usually to get into the computer system itself so that harm and damage or information collection can be done. Internet Trojans, Worms of all sorts, and other code-generated life forms trying to get through the front gate were always the most common.

Viruses or malicious users on computers with registered and non-registered logins that attempt to inject code into the database, or find some other kink in the armor, are also common. Even the occasional disgruntled person(s) who just don't like you or your site will attack to try and bog it down to a crawl to deny access to others (known as DDOS or denial of service attacks).

These days however ...

These days however, the story is slightly different. A lot of the old hard-core "breaking and entering" type of stuff and techniques are less and less common. It almost seems that those types of hard core attacks and methods are getting lost because many of those hard core old school types of "hackers" are fewer in number these days. Attacks like that still happen on occasion, but much less compared to what it used to be. Instead, the bulk of attacks are in the form of either really simple DDOS (denial of service) attacks, or outright brute force user-name and password guessing. This leads us to why I am writing this article today...

The password guessing is getting relentless ...

This is not unique to my forum, but it is spread everywhere across the Internet in large quantity here of late. I see many reports from websites and other forums alike where hundreds if not thousands of login attempts a day are used. I have been watching the patterns and trends of these attempts for more than a year now on my forum and see some clear intent. That intent is not so much for breaking into a site I don't think, but looks like it is more for information gathering in general.

Think about some person(s) who successfully guesses someone else's username and password combination using a password guessing program. They then get lucky on that same username a second time on some other forum or social media site that same person uses. Perhaps after months, a third correct hit, or perhaps more. -> After a while, they have a lot of data associated with that person and the passwords they use.

That data can then be sold for use by others, or simply used to find out what kinds of passwords someone might be using on maybe their bank account? -- Perhaps hold them hostage, demanding a "fee" in bitcoin for them to get back their data, accounts, etc.? - That seems to be very popular these days among those who would do such stuff.

These brute force attacks used to be very easy to stop. In the past, you simply tracked the ip address and the number of login attempts or other data and either locked them out of the system, or misled them and kept them guessing endlessly, giving them a false "login failed" screen no matter what they tried. I tend to like the false "login failed" screen myself. That way ..
A) they will never know how many tries it takes before my security software is on to them and thwarting their efforts in the background.

and...

B) it makes all their attempts equally ineffective, with no notice or change if they do accidentally happen to guess a good user and password, so that they will never know it. Quite clever if you ask me, and works well.

===

Recently though, it has become almost impossible to stop this type of user-pass guessing attack. The reason is that the ones doing the attacking have gotten smart... Very smart. They resort to only trying 3 times in a given amount of time, jumping ip and other information, erasing cookie data, and making themselves appear as if they were a completely different user on a completely different network, then going again. Because of this, it is no longer possible to distinguish the "attackers" from the people who are legitimately trying to log in...

screenshot of recent attempts and what it looks like ...
[attachment=3008]
* The greyed out areas are legitimate failed login attempts from legitimate users.

===

So how are websites dealing with this???

1) Some are using those "Captcha" images ...

2) Making users use only certified, verified Facebook or Google account information.

or...

3) Requiring 3 or even 4 step verifications sometimes.

or...

4) Forcing users to change passwords every so often so that it "resets" all the efforts of those trying to guess them.

or...

5) Forcing users to login with only their e-mail address, so that publicly seen user-names cannot be used for password guessing.

... and other methods. This makes for problems and/or downright inconvenience for the users though, and is very annoying. Personally though ...

* I HATE CAPTCHAS. They just suck!
[attachment=3010]


* I HATE HAVING TO CHANGE MY PASSWORD ALL THE TIME. It is hard enough to keep up with the one I am already using for any given site.

* I HATE HAVING TO GIVE OUT PERSONAL REAL INFORMATION THAT HAS TO BE VERIFIED ALL THE TIME. It is intrusive and wrong in my book.

* I HATE HAVING TO REMEMBER WHAT MY DOG ATE 5 YEARS AGO FOR BREAKFAST! Those 3 or 4 step verifications are downright impossible to remember.

* THE EMAIL LOGIN IS CUMBERSOME AND INCONVENIENT.

===

I don't know of many others who don't hate that stuff too. The e-mail thing is inconvenient and annoying in itself, but I can live with that one. Because of this, and because this relentless password guessing is a problem for all forums, including my own, it makes me wonder heavily if I should implement this for the users to help protect their information.

If users logged in with their e-mail address and pass instead of nickname, it would make it exponentially more difficult for any brute force login bots to guess someone's password, as the e-mail name would not match their publicly seen user-name or nickname. -- Kinda makes some sense, but the problem is that the forum users need to be aware of this if a change is to be made to help protect them...
[attachment=3009]

Currently it is set to "BOTH", so it is simply a matter of choosing "Email Only" on my end, but should I? -- That is the big question because it would affect every single user on my forum and how they log in.

For now, I am leaving things alone and am updating the security software that protects the website and forum, but at some point ... something has to be done to stop these bas#tards from being so persistent.

What do you guys think? -- Rawze
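One way to implement the attempt counting and uniform "login failed" response described in the post, extended to also count failures per account so that the "three tries, then jump to a new ip" pattern shows up across addresses. This is an added example, not code from Rawze or from the forum software; the LoginGuard class, the thresholds, the window length, the addresses and the account name are all constructed assumptions.

```python
"""Login-attempt tracker with a uniform "login failed" response.

Added example, not code from Rawze's forum or its forum software. It assumes
the login handler can pass each attempt's source address, target username,
whether the credentials actually matched, and a timestamp in seconds.
All names, thresholds and addresses below are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600       # sliding window in which failures are counted
MAX_FAILS_PER_IP = 5       # one address guessing repeatedly
MAX_FAILS_PER_USER = 10    # one account probed from many addresses (ip rotation)
FAILED = "Login failed"    # the single message every rejected attempt sees


class LoginGuard:
    def __init__(self, window=WINDOW_SECONDS, per_ip=MAX_FAILS_PER_IP,
                 per_user=MAX_FAILS_PER_USER):
        self.window = window
        self.per_ip = per_ip
        self.per_user = per_user
        # each deque holds (timestamp, ip) tuples, oldest first
        self.ip_fails = defaultdict(deque)
        self.user_fails = defaultdict(deque)

    def _prune(self, q, now):
        # drop entries that have aged out of the window
        while q and now - q[0][0] > self.window:
            q.popleft()

    def _flagged(self, ip, username, now):
        self._prune(self.ip_fails[ip], now)
        self._prune(self.user_fails[username], now)
        return (len(self.ip_fails[ip]) >= self.per_ip
                or len(self.user_fails[username]) >= self.per_user)

    def _record(self, ip, username, now):
        self.ip_fails[ip].append((now, ip))
        self.user_fails[username].append((now, ip))

    def attempt(self, ip, username, credentials_ok, now):
        """Return (granted, message).

        A flagged address or account always gets FAILED, even when the
        credentials are right, so a guesser never learns about a correct hit
        or about when the throttle kicked in (the "false login failed" screen).
        """
        if self._flagged(ip, username, now):
            self._record(ip, username, now)   # keep counting: the window extends
            return False, FAILED
        if credentials_ok:
            return True, "Welcome"
        self._record(ip, username, now)
        return False, FAILED

    def failed_sources(self, username, now):
        """Distinct addresses that failed against one account inside the window.
        Several addresses with a few tries each is the rotation pattern."""
        self._prune(self.user_fails[username], now)
        return sorted({ip for _, ip in self.user_fails[username]})


def run_scenario():
    """Constructed timeline: a noisy address, the real owner logging in, then
    the same account probed from rotating addresses, three tries each."""
    g = LoginGuard()
    user = "member42"            # constructed account name
    messages = []
    for t in range(5):           # 10.0.0.1 burns through its five tries
        messages.append(g.attempt("10.0.0.1", user, False, t)[1])
    # a correct guess from the now-flagged address still sees "Login failed"
    messages.append(g.attempt("10.0.0.1", user, True, 5)[1])
    # the account owner, from an unflagged address, gets in
    messages.append(g.attempt("192.0.2.7", user, True, 6)[1])
    t = 10
    for ip in ("10.0.0.2", "10.0.0.3"):   # rotation: three tries, then a new address
        for _ in range(3):
            messages.append(g.attempt(ip, user, False, t)[1])
            t += 1
    sources = g.failed_sources(user, now=t)
    # the account-level throttle now also blocks the owner until the window passes
    messages.append(g.attempt("192.0.2.7", user, True, 16)[1])
    messages.append(g.attempt("192.0.2.7", user, True, 700)[1])
    return messages, sources


if __name__ == "__main__":
    msgs, srcs = run_scenario()
    for i, m in enumerate(msgs):
        print(i, m)
    print("addresses probing member42:", srcs)
```

The per-address counter catches the old-style single-source guessing; the per-account counter is what surfaces the rotating-address pattern, since each new address starts with a clean per-address count. The trade-off the scenario makes visible is that an account-level throttle also shuts out the real owner while the window is open, which is why it is a time-limited cool-down rather than a permanent lock, and why the list of distinct failing addresses is best used for alerting and review rather than as the only control.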
Hi Rawze..
Honestly, to me email or username does not matter... as long as the forum is live and long lasting...
And still huge thanks to you that my truck is still rolling
I don't care. But I like not having to log in every time I want to check the forum. That would be a major pain.
(08-18-2017) Mrkentee Wrote: I don't care. But I like not having to log in every time I want to check the forum. That would be a major pain.

There is no need to change that. In fact it is more secure to stay logged in rather than have to put a password every time.
I am new to your great site.. whatever you think is the best way to keep this site up I am ok with. Thank you for all your hard work!!!!
Email works for me
Email works for me too.
I also stay logged in, and just open up other tabs for going to other websites and never do close this one.
(08-18-2017) Hammerhead Wrote: Email works for me too.
I also stay logged in, and just open up other tabs for going to other websites and never do close this one.

If you have cookies active, you should not be getting logged out between sessions.