A so-called “brute-force” cyber attack has just hit the headlines courtesy of its high-profile target, the UK House of Parliament. The unprecedented attack reportedly lasted for more than 12 hours and sought to break into e-mail accounts used by the more than 9,000 network users on the Parliamentary estate.
The attack appears to have been only partially successful, in that less than 1% of the user accounts were successfully hacked. However, this still means that almost 100 e-mail accounts have been hacked, some of which may have been MPs, including Government Ministers.
The data that has been hacked could include sensitive private correspondence with constituents, politically sensitive conversations or even information which might subject a victim to blackmail threats. The attack is thought to be the work of a state sponsored actor, likely Russia or North Korea, both of which have previous form for politically motivated hacks.
A spokesman for Parliament has blamed the breach on the use of weak passwords by Parliamentarians who did not adhere to the guidance issued by the Parliamentary Digital Service.
So what is a “brute-force” attack and how can it be prevented?
Brute-force attacks are aimed at password breaking and work by calculating every possible combination that could make up a password and testing it to see if it is correct. The attacker systematically checks all possible passwords, using hacking software that can generate millions of possible combinations in turn.
The longer or more complex a password is, the longer it will take for a brute-force attack to succeed and such an attack is only likely to be successful for shorter, weaker passwords. So in the Parliament attack, 12 hours of sustained attack still only managed to hack into less than 1% of accounts. Of course, 1% of compromised accounts is still enough to be a major problem.
A derivation of the brute-force attack is the so-called “dictionary” attack. This is aimed at longer passwords and is based on the knowledge that most passwords start off with an actual dictionary word, which is then added to by means of numbers or symbols. Using dictionary words as the starting point for the hacking attempt cuts down considerably on the time it is likely to take to crack the code, if a real word has been used.
Dictionary attacks are also very effective in cracking passphrases style passwords. This is where a series of words are used to lengthen the password, and so make it more difficult to crack in a brute-force attack.
If you are feeling a bit confused by now that is not surprising. But here is some good advice from the National Cyber Security Centre on helping users to generate appropriate passwords:
- Put technical defences in place so that simpler passwords can be used.
- Steer users away from predictable passwords – and ban the most common.
- Encourage users to never re-use passwords between work and home.
- Train staff to help them avoid creating passwords that are easy to guess.
- Be aware of the limitations of password strength meters.
The NCSC has also produced this very helpful infographic on password security.