{"id":2910,"date":"2016-09-28T15:22:12","date_gmt":"2016-09-28T21:22:12","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2910"},"modified":"2016-09-28T15:22:12","modified_gmt":"2016-09-28T21:22:12","slug":"sucuri-doesnt-have-a-clue-what-brute-forcing-actually-refers-to","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/28\/sucuri-doesnt-have-a-clue-what-brute-forcing-actually-refers-to\/","title":{"rendered":"Sucuri Doesn&#8217;t Have A Clue What Brute Forcing Actually Refers To"},"content":{"rendered":"<p>One of the problems we see when it comes to people making better choices on web security is that it is easy for security companies that don&#8217;t have a clue what they are talking about to\u00a0present themselves as having expertise they don&#8217;t have. For example, they can throw around technical terms that they clearly don&#8217;t understand, but that the public understandably doesn&#8217;t understand either, and it makes them sound like they actually know about security, when they don&#8217;t.<\/p>\n<p>One example we keep seeing involves the term brute force attack, which refers to trying all possible password combinations in an attempt to log in to an account. It isn&#8217;t some obscure or exotic term; it has a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Brute-force_attack\">Wikipedia page<\/a>, but that doesn&#8217;t stop people from using it when actually referring to other types of password attacks.<\/p>\n<p>Oftentimes dictionary attacks, which involve trying to log in with a\u00a0set of common passwords (things like &#8220;password&#8221;), are incorrectly identified as having been brute force attacks. The distinction isn&#8217;t just semantics; how you protect against those types of attacks is very different, so anybody dealing with web security that involves either of those absolutely should know the difference. 
And again the term has a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dictionary_attack\">Wikipedia page<\/a>, so it wouldn&#8217;t be hard to know what it is.<\/p>\n<p>That brings us to the security company, Sucuri, which we have seen being quite a bad security company in many ways over the years. That clearly hasn&#8217;t changed. In a recent <a href=\"https:\/\/blog.sucuri.net\/2016\/09\/ssh-brute-force-compromises-leading-to-ddos.html\">post<\/a>\u00a0they describe how they did an experiment that was supposed to test how long it would take for successful brute force attacks of SSH logins:<\/p>\n<blockquote><p>A few weeks ago we ran an experiment to see how long it would take for some <strong>IPv4-only <\/strong>and <strong>IPv6-only servers<\/strong> to be compromised via SSH brute force attacks.<\/p><\/blockquote>\n<p>As they explain in the second paragraph of the post, their experiment involved them setting the password to &#8220;password&#8221;:<\/p>\n<blockquote><p>We configured <strong>five cloud servers<\/strong> on Linode and Digital Ocean with the root password set to \u201cpassword.\u201d\u00a0 The idea was to see how long it would take before the servers were hacked.<\/p><\/blockquote>\n<p>To anyone who actually knows what brute force attacks and dictionary attacks are, it&#8217;s obvious that they don&#8217;t actually know what they are talking about since that would be a password to test for dictionary attacks, not brute force attacks, but the public is unlikely to, especially as\u00a0security companies keep referring to dictionary attacks as having been brute force attacks.<\/p>\n<p>If you are interested in actual security, Sucuri&#8217;s\u00a0lack of basic security knowledge would be a good reason to look elsewhere.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the problems we see when it comes to people making better choices on web security is that it is easy for security companies that don&#8217;t have a clue what they are talking about 
to\u00a0present themselves as having expertise they don&#8217;t have. For example, they can throw around technical terms that they clearly don&#8217;t understand, &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/28\/sucuri-doesnt-have-a-clue-what-brute-forcing-actually-refers-to\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Sucuri Doesn&#8217;t Have A Clue What Brute Forcing Actually Refers To&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[89,68],"class_list":["post-2910","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-brute-force-attack","tag-sucuri"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2910","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2910"}],"version-history":[{"count":6,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2910\/revisions"}],"predecessor-version":[{"id":2916,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2910\/revisions\/2916"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2910"}],"curies":[{"n
ame":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}