Dictionary Attack

Dictionary Attack

Of course, one Administrator can build the best protections to avoid intrusion on your system, but if your users use always the same predictable passwords there’s no way out.


 

According to a Keeper Security study, here is a list of the most common passwords ever produced consciously by users:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • password
  • 123123
  • 987654321
  • qwertyuiop
  • mynoob
  • 123321
  • 666666
  • 7777777
  • 1q2w3e4r
  • 654321
  • 555555
  • google
  • 1q2w3e4r5t
  • 123qwe
  • zxcvbnm
  • 1q2w3e

But there’s more. If a user uses a “single word” included in any languages’ vocabulary, his password can be easily detected using the Dictionary attack.

It could be implemented thanks to a script that progressively tries all the words of all languages’ vocabulary. An approximate number of all words known in the world is 5,000,000 considering Chinese and Italian languages. But the list of most common words is lighter: it consists in a dictionary of 60-100,000 words.

How much time does a script take to test all of them to penetrate your system? Minutes.

 

It’s an easy but effective technique.
In order to protect your system against this kind of attack you should force users to have at least a number, a special character or an uppercase letter in their password.
A preventive test could be done here: Password Checker.

Thanks to a user of ours: Emma Roberts, we would like to suggest a Free Password Generator Tool:  VPNMentor’s Secure Password Generatorplease find which fits you best!

Contact us

Feel free to contact us for commercial or technical questions

SugarCRM 7 is Now


SugarCRM 7 is Now





NEWS: the SugarCRM7 version of CRM Defender is available now!

For On Demand environment also!

Secure your SugarCRM 7 system:

  • Find a great Protection against brute force attacks.
  • Track users’ logins and protect your data.
  • Detect and Defend your CRM system from threats coming from hostil IPs.

Contact us

Feel free to contact us for commercial or technical questions

Brute Force Attack


Brute-force Attack





What is actually a Brute-force Attack, and how can i protect my CRM system against it?

A Brute-force attack is the most simple way to try to access in a system without being authorized; but it’s effective. With this technique, an attacker has the mathematical certainty to find a way to go inside.

Definition

A Brute-force attack satisfies the following characteristics:

  • guess every possible password;
  • time to break the system depends on the length and complexity of the password choosen;
  • usually ine system could be considered safe if it forces users to adopt  long and complicated passwords.

How it works

A Brute-force attack consists of an enormous continued repetition of attempts to find the right combination of user names and passwords.
It’s usually conducted by bots, automatic programs that replicates human enterings.

Like in every battle, there are some factors that could help the attacker while others help the defender; let’s focus on the first ones in order to strengthen the protections:

Admin user

If the Crm Administrator uses “admin” as its username, half of the attacker’s job is already done, because it has only to try all the combinations of passwords with any length and any carachter.

CRM URL

If your CRM system location is predictable, like:

  • crm.yourcompanyname.com
  • www.yourcompanyname.com/crm

then the attacker knows where to intervene and how to set its automatic bots.

In case the attacker is an old workmate or a former employee, the CRM URL is obviously known. It’s “overkill” to change URL:  think of the disorder that would be caused to the colleagues that should save the new link in their browsers or Apps.

But don’t worry; there are easier solutions.

Protection in Passwords

One classical way to protect your system is to oblige your employees to use a strong password. You can easily set the password requirements in the Password Management panel in the admin page: https://support.sugarcrm.com/Documentation/Sugar_Versions/6.5/Ent/Administration_Guide/Password_Management/index.html

Please note that some of the settings showed in the previsious link are related to SugarCrm paid versions. You can always achieve that with custom development.

Think different

Instead of wasting precious energy, fighting against potential threats and trusting the procedures to ensure that employees adopt strong passwords and\or renew them often, you can introduce an automatic barrier that bans any potential intruder as soon as you exceed the maximum number of allowed attempts.

With a solution like CRM Defender there will be no way to hijack your system, because the Web Server itself, duly instructed by CRM Defender, will block intruders.

Contact us

Feel free to contact us for commercial or technical questions

CRM Defender available on SugarOutfitters


CRM Defender available on SugarOutfitters



CRM Defender is now available on SugarOutfitters marketplace :

SugarOutfitters

Get in touch there to get a free trial and experiment the package as you wish.

Feel free to open there a Support Case or contact us via the following form. We are here to help you to feel confident and secure about your SugarCRM and SuiteCRM system.

You can also contact us if you want any help testing your system against a brute-force attack, because we can simulate it for you.

Contact us

Feel free to contact us for commercial or technical questions

Data Protection


Data Protection



In an increasingly connected world, where competitiveness is the dominant value, Data protection plays a crucial role. First of all it’s a must to keep a way to have back your data in case of emergency.

One of the key challenge for a Small Medium Business is to keep its own data as much safe as possible. And reducing the amount to invest in defense.

For a startup business the first target to reach is to survive but after reaching this out, it’s important to start thinking about the potential losses caused by a breach in the system.

Contact us

Feel free to contact us for commercial or technical questions

CRM Security

CRM Security

Your CRM Data are vital for your business. To protect them is an obvious priority. No mather if your CRM runs on Premise or on a Cloud service: if someone tries to force your passwords, and you don’t take any countermeasure, soon or later, your CRM Data will at the mercy of the attacker.
But if you act properly there’s nothing to worry about.

The first thing in order to achieve that is to enforce users to use strong passwords or to generate them using autocreation tools.
You can also ask to your IT manager to ban some IP addresses from where suspicious attempts come. This require that you or your workmate keep an eye on potentially fraudulent login attempts tracking such behavior on your Server or on your Local Net proxy.
If you are on a hosted environment, you can use a tool like cPanel > IP Address Deny Manager:

This obviously requires that you are aware of which is the IP of the attacker, or its IP range. So it could take time to prevent further intrusions. Best choice is always to automate this flow; this will let your system protected even if the “IT Manager is on holydays”.

Another difficult task you can experience, if your system is accessed from a large set of IPs, potentially from different country, is to check for failed login attempts.  To do so, one would need to check directly on the CRM log. But there is another problem: SugarCRM itself doesn’t allow you to know from where a suspicious attempt came.

I.e. a failed attempt on “admin” user would add on sugarcrm.log two rows like:

Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] SECURITY: User authentication for admin failed
Fri Mar 3 19:00:00 2017 [35403][-none-][FATAL] FAILED LOGIN:attempts[1] - admin

that is simply ineffective.

Contact us

Feel free to contact us for commercial or technical questions

Copyright All Rights Reserved 2018 CRM Defender - Lion Solution Srls