Today there are more ways for attackers to share passwords than ever before. Years ago, webmasters only needed to be concerned with password sites. Today, there are old fashioned password sites with links, Yahoo! Groups for sharing passwords, password message boards, sites with sophisticated ActiveX controls to circumvent your protection, and many other methods for password distribution. In today's web environment you need the protection of the Strongbox security systemtm to keep people from stealing your bandwidth by using these passwords. In some cases the Strongbox security systemtm has been able to save webmasters 6 GB per day in bandwidth used by password traders. The average site that doesn't use proper security software like the Strongbox security systemtm seems to be losing about 1 GB per day this way. By eliminating this theft of service, the Strongbox security systemtm will pay for itself the first month you use it.
Brute force describes an attack in which many
thousands of possible username/password combinations
are attempted very quickly. This type of attack will
often compromise a site protected with basic username /
password pairs. This is particularly true because hackers
use lists that include very predictable user names such
as admin with thousands of likely passwords.
To prevent a brute force attack from succeeding, the
traditional advice has been to choose long, difficult to guess
(and difficult to remember) user names and passwords such
as 8x!O;9&)>Mej9gC<. Even if all your
subscribers did use such passwords, preventing a compromised
password is not enough. Looking over server
logs, we've seen that failed attacks are fairly common.
Because the attack may or may not compromise any passwords,
the site owner often is none the wiser. But you may notice
a drop in sales or more customer complaints as your
server is significantly overloaded during the course of
an attack. One popular adult web host advised us that
failed brute force attacks regularly
bring servers to their knees. For that reason,
you need to prevent a brute force attack, along with it's effects
on your server, from ever occurring. If it does occur,
you need to keep the attacker from using up all of your
server resources in the process. the Strongbox security systemtm provides both
technology to discourage anyone from even attempting such
an attack and a defense against the crippling overload
if they attack anyway. To be precise, Strongbox uses a
52 bit session ID. If an attacker were to send your
server 100 requests per second, they could expect to correctly
guess one the Strongbox security systemtm session ID after 1,425,000 years of trying.
The Strongbox security systemtm also allows you to link between sites securely. That is, you can have links in the members section of one domain that can securely bring your members to the members section of another domain, which may be on a different server. You guys with AVS sites know how much of a problem referrer spoofing has become, so it's no longer wise to have that kind of setup with just a referrer check.
The Strongbox security systemtm is also designed to allow easy integration of a script to protect against "slurping", or bulk downloading of your whole site. While there have always been software programs that would allow a user with even a short term trial membership to download your whole site, this functionality is now built in to major browsers such as IE. In the worst case, after the thief downloads your whole site with the click of a button they will change the referral links and upload the copy to their own server, effectively stealing your business. I can't imagine the uproar there would be if this happened in the offline world - somebody breaking into a store, stealing all of the merchandise, the display racks, signs, etc. and using it all to open an identical store across the street. Yet, many webmasters allow this to happen to them and don't do anything to prevent it. With the Strongbox security systemtm, you can choose from several techniques for detecting the slurping and then ask the Strongbox security systemtm to kick that user out. If they want to look at the rest of your content next month, they'll have to keep their membership current, rather than having a copy on their hard drive.
This module provides reports of the most active users over any chosen time period, the most active usernames, etc. You can look up any username to see the exact times, dates, and IPs when they logged in to your site. You can also see what the Strongbox security systemtm determined about the attempted logins. If a username or IP range is suspended or disabled you'll be able to see exactly why. This is also helpful with users who claim to have never used your site and ask for a refund. More than once the Strongbox security systemtm webmaster has had a hearty laugh as they emailed a user a complete record of the 22 times the person "used" the site over the last 5 weeks. The users generally apologize and comment on how much they really do like the site. This module also shows any errors that may have occurred, to help in resolving customer complaints. You can see some of what it provides in the screenshots.
Each day, our bettercgi.com spider analyzes all known password sites, retrieving tens of thousands of compromised passwords. As a subscriber to our proactive spider service, your system will be notified immediately when one of your passwords is posted on a password site. The Strongbox security systemtm will then disable that password even before anyone is able to use it to access your site. Just as when anything else of note occurs, our system will also email you to let you know which username was found posted on which password sites. This optional service is only $5 per month.