Want to check if the password to your wireless network (or your neighbor’s) passes muster? For $34, you can do just that by using a password-cracking service that’s primarily aimed at “penetration testers”–people who are paid by a company to test its network’s security.
The service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live on Monday–it uses pay-as-you go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only 20 minutes, he says.
“Security is moving into the cloud … so the attacks will follow security into the cloud as well,” says Marlinspike. “Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.”
At its core, cloud computing is about providing services or infrastructure through the Internet that can easily be ramped up to meet demand. Online giants, including Amazon, Google, and Microsoft, all have services that offer the ability to run an application in a large data center or to rent time on a cluster of virtual computers, allowing customers to tap into large amounts of computing power more efficiently.
Security experts say the performance and costs advantages of cloud computing are already luring cybercriminals.
“We have seen attacks emanate from IP ranges associated with cloud-based computing services,” says Tom Cross, manager of advanced research at IBM’s X-Force security team. Cross would not elaborate on which services were involved, however.
Yet other real-world examples exist. In 2008, a spammer used Amazon’s Elastic Computing Cloud (EC2) service to blast out a massive campaign of porn-related junk e-mail. And last month, security firm Arbor Networks reported that a cloud application hosted on Google’s AppEngine platform appeared to be the command-and-control hub for a small botnet. However, Google removed the application for usage-policy violations and said that the malicious behavior was the result of a programming error, not criminal intent.
Even if the intent was not malicious, however, the example shows that poorly behaved applications can run in the cloud, says Danny MacPherson, chief security officer for Arbor.