Harnessing the Cloud for Hacking

Cloud password cracker is a sign of things to come.

Want to check if the password to your wireless network (or your neighbor’s) passes muster? For $34, you can do just that by using a password-cracking service that’s primarily aimed at “penetration testers”–people who are paid by a company to test its network’s security.

The service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live on Monday–it uses pay-as-you-go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only 20 minutes, he says.

This story is part of our July/August 2009 Issue

“Security is moving into the cloud … so the attacks will follow security into the cloud as well,” says Marlinspike. “Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.”

At its core, cloud computing is about providing services or infrastructure through the Internet that can easily be ramped up to meet demand. Online giants, including Amazon, Google, and Microsoft, all have services that offer the ability to run an application in a large data center or to rent time on a cluster of virtual computers, allowing customers to tap into large amounts of computing power more efficiently.

Security experts say the performance and cost advantages of cloud computing are already luring cybercriminals.

“We have seen attacks emanate from IP ranges associated with cloud-based computing services,” says Tom Cross, manager of advanced research at IBM’s X-Force security team. Cross would not elaborate on which services were involved, however.

Yet other real-world examples exist. In 2008, a spammer used Amazon’s Elastic Computing Cloud (EC2) service to blast out a massive campaign of porn-related junk e-mail. And last month, security firm Arbor Networks reported that a cloud application hosted on Google’s AppEngine platform appeared to be the command-and-control hub for a small botnet. However, Google removed the application for usage-policy violations and said that the malicious behavior was the result of a programming error, not criminal intent.

Even if the intent was not malicious, however, the example shows that poorly behaved applications can run in the cloud, says Danny MacPherson, chief security officer for Arbor.

“As more people start using cloud infrastructure, I absolutely think we will see malicious uses as well,” says MacPherson. “I would encourage anyone using those infrastructures to not make security a chewing-gum, bolt-on-after-the-development sort of infrastructure.”

In some ways, criminals have already started their own cloud services by compromising users’ computers and centrally controlling them. These botnets, as such networks are called, can be used for different tasks, such as sending spam, hosting malicious content, or sending a flood of data to overwhelm a target network. Some underground entrepreneurs even created an online market, dubbed Golden Cash, where criminals could buy or lease any number of compromised computers.

If a cloud service provider does not monitor its network sufficiently, a criminal could use the service to do the same thing.

“When you are building a botnet, what you are trying to do is use a lot of computers for some purpose,” Cross says. “If you can get a hold of a credit card, you can purchase a whole slew of virtual computers from a cloud provider.”

Already, Amazon’s service has become a playground for security researchers. This past summer, security firm SensePost revealed a number of techniques for abusing cloud services. By misusing the account creation process, for example, the researchers easily avoided Amazon’s 20-computer limit per customer. SensePost’s security team also demonstrated ways that malicious developers could create virtual-machine templates that included rootkits or other malicious code. If another Amazon customer used the template, they could find themselves vulnerable to attack.

“The cloud is going to offer the serious criminal huge computing resources on tap, which has lots of interesting applications,” says Haroon Meer, director of security research for SensePost. “If nothing else, it should change a few threat models.”
