The Criminal Cloud
Criminals are using cloud computing to share information and to superpower their hacking techniques.
The cloud opens a world of possibilities for criminal computing. Unlike the zombie computers and malware that have been the mainstay of computer crime for the past decade, cloud computing makes available a well-managed, reliable, scalable global infrastructure that is, unfortunately, almost as well suited to illicit computing needs as it is to legitimate business.
The mass of information stored in the cloud—including, most likely, your credit card and Social Security numbers—makes it an attractive target for data thieves. Not only is more data centralized, but for the security experts and law enforcement agencies trying to make the cloud safe, the very nature of the cloud makes it difficult to catch wrongdoers. Imagine a virtual Grand Central Station, where it’s easy to mix in with the crowd or catch a ride to a far-away jurisdiction beyond the law’s reach.
Most of all, the cloud puts immense computing power at the disposal of nearly anyone, criminals included. Cloud criminals have access to easy-to-use encryption technology and anonymous communication channels that make it less likely their activities will be intelligible to or intercepted by authorities. On those occasions that criminals are pursued, the ability to rapidly order up and shut down computing resources in the cloud greatly decreases the chances that there will be any clues left for forensic analysis.
Widely Available to Criminals
One of the most straightforward options criminals are employing is simply to register for an account (with an assumed name, of course) and “legitimately” procure services for illegal purposes. Criminals are using Gmail or the text-sharing site Pastebin to plan crimes and share stolen information with near impunity. Just navigate to Pastebin.com and type “Visa” into the search field for a vivid demonstration of how stolen credit card numbers are bought and sold in the cloud. Although such uses are prohibited by most company’s terms-of-service agreements, policing the cloud is expensive and, frankly, not very rewarding.
Criminals with greater computing needs are using stolen credit cards to purchase access to computers and storage in the cloud. One emerging use of cloud computing is password cracking. To break into encrypted files, attackers run programs that repeatedly try different passwords until the right one is found. Many of today’s security protocols were designed at a time when would-be password crackers might have access to only a few computers. Back then, security experts considered safe any security scheme capable of withstanding 30 years of brute-force guesswork. These days, computers are dozens of times faster, and thanks to services such as Amazon’s Elastic Computing Cloud (EC2), an attacker can rent time on hundreds of them at once. The result: an encryption password that used to take 30 years to break can now be cracked in a few days.
This isn’t idle speculation. The attackers who broke into Sony’s PlayStation game network last April reportedly used Amazon’s EC2 to crack some of the encryption keys, giving them access to tens of thousands of people’s credit card information. Hackers had been discussing how to use Amazon’s cloud computing service for password cracking since 2009. But things got really interesting last year, when Amazon added GPU-based supercomputing capability to its cloud offerings. German computer security specialist Thomas Roth calculated that he can use Amazon’s machines to crack the sort of encryption key used to protect most Wi-Fi networks in six minutes.
The cost, according to Roth, would be just $1.68.
One company trying to deny criminal access to its cloud-based servers is Terremark Worldwide, a subsidiary of Verizon. According to Christopher Day, its senior vice president for secure information services, the company has developed a system capable of flagging accounts that look as if they are being created by criminals. Speaking in August at a computer forensics conference in New Orleans, Day explained that criminals tend to order virtual machines that have the maximum amount of memory, processor speed, and disk storage. Terremark’s computers now automatically mark attempts to order such systems for further investigation by Terramerk’s security team, he said.
Even so, the cloud can make it difficult for authorities or companies to track digital crime. One reason is the rise of so-called virtualization technology, which assembles virtual servers from numerous real computers. That is, the computer a user rents from Terremark might actually be spread across a dozen or more physical disk drives scattered throughout the company’s data center. When the virtual machine is shut down, the storage allocated to the virtual disks is rapidly reused by other virtual machines, so the criminal information is overwritten by data from legitimate customers. Although incident response and law enforcement officials can recover forensically useful data from a running virtual machine, it is nearly impossible to recover such data after the machine has been “de-provisioned.” In a real sense, the machine no longer exists. And neither does the evidence.
Criminals may pull a disappearing act in yet another way. Many cloud vendors offer “geographical diversity”—the ability to create virtual machines that are located in different physical locations. Criminals can use this feature to achieve a kind of jurisdictional arbitrage—for instance, attacking the United States from Asia or vice versa. Such across-the-border attacks could put political and technical obstacles in the way of authorities seeking to trace an attack back to its source.
Another weakness exploited by criminals stems from the Web-based applications, or software-as-a-service offerings, provided by many cloud companies. With millions of users commingling on thousands or tens of thousands of machines, a criminal can easily mix in among legitimate users. Even more complicated for authorities and victims, these attacks emanate from within cloud programs we use and trust.
For example, researchers at the security firm F-Secure reported that they had detected several phishing sites hosted within Google Docs, the cloud-based office productivity software. What made the attacks possible is a feature within Google’s spreadsheet system that lets users create Web-based forms, with titles such as “Webmail Account Upgrade” and “Report a Bug.” These forms, located on a Google server, were authenticated with Google’s encryption certificate and asked for sensitive information like the user’s full name, username, Google password, and so on, according to the researchers. “These are nasty attacks, as the phishing pages are hosted on the real google.com, complete with a valid [security] certificate,” wrote F-Secure’s researchers.
Risk of Mass Attacks
We all share the cloud infrastructure, and that means hacking attacks could cause widespread damage affecting hundreds of companies and millions of users. We already know of some cases of “collateral damage” in the cloud. In 2009, Twitter was shut down for several hours after a single Eastern European blogger became the target of hackers. The unknown assailants used a “denial of service” attack, in which a site is blocked by aiming an overwhelming amount of Web traffic at it. Similarly, last March a similar attack originating in China disrupted the websites of the 18 million publishers whose pages are hosted by WordPress.com, including the popular blog TechCrunch.
Some experts fear that hackers will figure out some way to infect the very fabric of a cloud’s infrastructure. Many cloud systems have been designed assuming that attackers would come from the outside, and that no malicious users would be present in the software used to manage the cloud infrastructure. Terremark’s Day, for instance, said his company discovered that tools it had purchased to move virtual machines from one physical computer to another did so using an unencrypted file transfer protocol. In layman’s terms, this means that a user’s virtual machine could theoretically get infected with malware simply by moving from Server A to Server B. Day would not say if the vulnerability was merely theoretical or had been used by attackers, but he did say that Terremark modified the software once it discovered the vulnerability.
These examples may merely scratch the surface. To paraphrase the bank robber Willie Sutton, the cloud is increasingly where the data is. That means it will be the target of attacks by those seeking to steal identities and other information. Ironically, the cloud itself may provide the computing power needed to carry out these nefarious plans. For the criminal enterprise, like the legitimate one, the promise of the cloud is unlimited computing for a low, low price.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today