Password cracking in the cloud

Cloud computing gives bad guys a new tool

On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time but don't want to invest in fixed capital for the long term. For the same reasons, cloud computing can be very useful to hackers -- a lot of hacking activity involves cracking passwords, keys or other forms of brute force that are computationally expensive but highly parallelizable.

For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to "provision." But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card.

The balance of power between security controls and attack methods shifts quite dramatically if you assume the attacker has high-performance computing available at low cost. Take passwords, for example. The length and complexity of a password determine the effort required to mount a brute-force attack. Assume an attacker has obtained the hashed values from a password database, for instance one exposed through a vulnerable Web server or authentication server. The hash, usually based on an algorithm such as the Secure Hash Algorithm (SHA), cannot be reversed, but it can be brute-forced by hashing every possible password and comparing the results against the stolen values. This brute-force calculation happens offline, far from the authentication server, and therefore is not limited by a three-tries lockout mechanism.

It would take an eternity to try every possible combination of an eight-character password on a single-core CPU -- probably months, perhaps years, depending on the algorithm and password complexity. But the problem is highly parallelizable: the search space can be broken into as many "batches" as needed and farmed out to multiple CPUs, each trying its batch independently. Using a botnet or IaaS cloud, an attacker can now achieve in minutes or hours what would have taken years.

A German researcher demonstrated the technique using Amazon's Elastic Compute Cloud and its new cluster-computing service, which is designed for CPU-intensive graphics. Graphics and password cracking are remarkably similar from an algorithmic perspective: matrix and vector math. The results are quite instructive: using just 49 minutes of a single cluster instance, the researcher was able to crack passwords up to six letters in length. The total cost of the experiment: $2.10 for one hour of computing (the minimum charge is one hour).
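The arithmetic behind the argument above, as an added example (not code from the article or from the researcher's experiment): it sizes a password search space, splits it into independent per-instance batches, and estimates wall-clock time and rental cost, including the effect of a slow key-derivation function that forces many hash computations per guess. The per-instance hash rate is an assumption; only the $2.10 hourly price and the one-hour minimum charge come from the article.

```python
import math

# Constructed parameters for illustration. The hash rate is an assumption,
# not a measurement; the price and per-started-hour billing follow the article.
PRICE_PER_INSTANCE_HOUR = 2.10
ASSUMED_HASHES_PER_SEC = 1_000_000_000  # assumed rate for a fast unsalted hash


def search_space(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate passwords with lengths min_len..max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def batch_ranges(total: int, workers: int) -> list[tuple[int, int]]:
    """Split candidate indices [0, total) into contiguous per-worker ranges.
    Each range is independent, which is why the work parallelizes so well."""
    base, rem = divmod(total, workers)
    ranges, start = [], 0
    for i in range(workers):
        size = base + (1 if i < rem else 0)
        ranges.append((start, start + size))
        start += size
    return ranges


def seconds_to_exhaust(space: int, rate: float, workers: int, iterations: int = 1) -> float:
    """Wall-clock seconds to try every candidate across `workers` instances.
    A KDF with N iterations costs N hash computations per guess."""
    return space * iterations / (rate * workers)


def cloud_cost(space: int, rate: float, workers: int, iterations: int = 1) -> float:
    """Rental bill when every instance is charged per started hour."""
    hours = seconds_to_exhaust(space, rate, workers, iterations) / 3600
    return math.ceil(hours) * workers * PRICE_PER_INSTANCE_HOUR


if __name__ == "__main__":
    cases = [  # (label, alphabet size, max length, instances, KDF iterations)
        ("6 lowercase, fast hash, 1 instance", 26, 6, 1, 1),
        ("8 printable ASCII, fast hash, 1 instance", 95, 8, 1, 1),
        ("8 printable ASCII, fast hash, 1000 instances", 95, 8, 1000, 1),
        ("8 printable ASCII, 100k-iteration KDF, 1000 instances", 95, 8, 1000, 100_000),
    ]
    for label, alpha, length, workers, iters in cases:
        space = search_space(alpha, length)
        days = seconds_to_exhaust(space, ASSUMED_HASHES_PER_SEC, workers, iters) / 86400
        cost = cloud_cost(space, ASSUMED_HASHES_PER_SEC, workers, iters)
        print(f"{label}: {space:.2e} candidates, {days:.3g} days, ${cost:,.2f}")
```

Renting more instances shortens the wall-clock time but not the total bill, whereas a slow KDF multiplies both, which is the lever a defender controls.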

With the advent of cloud computing, as with any other technology, the bad guys have also found a new tool. When we weigh the risk and reward, the cost/benefit, of a security control, we have to factor in the significantly lower cost of computing for everyone -- attackers included. Passwords, wireless encryption keys, at-rest encryption and even old SSL algorithms must be reevaluated in this light. What you thought was "infeasible" may be well within the means of "average" hackers.
