Password cracking in the cloud

Cloud computing gives bad guys a new tool

On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time but don't want to invest in fixed capital for the long term. For the same reasons, cloud computing can be very useful to hackers -- many hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive but highly parallelizable.

For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to "provision." But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card.

The balance of power between security controls and attack methods shifts quite dramatically if you assume the attacker has high-performance computing available at low cost. Take passwords, for example. The length and complexity of a password determine the effort required to mount a brute-force attack. Assume an attacker has obtained the "hashed" values from a password database, a database that can be compromised through a vulnerable Web server or authentication server. The hash, usually based on an algorithm such as the Secure Hash Algorithm, cannot be reversed, but it can be brute-forced by hashing every possible password value and comparing the results. This brute-force calculation happens far from the authentication server and therefore is not limited by a three-tries lockout mechanism.

It would take an eternity to try every possible combination of an eight-character password on a single-core CPU -- probably months, perhaps years, depending on the algorithm and password complexity. But the problem is highly parallelizable: the search space can be broken into as many "batches" as needed and farmed out to multiple CPUs to try in parallel. Using a botnet or an IaaS cloud, an attacker can now achieve in minutes or hours what would have taken years.

A German researcher demonstrated the technique using Amazon's Elastic Compute Cloud and its new cluster-computing service designed for CPU-intensive graphics. Graphics and password cracking are remarkably similar from an algorithmic perspective: matrix and vector math. The results are quite instructive: using just 49 minutes of a single cluster instance, the researcher was able to crack passwords up to six letters in length. The total cost of the experiment: $2.10 for one hour of computing (the minimum charge is one hour).

With the advent of cloud computing, as with any other technology, the bad guys have found a new tool. When we weigh risk against reward in the cost/benefit evaluation of a security control, we have to account for the significantly lower cost of computing for everyone -- attackers included. Passwords, wireless encryption keys, at-rest encryption and even old SSL algorithms must be reevaluated in this light. What you thought was "infeasible" may be well within the means of "average" hackers.
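The following Python is an added example, not code from the article or from the researcher's experiment. It puts numbers on the two points made above: that an offline brute-force search is limited only by keyspace divided by aggregate hash rate (so renting more workers shrinks the time linearly), and that the defender's lever when reevaluating a control is to make each guess cost more, here by storing passwords with PBKDF2-HMAC-SHA256 instead of a single unsalted SHA-256. The per-worker hash rate, the worker count and the iteration count are constructed assumptions for illustration, not measurements; the article's six-letter-in-49-minutes result is not reproduced here.

```python
import hashlib
import os
import secrets
from typing import Optional

# Assumed, constructed figures for the model below (not measured values):
ASSUMED_SHA256_RATE = 1e9       # raw SHA-256 guesses per second on one rented worker
ASSUMED_WORKERS = 100           # number of cloud instances the attacker rents
PBKDF2_ITERATIONS = 600_000     # iteration count chosen for the slow hash


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols drawn from a
    charset of `charset_size` symbols (e.g. 26 for lowercase letters)."""
    return charset_size ** length


def crack_time_seconds(charset_size: int, length: int, rate_per_worker: float,
                       workers: int = 1, iterations: int = 1) -> float:
    """Worst-case seconds to exhaust the keyspace.

    `workers` instances run in parallel, so the aggregate rate multiplies;
    a password hash costing `iterations` underlying hash computations per
    guess divides the aggregate rate by the same factor."""
    effective_rate = rate_per_worker * workers / iterations
    return keyspace(charset_size, length) / effective_rate


def hash_fast(password: str) -> str:
    """Unsalted single SHA-256, the kind of stored hash the cracking scenario
    in the article assumes. Kept here only as the weak baseline."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_slow(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. Each verification (and each attacker guess)
    costs `iterations` HMAC computations instead of one hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute PBKDF2 from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def policy_table(charset_size: int, lengths: range) -> dict:
    """For each password length, worst-case cracking time (seconds) under the
    assumed cloud attacker, for the fast hash and for the slow hash."""
    return {
        n: {
            "fast": crack_time_seconds(charset_size, n, ASSUMED_SHA256_RATE,
                                       ASSUMED_WORKERS),
            "slow": crack_time_seconds(charset_size, n, ASSUMED_SHA256_RATE,
                                       ASSUMED_WORKERS, PBKDF2_ITERATIONS),
        }
        for n in lengths
    }


if __name__ == "__main__":
    # Lowercase-only passwords, lengths 6 to 12, against the assumed attacker.
    for n, t in policy_table(26, range(6, 13)).items():
        print(f"len {n:2d}: fast hash {t['fast']:>12.1f} s   "
              f"slow hash {t['slow'] / 86400:>12.1f} days")
    stored = hash_slow("example-passphrase")
    print("verify ok:", verify_slow("example-passphrase", stored))
```

The table makes the article's point in both directions: renting 100 workers cuts the fast-hash time by 100, but a 600,000-iteration KDF multiplies it by 600,000, which is the same as forcing the attacker to rent 6,000 times more capacity. The keyspace figures are exact; the absolute times depend entirely on the assumed rates and should be replaced with measured ones before being used to set a policy.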
