Cybercriminals begin to exploit the cloud for hacking

Published 14 December 2009

Cloud password cracker is a sign of things to come: cloud computing offers advantages of scale and cost, but its reliance on the Internet makes it vulnerable to hacking; “The cloud is going to offer the serious criminal huge computing resources on tap, which has lots of interesting applications,” says one security expert; “If nothing else, it should change a few threat models”

Want to check whether the password to your wireless network (or your neighbor’s) passes muster? For $34, you can do just that by using a password-cracking service that is primarily aimed at “penetration testers” — people who are paid by a company to test its network’s security.

Robert Lemos writes that the service, known as WPA Cracker, is one of the first hacking services to rely on cloud computing. WPA Cracker went live last Monday — it uses pay-as-you go cloud computing resources to search for an encrypted WiFi Protected Access (WPA) password from 135 million different possibilities, says creator and hacker Moxie Marlinspike. Normally the task would take a single computer about five days, but WPA Cracker uses a cluster of 400 virtual computers and high-performance computing techniques. It takes only twenty minutes, he says.

Security is moving into the cloud … so the attacks will follow security into the cloud as well,” says Marlinspike. “Password cracking is an obvious thing. Normally, it is cost-prohibitive to run CPU-intensive jobs. [With cloud computing] it costs a lot less money than doing it yourself.”

Lemos writes that at its core, cloud computing is about providing services or infrastructure through the Internet that can easily be ramped up to meet demand. Online giants, including Amazon, Google, and Microsoft, all have services that offer the ability to run an application in a large data center or to rent time on a cluster of virtual computers, allowing customers to tap into large amounts of computing power more efficiently.

Security experts say the performance and costs advantages of cloud computing are already luring cybercriminals. “We have seen attacks emanate from IP ranges associated with cloud-based computing services,” says Tom Cross, manager of advanced research at IBM’s X-Force security team. Cross would not elaborate on which services were involved, however.

Lemos notes that other real-world examples exist. In 2008 a spammer used Amazon’s Elastic Computing Cloud (EC2) service to blast out a massive campaign of porn-related junk e-mail. Last month, security firm Arbor Networks reported that a cloud application hosted on Google’s AppEngine platform appeared to be the command-and-control hub for a small botnet. Google removed the application for usage-policy violations and said that the malicious behavior was the result of a programming error, not criminal intent.

Even if the intent was not malicious, however, the example shows that poorly behaved applications can run in the cloud, says Danny MacPherson, chief security officer for Arbor. “As more people start using cloud infrastructure, I absolutely think we will see malicious uses as well,” says MacPherson. “I would encourage anyone using those infrastructures to not make security a chewing-gum, bolt-on-after-the-development sort of infrastructure.”

Lemos writes that in some ways, criminals have already started their own cloud services by compromising users’ computers and centrally controlling them. These botnets, as such networks are called, can be used for different tasks, such as sending spam, hosting malicious content, or sending a flood of data to overwhelm a target network. Some underground entrepreneurs even created an online market, dubbed Golden Cash, where criminals could buy or lease any number of compromised computers.

If a cloud service provider does not monitor its network sufficiently, a criminal could use the service to do the same thing. “When you are building a botnet, what you are trying to do is use a lot of computers for some purpose,” Cross says. “If you can get a hold of a credit card, you can purchase a whole slew of virtual computers from a cloud provider.”

Already, Amazon’s service has become a playground for security researchers. This past summer, security firm SensePost revealed a number of techniques for abusing cloud services. By misusing the account creation process, for example, the researchers easily avoided Amazon’s 20-computer limit per customer. SensePost’s security team also demonstrated ways that malicious developers could create virtual-machine templates that included rootkits or other malicious code. If another Amazon customer used the template, they could find themselves vulnerable to attack.

The cloud is going to offer the serious criminal huge computing resources on tap, which has lots of interesting applications,” says Haroon Meer, director of security research for SensePost. “If nothing else, it should change a few threat models.”