On-demand cloud computing is a valuable tool for companies needing temporary computing capacity without long-term investment in fixed capital. However, this same convenience makes cloud computing useful to hackers.
Many hacking activities involve cracking passwords or keys, or other forms of brute force attack. These processes are computationally intensive but highly parallelizable.
Hackers have two main sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from service providers. Both can deliver computing power on demand for brute force attacks. Botnets are unreliable and heterogeneous, and they take longer to "provision." However, they are free to use and can scale to enormous sizes, with some botnets comprising hundreds of thousands of PCs. Commercial cloud computing, on the other hand, offers faster provisioning and predictable performance, and it can be billed to a stolen credit card.
The balance of power between security controls and attack methods shifts dramatically when attackers have access to high-performance computing at low costs. Consider passwords: the length and complexity determine the effort required for a brute force attack.
If an attacker obtains a "hashed" password database, for example by compromising a vulnerable web or authentication server, they can perform a brute force attack on it. Although the hash, often based on the Secure Hash Algorithm (SHA), cannot be reversed, it can be brute-forced by trying all possible values until one produces a matching hash. This process occurs far from the authentication server, bypassing any three-tries-lockout mechanism.
Cracking every possible combination of an eight-character password on a single-core CPU would take months or even years, depending on the algorithm and password complexity. However, this problem is highly parallelizable. The search space can be divided into multiple "batches" and processed in parallel by many CPUs. Using a botnet or IaaS cloud, an attacker can accomplish in minutes or hours what would otherwise take years.
A German researcher demonstrated this technique using Amazon's Elastic Compute Cloud and its cluster computing service designed for CPU-intensive graphics. The researcher cracked passwords up to six letters long in just 49 minutes, at a cost of only $2.10 for one hour of computing.
As with any technology, cloud computing has given malicious actors new tools. When assessing the balance of risk and reward in security controls, we must consider the significantly lower cost of computing available to everyone, including attackers.
Passwords, wireless encryption keys, at-rest encryption, and even old SSL algorithms must be reevaluated in this context. What was once considered "infeasible" might now be within reach of "average" hackers.
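To put numbers on that reevaluation, the following added example (not part of the original article) derives a guess rate from the six-letter, 49-minute, $2.10 data point above and extrapolates worst-case exhaustion time and rental cost to longer passwords and more nodes. The 26-letter alphabet, the single rented node, the even split into one batch per node, per-started-hour billing and all function names are assumptions of the example.

```python
import math

def keyspace(charset: int, max_len: int) -> int:
    """Candidates of length 1..max_len over an alphabet of `charset` symbols."""
    return sum(charset ** n for n in range(1, max_len + 1))

def implied_rate(charset: int, max_len: int, seconds: float) -> float:
    """Guesses per second implied by exhausting that keyspace in `seconds`."""
    return keyspace(charset, max_len) / seconds

def exhaust(charset, max_len, rate_per_node, nodes, usd_per_node_hour):
    """Worst-case (hours, cost): the keyspace is split evenly into one batch
    per node, and every started node-hour is billed."""
    batch = math.ceil(keyspace(charset, max_len) / nodes)
    hours = batch / rate_per_node / 3600
    return hours, math.ceil(hours) * nodes * usd_per_node_hour

def min_length(charset, rate_per_node, nodes, target_hours):
    """Shortest maximum length whose full search takes at least target_hours."""
    n = 1
    while exhaust(charset, n, rate_per_node, nodes, 0.0)[0] < target_hours:
        n += 1
    return n

# From the article: six letters, 49 minutes, $2.10 for one hour.
# ASSUMPTIONS (not from the article): 26-letter alphabet, one rented node.
CHARSET, PRICE = 26, 2.10
RATE = implied_rate(CHARSET, 6, 49 * 60)

def report():
    """(length, nodes, hours, cost) rows for a few policy/attacker sizes."""
    rows = []
    for length in (6, 8, 10):
        for nodes in (1, 100):
            hours, cost = exhaust(CHARSET, length, RATE, nodes, PRICE)
            rows.append((length, nodes, hours, cost))
    return rows

if __name__ == "__main__":
    for length, nodes, hours, cost in report():
        print(f"len<={length:2d} nodes={nodes:3d} {hours:12.1f} h  ${cost:,.2f}")
    print("min length to resist 1000 nodes for 10 years:",
          min_length(CHARSET, RATE, 1000, 10 * 365 * 24))
```

Replacing `CHARSET` and `RATE` with the alphabet your policy allows and a guess rate measured for your own hash scheme turns the table into a check of that policy against a given attacker budget.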