Cloud computing security: Experts talk about the path of password cracking in the cloud

On-demand cloud computing is a fantastic tool for companies that need some computing capacity in the short term but don't want to invest long term in fixed assets. For the same reason, cloud computing is also useful for hackers-many hacking activities involve passwords, key cracking, and other forms of brute force, all of which require expensive and highly parallel computations.

For hackers, there are two main sources of computational resources on demand: The Zombie network of consumer PCs and the infrastructure of services provided by service providers (IaaS). Each of these forms can provide the required computational capacity for brute force computing. The reliability of botnets is poor, and the use of special-shaped devices, the "provision of services" required longer. But they are completely free and can be scaled to a very large scale; some researchers have found that some botnets are even made up of hundreds of thousands of PCs. Cloud computing as a commodity provides services faster, can be predictable, and can be billed with stolen credit cards.

If you truly understand how much high-performance computing the attackers are currently able to achieve at a very low cost, you will find that the balance of power between security controls and attack methods is quietly changing dramatically. Take the password as an example. The length and complexity of the password determine the energy needed to break it violently. It is possible for an attacker to gain access to the "chaos" value in the password database, which may be compromised by a Web server or authentication server that is vulnerable. Chaotic numbers are usually based on algorithms such as cryptographic chaos, and are irreversible, but can be violently cracked by trying all possible password values. This type of violence is carried out in places away from the authentication server and is therefore not subject to locking mechanisms after three attempts.

If a single core CPU is used, it takes a long time to crack a 8-character password. Depending on the complexity of the algorithm and password, it may take months or years. But this problem can be solved in a highly parallel way: The search space can be split into many "batches" as needed and handed over to multiple CPUs to be processed in parallel. When using botnets or IaaS, an attacker can calculate the results of a few years in the past in a matter of minutes or hours.

A German researcher demonstrated this by using Amazon's elastic computing cloud and a new cluster computing service designed specifically for CPU-intensive graphics computing. From the point of view of algorithm, the calculation of graphics and password cracking is very similar: matrix and vector mathematical calculation. The result was illuminating: using a single cluster instance, the researcher cracked a maximum of 6-letter passwords in 49 minutes. Total cost of the trial: 2.10 USD per hour (minimum hourly charge).

As cloud computing prevails, cloud computing, like any other technology, is found by bad people and becomes their new tool. In considering the balance of risks and benefits, we must conduct cost/benefit evaluations of security controls, taking into account that the cost of computing for all has been significantly reduced, including, of course, attackers. In this case, we have to evaluate passwords, wireless keys, static encryption, and even old-fashioned SSL algorithms. You think the "not-so-good" problem may have become a very common thing for "ordinary" hackers.