Paid Advertising
web application security lab

Cloud Cracking

id sent me a link today about how PGP zip file password cracking on Amazon EC2 could work. I’ve actually seen presentations about cloud password cracking in the past, so it wasn’t new to me, per se, but this is a great writeup on the nitty gritty details. But it occurred to me that finding a command injection vulnerability on EC2 gives an attacker a whole new shiny toy to play with.

By utilizing their command injection within the cloud, the attacker can boost their cracking abilities to unprecedented levels. When id and I started talking about it, he said, “Or you could just use a botnet.” True, but that said, this could even put companies out of business from an economic perspective, as they are forced into much higher utilization than they may have expected. However, id’s right, and yes, botnets are another viable solution to cloud cracking. Botnets are the hacker’s version of the cloud.

2 Responses to “Cloud Cracking”

  1. thrill Says:

    Back in the day, 1995ish or there abouts.. I used to ‘borrow’ cpu time from various entities to help me crack passwords.. if I had the cpu time Seti has.. umm.. yeah.. that’d be fun. :)

    But I’m sure these cloud computing companies have spent ‘countless’ hours making sure their code cannot be subverted. A huh.


  2. Michael Argast Says:

    You’ve got the right money quote - ‘Botnets are the hacker’s version of the cloud’. More specifically, botnets sell and rent dramatically cheaper (or, the hackers build their own) than similar cloud based services.

    We’ve been seeing botnets for rent for at least 4 years now - pre-dating the hype adoption of these cloud based services by quite a bit. In many ways, the criminals are the innovators and the commercial organizations are playing catch-up…

    Michael Argast, Security Analyst, Sophos