Cloud404 :: Cloud Computing, Risk Management, Security, Compliance


Cracking in the Cloud


Looks like password cracking is moving to the cloud. Here it's cracking WPA wireless encryption from a simple packet capture: the attacker only needs about $17 and the ability to intercept some network packets. Not difficult.

A cloud-based password "auditing" service clearly makes sense (of course, only for auditors and testers), since modern password cracking depends on the attacker having (a) access to hashes, encrypted values, or handshake data, (b) knowledge of the algorithm, (c) enough CPU to do something with it, and, if needed, (d) large enough datastores to use precomputed (rainbow) tables.

quote:

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400-CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.
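To make the arithmetic behind the quoted figures (and the four prerequisites listed above) concrete, here is an added example; it is not code from this post or from the WPA Cracker service. It derives a WPA-PSK Pairwise Master Key the way every Wi-Fi supplicant does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, per IEEE 802.11i), which shows why each guess is expensive and why a precomputed table only helps for one SSID. It then takes the wordlist size, run times and price from the quote and, assuming cost and time scale linearly with the number of guesses (an assumption about the service, not a stated fact), estimates what exhausting a random-passphrase policy would cost on the same cluster. The example is meant for sizing your own passphrase policy, not for running against networks you don't own.

```python
import hashlib

# WPA-PSK derives the 256-bit Pairwise Master Key (PMK) from the passphrase
# with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the network's SSID
# (IEEE 802.11i). Every guess, by attacker or auditor, pays this cost, and
# because the SSID is the salt a precomputed table is only useful against
# networks with that exact name.
def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


# Figures quoted in the post for the WPA Cracker service.
DICTIONARY_WORDS = 135_000_000
PC_SECONDS = 5 * 24 * 3600      # "over 5 days" on a dual-core PC
CLUSTER_SECONDS = 20 * 60       # "an average of 20 minutes" on 400 CPUs
CLUSTER_PRICE_USD = 17.0


def guesses_per_second(words: int, seconds: float) -> float:
    """Effective PBKDF2 throughput implied by a wordlist size and run time."""
    return words / seconds


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of a given length over an alphabet."""
    return alphabet_size ** length


def assess_policy(alphabet_size: int, length: int) -> dict:
    """Estimate the time and price of exhausting a random-passphrase policy
    at the cluster rate, ASSUMING time and price scale linearly with the
    number of guesses (an assumption, not something the service states)."""
    space = keyspace(alphabet_size, length)
    rate = guesses_per_second(DICTIONARY_WORDS, CLUSTER_SECONDS)
    seconds = space / rate
    return {
        "keyspace": space,
        "cluster_days": seconds / 86400,
        "cost_usd": space / DICTIONARY_WORDS * CLUSTER_PRICE_USD,
    }


if __name__ == "__main__":
    # Standard test vector from IEEE 802.11i Annex H: passphrase "password",
    # SSID "IEEE". Expected PMK begins f42c6fc5...
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID: different PMK, so a table built for
    # one SSID says nothing about another.
    print("PMK differs on SSID 'linksys':",
          wpa_pmk("password", "linksys") != wpa_pmk("password", "IEEE"))
    print("PC rate (guesses/s):",
          guesses_per_second(DICTIONARY_WORDS, PC_SECONDS))
    print("Cluster rate (guesses/s):",
          guesses_per_second(DICTIONARY_WORDS, CLUSTER_SECONDS))
    # Policies: 8 random lowercase letters, 10 and 16 random alphanumerics.
    for alphabet, length in [(26, 8), (62, 10), (62, 16)]:
        r = assess_policy(alphabet, length)
        print(f"{length} chars from {alphabet}: "
              f"{r['cluster_days']:.1f} days, ${r['cost_usd']:,.0f}")
```

The quoted numbers imply roughly 312 guesses per second on the dual-core PC and about 112,500 per second on the cluster. Under the linear-scaling assumption, eight random lowercase letters fall in about three weeks for tens of thousands of dollars, while ten random alphanumerics are out of reach by many orders of magnitude. The dictionary attack is cheap only because most passphrases are dictionary words; a long random passphrase moves the cost from $17 to astronomical, which is the policy lesson for home networks.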

That said, we'll likely see the cloud challenge many past security assumptions, making feasible tasks that were previously infeasible for lack of resources or the ability to execute them.

On this note, another interesting article arose this week. It involves wireless, but not our home networks. Instead, it's about cracking GSM encryption and intercepting telephone conversations.

quote:

The problem was highlighted in August when German hackers announced a project to create a code table that cracked the standard GSM cell phone A5/1 encryption. Then, Cellcrypt CEO Simon Bransfield-Garth claimed that the development was worrying, as it marks a massive lowering of the bar for criminal organisations to illegally tap mobile phone conversations.

Here he claimed that the ‘lack of security is particularly worrying’. He said: “Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next six months. A ‘policy of hope’ towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as email and other corporate communications.”

Will we see an analogous service that focuses on GSM conversations rather than wireless networks?

For my home network, I have the ability to use encryption that's higher in the stack (TLS/SSL) to help ensure security (well, perhaps with TLS v1.3 that addresses the recent vulnerabilities to session protocol renegotiation).

For my GSM phone, I don't have this luxury (well, not without making the phone unstable and dependent on various VoIP apps and the availability of wireless networks). So, cell phone interception may soon be available to the masses.

Companies fail to secure their mobile calls as challenges of interception predicted to rise in the next six months

Written by Craig

December 11, 2009 at 8:29 pm
