Cloud404 :: Cloud Computing, Risk Management, Security, Compliance


Archive for the ‘FUD’ Category

Cracking in the Cloud


Looks like password cracking is moving to the cloud. Here, it's cracking WPA wireless encryption from a simple protocol sniff: the attacker only needs about $17 and the ability to intercept some network packets. Not difficult.

A cloud-based password "auditing" service clearly makes sense... for auditors and testers only, of course... since modern password cracking depends on the attacker having (a) access to hashes, encrypted values, or handshake data, (b) knowledge of the algorithm, (c) enough CPU to do something with it, and, if needed, (d) large enough data stores to hold precomputed tables (rainbow tables).

quote:

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.
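To make the quoted numbers concrete from the defender's side, here is an added example (my own code, not from this post or from the WPA Cracker service). It implements the public IEEE 802.11i passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as the salt) that any offline dictionary attack must run once per candidate word, then uses the quote's own figures (135 million words, 400 CPUs, 20 minutes) to work out the implied per-CPU guess rate and what that rate means for a dictionary word versus a random passphrase. The "password"/"IEEE" pair is the standard's published test vector; the micro-benchmark function, the candidate words it feeds in, and the policy comparison at the end are constructed for illustration.

```python
import hashlib
import time

# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)
WPA_PBKDF2_ITERATIONS = 4096
PMK_LEN_BYTES = 32

# Figures taken from the WPA Cracker quote above (not measured here).
QUOTED_WORDS = 135_000_000
QUOTED_CPUS = 400
QUOTED_SECONDS = 20 * 60


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key exactly as a WPA-PSK station does.

    This is the whole per-candidate cost an offline dictionary attack pays:
    4096 PBKDF2 rounds with the SSID as salt. Because the salt is the SSID,
    a precomputed (rainbow) table only helps against networks that share it.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS,
                               PMK_LEN_BYTES)


def implied_rate_per_cpu(words: int, seconds: float, cpus: int) -> float:
    """Candidates per second per CPU implied by `words` finishing in `seconds` on `cpus`."""
    return words / seconds / cpus


def dictionary_hours(words: int, rate_per_cpu: float, cpus: int = 1) -> float:
    """Worst-case hours to try every word of a dictionary on `cpus` cores."""
    return words / (rate_per_cpu * cpus) / 3600


def random_passphrase_hours(length: int, alphabet_size: int,
                            rate_per_cpu: float, cpus: int = 1) -> float:
    """Hours to exhaust the keyspace of a uniformly random passphrase.

    A dictionary is no help against a random passphrase, so this is the
    number a passphrase policy should be judged against.
    """
    return dictionary_hours(alphabet_size ** length, rate_per_cpu, cpus)


def measure_rate_per_cpu(ssid: str = "example-ssid", seconds: float = 0.5) -> float:
    """Constructed micro-benchmark: PMK derivations per second on one core of this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk(f"candidate-{n}", ssid)  # constructed candidate words
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())

    rate = implied_rate_per_cpu(QUOTED_WORDS, QUOTED_SECONDS, QUOTED_CPUS)
    print(f"quoted cluster implies ~{rate:.0f} guesses/s per CPU")
    one_cpu = dictionary_hours(QUOTED_WORDS, rate)
    cluster = dictionary_hours(QUOTED_WORDS, rate, QUOTED_CPUS)
    print(f"  same dictionary on 1 CPU:        {one_cpu:.0f} h")
    print(f"  same dictionary on {QUOTED_CPUS} CPUs:     {cluster:.2f} h")
    # Policy comparison: a 12-character random passphrase drawn from [A-Za-z0-9].
    years = random_passphrase_hours(12, 62, rate, QUOTED_CPUS) / (24 * 365)
    print(f"  random 12-char alnum passphrase: {years:.2e} years on {QUOTED_CPUS} CPUs")
    print(f"this machine, one core: ~{measure_rate_per_cpu():.0f} guesses/s")
```

The implied rate is nothing more than the quote's own arithmetic (about 281 guesses per second per CPU); the micro-benchmark shows what a single core of your own machine manages against the same 4096-round derivation. The point for a home network is that the weakness is the passphrase, not the cipher: the salt (the SSID) is broadcast, the handshake is enough to test guesses offline, and renting CPUs removes the time barrier, so the only lever left to the defender is a passphrase that no dictionary contains.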

That said, we'll likely see the "magic of the cloud" challenge many past security assumptions, as tasks that were infeasible for lack of resources, or of the ability to execute them, come within reach.

On this note, another interesting article arose this week. It involves wireless, but not our home networks. Instead, it's about cracking GSM encryption and eavesdropping on telephone conversations.

quote:

The problem was highlighted in August when German hackers announced a project to create a code table that cracked the standard GSM cell phone A5/1 encryption. Then, Cellcrypt CEO Simon Bransfield-Garth claimed that the development was worrying, as it marks a massive lowering of the bar for criminal organisations to illegally tap mobile phone conversations.

Here he claimed that the ‘lack of security is particularly worrying’. He said: “Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next six months. A ‘policy of hope’ towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as email and other corporate communications.”

Will we see an analogous service that focuses on GSM conversations rather than wireless networks?

For my home network, I have the ability to use encryption that's higher in the stack (TLS/SSL) to help ensure security (well, perhaps with TLS v1.3, which addresses the recent vulnerabilities in session protocol renegotiation).

For my GSM phone, I don't have this luxury (well, not without making the phone unstable and dependent on various VOIP apps and the availability of wireless networks). So, cell phone interception may soon be available to the masses.

Companies fail to secure their mobile calls as challenges of interception predicted to rise in the next six months

Written by Craig

December 11, 2009 at 8:29 pm

Whitfield Diffie interview by MIT Technology Review – How Secure is Cloud Computing?


MIT Technology Review recently posted an interview with crypto hero Whitfield Diffie.

Although the entire interview is great, one exchange stands out…

Technology Review: What are the security implications of the growing move toward cloud computing?

Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.

There's another dimension to his analogy that we need to consider. When airplanes fail (e.g. are hijacked), human lives may be lost and panic ensues. We haven't yet, to my knowledge, had a visible electronic attack with such significant consequences (albeit the "cyberterror" concern has been felt by Estonia). We've seen a few headaches, but nothing life threatening. Clearly, given the amount of control computers have over our lives, it's only a matter of time. When that unfortunate time comes, what will occur? New laws and regulations? Direct government oversight? Will the industry police itself, innovating new technologies as a competitive advantage?

Let's hope the latter. One of the key differences is that it's hard to sell airline security. Would a consumer fly on Airline A rather than Airline B, knowing that the pilot of Airline A could carry a gun, or had a more secure cockpit door? Do these things even really make us more secure?

The other difference is that air travel is a commodity and there's not much growth left. In fact, most businesses (the sweet-spot customer of the airline industry) are cutting back travel. The airline industry is focused on taking share from each other, and the primary factor is "who can supply at the lowest price." It's hard for the airline business to change, since profits are scarce and growth is inhibited (new continents don't seem to be popping up on planet Earth anymore).

In the IT/Internet/technology arena, there are a few big differences:

  • First, the computer security industry has proven that you can sell security to the end user — and you can certainly sell it to the business market. If I were building a company on a cloud platform, I'd pay a premium for the provider who could offer better security features.
  • Second, with the cloud movement, the "right things" (storage, compute, network) are reverting to a commodity posture, which will lower the barriers for new, higher-level services to be built at scale. Lowering the barriers will ignite opportunity, and a rush to use cloud-based applications. Putting it another way, a few entrepreneurs can build a company on a cloud provider without buying datacenters, servers, power, or gigantic network connections, and without even hiring IT staff to build the servers out. In the cloud, all of this is done with a credit card and a few clicks of the mouse. If security issues emerge, the profit motive will drive the cloud provider to quickly retool an offering to respond to a threat, or they'll be passed by.

However, in the meantime (and with the constant media attention focused on "cloud failures") it will be a turbulent ride.

- Craig

Written by Craig

November 17, 2009 at 6:31 pm