German researcher breaks into Amazon Cloud Services
January 12, 2011
A German Internet security researcher was successful in tapping into Amazon's Cloud Computing Services to crack open WiFi passwords in a fraction of the time and for a tiny percentage of the cost of using his own equipment.
Thomas Roth used custom software running on Amazon's Elastic Compute (EC) Cloud service to break into a WPA-PSK protected network in under 21 minutes. With improvements to his software, he said he could even cut the time down to about 6 minutes.
With EC2 computers available for about twenty-eight cents per minute, the cost of the hack attack came to just $1.68.
“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a lot of money to do so. But it's relatively easy to brute force them,” said Roth.
Roth is the same researcher who in November used Amazon's cloud services to brute force SHA-1 hashes as well. He said he cracked fourteen hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes.
Roth added that at the time he'd be able to significantly reduce that time with minor tweaks to his software, which made good use of “Cluster GPU Instances” of Amazon's EC2 service.
As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a specific network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.
Roth's latest software uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a jumbo computer. He is scheduled to present his findings at next week's Black Hat security conference in Washington, DC.
In November, Matthew Anderson, a thirty-three year old Scottish hacker and email spammer was convicted and sentenced to 1 1/2 year in prison and was also ordered to pay £5,000 in costs for hijacking thousands of computers from his mother's house.
Anderson used the global network of compromised computers to send tens of millions of spam emails. The father of five, whose own home was too remote to get broadband Internet access, also stole personal data and spied on victims via their webcams.
Known in hacker circles as "Warpig", Anderson commissioned a Finnish programmer to create sophisticated, IRC-controlled bots and backdoor viruses, including "Breplibot". He disguised these Trojans as legitimate files, and used an existing list of four million email addresses to build the botnet through malicious attchments.
Anderson pleaded guilty last month and sat impassively in the dock at Southwark Crown Court as the sentence was being read earlier this morning.
"Clearly, only a custodial sentence is justified," said Judge Geoffrey Rivlin, spurning appeals by the defence for a suspended sentence.
The Judge added that had the offences been committed since October 2008, when the maximum sentence for offences under section three of the Computer Misuse act was doubled to 10 years, Anderson's sentence would be "at least" 36 months.
According to the prosecution's opening note to the sentencing hearing, Anderson made about £12,800 between September 2005 and his arrest on 27 June 2006, by sending up to 50 million junk emails in total. Winston Lay, a Suffolk businessman who didn't know Anderson was also using illegal methods to distribute marketing material, and then paid him for business "leads".
Anderson said to the Judge: "The computers that I did this from didn't come to any harm. I didn't steal information from them, I wasn't out to do identity theft or anything like that, my main aim was to support my family and generate 'leads' for Winston. Winston didn't know how I went about this, but I just provided him with a list of emails once a week, maybe twice a week sometimes."
But a closer analysis of the computer Anderson used at his mother's house showed he had stolen data. He had used his access to upload software to to log keystrokes, and to download intimate photographs, medical information, CVs, even a will and various webcam images he managed to capture.
In an Internet Relay Chat exchange with "CraDle", Anderson described how he took control of a teenage girl's computer and took pictures as she became upset.
Source: Thomas Roth.
You can link to the Internet Security web site as much as you like.