
German researcher breaks into Amazon Cloud Services


January 12, 2011

A German Internet security researcher was successful in tapping into Amazon's Cloud Computing Services to crack open WiFi passwords in a fraction of the time and for a tiny percentage of the cost of using his own equipment.

Thomas Roth used custom software running on Amazon's Elastic Compute Cloud (EC2) service to break into a WPA-PSK protected network in under 21 minutes. With improvements to his software, he said he could even cut the time down to about 6 minutes.

With EC2 computers available for about twenty-eight cents per minute, the cost of the hack attack came to just $1.68.

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a lot of money to do so. But it's relatively easy to brute force them,” said Roth.

Roth is the same researcher who in November used Amazon's cloud services to brute force SHA-1 hashes as well. He said he cracked fourteen 160-bit SHA-1 hashes, each of a password between one and six characters long, in about 49 minutes.

Roth added at the time that he'd be able to significantly reduce that time with minor tweaks to his software, which made good use of “Cluster GPU Instances” of Amazon's EC2 service.

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a specific network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth's latest software uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a jumbo computer. He is scheduled to present his findings at next week's Black Hat security conference in Washington, DC.
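For anyone choosing a WPA-PSK passphrase, the rate and price quoted above can be turned into a sizing check. The following is an added example, not code from the article or from Roth's software; the function names are hypothetical, and it assumes a uniformly random passphrase and cost that scales linearly at the article's figures.

```python
"""Worst-case cost to exhaust a WPA-PSK passphrase space at the article's figures."""
from dataclasses import dataclass

GUESSES_PER_SECOND = 400_000       # rate reported in the article
USD_PER_MINUTE = 0.28              # EC2 price reported in the article
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63   # length limits of a WPA-PSK passphrase


@dataclass
class Estimate:
    keyspace: int     # number of candidate passphrases
    minutes: float    # time to try every candidate
    usd: float        # rental cost for that time


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Count all strings of min_len..max_len characters over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def exhaust(alphabet: int, max_len: int, min_len: int = WPA_MIN_LEN) -> Estimate:
    """Worst case: the search tries every candidate up to max_len.

    Assumption: the passphrase is uniformly random. Dictionary words and
    patterns fall far sooner than this bound suggests.
    """
    ks = keyspace(alphabet, min_len, max_len)
    minutes = ks / GUESSES_PER_SECOND / 60
    return Estimate(ks, minutes, minutes * USD_PER_MINUTE)


def min_length_for_budget(alphabet: int, budget_usd: float) -> int:
    """Shortest passphrase length whose full search costs more than the budget."""
    for length in range(WPA_MIN_LEN, WPA_MAX_LEN + 1):
        if exhaust(alphabet, length).usd > budget_usd:
            return length
    raise ValueError("no WPA-PSK length exceeds this budget for this alphabet")


if __name__ == "__main__":
    # Constructed policy cases: (label, alphabet size)
    for label, size in [("digits", 10), ("lowercase", 26), ("printable ASCII", 95)]:
        e = exhaust(size, WPA_MIN_LEN)
        need = min_length_for_budget(size, 1_000_000)
        print(f"{label:16s} 8 chars: {e.minutes:14.1f} min, ${e.usd:14.2f}; "
              f"length for > $1M: {need}")
```

An eight-digit numeric passphrase falls in minutes at this rate, which is why length and alphabet size matter more than the choice of WPA itself.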

In November, Matthew Anderson, a thirty-three-year-old Scottish hacker and email spammer, was convicted and sentenced to 1 1/2 years in prison and was also ordered to pay £5,000 in costs for hijacking thousands of computers from his mother's house.

Anderson used the global network of compromised computers to send tens of millions of spam emails. The father of five, whose own home was too remote to get broadband Internet access, also stole personal data and spied on victims via their webcams.

Known in hacker circles as "Warpig", Anderson commissioned a Finnish programmer to create sophisticated, IRC-controlled bots and backdoor viruses, including "Breplibot". He disguised these Trojans as legitimate files, and used an existing list of four million email addresses to build the botnet through malicious attachments.

Anderson pleaded guilty last month and sat impassively in the dock at Southwark Crown Court as the sentence was being read earlier this morning.

"Clearly, only a custodial sentence is justified," said Judge Geoffrey Rivlin, spurning appeals by the defence for a suspended sentence.

The Judge added that had the offences been committed since October 2008, when the maximum sentence for offences under section three of the Computer Misuse Act was doubled to 10 years, Anderson's sentence would be "at least" 36 months.

According to the prosecution's opening note to the sentencing hearing, Anderson made about £12,800 between September 2005 and his arrest on 27 June 2006, by sending up to 50 million junk emails in total. Winston Lay, a Suffolk businessman who didn't know Anderson was also using illegal methods to distribute marketing material, then paid him for business "leads".

Anderson said to the Judge: "The computers that I did this from didn't come to any harm. I didn't steal information from them, I wasn't out to do identity theft or anything like that, my main aim was to support my family and generate 'leads' for Winston. Winston didn't know how I went about this, but I just provided him with a list of emails once a week, maybe twice a week sometimes."

But a closer analysis of the computer Anderson used at his mother's house showed he had stolen data. He had used his access to upload software to log keystrokes, and to download intimate photographs, medical information, CVs, even a will and various webcam images he managed to capture.

In an Internet Relay Chat exchange with "CraDle", Anderson described how he took control of a teenage girl's computer and took pictures as she became upset.


Source: Thomas Roth.
