On-demand cloud computing is a wonderful tool for companies that need computing capacity, but don’t want to invest in fixed capital for long term. For the same reasons, cloud computing can be very useful to hackers — a lot of hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive.
For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to “provision.” But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card.
The balance of power between security controls and attack methods shifts quite dramatically if you assume the attacker has high-performance computing available at low cost. Take passwords, for example. The length and complexity of a password determines the effort required to mount a brute-force attack. Assume an attacker has access to the “hashed” values in a password database, a database that can be compromised through a vulnerable Web server or authentication server. The hash is produced by an algorithm that cannot be reversed, but it can be brute-forced by trying all possible values of a password. This brute-force calculation happens far from the authentication server and therefore is not limited by a three-tries-lockout mechanism.
It would take forever to try every possible combination of an eight-character password on a single core CPU — probably months, perhaps years, depending on the algorithm and password complexity. But the problem is highly parallelizable: the search space can be broken into as many “batches” as needed and farmed out to multiple CPUs to try out in parallel. Using a botnet or IaaS cloud, an attacker can now achieve in minutes or hours what would have taken years.
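As an added example (not code from the original article), the following Python estimator shows how keyspace, per-hash cost and the number of parallel workers combine into the “years versus minutes” shift described above; the per-core hash rates are constructed, illustrative figures rather than benchmarks, and a defender can substitute measured ones to judge whether a password policy or hash work factor still holds up against rented capacity.

```python
"""Brute-force feasibility estimator (added example; not from the original article).

Hash rates below are constructed, illustrative figures, not benchmarks. The point
is how keyspace, per-hash cost and the number of parallel workers combine, so a
defender can judge whether a password policy or hash work factor still holds up.
"""
import math

# Alphabet sizes for a few common password character sets.
LOWER, LOWER_DIGITS, ALNUM, PRINTABLE = 26, 36, 62, 95

# Constructed sample throughputs per core, in hashes per second.
FAST_UNSALTED_HASH = 1e8   # a plain cryptographic hash with no work factor
SLOW_ADAPTIVE_HASH = 10    # a password hash tuned to roughly 100 ms per guess


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidate passwords of exactly `length` symbols from `alphabet`."""
    return alphabet ** length


def expected_seconds(length: int, alphabet: int, rate_per_core: float, cores: int) -> float:
    """Expected wall-clock time for an exhaustive search split evenly across `cores`.

    A uniformly chosen password is found, on average, halfway through the keyspace.
    """
    return keyspace(length, alphabet) / 2 / (rate_per_core * cores)


def cores_needed(target_seconds: float, length: int, alphabet: int, rate_per_core: float) -> int:
    """Workers required to finish the expected search within `target_seconds`."""
    return math.ceil(expected_seconds(length, alphabet, rate_per_core, 1) / target_seconds)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Eight printable characters: one core versus 10,000 rented cores, fast versus slow hash.
    for label, rate in (("fast unsalted hash", FAST_UNSALTED_HASH), ("slow adaptive hash", SLOW_ADAPTIVE_HASH)):
        for cores in (1, 10_000):
            t = expected_seconds(8, PRINTABLE, rate, cores)
            print(f"{label:19s} {cores:>6d} cores: {humanize(t)}")
    print("cores to search 8 printable chars in an hour (fast hash):",
          cores_needed(3600, 8, PRINTABLE, FAST_UNSALTED_HASH))
```

With these sample rates an eight-character printable password behind a fast unsalted hash drops from about a year on one core to under an hour on ten thousand, while a slow adaptive hash keeps the same search in the centuries even with ten thousand cores.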
With the advent of cloud computing, as with any other technology, the bad guys have also found a new tool. When we weigh risk against reward, or the cost against the benefit of a security control, we have to account for the significantly lower cost of computing for everyone — attackers included. Passwords, wireless encryption keys, at-rest encryption and even old SSL algorithms must be reevaluated in this light. What was thought to be “infeasible” may be well within the means of “average” hackers.