Distributed security cracking

Will the future of security cracking lie in "cloud computing"?

One of the newly popular buzzwords of the IT industry is "cloud computing", referring to the use of computational capabilities derived from the aggregate of available distributed computing resources. What qualifies resources as "available" may vary from case to case, and in fact most discussion of cloud computing -- referring to the "Internet cloud", a conceptual abstraction of the complex, heuristic infrastructure of internetworked computers -- is very inexact about how one creates, manages, and accesses this "cloud". How to aggregate distributed resources into a usable infrastructure is often left as an exercise for the audience.

Steps are being taken to create a tightly controlled business model based on the concepts of cloud computing, and these steps are necessary stops on the path to ubiquitous availability of cloud computing technologies. Utility computing is such a model, where one can subscribe to distributed computational resources maintained by a given provider similarly to the way one might subscribe to a household utility like electricity or natural gas service; Amazon has stepped into this role via its EC2 service.

A more well-established, but (these days) less buzzword-compliant, implementation of cloud computing technologies is BOINC, the technological foundation for volunteer-participation distributed computing networks such as SETI@Home and Folding@Home, both of which started out using a less standardized cloud computing technology before adopting support for the BOINC infrastructure. In some respects more primitive, while in others adopting a more advanced approach to distributed systems, is the proliferation of peer-to-peer network services such as BitTorrent -- which serves as an excellent example of the early stages of participatory resource sharing, where to some extent one very directly gets out of a system what one puts into it.

Many of the IT industry buzzword followers may be shocked to have the fact pointed out to them, but one of the most venerable and successful implementations of cloud computing technologies is the proliferation of DDoS and spam botnets. Such botnets are assembled and expanded by use of self-replicating mobile malicious code, which infects a computer, then sends copies of itself across the Internet to infect still other computers. These infected systems, often referred to as "zombies" -- especially if they have a certain amount of autonomy and dumbly perform simple, repetitive actions -- may then be subjected to aggregate control, via networking protocols such as IRC, by the malicious security cracker who deployed them.

DDoS attacks and spam distribution hardly seem like the most sophisticated possible uses of cloud computing technologies, of course. On the other hand, botnets do provide the potential basis for more interesting illegal uses. For instance, the CPU cycles required for brute-force password cracking can be prohibitively expensive in dollar terms when using privately owned hardware, but when additional hardware can be added to a distributed supercomputer by automatically propagating botnet infections, things start looking significantly cheaper.

As Internet presence becomes increasingly widespread -- particularly amongst users of inadequately secured, largely homogeneous operating system environments -- we can only expect that distributed computing resources will become more common tools for those who wish to solve computationally difficult problems. Among those people will be scientists, businesses that need to process tremendous amounts of data, and of course security researchers. Those security researchers, in fact, include the people at Free Rainbow Tables, who have already employed distributed computing resources to improve their rainbow table generation capabilities. Placed in the wrong hands, and achieved by dubious means such as the use of botnet-infected systems, this is exactly the sort of nefarious purpose for "cloud" computing I spoke of above.

As already mentioned, malicious security crackers will also be among the people we can expect to leverage distributed computing technologies in the future, and these are the cloud computing users who will significantly change the face of computer security policy. Security cracking activities that have in the past been dismissed as impractical because of the dedicated processing time and power they require will rapidly become more commonplace as the sophistication of botnet users improves. Security professionals will need to take this changing security landscape into account if they wish to remain a step ahead of their malicious counterparts.

The aggregated power of distributed computing provides a potentially bright future for those of us who need more than an email client and a Web browser. Unfortunately, that includes those of us with malicious intent, as well as those of us whose intentions are more pure. It would not serve us well to forget that fact.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
noah

Three concepts here I'm not seeing, primarily because I really don't care for this "cloud computing" name. Virtualization, clustered computing, modular computing, these are all the foundation principles of computing. It's as if we've forgotten that PCs were just the miniaturization of computers. They were intended for distributed computing. The factor of cloud computing has even come to mind by all of the M$ heads amazes me. Windows OS barely is able to maintain a single PC's resources (daily reboots required) and manage them on its own, better yet the aggregated resources of a cluster. (However, it's reflective of the human cycle of life.) And another huge factor in here is that with the strong encouragement of virtual computing, we've failed to look at the controlling factor of some of these "blade"/modular type computing; there are underlying hardware languages/OSes that are controlling the master box. As we learned with the Boeing incident, these languages when exposed to an open facing network are very susceptible. There is no intuitive security. And a small percentage of IT has the ability to even begin understanding/protecting these (myself most definitely included, but blade servers are awesome boxes for cracking/large computational type deals). I realize that this is not a huge threat for most commercial entities, but one thing we have to acknowledge is how many commercial entities play a part in our economy (stocks, manufacturing, utilities); disruption in just one company could very well lead to a chain reaction.

Summarized version: If we go back to the basics, distributed cracking of passwords is a very easy to accomplish concept; you can treat complex rainbow tables as the database, and utilize round robin distribution from multiple clients, or just the opposite, distribute 100s of simple tables and the host compiles them (understood that both methods still require some complex fundamentals to be in place).

Using BOINC at the company office, not very green. As much as I believe it's the right thing to do, it would very likely suck down more resources than the infrastructure does at its peak usage hours. And as mentioned nobody wants to go through the trouble of understanding the legal concerns, and getting some legal head/marketing head to understand all the techy stuff to convince them that it's a great idea.

Neon Samurai

I've heard it discussed a few times. It can be a handy tool if you're not at your own machine with rainbow tables handy, but you have to consider that posting a hash you might need broken means probably waiting a few days. It becomes a bit of a grey area also if your auditing contract has a non-disclosure clause that would be broken by posting password hashes in public forums. Offhand, do you see any risks associated with running BOINC on a business machine after hours? I can see it being used to find out office hours during the recon phase but haven't yet decided if there is any risk of having malicious traffic injected into the transfer as each processed package is reported back to the management servers.

fernlyn

Yep! Good old botnets, where would the security professional be without them.

apotheon

What new uses for distributed security cracking do you foresee in the future? What kind of changes do you think IT security professionals will have to make in how they approach security to compensate for the growing capabilities of distributed computing used by malicious security crackers?

Neon Samurai

With our network, it's not really a concern though as it's not an enterprise monster where even having all the computers sleeping would be a noticeable power draw. I'll be looking at that in more detail though if the idea of running BOINC does get the interest of management. At the same time, helping to fold proteins may provide greater long term benefits than the short term cost of having the processors on over night. We'll see though as the idea gets bounced around the office more.

apotheon

That depends entirely on the security status of the BOINC client software and the security status of the BOINC servers. Generally, as an open source project, run by responsible people, that has a very narrow scope, the chances of BOINC becoming a security issue are very slim -- significantly slimmer than running Automatic Updates on MS Windows, in my estimation. Adding a network-capable piece of software to the daily functions of a system always increases the potential for vulnerability to outside threats, though. The only question is how much. I believe BOINC probably represents a very, very small increase in potential vulnerability, so you really just have to balance that against the knowledge that BOINC is (probably) not a business-critical tool for you, and thus there's no trade-off for the company's bottom line, unless you've found some way to use it as a tax exemption. If you're talking about a publicly traded corporation, something like that could possibly represent a criminal misuse of resources (though IANAL, so don't just take my word for it).

Neon Samurai

That'd be my guess as to our industry if botnets had not come along. It was inevitable though. Just look at IRC networks and the great grandparents of botnets that played there. I kind of miss my handy Eggdrop bot, but the time when it was simple fun amongst keyboard cowboys has passed.

robo_dev

More processing power means longer encryption keys, choosing the appropriate encryption algorithm, and using longer and stronger passwords. The bulk of security breaches or exploits do not happen because somebody brute-forced a password or used 400 MIPS of computing power to crack an encryption key. The only 'new uses' might be to crack encryption algorithms and key lengths that are today not considered to be feasible. The EFF 'Deep Crack' machine can do 90 billion tries per second and can crack a DES key in several days. Distributed cracking across PCs is not very efficient. Estimates are that a single PC can do about 10 million/sec, so you can do the math from there.... The real performance comes from those who build custom FPGA-based cracking machines. An interesting discovery is that PC video hardware, which uses massive parallel processing, is much faster at cracking than the PC itself (like 200 million/sec). http://www.newscientist.com/article/dn12825 http://en.wikipedia.org/wiki/Brute_force_attack

Dumphrey

Passwords on network devices will NEED to be longer, and more complex, to minimize brute force attacks. I wonder if any bot-herder will find a way to distribute his CnC across several machines, or even several hundred machines using distributed computing, each machine in the CnC net splitting load, and allowing a bigger reach, and more wide spread noise, making it harder to single out. Heck, it could even just be a select subset of the bot cloud itself. The only hurdle I see off the top is how would the herder connect to the initial machine to create the CnC net, as well as how would they communicate anonymously with the CnC.
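The two comments above ("do the math from there" and "passwords will NEED to be longer") invite a worked estimate, so here is one as an added illustration that is not part of the article or of any comment. It takes the per-machine guess rates quoted above as assumed inputs, extrapolates them to an assumed 100,000-node botnet, and turns the result into the password length a defender would need to outlast a given attacker budget.

```python
import math

# Rates quoted in the comments above, used here as assumed inputs (guesses per second).
PC_RATE = 10e6           # one ordinary PC, ~10 million/sec
GPU_RATE = 200e6         # PC video hardware, ~200 million/sec
DEEP_CRACK_RATE = 90e9   # EFF Deep Crack, ~90 billion DES keys/sec
DES_KEYSPACE = 2 ** 56   # 56-bit DES key

# Assumed (constructed) botnet size used to extrapolate the single-PC figure.
BOTNET_NODES = 100_000
PRINTABLE_ASCII = 95     # symbols available for a typical password


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(space: int, rate_per_node: float, nodes: int = 1) -> float:
    """Worst-case seconds to try every candidate when `nodes` machines guess in parallel."""
    return space / (rate_per_node * nodes)


def days(seconds: float) -> float:
    return seconds / 86_400


def min_length_to_resist(charset_size: int, rate_per_node: float,
                         nodes: int, target_seconds: float) -> int:
    """Smallest password length whose full keyspace exceeds what the attacker
    can enumerate in `target_seconds` (a defender's sizing rule, not a guarantee)."""
    budget = rate_per_node * nodes * target_seconds
    length = 1
    while keyspace(charset_size, length) < budget:
        length += 1
    return length


if __name__ == "__main__":
    # Sanity check against the comment's own claim: DES on Deep Crack takes "several days".
    print(f"DES on Deep Crack:        {days(seconds_to_exhaust(DES_KEYSPACE, DEEP_CRACK_RATE)):.1f} days")
    print(f"DES on {BOTNET_NODES} PCs: {days(seconds_to_exhaust(DES_KEYSPACE, PC_RATE, BOTNET_NODES)):.1f} days")
    for n in (8, 10, 12):
        t = seconds_to_exhaust(keyspace(PRINTABLE_ASCII, n), PC_RATE, BOTNET_NODES)
        print(f"{n}-char password vs botnet: {days(t):,.1f} days")
    ten_years = 10 * 365 * 86_400
    print("Length needed to outlast the botnet for 10 years:",
          min_length_to_resist(PRINTABLE_ASCII, PC_RATE, BOTNET_NODES, ten_years))
```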

Sterling chip Camden

Good article, Chad. Black hats have never left an opportunity on the table, so I have every expectation that they'll find more ingenious ways to use distributed computing to their advantage. It would be a good idea for those who provide services like these to predict ways in which they could be abused, but if history is any indication the abuse must first be experienced to be grokked.

Neon Samurai

I hadn't considered the legal angle. As a non-profit, we can probably even tag it on to our business resume, but I can see how a corporation could be held accountable by the shareholders. If we end up doing it, it'll be office wide with the board's approval, so that sidesteps the social issues. Now I have to let my paranoia take its course and make sure we're not stepping on any technical issues. It would be interesting to be able to include "and contributes to the XYZ project" on our business resume though.

apotheon

At least in corporate IT, that certainly seems to be the case.