
Cloud Password Crack Provides Glimpse Into Future of Cybercrime

Credant Technologies : 19 November, 2010 (Technical Article)

Credant Technologies explains the implications of the recent successful crack of a secure hashing algorithm password using cloud services

Reports that a German hacker has successfully cracked a secure hashing algorithm (SHA-1) password using a pay-as-you-use Cloud Computing based parallel processing environment are very worrying, says Credant Technologies.

According to Chris Burchett, CTO and Co-Founder of the data security specialist, this is one of the first times that an SHA-1 encrypted password has been cracked using rentable cloud-based computation.

'It's worrying because, as Thomas Roth says, it's easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe,' he said.

'Although renting processing time on a cloud resource like Amazon Web Services could get relatively expensive at this level, there is the added dimension of cybercriminals using stolen payment card credentials to fund their cloud cracking escapades, which means they will not be bothered about the cost involved,' he added.

Burchett went on to say that the incident has parallels with other online password and hash cracking websites including the revelation of almost 12 months ago when security researcher Moxie Marlinspike revealed he had created an online WiFi password cracking service called, appropriately enough,

At the time, some experts were calling Marlinspike's service a cloud-based resource, but whilst the $17.00-a-time service can reportedly crack a WiFi password in around 20 minutes - a process that would take a dual-core PC around 120 hours - it is a highly specific cracking application with relatively finite processing power.

Using Amazon Web Services to crack a 160-bit SHA-1-hashed password, however, extends the hacker ballgame into a whole new Cloud Computing dimension, since it allows hackers to run custom cracking code that would normally take several months on a multi-core supercomputer - a platform that, of course, cybercriminals would not normally have access to, the Credant CTO explained.

Roth's exploit, says Burchett, is significant, as he claims to have cracked all the hashes from an SHA-1 hash with a password of between 1 and 6 characters in around 49 minutes - and at a cost of just over one pound.

'Up to now, we've been in the realm of more limited-use crack sites, but the concern is that the practically limitless compute resources for relatively low cost available in the cloud can make attacks that previously were proof of concept an everyday reality. You can be sure that cybercriminals will be passing reports of Roth's exploits on to their black hat hackers and asking them to repeat the methodology in other applications,' he said.

'It has to be remembered that SHA-1, although it is being phased out, still forms part of several widely-deployed security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols to mention but a few,' he added.

'At the moment, we are talking about a limited application, but it doesn't take a genius to work out the ramifications of Mr Roth's research project.'