The Cloud has a great future, the possibilities are huge, but security needs to remain a pressing issue because cloud-based browsers that offload processing in the cloud for mobile devices can also be a security issue.
Those types of browser services can undergo abuse in order to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power, researchers said.
A team of North Carolina State University and University of Oregon researchers in their proof-of concept used Google’s MapReduce technique that allows parallel computing for performing fast computing in the cloud and the Puffin cloud-based browser service. They stored large data packets on URL-shortening sites to disguise the traffic between multiple nodes in order to test how the browsing service could see use for more than just browsing.
“To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords … you could use these available services” rather than paying for Amazon EC2 services, for instance, said William Enck, assistant professor of computer science at NC State and a co-author of the research paper on the subject. “This is a way of getting that computation [power] without going through the hurdle [of payment fraud].”
The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.
Cloud-based password cracking using cloud-based computing has been proven before, with tools like the WPACracker service, created by researcher Moxie Marlinspike, to test the strength of passwords used in the encryption of wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, that uses the Amazon EC2 cloud to decrypt passwords and break into wireless networks via a brute-force password-cracking attack.
With this latest research in what is “parasitic computing,” the problem lies with the cloud browser providers themselves, whose resources can undergo abuse by bad actors.
“Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system,” said Jeremiah Grossman, CTO of WhiteHat Security.
NC State’s Enck said there are ways for cloud-based browsing providers to better monitor their traffic — namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he said, this would allow cloud browser providers to quash abuse. “It’s similar: You can say, ‘Here are the clients from where [the traffic] is coming from and the IP addresses.'”
Cloud browser providers can also limit the computing resources used by each user or client, he said, which also would help detect abuse.
Some providers currently employ features that can help minimize abuse. The Amazon Kindle Fire’s Silk browser, for example, entails user registration and also sends a private key specific to the tablet as part of its handshake with the cloud-based servers. “Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts,” the researchers wrote in their paper.
In their proof-of-concept, the researchers used 1-, 10- and 100-megabyte data packets rather than larger ones. “When we ran our experiments, we didn’t overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practices and put undue strain on the technology we were using,” Enck said.
“By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays,” Enck wrote in the paper.