Hackers Use Cloud Computing to Boost Firepower
How better to break into a computer network than to use the power of a virtual supercomputer to crack codes? In a disturbing trend, cloud computing services are being used by hackers to rain down attacks upon other computer systems.
Cloud computing services string together online servers and storage systems in order to offer massive processing power and terabytes of storage space to businesses such as FourSquare and Netflix. The services allow companies to handle extra traffic and data processing on an as-needed basis without investing in the extra equipment themselves.
However, cloud computing services have become so inexpensive and easy to use that they are also available on demand to individual customers by the hour.
This allows unscrupulous users to use cloud computers to conduct digital assaults, such as so-called brute-force attacks that simply fire an endless stream of passwords at another computer system until they find the right code to break in.
"That's the real key now," said Scott Chasin, chief technology officer of McAfee's Security-as-a-Service, itself a cloud-based system. "There's a lot of available computing out there with instant-on and instant provisioning."
In other words, a hacker can have a cloud-based attack up and running within minutes, and then just as quickly get off the cloud once the attack has been successful.
Such hacks may become increasingly attractive to criminals. They require little investment and the criminals don't need to build so-called botnets thousands of infected individual computers operating as one which can take months to create.
The issue of cloud-based attacks was brought to the fore recently by the stunning shutdown of Sony's online consumer networks in April, which affected roughly 100 million users worldwide.
Even as Sony continued to plug security breaches after it brought its systems back online, Bloomberg News reported that the hackers responsible for the attacks employed Amazon's cloud-computing Elastic Computer Cloud (EC2) service as a base of operations.
Earlier this year, a German researcher demonstrated how Amazon's EC2 could be used to break into other systems. In a brute-force attack, he used EC2 to run 400,000 possible passwords per second to break into a secured Wi-Fi network in about 20 minutes.
While Amazon's pricing is complicated, such on-demand cloud computing time can cost as little as a few pennies per hour.
From Chasin's perspective, such "lily pad" attacks, in which hackers use one compromised server to attack another, are nothing new. But the ease of accessibility that cloud computing offers is.
While some customers may worry that such attacks could also affect their own cloud-computing accounts, experts point out that service providers are better equipped than most companies to deal with hackers.
"It's natural for any customer to be concerned," said Siamak Farah, the founder and CEO of Tarzana, Calif.-based InfoStreet, a 17-year-old provider of cloud services. "But most people want their money in the bank and not under their mattress."
Farah pointed out that most companies can't afford the technology and security expertise to maintain such systems. Furthermore, third parties can offer insurance, disaster recovery and backup as protection.
"You cannot stop crime, but you can reduce it from happening," Farah said.
So companies have to ask themselves: Who's better equipped to prevent attacks, they or the service provider?
McAfee's Chasin said that a well-rounded approach to security is needed to address the problem. Firms need to not only protect themselves from the traditional intrusions into their systems, but also from the abuse of their systems to launch outward-bound attacks.
"We're still dealing with the same security fundamentals," Chasin said. "It's just that the accessibility [of cloud computing] makes it a lot easier."