Moving Hacking into the Cloud

Over the past 3 years (and yes, it really has only been 3 years!) Amazon and other players have delivered the Cloud to the world of business, providing IaaS and causing ripples in well-established cost models for computer processing power.

The entire thrust of Amazon’s argument behind cloud computing is simple: “Trust us with your services and we’ll scale up and out instantly to manage increased load”. Under the traditional CapEx model a new server would require purchase or lease, build and deployment, with considerations for switching capacity and power availability; the Cloud allows businesses to power up a new box (or the abstracted equivalent) with a few mouse clicks, and you pay for it only for as long as it’s on-line.

This “power on demand” model has been touted as a solution for businesses requiring a dynamic level of scalability without wanting to commit vast sums of cash to manage physical resources… but there is a darker side to Amazon’s all you can eat approach.

As well as allowing genuine enterprise the option to scale ad infinitum (or ad budget constraintum), Amazon and other Cloud providers are effectively opening up supercomputer levels of processing to a slightly grubbier level of on-line society – crackers.

In a post to his blog, security consultant David Campbell calculated that an 8 character password could be brute forced for an EC2 bill of less than $106,000:

To calculate the cost of brute forcing an eight-character password consisting only of lower-case letters, he raised 26 to the power of 8 to get the total number of possible passwords. Because his cracking application can handle 9.36 billion keys per hour, he then divided by that amount and multiplied that by EC2's standard rate of 30 cents per hour. An eight-character password that contains numbers and upper- and lower-case letters would be ((26+26+10)^8 / 9,360,000,000) * .30.

Of course that article was posted almost a year ago. The costs are now more like $1,982.79 to test the total keyspace for an 8 character password containing upper case, lower case and numeric characters.

In case you hadn’t worked it out yet, the key point of using Amazon’s cloud resources in place of traditional hacking hardware is that the attack can be run in parallel across many EC2 instances, reducing the attack time from 10,000 years to a couple of hours!

In Bruce Schneier’s 2006 post mortem of the password lists resulting from the MySpace phishing attack, he identifies that the majority of passwords are under 10 characters long and purely alphanumeric, which means they fall well within the range of an EC2 hosted attack.

Whilst you may not have a couple of grand to spare to break into your nemesis’ Twitter feed, there are plenty of people (*cough* media outlets & organised criminals *cough*) out there who would benefit from the ability to quickly and easily smack through passwords for social networking or even email accounts.

And let’s not forget that those costs are for searching 100% of the key space for an account. The odds are good that most passwords will be given up well before the 100% mark is reached. This could also be combined with a quick dictionary attack to weed out common passwords first, further reducing the key space and increasing the effectiveness of the attack.

Of course entropy isn’t a panacea for security, but, as these calculations show, you’d better make sure your password is longer than 8 characters and includes at least 1 non-alphanumeric character to mitigate the potential of this form of attack.
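The cost arithmetic quoted above, and the length and character-class advice it leads to, as an added Python example that is not part of the original post: the $0.085 rate, the 33-symbol class and the $10k attacker budget are assumptions, everything else comes from the figures on this page.

```python
"""Added example, not from the original post: reproduce the EC2 brute-force
cost arithmetic quoted above and turn it round into the defender's question,
i.e. how long must a password be before a full keyspace search costs more than
an attacker is willing to spend. Rates and the symbol count are assumptions."""

KEYS_PER_HOUR = 9_360_000_000   # per-instance cracking rate quoted in the post
RATE_2009 = 0.30                # $/instance-hour used in The Register excerpt
RATE_2010 = 0.085               # assumed later rate; reproduces the post's $1,982.79
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 33                    # printable ASCII punctuation, assumed as the 4th class


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates for a fixed-length password over `alphabet` symbols."""
    return alphabet ** length


def search_hours(length: int, alphabet: int, fraction: float = 1.0) -> float:
    """Instance-hours needed to test `fraction` of the keyspace at KEYS_PER_HOUR."""
    return keyspace(length, alphabet) * fraction / KEYS_PER_HOUR


def search_cost(length: int, alphabet: int, rate: float, fraction: float = 1.0) -> float:
    """Bill in dollars. Sharding over N instances does not change it: each
    instance runs 1/N of the hours, so only the wall-clock time shrinks."""
    return search_hours(length, alphabet, fraction) * rate


def wall_clock_hours(length: int, alphabet: int, instances: int) -> float:
    """Elapsed time when the keyspace is split evenly across `instances` nodes."""
    return search_hours(length, alphabet) / instances


def min_length_over_budget(budget: float, alphabet: int, rate: float) -> int:
    """Shortest password length whose full-search cost exceeds the attacker's budget."""
    length = 1
    while search_cost(length, alphabet, rate) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    alnum = LOWER + UPPER + DIGITS
    print(f"8 alnum chars: {search_hours(8, alnum):,.0f} instance-hours, "
          f"${search_cost(8, alnum, RATE_2009):,.2f} at $0.30, "
          f"${search_cost(8, alnum, RATE_2010):,.2f} at $0.085")
    print(f"  across 1,000 instances: {wall_clock_hours(8, alnum, 1000):.1f} h wall clock")
    for alphabet, label in ((alnum, "alnum"), (alnum + SYMBOLS, "alnum+symbols")):
        need = min_length_over_budget(10_000, alphabet, RATE_2010)
        print(f"$10k budget, {label}: full search costs more from {need} chars up")
```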

Oh and make darned sure you’re not using the same password for everything!

Password Reuse (XKCD comic)

(Original source – The Register, XKCD comics from XKCD.com)

3 thoughts on “Moving Hacking into the Cloud”

  1. Speaking as a prime target of these new-fangled, hyper-scalable interweb criminals; this worries me greatly.

    If anyone needs me, I’ll be hiding out in my doomsday capsule.

  2. @Mike – FEAR THE INTERNETS!!! LIVE IN FEAR, CLOSET YOURSELF AND DO NOT LEAVE THE HOUSE! FEAR FEAR FEAR …

  3. or just use certificate based auth for everything :) speaking of which, whatever happened to Smart Cards?
