New Hack Abuses Cloud-Based Browsers

Researchers show how attackers could anonymously pilfer free cloud computing power -- for cracking passwords, denial-of-service attacks, or other nefarious activities

Turns out those cloud-based browsers that offload processing in the cloud for mobile devices can also be a cybercriminal's best friend: Researchers have found that those browser services can be abused to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power.

A team of NC State University and University of Oregon researchers built a proof-of-concept using Google's MapReduce technique for parallel computing in the cloud together with the Puffin cloud-based browser service. They stored large data packets on URL-shortening sites to disguise the traffic between multiple nodes in order to test how the browsing service could be used for more than browsing.

"To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords ... you could use these available services" rather than paying for Amazon EC2 services, for instance, says William Enck, assistant professor of computer science at NC State and a co-author of the research paper published today by the team. "This is a way of getting that computation [power] without going through the hurdle [of payment fraud]."

The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.

Password cracking with cloud-based computing has been demonstrated before, with tools such as the WPACracker service, created by researcher Moxie Marlinspike to test the strength of passwords used to encrypt wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, which uses the Amazon EC2 cloud to crack passwords and break into wireless networks via a brute-force password-cracking attack.

[Apparent mistranslation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account. See Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'.]

With this latest research in what is sometimes called "parasitic computing," the problem lies with the cloud browser providers themselves, whose resources can be abused by bad actors.

"Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system," says Jeremiah Grossman, CTO of WhiteHat Security.

NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with users so they can detect possible abuse or rogue traffic. Just as blacklisting offending IP addresses works against a DDoS attack, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"

Cloud browser providers can also limit the computing resources used by each user or client, he says, which also would help detect abuse.

Some providers currently employ features that can help minimize abuse. The Amazon Kindle Fire's Silk browser, for example, entails user registration and also sends a private key specific to the tablet as part of its handshake with the cloud-based servers. "Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts," the researchers wrote in their paper.
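The three controls described above (tie every render request to an account and cap what each account may consume, flag an account whose credential appears to have been cloned across many clients, and rate-limit account creation so a CAPTCHA can be demanded) can be modelled as sliding-window counters. The following is an added example written for this article; it is not code from the NC State/Oregon paper, from Puffin, or from Amazon Silk. All budgets, window sizes and the request log are constructed assumptions for illustration.

```python
"""Per-account resource accounting for a cloud-rendering service (added example).

Models three defensive checks discussed in the article:
  * RenderQuota   - cap CPU seconds per account in a sliding window
  * SourceSpread  - flag an account used from too many source addresses
                    (a crude signal that an instance or credential was cloned)
  * SignupLimiter - cap account creations per source address, so a CAPTCHA
                    can be required once the cap is hit
Thresholds and the event log are constructed, not taken from any real service.
"""
from collections import defaultdict, deque


class SlidingWindow:
    """Keep (timestamp, value) pairs per key, dropping pairs older than the window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> deque of (ts, value)

    def add(self, key, now, value):
        q = self._events[key]
        q.append((now, value))
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return [v for _, v in q]


class RenderQuota:
    """True while the account's CPU use inside the window stays within budget."""

    def __init__(self, cpu_budget_seconds, window_seconds):
        self.budget = cpu_budget_seconds
        self.win = SlidingWindow(window_seconds)

    def charge(self, account, now, cpu_seconds):
        return sum(self.win.add(account, now, cpu_seconds)) <= self.budget


class SourceSpread:
    """True while the account has been seen from at most max_sources addresses."""

    def __init__(self, max_sources, window_seconds):
        self.max_sources = max_sources
        self.win = SlidingWindow(window_seconds)

    def observe(self, account, now, source_ip):
        return len(set(self.win.add(account, now, source_ip))) <= self.max_sources


class SignupLimiter:
    """True while a source address has created at most max_signups accounts."""

    def __init__(self, max_signups, window_seconds):
        self.max_signups = max_signups
        self.win = SlidingWindow(window_seconds)

    def allow(self, source_ip, now):
        return len(self.win.add(source_ip, now, 1)) <= self.max_signups


def evaluate(events, quota, spread, limiter):
    """Run the constructed event stream through the three checks.

    Returns sorted lists of accounts over budget, accounts spread across too
    many sources, and source addresses that should be challenged with a CAPTCHA.
    """
    over_budget, cloned, captcha = set(), set(), set()
    for ev in events:
        if ev["kind"] == "signup":
            if not limiter.allow(ev["ip"], ev["t"]):
                captcha.add(ev["ip"])
        elif ev["kind"] == "render":
            if not quota.charge(ev["account"], ev["t"], ev["cpu"]):
                over_budget.add(ev["account"])
            if not spread.observe(ev["account"], ev["t"], ev["ip"]):
                cloned.add(ev["account"])
    return {"over_budget": sorted(over_budget),
            "cloned": sorted(cloned),
            "signup_captcha": sorted(captcha)}


# Constructed sample log: timestamps in seconds, documentation-range IPs.
SAMPLE_EVENTS = [
    {"t": 0, "kind": "signup", "ip": "203.0.113.7"},
    {"t": 1, "kind": "signup", "ip": "203.0.113.7"},
    {"t": 2, "kind": "signup", "ip": "203.0.113.7"},
    {"t": 3, "kind": "signup", "ip": "203.0.113.7"},   # fourth signup in 300 s
    {"t": 4, "kind": "signup", "ip": "198.51.100.9"},
    {"t": 10, "kind": "render", "account": "acct-a", "ip": "198.51.100.9", "cpu": 5.0},
    {"t": 20, "kind": "render", "account": "acct-a", "ip": "198.51.100.9", "cpu": 12.0},
    {"t": 30, "kind": "render", "account": "acct-a", "ip": "198.51.100.9", "cpu": 14.0},  # 31 s > 30 s
    {"t": 35, "kind": "render", "account": "acct-b", "ip": "192.0.2.10", "cpu": 2.0},
    {"t": 40, "kind": "render", "account": "acct-c", "ip": "192.0.2.21", "cpu": 1.0},
    {"t": 41, "kind": "render", "account": "acct-c", "ip": "192.0.2.22", "cpu": 1.0},
    {"t": 42, "kind": "render", "account": "acct-c", "ip": "192.0.2.23", "cpu": 1.0},
    {"t": 43, "kind": "render", "account": "acct-c", "ip": "192.0.2.24", "cpu": 1.0},  # 4th distinct IP
    {"t": 100, "kind": "render", "account": "acct-a", "ip": "198.51.100.9", "cpu": 3.0},  # old use expired
]


def run_sample():
    """Evaluate the constructed log with 30 CPU s / 60 s, 3 sources / 60 s, 3 signups / 300 s."""
    return evaluate(SAMPLE_EVENTS, RenderQuota(30.0, 60), SourceSpread(3, 60), SignupLimiter(3, 300))


if __name__ == "__main__":
    print(run_sample())
```

The windows make the checks forgiving of bursts: acct-a's request at t=100 is accepted again because its earlier CPU use has aged out, while the earlier overrun is still recorded for the operator to review. In a real deployment the CPU figure would come from the renderer's own accounting rather than from the request, since a value supplied by the client is exactly what an abuser controls.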

In their proof-of-concept, the researchers used 1-, 10- and 100-megabyte data packets rather than larger ones. "When we ran our experiments, we didn't overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practice and put undue strain on the technology we were using," Enck says.

"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays. The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes," Enck and his co-authors -- NC State graduate students Vasant Tendulkar and Ashwin Shashidharan, the University of Oregon's Joe Pletcher, Ryan Snyder and Kevin Butler -- wrote in their paper.

The researchers will present their "Abusing Cloud-Based Browsers for Fun and Profit" paper next week at the 2012 Annual Computer Security Applications Conference in Orlando, Fla.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.