
New Hack Abuses Cloud-Based Browsers

Researchers show how attackers could anonymously pilfer free cloud computing power -- for cracking passwords, denial-of-service attacks, or other nefarious activities

Turns out those cloud-based browsers that offload processing to the cloud for mobile devices can also be a cybercriminal's best friend: Researchers have found that those browser services can be abused to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power.

In their proof-of-concept, a team of researchers from NC State University and the University of Oregon used Google's MapReduce technique, which enables fast parallel computing in the cloud, together with the Puffin cloud-based browser service. They stored large data packets on URL-shortening sites to disguise the traffic between multiple nodes in order to test how the browsing service could be used for more than browsing.

"To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords ... you could use these available services" rather than paying for Amazon EC2 services, for instance, says William Enck, assistant professor of computer science at NC State and a co-author of the research paper published today by the team. "This is a way of getting that computation [power] without going through the hurdle [of payment fraud]."

The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.

Password cracking using cloud-based computing has been demonstrated before, with tools like the WPACracker service, created by researcher Moxie Marlinspike to test the strength of passwords used in the encryption of wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, which uses the Amazon EC2 cloud to decrypt passwords and break into wireless networks via a brute-force password-cracking attack.

[Apparent mistranslation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account. See Researcher Overcomes Legal Setback Over 'Cloud Cracking Suite'.]

With this latest research in what is sometimes called "parasitic computing," the problem lies with the cloud browser providers themselves, whose resources can be abused by bad actors.

"Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system," says Jeremiah Grossman, CTO of WhiteHat Security.

NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"

Cloud browser providers can also limit the computing resources used by each user or client, he says, which also would help detect abuse.
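One way a provider could apply the per-account resource limit and account-to-client association described above, shown as an added example that is not from the article or the researchers' paper. The job-record fields, the 60-second window and the 50-CPU-second budget are assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample records for page-render jobs:
# (unix_time, account_id, client_ip, cpu_seconds). All values are assumptions.
SAMPLE_JOBS = [
    (1000, "acct-a", "192.0.2.10", 0.8),
    (1005, "acct-b", "198.51.100.7", 25.0),
    (1010, "acct-a", "192.0.2.10", 1.1),
    (1020, "acct-b", "198.51.100.8", 30.0),
    (1030, "acct-b", "198.51.100.7", 28.0),
    (1100, "acct-a", "192.0.2.10", 0.9),
    (1400, "acct-b", "198.51.100.7", 2.0),
]

def flag_accounts(jobs, window_s=60, cpu_budget_s=50.0):
    """Flag accounts whose render CPU time inside any sliding window
    exceeds the budget. Returns {account: {"peak_cpu_s", "ips"}}."""
    recent = defaultdict(deque)    # account -> (time, cpu) pairs still in window
    running = defaultdict(float)   # account -> CPU seconds currently in window
    ips = defaultdict(set)         # account -> every client IP seen for it
    peaks = {}                     # account -> worst over-budget window total
    for ts, acct, ip, cpu in sorted(jobs):
        window = recent[acct]
        # Expire jobs that have fallen out of the sliding window.
        while window and window[0][0] <= ts - window_s:
            running[acct] -= window.popleft()[1]
        window.append((ts, cpu))
        running[acct] += cpu
        ips[acct].add(ip)
        if running[acct] > cpu_budget_s:
            peaks[acct] = max(running[acct], peaks.get(acct, 0.0))
    # Attach the client IPs so the account can be reviewed or blocked as a unit.
    return {a: {"peak_cpu_s": p, "ips": sorted(ips[a])} for a, p in peaks.items()}

if __name__ == "__main__":
    for account, info in flag_accounts(SAMPLE_JOBS).items():
        print(account, info)
```

Ordinary page rendering stays far below the budget, while an account running sustained computation through the renderer crosses it within a few jobs, even when the jobs arrive from several client addresses.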

Some providers currently employ features that can help minimize abuse. The Amazon Kindle Fire's Silk browser, for example, entails user registration and also sends a private key specific to the tablet as part of its handshake with the cloud-based servers. "Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts," the researchers wrote in their paper.

In their proof-of-concept, the researchers used 1-, 10- and 100-megabyte data packets rather than larger ones. "When we ran our experiments, we didn't overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practice and put undue strain on the technology we were using," Enck says.

"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays. The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes," Enck and his co-authors -- NC State graduate students Vasant Tendulkar and Ashwin Shashidharan, the University of Oregon's Joe Pletcher, Ryan Snyder and Kevin Butler -- wrote in their paper.

The researchers will present their "Abusing Cloud-Based Browsers for Fun and Profit" paper next week at the 2012 Annual Computer Security Applications Conference in Orlando, Fla.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
