Recently, a partner of mine asked me to look at a website used to crack wireless passwords in the cloud. The site WPA Cracker is defined as:
…a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.
So the general idea is that only good guys will use this site to see how secure their WiFi network may be. It is a noble cause, but let us not kid ourselves: any tool a good guy can use will likely be used by a bad guy. Just like the cloud itself, it can be a great tool (when used properly and securely) to enable organizations to do more with fewer internal resources, but it provides the same benefits to the bad guys. They can just as easily use the cloud to streamline their processes and procedures and make themselves more agile, more focused, and generally more evil.
Bad guys using the cloud for evil is nothing new. I remember when rainbow tables and NTLM hashes were first posted online. Prior to that, you would have to compute your own, which required gigabytes to terabytes of storage. People then began developing desktop agents similar to the SETI@home project to leverage distributed computing and crack passwords far faster than any single machine could. So this site is not the first to leverage this concept.
What does this mean for us? It means that regardless of how excited we get over new ideas and concepts in terms of business enablement, we cannot forget the basic tenets of Information Security. We have to stay on our toes and be realistic that we are only secure for a moment. The best we can do is to extend that moment as long as possible, focus on new technologies that make us even more secure, and remember that prevention is only half of the game. We must focus just as much on detection and response, and remember every breached company that went to sleep thinking that day would never come.
When the Data Encryption Standard was adopted in 1977, recovering a key by exhaustive search meant testing up to 2^56 (about 72 quadrillion) keys, and the cost of that much computing power was considered unreasonable. That same year, Diffie and Hellman estimated that a purpose-built machine costing around US$20,000,000 could recover a DES key in about a day. In 1998, the Electronic Frontier Foundation built Deep Crack for under $250,000 and recovered a DES key in 56 hours, a little over 2 days. A year later, working with distributed.net, it did so in under a day, and purpose-built FPGA hardware costing around $10,000 has since brought a full DES key search down to a matter of days. None of those efforts leveraged cloud computing. Add elastic, rented compute, as the WPA cracker does, and the lesson is clear: we will always be retiring encryption standards, and we must watch the bad guys as closely as they are watching us.
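The two ideas in this post, the key-search arithmetic behind the DES estimates and the offline passphrase guessing that a WPA-PSK cracking service performs, are worth seeing in working code. The example below is added here and is not code from the original post or from the WPA Cracker service. The key-search functions are plain arithmetic over whatever key-space size and key rate you plug in; the WPA part implements the IEEE 802.11i PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes) and checks a candidate list against a target PMK. That direct PMK comparison is a simplification: a real attacker derives the PTK from a captured 4-way handshake and verifies the MIC, but the cost per guess, and the reason a weak passphrase falls, is the same PBKDF2 step shown here. The SSID, wordlist and passphrases are constructed sample input.

```python
import hashlib
import hmac
import math


# --- Key-search arithmetic (the kind of estimate made for DES above) ---

def keysearch_seconds(keyspace, keys_per_second, average=True):
    """Seconds to find a key by exhaustive search.

    On average the key turns up after half the space has been tested;
    the worst case is the whole space.
    """
    tested = keyspace / 2 if average else keyspace
    return tested / keys_per_second


def machine_cost(keyspace, keys_per_second_per_unit, unit_cost, target_seconds):
    """Units of identical hardware, and total dollars, needed to cover the
    whole key space (worst case) within target_seconds.  Returns (units, cost).
    """
    needed_rate = keyspace / target_seconds
    units = math.ceil(needed_rate / keys_per_second_per_unit)
    return units, units * unit_cost


# --- WPA-PSK: why the passphrase is the whole game ---

def wpa_pmk(passphrase, ssid):
    """Pairwise Master Key as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The SSID is the salt, so precomputed tables only help for one network
    name, and the 4096 iterations are the only thing slowing a guess down.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def find_passphrase(target_pmk, ssid, wordlist):
    """Offline guess: derive the PMK for every candidate and compare.

    Simplification (assumption for this example): we compare PMKs directly.
    A real attacker checks each candidate against the MIC of a captured
    4-way handshake instead, at the same PBKDF2 cost per guess.
    """
    for word in wordlist:
        if hmac.compare_digest(wpa_pmk(word, ssid), target_pmk):
            return word
    return None


# Constructed sample data for this example (not from the original post).
SSID = "CoffeeShopWiFi"
WORDLIST = ["password", "letmein", "sunshine", "iloveyou", "qwerty123"]


def audit_passphrase(passphrase, ssid, wordlist):
    """Auditor's check: is this network's passphrase in a common wordlist?
    Returns True if the passphrase would be found."""
    return find_passphrase(wpa_pmk(passphrase, ssid), ssid, wordlist) is not None


if __name__ == "__main__":
    # DES-sized space at a hypothetical 2^40 keys/second.
    print("DES worst case (h):", keysearch_seconds(2**56, 2**40, average=False) / 3600)
    # Hypothetical unit: 2^30 keys/s for $100; cover 2^56 keys in ~12 days.
    print("units, cost:", machine_cost(2**56, 2**30, 100.0, 2**20))
    print("weak passphrase found:", find_passphrase(wpa_pmk("sunshine", SSID), SSID, WORDLIST))
    print("strong passphrase found:",
          find_passphrase(wpa_pmk("correct horse battery staple", SSID), SSID, WORDLIST))
```

Run it with a larger wordlist and time the loop to see the per-guess cost of PBKDF2 on your own hardware; that number, multiplied by however many rented cores an attacker is willing to pay for, is the budget a WPA-PSK passphrase has to survive.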