Distributed security cracking

Will the future of security cracking lie in “cloud computing”?

One of the newly popular buzzwords of the IT industry is “cloud computing”, referring to the use of computational capabilities derived from the aggregate of available distributed computing resources. What qualifies resources as “available” may vary from case to case, and in fact most discussion of cloud computing — referring to the “Internet cloud”, a conceptual abstraction of the complex, heuristic infrastructure of internetworked computers — is very inexact in its reference to how one creates, manages, and accesses this “cloud”. The implementation of aggregating distributed resources into a usable infrastructure is often left as an exercise for the audience.

Steps are being taken to create a tightly controlled business model based on the concepts of cloud computing, and these steps are necessary stops on the path to ubiquitous availability of cloud computing technologies. Utility computing is such a model, where one can subscribe to distributed computational resources maintained by a given provider similarly to the way one might subscribe to a household utility like electricity or natural gas service; Amazon has stepped into this role via its EC2 service.

A more well-established, but (these days) less buzzword compliant, implementation of cloud computing technologies is BOINC, the technological foundation for volunteer participation distributed computing networks such as SETI@Home and Folding@Home, both of which started out using a less standardized cloud computing technology before adopting support for the BOINC infrastructure. In some respects more primitive, while in others adopting a more advanced approach to distributed systems, is the proliferation of peer to peer network services such as BitTorrent — which serves as an excellent example of the early stages of participatory resource sharing, where to some extent one very directly gets out of a system what one puts into it.

Many of the IT industry buzzword followers may be shocked to have the fact pointed out to them, but one of the most venerable and successful implementations of cloud computing technologies is the proliferation of DDoS and spam botnets. Such botnets are assembled and expanded by use of self replicating mobile malicious code, which infects a computer, then sends copies of itself across the Internet to infect still other computers. These infected systems, often referred to as “zombies” — especially if they have a certain amount of autonomy and dumbly perform simple, repetitive actions — may then subject themselves to aggregate control, via networking protocols such as IRC, by the malicious security cracker who deployed them.

DDoS attacks and spam distribution hardly seem like the most sophisticated possible uses of cloud computing technologies, of course. On the other hand, botnets do provide the potential basis for more interesting illegal uses. For instance, brute force password cracking costs as measured in CPU cycles can be prohibitively expensive (as cost is measured in dollars) when using privately owned hardware, but when additional hardware can be added to a distributed supercomputer by automatically propagating botnet infections, things start looking significantly cheaper.

As Internet presence becomes increasingly widespread — particularly amongst users of inadequately secured, largely homogenous operating system environments — we can only expect that distributed computing resources will become more common tools for those who wish to solve computationally difficult problems. Among those people will be scientists, businesses that need to process tremendous amounts of data, and of course security researchers. Those security researchers, in fact, include the people at Free Rainbow Tables, who have already employed distributed computing resources to improve their rainbow table generation capabilities. This is, if it were placed in the wrong hands and achieved by dubious means such as use of botnet infected systems, exactly the sort of nefarious purpose for “cloud” computing I spoke of above.

As already mentioned, also among the people we can expect to leverage distributed computing technologies in the future will be malicious security crackers, and these are the cloud computing users that will significantly change the face of computer security policy in the future. Security cracking activities that have been dismissed as impractical because of the necessary dedicated processing time and power in the past will rapidly become more commonplace as the sophistication of botnet users improves. Security professionals will need to take this changing security landscape into account if they wish to remain a step ahead of their malicious counterparts.

The aggregated power of distributed computing provides a potentially bright future for those of us who need more than an email client and a Web browser. Unfortunately, that includes those of us with malicious intent, as well as those of us whose intentions are more pure. It would not serve us well to forget that fact.