New Hack Abuses Cloud-Based Browsers

Published: 22/11/2024   Category: security




Researchers show how attackers could anonymously pilfer free cloud computing power -- for cracking passwords, denial-of-service attacks, or other nefarious activities



Turns out those cloud-based browsers that offload page rendering to the cloud on behalf of mobile devices can also be a cybercriminal's best friend: researchers have found that the browser services can be abused to crack passwords, wage denial-of-service attacks, or perform other unauthorized computations with the free computing power.
A team of NC State University and University of Oregon researchers built a proof-of-concept using the MapReduce model, popularized by Google for splitting a job into parallel tasks across many machines, on top of the Puffin cloud-based browser service. They stored large data packets on URL-shortening sites to disguise the traffic between the multiple nodes, in order to test how far the browsing service could be pushed beyond browsing.
"To do that computation normally, you would rent space. If you want to do a job anonymously, like cracking passwords ... you could use these available services rather than paying for Amazon EC2 services, for instance," says William Enck, assistant professor of computer science at NC State and a co-author of the research paper published today by the team. "This is a way of getting that computation [power] without going through the hurdle [of payment fraud]."
The researchers were able to generate more than 24,000 hashes per second in password-cracking tests with Puffin and their proof-of-concept.
Cloud-based password cracking has been demonstrated before, with tools like the WPACracker service, created by researcher Moxie Marlinspike to test the strength of passwords used to protect wireless access points, and the Cloud Cracking Suite, built by European researcher Thomas Roth, which uses the Amazon EC2 cloud to break into wireless networks via a brute-force password-cracking attack.
[An apparent mistranslation by a German newspaper of English-language reports on the researcher's Amazon EC2-based password-cracking tool led to a raid and a frozen bank account. See Researcher Overcomes Legal Setback Over Cloud Cracking Suite.]
With this latest research in what is sometimes called parasitic computing, the problem lies with the cloud browser providers themselves, whose resources can be abused by bad actors.
"Like any other online service, cloud browser providers must ensure adequate security controls are in place to prevent their end users from abusing the system," says Jeremiah Grossman, CTO of WhiteHat Security.
NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming, and the IP addresses.'"
Cloud browser providers can also limit the computing resources used by each user or client, he says, which would likewise help detect abuse: a client that keeps exhausting its allowance stands out from ordinary page rendering.
Some providers currently employ features that can help minimize abuse. "The Amazon Kindle Fire's Silk browser, for example, entails user registration and also sends a private key specific to the tablet as part of its handshake with the cloud-based servers. Such a strategy is particularly helpful in mitigating the ability to clone instances. Additionally, existing techniques such as CAPTCHAs can limit the rate of creating new accounts," the researchers wrote in their paper.
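The account-binding and per-client compute limit that Enck describes amount to a budget check keyed on the authenticated client: charge each render's CPU time against the client's allowance for the current window, refuse further renders once it is spent, and hand the clients that hit the limit to an analyst. The Python below is an added example written for this page, not code from the paper, from Puffin or from any provider; the log schema, the budget values and the few-hosts heuristic are assumptions, and the log itself is constructed.

```python
from collections import defaultdict

# Policy knobs. These values are assumptions for the example, not numbers from
# the paper or from any real provider.
WINDOW_S = 60          # fixed budget window, in seconds
CPU_BUDGET_MS = 6_000  # render CPU a single client may consume per window

# Constructed sample log of render requests, ordered by time:
# (timestamp_s, client_id, cpu_ms consumed by the render, host that was rendered).
# The schema is hypothetical; what matters is that every record carries an
# authenticated client identity, which is what makes per-client limits possible.
SAMPLE_LOG = [
    (0, "bot-77", 950, "short.example"),
    (0, "tablet-01", 150, "news.example"),
    (1, "bot-77", 980, "short.example"),
    (2, "bot-77", 990, "short.example"),
    (3, "bot-77", 970, "short.example"),
    (4, "bot-77", 960, "short.example"),
    (5, "bot-77", 990, "short.example"),
    (6, "bot-77", 990, "short.example"),
    (7, "bot-77", 990, "short.example"),   # budget already spent: throttled
    (7, "tablet-01", 210, "shop.example"),
    (30, "tablet-02", 300, "mail.example"),
    (61, "bot-77", 990, "short.example"),  # new window, budget resets
]


def enforce_budget(log, window_s=WINDOW_S, cpu_budget_ms=CPU_BUDGET_MS):
    """Replay the log and decide, per request, whether the client still has
    CPU budget in the current window. CPU is charged after an allowed render
    (its cost is not known up front); once the window's budget is spent,
    further requests are refused without rendering."""
    used = defaultdict(int)  # (client, window_index) -> cpu_ms charged so far
    decisions = []
    stats = defaultdict(lambda: {"allowed": 0, "throttled": 0,
                                 "cpu_ms": 0, "hosts": set()})
    for ts, client, cpu_ms, host in log:
        key = (client, ts // window_s)
        s = stats[client]
        s["hosts"].add(host)
        if used[key] >= cpu_budget_ms:
            decisions.append((ts, client, "throttle"))
            s["throttled"] += 1
        else:
            used[key] += cpu_ms
            decisions.append((ts, client, "allow"))
            s["allowed"] += 1
            s["cpu_ms"] += cpu_ms
    return decisions, dict(stats)


def flag_abusers(stats):
    """Clients that hit the budget at least once are candidates for review.
    A computation job's request stream also tends to concentrate on very few
    hosts (a heuristic assumed here, not a finding of the paper), so the
    report carries the distinct-host count as context for the analyst."""
    return {
        client: {"throttled": s["throttled"], "cpu_ms": s["cpu_ms"],
                 "distinct_hosts": len(s["hosts"])}
        for client, s in stats.items() if s["throttled"] > 0
    }


if __name__ == "__main__":
    _, client_stats = enforce_budget(SAMPLE_LOG)
    for client, info in flag_abusers(client_stats).items():
        print(f"{client}: {info}")
```

On the constructed log, the two tablets never touch their allowance, while `bot-77` burns roughly one CPU-second per wall-clock second, is refused at its ninth request and is the only client reported; registration and CAPTCHA-gated sign-up, as the paper notes, are what stop the attacker from simply spreading the same load over many fresh accounts.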
In their proof-of-concept, the researchers used 1-, 10- and 100-megabyte data packets rather than larger ones. "When we ran our experiments, we didn't overly tax the services. Our goal was to show these things are feasible and not to demonstrate large-scale use of this in practice and put undue strain on the technology we were using," Enck says.
"By rendering Web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays. The example applications shown in this paper were an academic exercise targeted at demonstrating the capabilities of cloud browsers. There is great potential to abuse these services for other purposes," Enck and his co-authors -- NC State graduate students Vasant Tendulkar and Ashwin Shashidharan, and the University of Oregon's Joe Pletcher, Ryan Snyder and Kevin Butler -- wrote in their paper.
The researchers will present their paper, "Abusing Cloud-Based Browsers for Fun and Profit," next week at the 2012 Annual Computer Security Applications Conference in Orlando, Fla.