How Cloud Computing changed the face of brute-force attacks.
Cloud Computing is the phrase that we loved last year. I don’t think there is any IT conference where the Cloud Computing topic misses completely the agenda. It’s a new paradigm that attempts to solve many of the existing IT problems. There are many advantages for the cloud and I just want to mention: scalability, flexibility, accessibility, redundancy, extraordinary capacity, predictable costs that go to OPEX not CAPEX. The Cloud promises. The trouble is that not only solve our problems but also the problems of individuals with less clean intentions that wander around the global data networks. This extraordinary capacity that can be used at an affordable price, almost unexpectedly, opens the doors for hackers. Let’s get in a few details.
We all use encryption mechanisms and we want to know that our personal data, emails or wireless networks are protected at least to a minimum level of security. Unfortunately, history shows that any encryption method has been defeated sooner or later. It’s just a matter of time. In fact, this is the idea, a reasonable level of encryption is one that requires a long enough time to be decrypted (long meaning at least years or decades). But that length depends on the computing resources available to the attacker.
But what is the promise of Cloud Computing? Computing resources. Anytime, anywhere and at a more or less acceptable price. I read a few days ago that a German security researcher, Thomas Roth, managed to create a little program that runs over the Amazon EC2 Cloud (Amazon Elastic Cloud) that attempts to discover passwords used by wireless networks (WPA-PSK). What’s new with this? Well, nothing, except that it can make 400,000 attempts per second. A staggering amount. The theoretically infinite resources of cloud computing are changing the face of brute force attacks.
What can be done? If you were cautious when choosing passwords, now you can start being paranoid. Do not use simple and predictable words. Use at least three of these character types: uppercase letters, lowercase letters, numbers and special characters. Do not use passwords shorter than 8 characters. And last but not least, change passwords from time to time. I would recommend every 3-4 months but I know nobody will do it so at least change them once a year. Oh, and another thing, do not use the same password everywhere! Rather, install a password manager software that will help you not to lose them. Good luck!