Researchers at North Carolina State University and the University of Oregon have discovered a way to turn cloud computing into hacker heaven.
By disguising data transfers with URL-truncating services like TinyURL or Bit.ly, the researchers found, cloud-based processing power intended to shift computing tasks from laptops, tablets and mobile devices could be converted to crack encoded passwords or used for a large-scale denial-of-service attack.
WhiteHat Security’s Jeremiah Grossman told Dark Reading that cloud browser providers need to “ensure adequate security controls are in place to prevent their end users from abusing the system.”
N.C. State researcher William Enck said one key is awareness:
NC State’s Enck says there are ways for cloud-based browsing providers to better monitor their traffic — namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. “It’s similar: You can say, ‘Here are the clients from where [the traffic] is coming from and the IP addresses.’”
Dark Reading notes that users of the Silk browser on Amazon’s Kindle Fire have to register with the service, and each tablet has a unique key that identifies that user and device to the browsing service. The university researchers who discovered these vulnerabilities believe Amazon’s strategy is a sound way to keep cloud users honest. They also recommend using CAPTCHAs so potentially malicious cloud users can’t write scripts that will automatically create multiple accounts they could later use in large-scale hacks or cyber-attacks.
We’re not really looking forward to the day we can say hackers have maliciously used the cloud to “make it rain.”