<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet type="text/css" media="screen" href="http://s2.wp.com/wp-content/themes/vip/newyorkobserver/stylesheets/rss.css"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Betabeat &#187; hashed passwords</title>
	<atom:link href="http://betabeat.com/tag/hashed-passwords/feed/" rel="self" type="application/rss+xml" />
	<link>http://betabeat.com</link>
	<description>Just another WordPress.com site</description>
	<lastBuildDate>Thu, 20 Jun 2013 00:23:19 +0000</lastBuildDate>
	<language></language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='betabeat.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Betabeat &#187; hashed passwords</title>
		<link>http://betabeat.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://betabeat.com/osd.xml" title="Betabeat" />
	<atom:link rel='hub' href='http://betabeat.com/?pushpress=hub'/>
		<item>
				
		<title>Researchers Say the Cloud Could Aid in Large-Scale Cyber Attacks</title>

		<comments>http://betabeat.com/2012/11/researchers-say-the-cloud-could-aid-in-large-scale-cyber-attacks/#comments</comments>
		<pubDate>Thu, 29 Nov 2012 11:34:11 -0400</pubDate>
					<link>http://betabeat.com/2012/11/researchers-say-the-cloud-could-aid-in-large-scale-cyber-attacks/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=71943</guid>
		<description><![CDATA[<p><div id="attachment_47760" class="wp-caption alignleft" style="width: 310px"><a href="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg"><img class="size-medium wp-image-47760" alt="" src="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg?w=300" height="225" width="300" /></a><p class="wp-caption-text">Not all clouds are security threats. (flickr.com/kky)</p></div></p>
<p>Researchers at North Carolina State University and the University of Oregon <a href="http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html" target="_blank">have discovered a way</a> to turn cloud computing into hacker heaven.</p>
<p>Disguising data transfers with URL-shortening services like TinyURL or Bit.ly, researchers found that cloud-based processing power intended to shift computing tasks from laptops, tablets and mobile devices could be converted to crack encoded passwords or used for a large-scale denial-of-service attack.<!--more--></p>
<p>WhiteHat Security's Jeremiah Grossman <a href="http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html" target="_blank">told Dark Reading</a> that cloud browser providers need to "ensure adequate security controls are in place to prevent their end users from abusing the system."</p>
<p>N.C. State researcher William Enck said one key is awareness:</p>
<blockquote><p>NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"</p></blockquote>
<p>Dark Reading notes that users of the Silk browser on Amazon's Kindle Fire have to register with the service, and each tablet has a unique key that identifies that user and device to the browsing service. The university researchers who discovered these vulnerabilities believe Amazon's strategy is a sound way to keep cloud users honest. They also recommend using CAPTCHAs so potentially malicious cloud users can't write scripts that will automatically create multiple accounts they could later use in large-scale hacks or cyber-attacks.</p>
<p>We're not really looking forward to the day we can say hackers have maliciously used the cloud to "make it rain."</p>
]]></description>
		<content:encoded><![CDATA[<p><div id="attachment_47760" class="wp-caption alignleft" style="width: 310px"><a href="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg"><img class="size-medium wp-image-47760" alt="" src="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg?w=300" height="225" width="300" /></a><p class="wp-caption-text">Not all clouds are security threats. (flickr.com/kky)</p></div></p>
<p>Researchers at North Carolina State University and the University of Oregon <a href="http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html" target="_blank">have discovered a way</a> to turn cloud computing into hacker heaven.</p>
<p>Disguising data transfers with URL-shortening services like TinyURL or Bit.ly, researchers found that cloud-based processing power intended to shift computing tasks from laptops, tablets and mobile devices could be converted to crack encoded passwords or used for a large-scale denial-of-service attack.<!--more--></p>
<p>WhiteHat Security's Jeremiah Grossman <a href="http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html" target="_blank">told Dark Reading</a> that cloud browser providers need to "ensure adequate security controls are in place to prevent their end users from abusing the system."</p>
<p>N.C. State researcher William Enck said one key is awareness:</p>
<blockquote><p>NC State's Enck says there are ways for cloud-based browsing providers to better monitor their traffic -- namely, by associating accounts with the users so they can detect possible abuse or rogue traffic. Just like blacklisting offending IP addresses in a DDoS attack, for example, he says, this would allow cloud browser providers to quash abuse. "It's similar: You can say, 'Here are the clients from where [the traffic] is coming from and the IP addresses.'"</p></blockquote>
<p>Dark Reading notes that users of the Silk browser on Amazon's Kindle Fire have to register with the service, and each tablet has a unique key that identifies that user and device to the browsing service. The university researchers who discovered these vulnerabilities believe Amazon's strategy is a sound way to keep cloud users honest. They also recommend using CAPTCHAs so potentially malicious cloud users can't write scripts that will automatically create multiple accounts they could later use in large-scale hacks or cyber-attacks.</p>
<p>We're not really looking forward to the day we can say hackers have maliciously used the cloud to "make it rain."</p>
]]></content:encoded>
		<wfw:commentRss>http://betabeat.com/2012/11/researchers-say-the-cloud-could-aid-in-large-scale-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg?w=150" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg?w=150" medium="image">
			<media:title type="html">cloud</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/05/704056791_63f1e492d8.jpeg?w=300" medium="image" />
	</item>
		<item>
				
		<title>Russia&#8217;s Kaspersky Lab Cracks Password Attached to Alleged U.S. Cyber Weapon</title>

		<comments>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/#comments</comments>
		<pubDate>Wed, 19 Sep 2012 13:24:18 -0400</pubDate>
					<link>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/</link>
			<dc:creator>Steve Huff</dc:creator>
				
		<guid isPermaLink="false">http://betabeat.com/?p=63027</guid>
		<description><![CDATA[<p><div id="attachment_63042" class="wp-caption alignleft" style="width: 178px"><a href="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg"><img class="size-full wp-image-63042" title="flamegonnalive" src="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg" alt="" width="168" height="240" /></a><p class="wp-caption-text">What Flame did to Iranian computers. (Image: <a href="http://www.flickr.com/photos/wwarby/">William Warby</a>, Flickr)</p></div></p>
<p>The Cold War is over and Russia and America are getting along. So surely the Men in Black behind the United States' cyber weapons program based at Area 51 or wherever will not be too concerned that a Russian researcher cracked an encoded password associated with the now infamous, allegedly American-made <a href="http://betabeat.com/topics/flame-im-gonna-live-forever/" target="_blank">Flame malware</a>.</p>
<p><a href="http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/" target="_blank">Symantec and Kaspersky recently teamed to pick apart Flame's command and control systems</a>, discovering at least three previously unknown infectious scripts in the process. The researchers also discovered a great deal about how the weapons were assembled and launched against enemy targets, but were left with a hashed passcode they couldn't break. They put out a call for help but <a href="http://www.networkworld.com/news/2012/091812-kaspersky-flame-262531.html">didn't need the assistance of anyone outside either outfit</a>, after all:<!--more--></p>
<blockquote><p>Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast. [...]</p></blockquote>
<blockquote><p>The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.</p></blockquote>
<p>So now the whole world knows the password that once protected the servers behind Flame, a complex and sophisticated cyber weapon that was a major blow to Iran's nuclear program.</p>
<p>Which is a little scary, because if someone can crack the password that once protected such a covert weapon created by a nation state, the average Internet user's method of password-protecting their Gmail with a pet's name plus grandma's birthday doesn't seem too safe anymore.</p>
]]></description>
		<content:encoded><![CDATA[<p><div id="attachment_63042" class="wp-caption alignleft" style="width: 178px"><a href="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg"><img class="size-full wp-image-63042" title="flamegonnalive" src="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg" alt="" width="168" height="240" /></a><p class="wp-caption-text">What Flame did to Iranian computers. (Image: <a href="http://www.flickr.com/photos/wwarby/">William Warby</a>, Flickr)</p></div></p>
<p>The Cold War is over and Russia and America are getting along. So surely the Men in Black behind the United States' cyber weapons program based at Area 51 or wherever will not be too concerned that a Russian researcher cracked an encoded password associated with the now infamous, allegedly American-made <a href="http://betabeat.com/topics/flame-im-gonna-live-forever/" target="_blank">Flame malware</a>.</p>
<p><a href="http://betabeat.com/2012/09/researchers-uncover-u-s-footprints-in-mysterious-cyber-warfare-tools/" target="_blank">Symantec and Kaspersky recently teamed to pick apart Flame's command and control systems</a>, discovering at least three previously unknown infectious scripts in the process. The researchers also discovered a great deal about how the weapons were assembled and launched against enemy targets, but were left with a hashed passcode they couldn't break. They put out a call for help but <a href="http://www.networkworld.com/news/2012/091812-kaspersky-flame-262531.html">didn't need the assistance of anyone outside either outfit</a>, after all:<!--more--></p>
<blockquote><p>Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast. [...]</p></blockquote>
<blockquote><p>The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.</p></blockquote>
<p>So now the whole world knows the password that once protected the servers behind Flame, a complex and sophisticated cyber weapon that was a major blow to Iran's nuclear program.</p>
<p>Which is a little scary, because if someone can crack the password that once protected such a covert weapon created by a nation state, the average Internet user's method of password-protecting their Gmail with a pet's name plus grandma's birthday doesn't seem too safe anymore.</p>
]]></content:encoded>
		<wfw:commentRss>http://betabeat.com/2012/09/russias-kaspersky-lab-cracks-password-attached-to-alleged-u-s-cyber-weapon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:thumbnail url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg?w=105" />
		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg?w=105" medium="image">
			<media:title type="html">flamegonnalive</media:title>
		</media:content>

		<media:content url="http://1.gravatar.com/avatar/12d391316d94afeef01bd9a987c847fe?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">shuffobserver</media:title>
		</media:content>

		<media:content url="http://nyobetabeat.files.wordpress.com/2012/09/flamegonnalive.jpg" medium="image">
			<media:title type="html">flamegonnalive</media:title>
		</media:content>
	</item>
	</channel>
</rss>
