Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Cybercrime as a Service–Our Future?


It is not really surprising that criminals will leverage the economics of Cloud Computing for their illegal purposes. In particular, activities that consume a lot of processor power will be moved to the Cloud – as in any other business.

Some time ago, there were discussions on how to leverage GPUs to crack passwords: "Graphics Cards – The Next Big Thing for Password Cracking?" – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: "Using Cloud Computing To Crack Passwords – Amazon’s EC2". Now, there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU instances to combine both – announced at BlackHat DC: "Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC".

This development cannot be surprising. Crime is a business - illegal but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: In Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.

How can we now make sure that criminals are not misusing a Cloud infrastructure while still retaining confidentiality? This will be a huge challenge.

Roger

Comments
  • How can we now make sure that the criminals are not misusing a Cloud infrastructure but still retain confidentiality?

    - Let's replace "Cloud infrastructure" with other things...

    How can we now make sure that the criminals are not misusing an internet connection but still retain confidentiality?

    How can we now make sure that the criminals are not misusing a telephone but still retain confidentiality?

    How can we now make sure that the criminals are not misusing a fax machine but still retain confidentiality?

    How can we now make sure that the criminals are not misusing a first class letter but still retain confidentiality?

    How can we now make sure that the criminals are not misusing a conversation but still retain confidentiality?

    The Fourth Amendment guarantees us a right to be secure against unreasonable search of our person and of our things. It takes a court order to transgress that right to privacy. We must rely on fundamentally good people to be in positions to remove those rights. If they overstep their bounds, then expel and punish those individuals.

    The Founding Fathers weren't dummies. They had a pretty good set of ground rules. We don't need to reinvent the wheel every time somebody invents a whizbang new gadget.

  • thank you
