It’s not the first time someone has pulled this off, back in November 2009 we wrote about Using Cloud Computing To Crack Passwords – Amazon’s EC2.
Add that with a story way back from 2007 – Graphics Cards – The Next Big Thing for Password Cracking? – and you’ve got yourself an interesting combo with the new offering from Amazon, distributed GPU-based resources.
Put those two stories together in true hacker style and you end up with a guy who used GPU instances on the Amazon EC2 platform to crack SHA-1 password hashes.
A German security enthusiast has used rented computing resources to crack a secure hashing algorithm (SHA-1) password.
Thomas Roth used a GPU-based rentable computer resource to run a brute force attack to crack SHA1 hashes. Encryption experts warned for at least five years SHA-1 could no longer be considered secure so what’s noteworthy about Roth’s project is not what he did or the approach he used, which was essentially based on trying every possible combination until he found a hit, but the technology he used.
What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individuals in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth’s proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer.
SHA-1 was of course cracked way back in 2005, and widely reported on in 2007 – and whilst being phased out it is still used in many applications.
But then this attack isn’t really using any flaws in the algorithm – it’s just straight up hash cracking it.
The tool he used was CUDA-Multiforcer – GPU Powered High Performance Multihash Brute Forcer.
SHA-1, although it is in the process of being phased out, still forms a component of various widely-used security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols. Roth claims to have cracked all the hashes from a 160-bit SHA-1 hash with a password of between 1 and 6 characters in around 49 minutes. The process would create a rainbow table, allowing short and therefore automatically insecure passwords to be matched to their hash. It wouldn’t work for longer length passwords. Even so, the bigger point that rentable computing resources might be used for password hacking still stands.
Security watchers warn that the development opens up the possibility of cybercrooks using pay-as-you-go cloud computing-based parallel processing environment for their own nefarious purposes.
Chris Burchett, CTO and co-founder of the data security firm Credant, said: “It’s easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe.”
Cybercriminals might use stolen payment card credentials to fund their cloud cracking escapades “which means they will not be bothered about the cost involved,” he added.
Around 12 months ago, another white-hat hacker, Moxie Marlinspike, created an online Wi-Fi password-cracking service called WPAcracker.com. The $17-a-time service is able to crack a Wi-Fi password in around 20 minutes, compared to the 120 hours a dual-core PC might take to carry out the same job.
Although there’s nothing really new here, it’s still an interesting implementation of some already known techniques. As cloud/distributed computing becomes even cheaper, I’d guess we’ll be seeing more similar attacks in the future.
The original post (which precise details on how to set everything up) can be found on the blog of Thomas Roth here:
Cracking Passwords In The Cloud: Amazon’s New EC2 GPU Instances
Source: The Register
Simon says
SHA-1 is not cracked, it’s weakened, but _no one_ have found a SHA-1 collision yet.