Cybercrime as a Service–Our Future?

It is not really surprising that the criminals will leverage the economy of Cloud Computing for their illegal purposes. Especially activities, which consume a lot of processor power will be moved to the Cloud – like any other business.

Some way back, there were discussions on how to leverage GPUs to crack passwords: Graphics Cards – The Next Big Thing for Password Cracking? – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: Using Cloud Computing To Crack Passwords – Amazon’s EC2. Now, there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU to combine both – announced at BlackHat DC: Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC.

This development cannot be surprising. Crime is a business - illegal but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: In Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.

How can we now make sure, that the criminals are not misusing a Cloud infrastructure but still retain confidentially? This will be a huge challenge.

Roger