German 'hacker' uses rented computing to crack hashing algorithm
Brute force PAYG hack attack cracks SHA1 hashes – for $2
Updated A German security enthusiast has used rented computing resources to crack a password scrambled by SHA-1, a supposedly secure hashing algorithm.
Thomas Roth used a GPU-based rentable computer resource to run a brute force attack to crack SHA1 hashes. Encryption experts warned for at least five years SHA-1 could no longer be considered secure so what's noteworthy about Roth's project is not what he did or the approach he used, which was essentially based on trying every possible combination until he found a hit, but the technology he used.
What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individuals in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth's proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer tool.
Roth, who dayjob is as a security consultant with Lanworks AG, has published adetailed explanation of how the project was carried out here.
SHA-1, although it is in the process of being phased out, still forms a component of various widely-used security applications, including Secure Sockets Layer, Transport Layer Security and S/MIME protocols. Roth claims to have cracked all the hashes from a 160-bit SHA-1 hash with a password of between one and six characters in around 49 minutes.
This process involving cracking passwords hashes on the fly, not by means of generating a rainbow table, contrary to the first version of this article.
The approach wasn't applied to longer length passwords, which would take much longer to crack using the technique. Even so, the bigger point that rentable computing resources might be used for password hacking still stands.
Security watchers warn that the development opens up the possibility of cybercrooks using pay-as-you-go cloud computing-based parallel processing environment for their own nefarious purposes.
Chris Burchett, CTO and co-founder of the data security firm Credant, said: "It's easy to start up a 100-node cracking cluster with just a few clicks, but if you extend the parallel processing environment by just a few factors, it becomes possible to crack passwords of most types in a relatively short timeframe."
Cybercriminals might use stolen payment card credentials to fund their cloud cracking escapades "which means they will not be bothered about the cost involved," he added.
Around 12 months ago, another white-hat hacker, Moxie Marlinspike, created an online Wi-Fi password-cracking service called WPAcracker.com. The $17-a-time service is able to crack a Wi-Fi password in around 20 minutes, compared to the 120 hours a dual-core PC might take to carry out the same job.
That was a specialised service, whereas using Amazon Web Services would allow hackers to run custom cracking code using number-crunching resources that are far more powerful than anything they'd normally be able to access. ®