Amazon's cloud used for brute force attacks

Hackers are waking up to the fact that Amazon’s cloud is a jolly good tool to use to carry out brute force attacks on a password.

German white-hat hacker Thomas Roth claims he has found a way to use EC2 and some custom software to crack the password of WPA-PSK-protected networks in around 20 minutes.

His software can test 400,000 passwords per second using the EC2 compute power. All he has to do is pay $1.68 a minute to use the Amazon EC2.

Roth said from his bog that he is not the only one who has done this. Another hacker, who goes by the handle Moxie Marlinspike, is running a service called WPACracker that can be used for cracking handshake captures of WPA-PSK using “several very large dictionaries on a 400 CPU cluster that runs on the Amazon cloud.”

But Roth’s method speeds up how password storage on SHA-1 hashes can be extracted and it can do that thanks to Amazon’s new cluster GPU instances.

GPUs are some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD, he wrote..

In the good old days GPU-assisted servers were previously available only in supercomputers and the great unwashed did not get their paws on them. However EC2 gives the public some serious computer hardware to play with..

Part of his success is due to a weakness in SHA-1, which was never made to store passwords.