Because I spend the most of my working day writing about the IT security space, you might think I get to read an awful lot of research papers concerning proof of concept threats and potential exploits.
And you would be right. On the whole, while these are interesting enough to someone such as myself, when it comes to the actual real-world risk posed to your average enterprise by such research that is best summed up in the title of a recent blog of mine: Cryptography attack: side-channel cloud threat is all nerd and no knickers. I concluded that particular piece by saying that "If you are a business with real data out there in the real cloud, and assuming you've followed basic security best-practice strategies, including the rather obvious non-use of public clouds for highly sensitive data storage, you can move on: nothing to see here..."
But not all labs-based security research can be so readily dismissed. Take the new Google MapReduce proof of concept, for example.
Researchers from NC State University and the University of Oregon are going to present their paper with the up-beat title of Abusing Cloud-Based Browsers for Fun and Profit at a security applications conference in Orlando, Florida next week. Ordinarily I wouldn't recommend these kind of papers unless you suffer from insomnia and have tired of counting sheep, but give this one a go if you are of a technical IT bent. It's worth investing a little time in getting your heading around it, in my never humble opinion. Not least as the potential for this to find a place in the very real world of computer crime is quite high.
So what is all the fuss about, and what has Google got to do with it? Well, for a start it isn't a direct threat to data as in it exposes a vulnerability that in turn exposes your data in the cloud - it is much more interesting and ingenious than that. Instead, what this proof of concept shows is how cybercriminal and hacker types can fairly easily hijack cloud-based mobile browsers, or rather the computational power of the cloud which they offload their processing to, in order to be used for everything from password cracking through to denial of service (DoS) attacks.
Think of the risk, in layman's terms, as being equivalent to that of a poorly configured mail server being used as an open relay for spam and the distribution of malicious attachments. Cloud browser providers render web pages in the cloud, effectively becoming 'open computation centres' as the research authors put it. The researchers have named the new threat a Browser MapReduce or BMR.
The clever bit, and this is where Google enters the fray, is that the researchers were able to use the search giant's 'MapReduce' programming model which provides an in-the-cloud implementation for processing and generating large data sets.
But they used it without paying for it, without renting space, and with anonymity. This was achieved courtesy of a combination of using URL shortening sites to disguise the traffic between multiple nodes by storing large data there, and the use of the cloud-based Puffin browser.
Sure, it's possible to simply commit a payment fraud of some kind and rent some space on Amazon EC2 or similar, and perform your computationally intense activities from there. Or use a botnet of zombie machines for the purpose. And both these methods are the norm for the cybercriminal of today.
The cybercriminal with an eye on tomorrow, however, is always looking for new methods which can keep the costs down both in terms of budget but importantly also in terms of risk. If you commit fraud or run a zombie botnet then you have an additional risk layer that could mean you get caught. Removing these from the equation would seem to be an attractive option, and that's why this particular proof of concept comes, if you'll pardon the phraseology, complete with knickers firmly pulled up. Indeed, the researchers in question were able to use Puffin and the MapReduce process to knock out 24,000 hashes per second in their password cracker testing.
So what can be done to mitigate against such abuse? That's the slightly more difficult bit it would seem. There is talk online already about cloud browser providers shoring up their defences and monitoring traffic more effectively. This would require some kind of account association to be able to produce an IP blacklist of potential offenders. If providers coupled this with a device-specific private key, as is the case with the Silk Browser on the Amazon Kindle Fire, then the possibility of abuse is further reduced.
Certainly, having read the paper in question a couple of times now in order to allow it to sink in properly, I have to agree with the conclusion that the results of the testing "strongly suggest that current cloud browsers are a viable source of arbitrary free computing at large scale". If I were a cloud browser provider, I would be investigating how to stop the brown stuff before it hits the fan - as it inevitably will now this paper has been published.
