 Ars Technica |
Hack could let browsers use cloud to carry out big attacks on the cheap
Ars Technica While their proof-of-concept attack abuses the Puffin service for Android and iOS devices, they say similar cloud infrastructure is also vulnerable, including services that work with Amazon's Silk browser for Kindle devices, Cloud Browse from AlwaysOn … |
Scientists have devised a browser-based exploit that allows them to carry out large-scale computations on cloud-based services for free, a hack they warn could be used to wage powerful online attacks cheaply and anonymously.
The method, described in a research paper scheduled to be presented at next month’s Computer Security Applications Conference, uses the Puffin mobile browser to push computationally intensive jobs onto a cloud-based service that was never intended for such purposes. Normally, Puffin and other so-called cloud-based browsers are used only to accelerate the loading of Web pages on mobile devices by rendering JavaScript, images, and text from disparate sources on a server and only then delivering it to the smartphone or tablet. That’s more efficient than relying on mobile devices with limited computing power to render such content themselves.
Now, computer scientists at North Carolina State University and the University of Oregon have demonstrated a way to abuse such services. By creating a customized browser that mimics Puffin, they were able to trick the cloud-based servers it relies on to count words, search for text strings, and carry out other tasks the service was never designed for—free and semi-anonymously. Out of ethical considerations, they limited both the scope and workload imposed on the cloud resources, but they warned less-scrupulous attackers could use similar techniques to perform powerful denial-of-service attacks and password cracks.
Read 5 remaining paragraphs | Comments
When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.
The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.
Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are ”more interested in what’s going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”
Read 63 remaining paragraphs | Comments
