Cyber criminals can hack on the cheap thanks to Google


Because I spend most of my working day writing about the IT security space, you might think I get to read an awful lot of research papers concerning proof of concept threats and potential exploits.

And you would be right. On the whole, these are interesting enough to someone such as myself, but the actual real-world risk that such research poses to your average enterprise is best summed up in the title of a recent blog of mine: Cryptography attack: side-channel cloud threat is all nerd and no knickers. I concluded that particular piece by saying that "If you are a business with real data out there in the real cloud, and assuming you've followed basic security best-practice strategies, including the rather obvious non-use of public clouds for highly sensitive data storage, you can move on: nothing to see here..."

But not all labs-based security research can be so readily dismissed. Take the new Google MapReduce proof of concept, for example.

Researchers from NC State University and the University of Oregon are going to present their paper, with the upbeat title of Abusing Cloud-Based Browsers for Fun and Profit, at a security applications conference in Orlando, Florida next week. Ordinarily I wouldn't recommend these kinds of papers unless you suffer from insomnia and have tired of counting sheep, but give this one a go if you are of a technical IT bent. It's worth investing a little time in getting your head around it, in my never humble opinion. Not least as the potential for this to find a place in the very real world of computer crime is quite high.

So what is all the fuss about, and what has Google got to do with it? Well, for a start, it isn't a direct threat to data, in the sense of exposing a vulnerability that in turn exposes your data in the cloud; it is much more interesting and ingenious than that. Instead, what this proof of concept shows is how cybercriminal and hacker types can fairly easily hijack cloud-based mobile browsers, or rather the computational power of the cloud to which they offload their processing, and use it for everything from password cracking through to denial of service (DoS) attacks.

Think of the risk, in layman's terms, as being equivalent to that of a poorly configured mail server being used as an open relay for spam and the distribution of malicious attachments. Cloud browser providers render web pages in the cloud, effectively becoming 'open computation centres' as the research authors put it. The researchers have named the new threat a Browser MapReduce or BMR.

The clever bit, and this is where Google enters the fray, is that the researchers were able to use the search giant's 'MapReduce' programming model which provides an in-the-cloud implementation for processing and generating large data sets.

But they used it without paying for it, without renting space, and with anonymity. This was achieved courtesy of a combination of using URL shortening sites to disguise the traffic between multiple nodes by storing large data there, and the use of the cloud-based Puffin browser.

Sure, it's possible to simply commit a payment fraud of some kind and rent some space on Amazon EC2 or similar, and perform your computationally intense activities from there. Or use a botnet of zombie machines for the purpose. And both these methods are the norm for the cybercriminal of today.

The cybercriminal with an eye on tomorrow, however, is always looking for new methods which can keep the costs down, both in terms of budget and, importantly, in terms of risk. If you commit fraud or run a zombie botnet then you have an additional risk layer that could mean you get caught. Removing these from the equation would seem to be an attractive option, and that's why this particular proof of concept comes, if you'll pardon the phraseology, complete with knickers firmly pulled up. Indeed, the researchers in question were able to use Puffin and the MapReduce process to knock out 24,000 hashes per second in their password cracker testing.

So what can be done to mitigate such abuse? That's the slightly more difficult bit, it would seem. There is talk online already about cloud browser providers shoring up their defences and monitoring traffic more effectively. This would require some kind of account association to be able to produce an IP blacklist of potential offenders. If providers coupled this with a device-specific private key, as is the case with the Silk Browser on the Amazon Kindle Fire, then the possibility of abuse is further reduced.
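As an added illustration of the account-association idea above (not code from the paper or from any cloud browser provider), the following sketch ties render requests to accounts, flags accounts that exceed a compute budget or lean heavily on URL shorteners, and derives the IP blacklist from them. The log format, the thresholds and the shortener domain are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of cloud-browser render logs (not real data):
# account id, client IP, URL rendered, CPU milliseconds spent rendering it.
SAMPLE_LOG = """\
acct-17 198.51.100.7 https://news.example/front 180
acct-42 203.0.113.9 https://short.example/a1 9500
acct-42 203.0.113.9 https://short.example/a2 9700
acct-42 203.0.113.24 https://short.example/a3 9900
acct-42 203.0.113.24 https://jobs.example/worker.html 9800
acct-63 192.0.2.55 https://short.example/zz 150
"""

SHORTENER_HOSTS = {"short.example"}  # hypothetical shortener domain list
CPU_BUDGET_MS = 20_000               # assumed per-account CPU budget per window
SHORTENER_LIMIT = 3                  # assumed shortener fetches allowed per window


def parse(log_text):
    """Yield (account, ip, host, cpu_ms) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        account, ip, url, cpu = parts
        yield account, ip, urlsplit(url).hostname or "", int(cpu)


def build_blacklist(log_text):
    """Return (flagged accounts with reasons, IPs seen for those accounts)."""
    cpu, short, ips = defaultdict(int), defaultdict(int), defaultdict(set)
    for account, ip, host, cpu_ms in parse(log_text):
        cpu[account] += cpu_ms                      # total compute consumed
        short[account] += host in SHORTENER_HOSTS   # shortener fetch count
        ips[account].add(ip)                        # account-to-IP association
    flagged = {}
    for account in cpu:
        reasons = []
        if cpu[account] > CPU_BUDGET_MS:
            reasons.append("cpu_budget_exceeded")
        if short[account] >= SHORTENER_LIMIT:
            reasons.append("shortener_heavy")
        if reasons:
            flagged[account] = reasons
    # The blacklist covers every IP the flagged accounts were seen on.
    blacklist = set().union(*(ips[a] for a in flagged))
    return flagged, blacklist
```

Keying the budget on the account rather than on the IP is what lets the blacklist follow an abuser who moves between addresses.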

Certainly, having read the paper in question a couple of times now in order to allow it to sink in properly, I have to agree with the conclusion that the results of the testing "strongly suggest that current cloud browsers are a viable source of arbitrary free computing at large scale". If I were a cloud browser provider, I would be investigating how to stop the brown stuff before it hits the fan - as it inevitably will now this paper has been published.

Davey Winder
