You've heard of Trojan horses? How about Trojan grids?

Summary: Over the weekend, fellow ZDNet blogger George Ou wrote to me to say I might be interested in some math he did in a recent blog -- math that, for fun, I'm now calling George's Law. George's Law appears in his blog about certain types of WiFi access points and how long their user-defined pass phrases should be in order to minimize the chances of a hacker gaining access to information that was thought to be protected through encryption.


Over the weekend, fellow ZDNet blogger George Ou wrote to me to say I might be interested in some math he did in a recent blog -- math that, for fun, I'm now calling George's Law. George's Law appears in his blog about certain types of WiFi access points and how long their user-defined pass phrases should be in order to minimize the chances of a hacker gaining access to information that was thought to be protected through encryption. The blog itself is worth a read if you've got consumer grade WiFi access points that you think you've secured. But what was even more interesting to me was how, in a chart, he did some math to show how long it would take for a hacker to crack your security based on the number of computers that the hacker used to work on the problem. For example, if your pass phrase is 7 alphanumeric characters long, it would take .01 years (3.65 days) to crack your pass phrase if a hacker had 1000 computers noodling on the problem. With a 10 character pass phrase length and one computer working on the problem, it would take 580,000 years.

But what if the hacker had 100,000 computers working on the problem? Or 1,000,000? OK, so there's a good possibility that your everyday hacker doesn't have warehouse-sized space nor the power it takes to run 100,000 computers just for the purpose of cracking the local accountant's WiFi network.  But, would he or she really need that?  Consider for example how hackers have routinely commandeered legions of PCs (unbeknownst to those PC owners) to launch Distributed Denial of Service (DDoS) attacks against one or more Internet domains.  DDoS attacks flood their target with so much traffic that all of the legitimate traffic to those sites is blocked or "denied service."   I was reminded of this question last week when I came across the story of how Dutch authorities recently busted what may have been the largest botnet (a network of Internet-connected PCs that were surreptitiously commandeered and doing the bidding of some hackers) ever.  According to the story, the botnet consisted of over 100,000 systems that were commandeered using the W32.toxbot Internet worm.
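The scaling the chart relies on, worked through as an added example (this is not George Ou's chart or the article's own math): the 62-symbol alphabet and the per-machine guess rate are assumed, constructed parameters, so the absolute years differ from the chart, but the division of the search across a botnet is exactly the effect the passage asks about, and `min_length_for` turns the table around into the defender's question of how long a pass phrase must be against a fleet of a given size.

```python
import math

# Assumed, constructed parameters (not taken from the article): a 62-symbol
# alphanumeric alphabet and one million guesses per second per machine.
ALPHANUMERIC = 62
GUESSES_PER_SEC_PER_MACHINE = 1_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct pass phrases of exactly `length` symbols."""
    return alphabet_size ** length


def expected_crack_years(length: int, machines: int,
                         alphabet_size: int = ALPHANUMERIC,
                         rate: int = GUESSES_PER_SEC_PER_MACHINE) -> float:
    """Expected time to hit the right pass phrase when the whole botnet
    shares one search: on average half the keyspace must be tried, and
    the work divides linearly across the machines, which is why adding
    bots shrinks the years in the chart proportionally."""
    guesses_needed = keyspace(alphabet_size, length) / 2
    return guesses_needed / (rate * machines) / SECONDS_PER_YEAR


def min_length_for(target_years: float, machines: int,
                   alphabet_size: int = ALPHANUMERIC,
                   rate: int = GUESSES_PER_SEC_PER_MACHINE) -> int:
    """Shortest length whose expected crack time reaches `target_years`
    against a botnet of `machines`: the defender's side of the table."""
    length = 1
    while expected_crack_years(length, machines, alphabet_size, rate) < target_years:
        length += 1
    return length


def botnet_table(lengths, fleets):
    """Rows of (length, machines, years) for the fleet sizes the article
    quotes (1 and 1000) and the larger ones it asks about."""
    return [(n, m, expected_crack_years(n, m)) for n in lengths for m in fleets]


if __name__ == "__main__":
    for n, m, years in botnet_table([7, 10], [1, 1_000, 100_000, 1_000_000]):
        print(f"{n:>2} chars vs {m:>9,} machines: {years:14.6f} years")
    for fleet in (1_000, 1_000_000):
        need = min_length_for(100, fleet)
        print(f"need {need} chars to hold 100 years against {fleet:,} bots")
```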

The group responsible for organizing the botnet is apparently under investigation for blackmail (targets of DDoS are typically blackmailed to get the attack stopped) as well as for credit card and identity theft. In addition to launching DDoS attacks, the bots that were loaded onto victims' PCs may have also been capable of the sort of keystroke logging that spyware is known for. Scary stuff. So, what if, instead of launching DDoS attacks or logging your keystrokes, a bot that had been surreptitiously loaded onto your PC was simply stealing a few cycles here and there to help some larger botnet crack the security behind thought-to-be-impenetrably encrypted spy information or stock market data? Sort of the same way a lot of people have knowingly loaded the SETI screensaver onto their system in a way that dedicates spare cycles to a grid of other PCs that are volunteering their help in the search for extraterrestrial life. What if there were a million or 10 million other PCs that were also a part of that botnet whose cycle theft was going undetected by the owners of those PCs?

Think it's not possible?  Think again.

I checked with Gartner security analyst John Pescatore and not only is it possible, it has been done.  Wrote Pescatore via e-mail:

The "SETI-like" key crack has already been done, though it was the good guys who did it. Back in 1997, used that approach to crack a 56 bit DES key to win the $10,000 RSA challenge. So, using bots to put key crackers on thousands of PCs is certainly feasible these days, along with a variation of that: using that kind of distributed intelligence to break *passwords*. See my latest blog entry for more information about this.

Using bots that way puts supercomputer power into the hands of unfunded bad guys - greatly increases the number of attackers who could go after keys and passwords. This changes the typical math involved in selecting key lengths and it means that 128 bit keys don't look as strong anymore. This is why we really need ISPs to be doing some in-the-cloud filtering of malicious traffic coming from their subscribers, and then notifying subscribers they have a problem - that is the only real solution to bot nets on consumer PCs.

In the meantime, do you have that outbound blocking personal firewall turned on? Have you checked it recently to make sure it hasn't been set to let some unknown bot phone home, having already used your PC to complete its little piece of some password cracking algorithm? You should. My concern with this is that given the speed at which zero-day exploits appear and spread around the world -- especially ones like bots that don't do any damage to your PC -- it could be a matter of minutes or even seconds before something really important could get compromised. Pescatore obviously has some ideas on how ISPs can get involved. But short of that, I'm wondering if any of you security gurus out there have some thoughts on this.

  • computing grids

    Say it could be seems to me that even hackers are not that boring....what sort of interesting info is going to come from the neighbor's wireless account anyway?
    • Who's the neighbour?

      Depends if the neighbour in question has a VPN link to the Defence department or not.
      • They shouldn't - if they're smart

        If the people who design the systems are intelligent, they'll completely isolate networks that contain classified info, and ensure not one of the computers has internet access.

        Most soldiers live and work on post anyways - the office is within 15 or less minutes from housing, so there's really no excuse not to do their work from a work computer.

        But then again - intelligence is not required to join the armed forces, so I wouldn't be surprised if somebody is in fact carelessly leaving holes in the network.
        • Military I.S. is just as vulnerable to stupidity

          Old true story.
          Guy goes to military salvage auction, buys a pallet of old computers. Guy fixes up the computers and makes them fully operational.
          The computers had operating systems and applications software (such as it was at the time) on them still. Guy finds dozens of investigation files still on the hard drives with intimate details of 'sexual deviance', fraud, corruption, etc. Guy calls up the military to report it. Military first doesn't believe guy; and had to have several cases read over the phone to them before they got the message. Military comes to guy's home and 'seize' the systems. Guy gets a receipt for systems with a promise that they will be returned after they are 'purged'.
          Couple weeks go by. Military returns computers to guy. Guy boots up systems. Doesn't see the files anymore. Guy runs recovery utility. Files are back in all their glory on the systems. This was before the Oliver North case, so I guess you could excuse them for being morons. But knowing human nature, the majority still really haven't learned.
  • Yet another use for a rootkit!

    I think you've hit on a relatively scary scenario when coupled with the Sony DRM-rootkit fiasco. Take it a little further. A root kit embedded in some media material is dropped onto your PC.

    The rootkit is used to allow downloaded chunks of programs onto the computer to service some functionality that was offered for sale by an unscrupulous "grid services" company, maybe something like a massive Lotto scam, horse betting or casino action. The state you live in doesn't like that and arrests you for running numbers or illegal gambling. It's your computer and your IP address and they've been tracking your IP traffic for months.

    Or this one....

    A terrorist organization encrypts the plans for a nuclear device, chops up the data into chunks and spreads it across the DRM-rootkit enabled zombies.
    They use your computer as a Bit-torrent sort of web-server to support their propaganda efforts. Or better yet, they're using your computer and thousands of others to do the calculation and or simulation necessary to design the bomb!

    Or this one....

    They drop one into a grid system running the traffic control lights for a major metro city. Turn all the lights Green during morning rush hour, wait about 5 minutes and then turn them all Red, repeat.

    We haven't heard the last of this sort of activity.
    • Am I paranoid enough?

      I turned off AUTORUN on all of my drives in every computer I own, use or design because of rootkits.

      Most system designs I've seen, including "Mythical Nordic Hero" clusters all use as little security software as possible since the system is supposed to be secure behind a double or triple layer firewall. The assumption is that only trusted applications can get behind the firewall. A terrorist with a CDROM or DVD could do a LOT of damage fairly easily, especially if he/she is the IT guy.

      The unfortunate thing about paranoia is that it's like greed: you can't get enough to be really secure.

      The traffic light scenario would be actually much worse if all the traffic lights were programmed to be yellow, jump to red for 10 seconds and then jump to green for about 5 and back to yellow! Somebody speeding cause he's ten minutes late because of the line at Starbucks will come blasting through the intersection practically every 2 to 3 minutes.
    • traffic lights do have some protection

      There's supposedly hardware in traffic lights that prevent opposing green lights.

      So even if you took control of them, a simple hardware circuit stops you from turning all the lights green.

      There's nothing AFAIK that prevents them from being all red, or preventing you from doing a fast cycle through all the lights. Short enough of a cycle would probably be just as disastrous as opposing greens...
  • Indemnification

    of those responsible for putting faulty equipment
    in the hands of low knowledge user grids...

    Is never a solution.
  • Not a new idea

    This is not a new idea; Bruce Schneier suggested the possibility of something along these lines maybe ten years ago, and he likely heard it from someone else. As I remember, it may have also considered something like creating a keycracking grid by embedding capability into low cost consumer electronics devices, at the direction of a foreign government.
  • Followup

    Yes, it's in "Applied Cryptography" (Second Edition, 1996 printing), pgs 155-156, under the headings "Viruses" and "The Chinese Lottery".
  • Whoa! Trojan grids?

    Apparently, we've begun to accept the enormous gravity of the present situation. I see the certain necessity of developing some kind of industry wide watchdog group. Well intentioned geniuses amongst the ZDNet user community could be supported by the engineering challenged amongst us to dedicate some time to addressing these concerns. With their market share at stake, large corporations may be open to the idea of supporting these heroes.