Over the weekend, fellow ZDNet blogger George Ou wrote to me to say I might be interested in some math he did in a recent blog -- math that, for fun, I'm now calling George's Law. George's Law appears in his blog about certain types of WiFi access points and how long their user-defined pass phrases should be in order to minimize the chances of a hacker gaining access to information that was thought to be protected through encryption. The blog itself is worth a read if you've got consumer grade WiFi access points that you think you've secured. But what was even more interesting to me was how, in a chart, he did some math to show how long it would take for a hacker to crack your security based on the number of computers that the hacker used to work on the problem. For example, if your pass phrase is 7 alphanumeric characters long, it would take 0.01 years (3.65 days) to crack your pass phrase if a hacker had 1000 computers noodling on the problem. With a 10 character pass phrase length and one computer working on the problem, it would take 580,000 years.
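As an added worked example (not from George Ou's chart or this post), here is the brute-force arithmetic behind those figures, extended to the larger botnet sizes the next paragraph asks about. It assumes a 36-character case-insensitive alphanumeric alphabet and a worst-case exhaustive search; the roughly 200 guesses per second per computer is the per-machine rate implied by the chart's 580,000-year figure under those assumptions, and both assumptions are mine rather than the chart's.

```python
# Added worked example: the brute-force time arithmetic behind "George's Law".
# Assumptions (mine, not the chart's): a 36-character case-insensitive
# alphanumeric alphabet (a-z, 0-9) and a worst-case exhaustive search.

YEAR_SECONDS = 365 * 24 * 3600   # 31,536,000 seconds
ALPHABET_SIZE = 36               # assumed: a-z plus 0-9
GUESSES_PER_SECOND = 200         # assumed per-computer rate; see implied_rate()


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct pass phrases of the given length."""
    return alphabet_size ** length


def crack_time_years(length, computers, rate=GUESSES_PER_SECOND,
                     alphabet_size=ALPHABET_SIZE):
    """Worst-case years to exhaust the keyspace with `computers` machines,
    each testing `rate` pass phrases per second."""
    seconds = keyspace(length, alphabet_size) / (computers * rate)
    return seconds / YEAR_SECONDS


def implied_rate(length, computers, years, alphabet_size=ALPHABET_SIZE):
    """Per-computer guess rate that a published (length, computers, years)
    figure implies; recovers the ~200/s behind the chart's numbers."""
    return keyspace(length, alphabet_size) / (computers * years * YEAR_SECONDS)


def scaling_table(lengths=(7, 8, 10, 12),
                  botnets=(1, 1_000, 100_000, 1_000_000)):
    """Crack time in years for each pass phrase length against each botnet size."""
    return {n: {c: crack_time_years(n, c) for c in botnets} for n in lengths}


if __name__ == "__main__":
    # The chart's 10-character / 1-computer figure of 580,000 years implies
    # roughly 200 guesses per second per machine under these assumptions.
    print(f"implied rate: {implied_rate(10, 1, 580_000):.0f} guesses/s")
    table = scaling_table()
    sizes = list(next(iter(table.values())))
    print("length" + "".join(f"{c:>14,}" for c in sizes))
    for n, row in table.items():
        print(f"{n:>6}" + "".join(f"{row[c]:>14.3g}" for c in sizes))
```

The table shows the point of the post directly: a 10-character pass phrase that holds for 580,000 years against one machine falls in well under a year against a million-node botnet, while each extra character multiplies the work by 36.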
But what if the hacker had 100,000 computers working on the problem? Or 1,000,000? OK, so there's a good possibility that your everyday hacker doesn't have warehouse-sized space nor the power it takes to run 100,000 computers just for the purpose of cracking the local accountant's WiFi network. But, would he or she really need that? Consider for example how hackers have routinely commandeered legions of PCs (unbeknownst to those PC owners) to launch Distributed Denial of Service (DDoS) attacks against one or more Internet domains. DDoS attacks flood their target with so much traffic that all of the legitimate traffic to those sites is blocked or "denied service." I was reminded of this question last week when I came across the story of how Dutch authorities recently busted what may have been the largest botnet (a network of Internet-connected PCs that were surreptitiously commandeered and doing the bidding of some hackers) ever. According to the story, the botnet consisted of over 100,000 systems that were commandeered using the W32.toxbot Internet worm.
The group responsible for organizing the botnet is apparently under investigation for blackmail (targets of DDoS are typically blackmailed to get the attack stopped) as well as for credit card and identity theft. In addition to launching DDoS attacks, the bots that were loaded onto victims' PCs may have also been capable of the sort of keystroke logging that spyware is known for. Scary stuff. So, what if, instead of launching DDoS attacks or logging your keystrokes, a bot that had been surreptitiously loaded onto your PC was simply stealing a few cycles here and there to help some larger botnet crack the security behind thought-to-be-impenetrably encrypted spy information or stock market data? Sort of the same way a lot of people have knowingly loaded the SETI screensaver onto their system in a way that dedicates spare cycles to a grid of other PCs that are volunteering their help in the search for extraterrestrial life. What if there were a million or 10 million other PCs that were also a part of that botnet whose cycle theft was going undetected by the owners of those PCs?
Think it's not possible? Think again.
I checked with Gartner security analyst John Pescatore, and not only is it possible, it has been done. Wrote Pescatore via e-mail:
The "SETI-like" key crack has already been done, though it was the good guys who did it. Back in 1997, distributed.net used that approach to crack a 56 bit DES key to win the $10,000 RSA challenge. So, using bots to put key crackers on thousands of PCs is certainly feasible these days, along with a variation of that: using that kind of distributed intelligence to break *passwords*. See my latest blog entry for more information about this.
Using bots that way puts supercomputer power into the hands of unfunded bad guys - greatly increases the number of attackers who could go after keys and passwords. This changes the typical math involved in selecting key lengths and it means that 128 bit keys don't look as strong anymore. This is why we really need ISPs to be doing some in-the-cloud filtering of malicious traffic coming from their subscribers, and then notifying subscribers they have a problem - that is the only real solution to bot nets on consumer PCs.
In the meantime, do you have that outbound blocking personal firewall turned on? Have you checked it recently to make sure it hasn't been set to let some unknown bot phone home, having already used your PC to complete its little piece of some password cracking algorithm? You should. My concern with this is that given the speed at which zero-day exploits appear and spread around the world -- especially ones like bots that don't do any damage to your PC -- it could be a matter of minutes or even seconds before something really important could get compromised. Pescatore obviously has some ideas on how ISPs can get involved. But short of that, I'm wondering if any of you security gurus out there have some thoughts on this.