Roth will present his findings at the Black Hat conference in Washington, D.C., later this month.
Roth made news last November when, as we reported, he used the new Amazon Cluster GPU instance to crack SHA1 hashes. According to Wikipedia, "SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely-used security applications and protocols."
Roth was able to crack 14 hashes with passwords ranging in length from one to six characters in 49 minutes.
Now he has developed software using AWS that could be used to break into corporations, public institutions or the wireless networks people use in their homes.
According to Reuters:
Roth said that he used his software and Amazon's cloud-based computers to break into a WPA-PSK protected network in his neighborhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes. "Once you are in, you can do everything you can do if you are connected to the network," he said.
Bruce Schneier is a security blogger who has also explored how the cloud is being used to hack passwords. He wrote in July about a mechanism that has been developed to capture network traffic, which is then uploaded to the WPA Cracker. The data is then subjected to a brute-force cracking effort that can reduce exponentially the time it takes to crack a network.
Schneier touches on other effects of the mechanism as well:
It gets even better. If you try the standard 135-million-word dictionary and do not crack the WPA encryption on your target network, there is an extended dictionary that contains an additional 284 million words. In short, serious brute force wireless network encryption cracking has become a retail commodity.
Password security is proving to be a risky proposition. Cloud computing makes it easier for hackers to take advantage of weakly secured networks. There will be some huge and successful attacks this year. The level of preparedness is just not high enough to expect anything other than some very high-profile break-ins.