Description: It is commonly assumed that most technology based on strong computations such as encryption keys cannot be broken. And generally, even GPUs or relatively small to medium size GPGPU clusters are not sufficient. People usually feel safe using a relatively strong password to generate keys in order to secure sensitive data on a mobile device or desktop computer. In the same way, companies generally feel safe encrypting data or signing emails with keys that are supposed to resist common attackers, or some times storing password hashes with multiple rounds in the best cases. What methods can attackers use to break them? Botnets or expensive GPU clusters. For the botnet option, the problem is that creating a good rootkit is very expensive if willing to exploit recent computers (those with the better GPUs, generally), and must target a specific and recent OS. What about a botnet in a browser that could efficiently use GPUs? It's cheap, doesn't require too much knowledge to create, and could work on mobile, Windows, Mac, tablets and even game consoles! Also, GPUs evolve so much faster than CPUs (and newer CPUs now even integrate on chip graphics), and with the number of web-enabled computing devices greatly increasing; it is not so far-fetched to think that such botnets might be breaking higher-entropy keys within a few years.
The technology is already here, and is already partially implemented in most applications and browsers. Using XSS and HTML5, a permanent XSS would be injected client-side through cache poisoning at several layers. Cross frame scripting and other techniques can also be used, and communication to the server would be handled by HTML5 functions bypassing the same origin policy. Thousands of web zombies can be controlled and used. Using a machine's GPU is a little bit trickier. WebGL, NaCL and even Flash can use OpenGL ES, which would allow using the GPU to compute complex operations and is currently implemented in most of the latest web browsers on various platforms. The current version of OpenGL ES is not ideal for General Computing (but it is getting better), however the company that created this standard also created WebCL, which allows tapping into parallel computing resources of GPUs and is much faster than any other browser-based technology. Is this going to be the final piece of the puzzle for high-speed browser-based botnets?
I will consider botnet impact, cost, stealth requirements and portability, and sketch out the optimal botnet architecture. Performance metrics will be presented for the chosen architecture. Lastly, I will discuss what attackers would be able to do now and in the future, and what they could break.
For More Information please visit : - http://www.blackhat.com/eu-13/briefings.html
Tags: securitytube , hacking , hackers , information security , convention , computer security , blackhat-eu-2013 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.