By Jim Finkle
LAS VEGAS, July 28 (Reuters) – A hacking expert has launched
a $200 password-cracking tool that makes it easy to decipher
Internet traffic sent through a widely used method for securing
businesses communications.
Moxie Marlinspike, one of the world’s top encryption
experts, unveiled the tool on Saturday during a presentation at
the Def Con hacking conference in Las Vegas.
Marlinspike said he developed the service, CloudCracker.com,
by taking advantage of a vulnerability he discovered in a widely
used virtual private network technology known as point-to-point
tunneling protocol.
Virtual private networks, or VPNs, scramble traffic as it
travels between a PC and its final destination so that the data
is useless to hackers if they eavesdrop on those communications.
But Marlinspike provides clients with a tool that analyzes
captured data streams and creates a data file that they upload
to his website. He then runs that through code-cracking computer
programs that figure out a password that will unscramble the
protected communications. He delivers that to clients within 24
hours.
With access to web traffic, hackers could potentially steal
passwords to financial accounts, read business emails and learn
business secrets.
Marlinspike said he will not screen clients to determine
whether they are using CloudCracker for illegal purposes,
although his ultimate intent is help computer users by
pressuring operating systems makers to make their software
safer.
“What we’re trying to do is force people to use more secure
VPN technology in the products they are building,” he said.
Marlinspike said that small to mid-sized businesses and
consumers typically use VPN software with the point-to-point
tunneling protocol.
Large corporations typically supply their employees with VPN
software from Cisco Systems Inc, whose communications
cannot be cracked by CloudCracker.com, he said.
Marlinspike has worked for Twitter since the end of last
year when the mobile blogging service acquired a company he
co-founded, Whisper Systems. Marlinspike said that
CloudCracker.com was a personal project and has nothing to do
with Twitter.
Hackers and security experts present research on a wide
range of vulnerabilities in products ranging from computers and
networking equipment to locks, drones and air-traffic control
systems at the annual Def Con gathering.
They often publicize their work in an effort to warn the
public about security risks and pressure manufacturers to
address the problems.
