Security

IBM X-Force Red Security Team takes on security challenges with the help of IBM Cloud

Share this post:

IBM X-Force Red finds security vulnerabilitiesUnless you live under a rock, you’ve likely seen a recent top news headline with the words “security breach” somewhere in there. This is not the type of press companies want to be recognized for, and it is even worse for the millions of customers who are left out in the cold when their unauthorized information is made public.

High-profile security breaches are becoming more common every year as cyber criminals are becoming more sophisticated in finding new security vulnerabilities to penetrate to access protected data. These hackers aren’t planning to ease up on businesses anytime soon, either. With that in mind, the best course of action for organizations is to rapidly test, identify and fix where they are most vulnerable.

Security penetration testing to better manage vulnerable data

IBM recognized this need two years ago when it launched IBM X-Force Red, a team of security professionals and ethical hackers whose goal is to help businesses discover vulnerabilities in their computer networks, hardware and software applications before cybercriminals find those same vulnerable areas. The security testing expertise that IBM X-Force Red brings to the table spans multiple industries including healthcare, financial services, retail, manufacturing, government and the public sector.

Although there are unique security vulnerabilities in each industry, password security issues remain among the top areas of concern for every enterprise, no matter the industry. It only takes one weak password for a cybercriminal to breach an entire business. The need for greater password security has given rise to an entire segment of “password auditing” solutions that test for password weaknesses within an enterprise, particularly among website applications.

Password auditing, or password cracking, is the act of running plain text through an algorithm to generate a hash, then matching the plain text to hashes. When a match occurs, the hash is considered cracked. Once the hash is cracked, so is the password. This assumes there hasn’t been anything added to the password before hashing — referred to as password “salt” — which is added to slow down hackers.

Hacking anything to secure everything

In the world of password auditing, there is little that the IBM X-Force Red team doesn’t know. The team put this on full display recently at the Black Hat Security Conference in Las Vegas, Nevada. However, as the team prepared for the security event, members realized that, to rapidly test all aspects of an organization’s password security vulnerabilities, they would need a strong compute foundation to run their tests at scale.

Dustin Heywood, also known as EvilMog, from the IBM X-Force Red team and a member of Team Hashcat — a group of password security researchers and the contest team for the open source Hashcat project — led both teams, first in a demo of their “Cracken” password cracking application, then in the Black Hat “Crack me if you can” password cracking contest. He decided to turn to IBM Cloud infrastructure as a service (IaaS) for high-computing performance and scalability. In preparation for both the demo and the contest, Heywood and his team provisioned and tested a complex, 32-server virtual server environment with 64 NVIDIA Tesla P100 graphical processing units (GPUs) all in under a day. In the words of one Hashcat team member, “it was a little like bringing a nuke to a gunfight.”

Big results

The IBM Cloud environment provided a fivefold increase over the existing IBM X-Force Red 16-server GPU-based infrastructure to fuel the “Cracken” password cracking application and demonstrate real-time, eight-character password cracking in an average of two to three minutes, a feat that would normally take the X-Force Red GPU-based infrastructure alone about eight to 12 hours per password to accomplish.

The IBM X-Force Red team didn’t stop there. With the DEF CON 26 conference coming hot on the heels of Black Hat, EvilMog used the same IBM Cloud and Cracken combined infrastructure to tackle the “Crack Me If You Can” contest, which is essentially, the World Series of password cracking contests. Over a two-day period, Team Hashcat cracked more passwords than any other team.

The team’s performance shows that the IBM Cloud is an ideal environment to consider for quickly running complex, compute-intensive applications.

Learn more about IBM Virtual Servers and IBM Cloud GPU offerings to see how your business can benefit.

More Security stories

IBM and CDC blockchain project uses records stored on cloud

IBM and the US Centers for Disease Control are teaming up to build a blockchain and cloud-based data system that could track public health issues including opioid addiction. The CDC’s National Center for Health Statistics already collects copious amounts of health data from surveys, and the new system would include medical records obtained through hospital […]

Continue reading

CenturyLink and Digital Realty tap IBM Cloud Direct Link to expand access

Over the past two weeks, two companies, CenturyLink and Digital Realty, have announced plans to expand direct, private access to the IBM Cloud in North America, South America, Europe, Australia and New Zealand. Both companies will use IBM Cloud Direct Link Dedicated Hosting deployments to help enterprise customers establish low-latency, global connections across a security-rich […]

Continue reading

Privacy by design in the era of GDPR

“Privacy by design” is a way to make complying with GDPR regulations simpler. Instead of having to try to protect multiple aspects of security in every system, you can ensure security is applied much more widely, so that individual areas of security and multiple connected systems are protected without additional effort or overview. Keeping customer […]

Continue reading