Saturday, March 1, 2014

Why We Don't Get It and Why We Shouldn't

Warning: This is a rant with a few technical details sprinkled in.

It is 2014.

Would you voluntarily store your sensitive data with an organization that...

stores your password essentially in clear text?
stores it somewhere else as an unsalted hash?
treats password hashes as an equivalent to a password?
can't tell the difference between when the hash was used or the password?
introduces a mitigation feature that actually makes the problem a bit worse?
tells you they are properly encrypting your administrative and service passwords?
introduces two-factor authentication support but doesn't actually enforce it in some cases?

Hopefully, you answered "NO!" to all of those questions, but its very likely that you are doing all of those things in your enterprise. Congratulations, by utilizing Microsoft Windows you have inherited all of those problems and more! All of the data that resides on Windows-based file servers, SharePoint servers and Exchange servers are all at risk, but according to Microsoft this is not a "Windows Problem":

The title of the slide seems to be where Microsoft goes wrong. They assert that Pass-the-Hash (PtH) is the same thing as Single-Sign On (SSO). It is not. The PtH attack is viable because of how Microsoft designed their authentication architecture decades ago. So to fix the title of that slide:
There are other logical problems with the slide, but the content is generally correct. PtH can't be "fixed" within the constructs of the currently broken authentication model. Whose problem is that? If you are a Windows user, apparently it is yours.

You were absolutely correct before you blocked us on twitter, we don't get it. We really don't get it. Why do we have to accept this vulnerability just because you assert that it is a feature? (On another note, Why would we pay to see a talk that you and other Microsoft employees have already given many times?)

We applaud your efforts to make Windows more secure going forward, but convoluting token manipulation and PtH is wrong. Please stop doing it. Furthermore, if your SSO-model means that an attacker can masquerade undetected as any user (without having to crack passwords) - IT IS BROKEN.

When will you stop hiding behind your dated "Laws of Security"? They are true for Windows, but should they be? Should an attacker be able to knock over a domain controller and have access to all of your data? Should an admin be able to easily gain access to all data on the system regardless of ACLs?

The new mitigation techniques are long overdue band-aides and do nothing to stop and attacker who has already taken over your domain. The model is broken Microsoft. Fix it.

Oh yeah, I support this:


No comments:

Post a Comment