Microsoft security critic Aorato in Redmond giant's buyout sights

The Tel Aviv company issued a blog post about a new twist on a known Active Directory security hole – which was followed up by reports that Microsoft might buy the company.
Written by David Shamah, Contributor

An Israeli 'critic' of Microsoft's security deployment for Active Directory is a candidate for a buyout by the Redmond giant, according to a recent report in the Wall Street Journal.

Microsoft is said to have made an offer for Aorato, a Tel Aviv-based company that has made a business of uncovering and remediating holes in Microsoft's security schemes for Active Directory — made all the worse by the fact that they appear to be "design flaws", according to Aorato's vice president of research Tal Be'ery.

According to the report, Microsoft is said to be willing to pay up to $200m for Aorato, though neither the Israeli company nor Microsoft had any comment on the rumoured acquisition.

What the company is talking about, however, is the latest twist on "pass-the-hash" attacks that hackers use to "invade" Windows networks controlled by Active Directory. "We consider this vulnerability highly sensitive," Be'ery said. "And even worse, the vulnerability was apparently put there by design, and that is a matter of great concern to the 95 percent of Fortune 1000 companies that deploy Active Directory."

A pass-the-hash (PtH) attack involves stealing the hashed credentials of a user (or a computer) in order to authenticate, via NTLM, their identity to various enterprise resources. The problem is especially acute for companies that have legacy systems which utilise NTLM authentication instead of the newer (and more secure) Kerberos system, and that offer single-sign on access to all network services.

"The problem is that the system remembers you for as long as you are signed on, and keeps the hashes corresponding to your credentials for when you want to access more services," Be'ery said. "A savvy hacker, using publicly-available free penetration testing tools, could grab the hashes from a computer or device."

Using the hashes, an intruder can authenticate to NTLM-authenticated services, and basically freely explore a server — and, if so desired, change a user's password of a user.

The exploit is less of a problem for pure-Kerberos environments (but even there, Be'ery said, there's a potential problem, because the user's credentials stay alive for as many as ten hours, giving hacker plenty of time to get the hashes), but turning off NTLM authentication is impractical, as it would lock users out of many legacy services.

"We've consulted with a lot of clients who raise the same idea as a solution, but after examining their deployment, we always come to the conclusion that it's impractical, if not impossible, without a major investment in upgrading everything."

Even Microsoft, which itself warns of the possibility of these kinds of attacks, discusses the idea of disabling NTLM as an authentication method where possible — but "also warns that administrators must be very careful when doing so, which is their way of saying that it's not a good idea", Be'ery said.

And to add insult to injury, PtH attacks don't even show up in logs. "Forcing a system to accept NTLM-authenticated credentials instead of Kerberos credentials is too subtle a change for log files to follow, so a hacker who pulls this off leaves no evidence behind."

Fortunately, Be'ery said, Aorato has tools to deal with the problem, checking the for the anomaly of downgraded network security protocols.

Be'ery posted this latest twist on PtH on the Aorato blog this week — coincidentally, the same day that reports emerged about the possible buyout (Be'ery said he could not comment on the apparent serendipity of the two events).

"Microsoft recognised our findings to be valid but confirmed that this is a 'limitation' that cannot be fixed as it stems from the design of the authentication protocols," Be'ery wrote in the blogpost. "Additionally, since these protocols' specifications are publicly available, Microsoft considers this 'limitation' to be 'well known.' We consider the fact that attackers can change the victim's password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a 'by-design' flaw."

Tal Be'ery
Tal Be'ery

That, Be'ery told ZDnet, was — or should be — a matter of great concern to all. Although reluctant to label the situation as "irresponsible," Be'ery thinks Microsoft could do better. "With great power comes great responsibility," he said. "If it was a smaller company I would cut them some slack, but when you power 95 percent of the enterprise infrastructure, you have to be much more careful."

Aorato's works with customers on PtH, and other Active Directory security issues. "We have developed tools to determine if this kind of attack, as well as others, have been carried out on AD, allowing us to help customers mitigate damage. To do that, we study closely the interactivity of elements in a network, including users, devices, servers, etc. Our tools can detect the very subtle changes that you would never find in log files."

Aorato and Microsoft work together extensively, with the Israeli company a member of Microsoft's Microsoft Active Protections Program (MAPP), a group that gets up-to-date information on emerging online security threats ahead of Microsoft's monthly security bulletins. Aorato joined the program a recently, and Microsoft welcomed the company with open arms — perhaps a hint of future cooperation, or more, between the two.

"Members of the MAPP program share our passion for industry collaboration to protect a world full of Internet users," said a Microsoft spokesperson. "No one company can accomplish this by itself. That is why we are working with Aorato to advance and improve security."

Read more on Active Directory

Editorial standards