Feeds

NTLM authentication: still broken after all these years

Popular tech imperils users

High performance access to file storage

A 15-year-old vulnerability in technology used to authenticate users on Windows and Unix networks continues to put the organizations that rely on it at risk, a security researcher said on Thursday.

Short for NT LAN Manager, NTLM and its offspring, NTLMv2, is a challenge-and-response protocol for logging onto Microsoft accounts over Windows or Unix networks. While it encrypts credentials to prevent them from being captured, it still leaves much to be desired from a security perspective, says Marsh Ray, a researcher who was scheduled to speak about the weakness on Thursday at the Usenix Security Symposium in Washington, DC.

“The deeper problem is that NTLMv1-2 provide absolutely no protection against credentials forwarding/relay or reflection attacks,” Ray, who is a software developer at two-factor authentication service PhoneFactor, wrote in an email sent to journalists. “This means that an active attacker (such as a man-in-the-middle) is sometimes able to redirect the login of the legitimate user to authenticate his own session.

“For example, Alice connect to insecure public wifi -> Mallory gets into corporate Outlook Web Access or SSL VPN portal. It's that bad.”

Awareness of the protocol vulnerability dates back to 1996 and it has been the topic of several presentations over the years at various Black Hat security conferences, Ray says. Since that time, a variety of vendors have issued patches for the weakness. Microsoft alone has issued at least six related updates starting in 1999, including one in 2008 that was seven years in the making.

But a raft of software packages, including WebKit, Samba, and Mozilla titles, continue to be plagued by the problems, in large part because fixes tend to limit themselves to specific attack vectors at the expense of comprehensiveness. And that means that the flaw is likely of benefit to black-hat hackers.

“So after a little research and talking to quite a few people, my impression is the only people who really understand the scope and severity of this problem are some bad guys, some pen testers and a few people at MS and other vendors,” Ray warns. Referring to the software framework written for pen testers, he adds: “The Metasploit crew doesn't have the time and energy to write the finicky custom exploit code for every vulnerable configuration, but I would not make such an assumption about other teams of professionals.”

Extended excerpts of Ray's letter are published here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.