Feeds

NTLM authentication: still broken after all these years

Popular tech imperils users

Protecting against web application threats using SSL

A 15-year-old vulnerability in technology used to authenticate users on Windows and Unix networks continues to put the organizations that rely on it at risk, a security researcher said on Thursday.

Short for NT LAN Manager, NTLM and its offspring, NTLMv2, is a challenge-and-response protocol for logging onto Microsoft accounts over Windows or Unix networks. While it encrypts credentials to prevent them from being captured, it still leaves much to be desired from a security perspective, says Marsh Ray, a researcher who was scheduled to speak about the weakness on Thursday at the Usenix Security Symposium in Washington, DC.

“The deeper problem is that NTLMv1-2 provide absolutely no protection against credentials forwarding/relay or reflection attacks,” Ray, who is a software developer at two-factor authentication service PhoneFactor, wrote in an email sent to journalists. “This means that an active attacker (such as a man-in-the-middle) is sometimes able to redirect the login of the legitimate user to authenticate his own session.

“For example, Alice connect to insecure public wifi -> Mallory gets into corporate Outlook Web Access or SSL VPN portal. It's that bad.”

Awareness of the protocol vulnerability dates back to 1996 and it has been the topic of several presentations over the years at various Black Hat security conferences, Ray says. Since that time, a variety of vendors have issued patches for the weakness. Microsoft alone has issued at least six related updates starting in 1999, including one in 2008 that was seven years in the making.

But a raft of software packages, including WebKit, Samba, and Mozilla titles, continue to be plagued by the problems, in large part because fixes tend to limit themselves to specific attack vectors at the expense of comprehensiveness. And that means that the flaw is likely of benefit to black-hat hackers.

“So after a little research and talking to quite a few people, my impression is the only people who really understand the scope and severity of this problem are some bad guys, some pen testers and a few people at MS and other vendors,” Ray warns. Referring to the software framework written for pen testers, he adds: “The Metasploit crew doesn't have the time and energy to write the finicky custom exploit code for every vulnerable configuration, but I would not make such an assumption about other teams of professionals.”

Extended excerpts of Ray's letter are published here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.