Microsoft is said to have made an offer to buy the Israeli security firm Aorato in a deal that would have a bit of irony, coming just after Aorato published details of a major security flaw in Active Directory, one of MS’s premier business products.
According to the Wall Street Journal, the Israeli company received an offer of about $200 million. Neither Microsoft nor Aorato would comment.
Not that Microsoft couldn’t use Tel Aviv-based Aorato’s help. According to the Israeli firm, a flaw in Active Directory (AD) — the premier identity server in use today, authenticating users and computers in a Windows domain-based network — could enable an attacker to change a user’s password, despite identity theft protection now in place.
Considering the fact that 95% of all Fortune 1000 companies have an Active Directory deployment, “we consider this vulnerability highly sensitive,” said Aorato’s vice president of research, Tal Be’ery. “And even worse, the vulnerability was put there by design.” Stopping short of using the term “irresponsible,” Be’ery thinks Microsoft could do better. “With great power comes great responsibility,” he said. “If it was a smaller company I would cut them some slack, but when you power 95% of the enterprise infrastructure, you have to be much more careful.”
AD assigns and enforces security policies for all computers, folders, files, objects, and users on a network. Being able to access it gives attackers, in essence, free reign to steal data at will — or wreak havoc on a system, trashing the relationships between users and resources. That kind of attack could put a company’s computer out of business, for hours, if not days.
The exploitable flaw is based on the fact that an older user authentication method called NTLM is activated by default in AD. Attackers can use NTLM to obtain encrypted login credentials — called hashes — for users in order to access AD accounts, in what is called a “pass-the-hash” (PtH ticket) attack. The hashes can be captured using off-the-shelf hacking tools. According to Be’ery, “this activity is not logged in system and third party logs, even those that specifically log NTLM activity. So there are no alerts or other forensic data to ever indicate that an attack took place.”
PtH attacks were first documented in 1997, but the emergence of automated hacking tools has made the risk to companies using AD all the greater. “Common tools such as WCE and Metasploit have support to carry out PtH attacks in an automated manner,” said Be’ery. PtH was a key component in a major attack hack on US retailer Target last December, in which the credit card information of millions of customers was compromised.
Unfortunately, turning off the more risky NTLM authentication system and using the more secure Kerberos (used by newer versions of AD) is not an option for companies that need to integrate older systems and networks into their corporate structure, said Be’ery. “We’ve discussed this with many customers, and relying only on the newer authentication procedures just isn’t practical.”
Aorato informed Microsoft of the problem, to which the company responded that it wasn’t news to Microsoft, and it had already published details of the exploit and how to avoid it. But what really bothers Aorato, the company said, is that the AD vulnerability is not an exception or security hole — it was put there on purpose.
“Microsoft recognized our findings to be valid but confirmed that this is a ‘limitation’ that cannot be fixed, as it stems from the design of the authentication protocols,” Aorato said in a blog post. “Additionally, since these protocols’ specifications are publicly available, Microsoft considers this ‘limitation’ to be ‘well known.’ We consider the fact that attackers can change the victim’s password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a ‘by-design’ flaw.”
Aorato’s business is built around making AD more secure, said Be’ery. “We have developed tools to determine if this kind of attack, as well as others, have been carried out on AD, allowing us to help customers mitigate damage. To do that, we study closely the interactivity of elements in a network, including users, devices, servers, etc. Our tools can detect the very subtle changes that you would never find in log files.”
Aorato is well known to Microsoft. The two companies have had a relationship for years, said Be’ery, but he would not comment on “anything having to do with the business side,” including the fact that the report on the possible buyout of the company appeared on the same day Aorato published its pass-the-hash exploit information.
Clearly the two firms have a great deal in common. “We trade information with Microsoft on numerous issues, and have helped them resolve security issues in the past,” said Be’ery. Some of that work is done in the context of the Microsoft Active Protections Program (MAPP), which gives security companies tips on patches and fixes for security issues as they are being developed.
“Members of the MAPP program share our passion for industry collaboration to protect a world full of Internet users,” said a Microsoft spokesperson. “No one company can accomplish this by itself. That is why we are working with Aorato to advance and improve security.”
And if the reported sale pans out–they’ll be working together more closely than ever.