Microsoft is buying an Israel-based company whose specialty is pointing out the security flaws in Microsoft's own premier products. On Thursday Microsoft announced that it was acquiring Israeli cyber-security firm Aorato, confirming rumors that had been circulating for several weeks. Vice-President Takeshi Numoto wrote in a blog post that the company was “making this acquisition to give customers a new level of protection against threats through better visibility into their identity infrastructure. With Aorato we will accelerate our ability to give customers powerful identity and access solutions that span on-premises and the cloud, which is central to our overall hybrid cloud strategy.”
Aorato has long been on Microsoft's radar for discovering and publicizing security problems in Active Directory (AD), the most widely deployed identity server in use today. Among those problems was a weakness in how AD authenticates users and computers in a Windows domain network: it could let an attacker change a victim's password, despite the controls meant to stop identity theft.
Considering the fact that 95% of all Fortune 1000 companies have an Active Directory deployment, “we consider this vulnerability highly sensitive,” said Aorato’s vice president of research, Tal Be’ery. “And even worse, the vulnerability was put there by design.” Stopping short of using the term “irresponsible,” Be’ery thinks the company could do better. “With great power comes great responsibility,” he said. “If it was a smaller company I would cut them some slack, but when you power 95% of the enterprise infrastructure, you have to be much more careful.”
AD assigns and enforces security policies for all computers, folders, files, objects, and users on a network, so gaining access to it gives attackers, in essence, free rein to steal data at will, or to wreak havoc by trashing the relationships between users and resources. An attack of that kind could take a company's computers out of service for hours, if not days.
The exploit is based on the fact that an older user authentication method, NTLM, is enabled by default in AD. Under NTLM an account's credential is effectively its password hash, so an attacker who obtains a user's hash can authenticate to AD as that user without ever knowing the password, in what is called a “pass-the-hash” (PtH) attack. The hashes can be captured using off-the-shelf hacking tools. According to Be’ery, “this activity is not logged in system and 3rd party logs — even those that specifically log NTLM activity. So there are no alerts or other forensic data to ever indicate that an attack took place.”