Oh how I long for the days of hackers simply cracking password hashes. Defending against that technique required only three steps: First, protect your password hashes from being stolen. Second, use strong password hashes. Third, make your passwords long enough to prevent easy cracking.
These days, cracking password hashes is passé. Today's hackers are all about pass-the-hash (PTH) attacks. With PTH attacks, the bad guys steal the hashes -- either from the password-hash-storage databases or from memory -- and reuse them to create brand-new authenticated sessions.
The password hash -- or whatever the authentication token is -- is the ultimate logon secret. It's the keys to the kingdom, handing the attacker the very authentication data that nearly every other protection mechanism exists to protect. The attacker has superadmin access, can do anything, and can bypass anything you throw in his or her path -- and there's no defense.
PTH-style attacks can be successful against any operating system and any authentication protocol, even Kerberos. The technique can also be used successfully against accounts that log on with smartcards (because in Microsoft Windows, the NT password hash is still stored for such accounts and used for NTLM authentication).
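The point of the last few paragraphs -- that a strong, uncrackable hash is no help once the hash itself is accepted as the credential -- is easier to see in code. The following is an added illustration, not code from the column or from any Microsoft protocol: the stored hash is a salted PBKDF2 digest (a defender's choice, so cracking it requires the password), and the "network logon" is a hypothetical HMAC challenge-response keyed on that stored digest, a deliberately simplified stand-in for the real NTLM exchange. The function and record-field names are my own.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demonstration (not from the article): a salted, slow password
# hash defeats cracking, yet a challenge-response logon keyed on that same
# stored hash turns the hash into a reusable credential. The protocol here is
# a hypothetical HMAC exchange, not NTLM or Kerberos.

PBKDF2_ITERATIONS = 200_000


def store_password(password: str, salt: bytes = None) -> dict:
    """Server-side record: salted, slow hash. Recovering the password from this is expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Interactive logon with a plaintext password: recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Hypothetical network logon primitive: the stored digest itself is the HMAC key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_accepts(record: dict, client) -> bool:
    """Server issues a fresh random challenge and checks the client's keyed answer."""
    challenge = secrets.token_bytes(16)
    expected = challenge_response(record["digest"], challenge)
    return hmac.compare_digest(expected, client(challenge))


def client_with_password(password: str, salt: bytes):
    """Legitimate client: derives the key from the password it knows (salt is public)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return lambda challenge: challenge_response(key, challenge)


def client_with_stolen_hash(digest: bytes):
    """Client holding only a copied digest (what a database or memory dump yields)."""
    return lambda challenge: challenge_response(digest, challenge)


def demo() -> dict:
    """Compare the three logon paths; returns a dict of outcomes for inspection."""
    password = "correct horse battery staple"   # constructed sample secret
    record = store_password(password)
    stolen = record["digest"]
    return {
        # A copied digest is not a password: the slow hash still blocks this path.
        "password_logon_with_hash": verify_password(record, stolen.hex()),
        # The real user answers the challenge with a key derived from the password.
        "network_logon_with_password": server_accepts(record, client_with_password(password, record["salt"])),
        # The copied digest answers the challenge just as well: no cracking needed.
        "network_logon_with_stolen_hash": server_accepts(record, client_with_stolen_hash(stolen)),
    }


if __name__ == "__main__":
    for path, accepted in demo().items():
        print(f"{path}: {'accepted' if accepted else 'rejected'}")
```

The defensive lesson is the first of the three steps from the opening paragraph, not the second or third: hash strength and password length only govern the first row of the output, while the third row is decided entirely by whether the digest could be copied in the first place. Any scheme that accepts a stored secret directly as the key for a fresh session has this property, which is why the column treats protecting the hash store and the memory it is loaded into as the part that matters.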
I keep trying to tell clients to worry about keeping the bad guys from getting the kind of access they need to pull off PTH attacks and not so much about PTH itself. Concentrating on PTH when the bad guy is a superadmin is like worrying about your brakes after a thief steals your car. Still, when you're repeatedly the victim of PTH attacks, it inevitably draws your attention -- and my clients are being hit by PTH attacks more than ever.
Block the pass
As I said, there is ultimately no defense against PTH attacks, but that doesn't mean you can't do anything to minimize the risk. Security isn't binary, after all. It's not black and white. It's shades of gray.