<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="https://www.collectivesoftware.com/blog/rss/xslt"?>
<rss xmlns:a10="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Collective Software Blog</title>
    <link>https://www.collectivesoftware.com/blog/</link>
    <description>News and information regarding our technologies and the industries they serve.</description>
    <generator>Articulate, blogging built on Umbraco</generator>
    <item>
      <guid isPermaLink="false">1673</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/windows-10-support-with-authlite-v21/</link>
      <title>Windows 10 support with AuthLite v2.1</title>
      <description>&lt;p&gt;Just a quick note that the new version 2.1 branch (now available at the &lt;a href="/solutions/authlite/" title="AuthLite"&gt;main AuthLite page&lt;/a&gt;) supports Windows 10 domain-joined machines!&lt;/p&gt;</description>
      <pubDate>Mon, 24 Aug 2015 17:14:32 Z</pubDate>
      <a10:updated>2015-08-24T17:14:32Z</a10:updated>
    </item>
    <item>
      <guid isPermaLink="false">1635</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/microsoft-fixes-the-local-administrator-problem/</link>
      <title>Microsoft Fixes the Local Administrator problem!</title>
      <description>&lt;div class="imgBox" style="margin-left: 20px;"&gt;&lt;img src="http://s3.collectivesoftware.com/images/LocalAdmin.png" alt="" /&gt;
&lt;div class="caption"&gt;&lt;span&gt;Every admin's frenemy, the Local Admin&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Apparently this has been percolating for a while, but I just now found out via the &lt;a href="http://community.spiceworks.com/topic/932571-manage-and-randomize-your-local-admin-account-passwords-via-ad-and-laps"&gt;Spiceworks Forum&lt;/a&gt; post.&lt;/p&gt;
&lt;p&gt;AuthLite v2 doesn't directly deal with non-domain accounts, but I know from &lt;em&gt;many&lt;/em&gt; customer conversations that local admin accounts are a necessary evil, for emergency recovery if nothing else.  Our customers want to be able to secure these accounts, but many end up just using a common password for all.&lt;/p&gt;
&lt;p&gt;The inability to centrally manage these passwords led to a raft of third party apps, and many administrators flexed their scripting muscles to come up with bespoke solutions.&lt;/p&gt;
&lt;p&gt;Microsoft's new solution (&lt;a href="https://technet.microsoft.com/en-us/library/security/3062591"&gt;LAPS, the Local Admin Password Solution&lt;/a&gt;) is certainly welcome, and I will now be able to recommend this as a great way to have a strong backup admin account that is banked in AD and not reliant on any third party solutions (even ours :)&lt;/p&gt;</description>
      <pubDate>Mon, 04 May 2015 15:23:34 Z</pubDate>
      <a10:updated>2015-05-04T15:23:34Z</a10:updated>
    </item>
    <item>
      <guid isPermaLink="false">1633</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/rsa-2015-and-yubikey-edge/</link>
      <title>RSA 2015 and YubiKey Edge!</title>
      <description>&lt;div class="imgBox"&gt;&lt;img src="http://s3.collectivesoftware.com/images/Yubikey_bag.jpg" alt="Bag o' YubiKeys" /&gt;
&lt;div class="caption"&gt;&lt;span&gt;Bag o' YubiKeys&lt;/span&gt;&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;As of this afternoon, I have in my hands a bag of 199 individually wrapped &lt;a href="https://www.yubico.com/products/yubikey-hardware/yubikey-edge/"&gt;YubiKey Edge&lt;/a&gt; tokens.  (OK they gave me 200 but I'm keeping one for myself!)&lt;/p&gt;
&lt;p&gt;We'll be giving these out at our &lt;a href="http://www.rsaconference.com/events/us15"&gt;RSA 2015&lt;/a&gt; booth &lt;a href="http://www.rsaconference.com/events/us15/expo-sponsors/exhibitor-list/1342/collective-software"&gt;#739 in the south expo hall&lt;/a&gt;.  Hope to see you there!&lt;/p&gt;</description>
      <pubDate>Thu, 16 Apr 2015 23:56:28 Z</pubDate>
      <a10:updated>2015-04-16T23:56:28Z</a10:updated>
    </item>
    <item>
      <guid isPermaLink="false">1405</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/exploring-pass-the-hash-authentication-authorization-and-security-groups/</link>
      <title>Exploring Pass-the-hash, authentication, authorization, and security groups</title>
      <description>&lt;p&gt;I received the following question in an email today:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;What authentication is being “two factored”? For instance: is a pass-the-hash technique, where the hash from an admin is captured and used to connect to another machine through e.g. SMB, always made impossible because two-factor authentication is required? Or is pass-the-hash still possible because you’ll only prevent an RDP from being single-factor?&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;That's a perceptive question considering that most admins have never even heard of a &amp;quot;pass the hash&amp;quot; attack, or considered what it &lt;em&gt;means&lt;/em&gt; to say that you have &amp;quot;two-factor authentication&amp;quot; and what the limits are.  So I have reproduced my answer below, hoping it will be of general interest!&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;The answer to your question about credential capture and re-use is quite nuanced.  You can enforce 2FA everywhere, or only on some systems, etc., depending on your needs.  Other 2F solutions are only secure if you create a completely sealed boundary (VPN, etc.) of 2-factor-ness, but all the logic inside that perimeter still runs insecurely.  That works fine if you don't make any mistakes and if your threat model is only external attackers.  For protection of domain admin accounts, that's pretty insufficient in my opinion. &lt;/p&gt;
&lt;p&gt;To clarify things, let's start out by forgetting password hashes for the moment; we will say the attacker captures the password itself via a key logger or watching you type, or guessing etc.  They now know one of your authentication factors.  The attacker can use this knowledge to gain access to any systems that allow one-factor (password only) authentication.  But any system or service that requires 2-factor would be protected from this attack.&lt;/p&gt;
&lt;p&gt;Now we can add into the discussion some similar but more subtle attacks.  Plain hashes are not very often sent on the wire these days, but if an attacker can somehow obtain the true MD4 hash of your password (what is commonly referred to as &amp;quot;the&amp;quot; hash), then they can authenticate to any services that use NTLM authentication, again only if those services don't enforce 2-factor.  There are several ways to make them enforce 2-factor auth, however, so this path can be protected as well.&lt;/p&gt;
&lt;p&gt;More insidious than hash passing is ticket &amp;quot;passing&amp;quot;.  It simply means that if the attacker can obtain an authenticated Kerberos ticket, they can use it to gain access to other services.  This is why it's not sufficient to block things at the authentication point.  What we want to do is stamp the Kerberos ticket with information about how the login was done (1- vs 2-factor group) so that later on, services can examine it and authorize or block based on that knowledge.  AuthLite is the ONLY two-factor solution (apart from smart cards) that can do this fairly important operation.  (And strictly speaking, smart cards aren't quite as good because they have an underlying hash that can be replayed to access NTLM services, but that's a separate issue.)&lt;/p&gt;
&lt;p&gt;Lastly we can discuss the worst case, the &amp;quot;man in session&amp;quot; attack, where the attacker gains access to your true, 2-factor-authenticated session, by for example having a rootkit on your workstation or some other major compromise.  In this case, the attacker for all practical purposes &lt;em&gt;is really you&lt;/em&gt; and can do whatever you can do.  They cannot produce additional OTP authentications to use in the future, but they have your current well-authenticated session and your true 2FA Kerberos ticket to use until it expires.  (Unless the attacker is offline and waits until the session has expired, in which case you'd be OK... but why assume they are sleeping?  If they have rooted you, it should be assumed they or their tools are paying attention!)&lt;/p&gt;
&lt;p&gt;Every single authentication product will fall to this last attack.  You only begin to make progress against it with solutions that audit and control every operation going on in the network, which goes very far beyond the concept of simple authentication.&lt;/p&gt;
&lt;p&gt;Hope this helps!&lt;/p&gt;
</description>
      <pubDate>Mon, 26 Jan 2015 17:45:19 Z</pubDate>
      <a10:updated>2015-01-26T17:45:19Z</a10:updated>
    </item>
    <item>
      <guid isPermaLink="false">1361</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/rsa-conference-and-the-future-of-enterprise-security/</link>
      <title>RSA Conference and the Future of Enterprise Security</title>
      <description>&lt;p&gt;Before heading out to attend RSA Conference 2013, Bruce Schneier &lt;a href="http://www.schneier.com/blog/archives/2013/02/all_those_compa.html"&gt;brought up this interesting point&lt;/a&gt; on his (excellent) blog:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Vendors at the RSA conference are only selling to the largest organizations.  And, as I &lt;a href="http://www.schneier.com/essay-215.html"&gt;wrote back in 2008&lt;/a&gt;, soon they will only be selling to IT outsourcing companies (the term "cloud provider" hadn't been invented yet) &lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This was evoked by a post from Mike Rothman titled &lt;a href="http://www.darkreading.com/blog/240147127/security-no-man-s-land.html"&gt;Security No-Man's Land&lt;/a&gt;, where he notes:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;As the industry descends on the RSA Conference to discuss the latest and greatest in security, the underserved midmarket continues to struggle with basic blocking and tackling. The industry machinery is not built to solve that problem.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;All of this is essentially correct; eventually most security and IT in general for the small and midmarket orgs might be adeptly served by cloud providers.  It's certainly the case that each year the big companies at RSA get bigger, blotting out the proverbial sun with their towering displays.  And of course many of the smaller vendors are busy trying to look like good acquisition targets.  But this isn't quite the entire story.&lt;/p&gt;
&lt;p&gt;Last week when we were exhibiting at RSA 2013 (beyond the massive booth citadels, among the suburbs of smaller vendors), I had the great good luck to catch Bruce Schneier quickly pacing through the aisles, without really looking at the companies exhibiting there.  He mentioned that he was trying to find someone giving away notepads.  I would have loved to do the fan-boy thing, but since he was very obviously in a hurry, I fell behind and left him to his quest.&lt;/p&gt;
&lt;p&gt;Although the circumstance of our meeting was just a coincidence, it was a poignant one to me.  Each year Collective heads to RSA to set up the little green booth.  We tell everyone who will stop to listen about &lt;a href="http://AuthLite.com"&gt;AuthLite&lt;/a&gt; and &lt;a href="https://www.yubico.com/products/yubikey-hardware/"&gt;YubiKeys&lt;/a&gt;.  We are a small company and are not trying to be acquired, "make it big", or sell to the top 1000.  In fact, our 2-factor authentication product is priced and positioned to serve the small and medium market best; folks who are running their own Active Directory and want to add 2FA with a minimum of hassle.  The only way we succeed at this is by meeting new customers to sell directly, and meeting new consulting partners and value-added resellers, both of which reliably happen all week long at the show.&lt;/p&gt;
&lt;p&gt;As Bruce and Mike note, the cost to a small organization to implement good security can be severe (in time, experience, and dollars).  Every year I am continually amazed at how many people approach us whose companies are still just using static passwords to log on!  We are trying really hard to make it easy and affordable.  Companies like &lt;a href="https://www.yubico.com/"&gt;Yubico&lt;/a&gt; help by continually innovating in the affordable hardware space, and &lt;a href="http://en.wikipedia.org/wiki/Google_Authenticator"&gt;Google Authenticator&lt;/a&gt; offers free OATH token support to mobile platforms.  And I know for certain there are dozens of other small vendors right alongside us (both competing and orthogonal) who are variously working on the same goals.&lt;/p&gt;
&lt;p&gt;I do think it's likely that the security landscape will keep moving in the direction noted by the experts above.  I'm not even worried about it as a vendor; the market moves like a steamroller and you have to innovate new things or be squished!  But as long as companies are still running their own directory, I will be happy to offer AuthLite as a 2FA solution.  I very much hope RSA doesn't become the exclusive purview of giant company booths all angling to buy and sell each other.&lt;/p&gt;
&lt;p&gt;And I'm making a mental note right now to bring a notebook with me next year.  I want another shot at meeting Bruce :)&lt;/p&gt;</description>
      <pubDate>Wed, 06 Mar 2013 12:17:26 Z</pubDate>
      <a10:updated>2013-03-06T12:17:26Z</a10:updated>
    </item>
    <item>
      <guid isPermaLink="false">1363</guid>
      <link>https://www.collectivesoftware.com/blog/blog-articles/test-your-network-for-upnp-exposure/</link>
      <title>Test Your Network For UPnP Exposure</title>
      <description>&lt;p&gt;As &lt;a href="http://isc.sans.edu/diary/Exposed+UPNP+Devices/15040"&gt;widely reported&lt;/a&gt;, many home network routers have BADLY BROKEN security, allowing any external attacker to take over the router and perform nefarious acts in your network.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://plus.google.com/104663839368668178204"&gt;Steve Gibson&lt;/a&gt; of &lt;a href="http://GRC.com"&gt;GRC.com&lt;/a&gt; created a super easy way for you to test your network.&lt;/p&gt;
&lt;p&gt;Here, I show a simple video walk-through.  EVERYONE should do this as soon as possible. If your network is exposed, fix your router settings or replace it, then try again.  Serious business, people.&lt;/p&gt;
&lt;p&gt;&lt;iframe src="http://www.youtube.com/embed/u97C2r-FVgQ?vq=large" frameborder="0" height="480" width="640"&gt;&lt;/iframe&gt;&lt;/p&gt;</description>
      <pubDate>Thu, 07 Feb 2013 19:25:50 Z</pubDate>
      <a10:updated>2013-02-07T19:25:50Z</a10:updated>
    </item>
  </channel>
</rss>