Please don't pass the hash

Calum Macleod says a mellow customer situation means careful password and admin account management

There was a time, many moons ago in an age of innocence, when passing the hash had another meaning. For some of us old enough to remember, or who still have our wits about us, it was something you did behind the school on a Friday night.

But times move on, and suddenly it seems that passing the hash is in vogue again.

As with so many other things, the meaning has changed. Ridiculous now means "really good", sick means "cool", bad means "good". You'd think the phrase "pass the hash" had only just been discovered, and that this is the latest exploit unleashed on the corporate landscape.

Within a week or two, internal sales departments will be calling to ask if you have "pass the hash" (PTH) problems. Come April, we expect to see every vendor in the security space showing solutions at trade shows. This of course will be followed by PTH User Groups (sponsored by vendors desperately trying to save you from PTH attacks).

APTs will have become a distant memory as that was all solved in 2013. 2014 will be the year of PTH!

Unfortunately, it is not as interesting as the original, and it certainly will not give you a mellow feeling. If, like me, you hadn't graduated much beyond understanding the "original" hash, it has a lot to do with maths - which is probably why I should have asked my wife to write this article, since she has the maths degree.

A PTH attack can happen when the password hash alone is sufficient to authenticate a user. This is more of an issue on older Windows systems, such as XP and 2003. The way administrative accounts were set up and stored may leave the local administrator account - used for tasks from backups to patch installation - vulnerable.

If a machine is compromised, the local hashes can be dumped out of the security account manager (SAM) database present on servers running Windows Server 2003. The SAM stores user accounts locally, so if an attacker has administrative access to one machine, other machines on the network that share the same local account become easy targets.

Newer versions of Windows are less vulnerable because of the way the machines act when added to a domain, but there is still risk. Check out a blog post on http://passing-the-hash.blogspot.nl/2012/12/wth-is-pth.html if you'd like a more intelligent description (my thanks to the authors, Alva Lease 'Skip' Duckwall IV and Christopher Campbell).

Contrary to the claims of certain security vendors, PTH is neither new nor solved by simply changing administrative passwords - unless by administrative passwords you mean administrators, service accounts, scheduled tasks and all the other accounts in a system that are likely using the administrative password.

Simply changing your administrator user password might give you that nice feeling the original PTH gave, but you can be sure that one of these days you are also going to wake up with a terrible headache, finding that changing your admin accounts didn't offer any real satisfaction.

Ultimately you need a complete, up-to-date inventory of everything from your registry onwards. Vigilance was key in the original PTH scenario. Someone had to be constantly on the lookout for "hackers", be they teachers, parents or the dreaded men and women in blue. The same applies with the 21st century PTH.

Organisations need continuous monitoring of the complete Windows environment, dynamically discovering every location where an account is referenced by a Windows service, scheduled task, COM/DCOM object or AT job.

Discovering where the accounts are used is half the battle. Snapshots in time are not going to do it. It didn't work in the old PTH days, and it doesn't work now. You can't manage what you don't know, and unless you are checking continuously you will get caught. I know this from past experience.
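As an added example (not code from the article or from Lieberman Software), the script below does the discovery step the two paragraphs above describe for one machine: it lists every Windows service, scheduled task, DCOM AppID and legacy AT job that references a given account, and when pointed at the CSV from its previous run it warns about references that have appeared since, so that it can be scheduled rather than run as a one-off snapshot. It assumes PowerShell 3 or later, English column names in the output of `schtasks`, and the account name and baseline path are illustrative.

```powershell
<#
Added example, not from the article or Lieberman Software.
Lists where an account is referenced on the local machine (services, scheduled
tasks, DCOM RunAs settings, AT jobs) and flags references new since the last run.
Assumptions: PowerShell 3+, English schtasks output; parameters are illustrative.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$AccountName,        # e.g. 'CONTOSO\svc_backup' or 'Administrator' (constructed)
    [string]$BaselineCsv = ''    # optional CSV written by the previous run of this script
)

$hits = New-Object 'System.Collections.Generic.List[object]'

function Add-Hit {
    param([string]$Kind, [string]$Name, [string]$RunAs)
    $hits.Add([pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Kind     = $Kind
        Name     = $Name
        RunAs    = $RunAs
    })
}

# Case-insensitive match that ignores a leading '.\'. If either side has no domain
# part, compare bare user names, so 'Administrator' also finds 'HOST\Administrator'.
# Over-reporting is preferable to missing a reference during discovery.
function Test-AccountMatch {
    param([string]$Candidate)
    if ([string]::IsNullOrWhiteSpace($Candidate)) { return $false }
    $c = $Candidate   -replace '^\.\\', ''
    $a = $AccountName -replace '^\.\\', ''
    if ($c -ieq $a) { return $true }
    $eitherBare = (-not $c.Contains('\')) -or (-not $a.Contains('\'))
    return $eitherBare -and ($c.Split('\')[-1] -ieq $a.Split('\')[-1])
}

# 1. Windows services: StartName is the logon account of each service
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (Test-AccountMatch $_.StartName) { Add-Hit 'Service' $_.Name $_.StartName }
}

# 2. Scheduled tasks: schtasks exists from XP/2003 onward. Its verbose CSV output
#    repeats the header row per task folder, so those rows are filtered out.
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object {
        if (Test-AccountMatch $_.'Run As User') {
            Add-Hit 'ScheduledTask' $_.TaskName $_.'Run As User'
        }
    }

# 3. DCOM: an AppID key with a RunAs value launches that COM server as a fixed account
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
    $runAs = (Get-ItemProperty -Path $_.PSPath -Name RunAs -ErrorAction SilentlyContinue).RunAs
    if (Test-AccountMatch $runAs) { Add-Hit 'DCOM-AppID' $_.PSChildName $runAs }
}

# 4. Legacy AT jobs run under the Task Scheduler's AT service account, which WMI does
#    not expose, so every job is listed with its owner for manual review of that account
Get-CimInstance -ClassName Win32_ScheduledJob -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Hit 'AT-Job (verify AT service account)' "Job $($_.JobId): $($_.Command)" $_.Owner
}

# Report the current state
if ($hits.Count -eq 0) { Write-Host "No references to '$AccountName' found on $env:COMPUTERNAME" }
$hits | Sort-Object Kind, Name | Format-Table -AutoSize

# Diff against the previous run: a reference that was not there last time is the
# signal a snapshot-only audit would have missed
if ($BaselineCsv -and (Test-Path $BaselineCsv)) {
    $known = @{}
    foreach ($o in (Import-Csv $BaselineCsv)) { $known["$($o.Kind)|$($o.Name)|$($o.RunAs)"] = $true }
    foreach ($h in $hits) {
        $key = "$($h.Kind)|$($h.Name)|$($h.RunAs)"
        if (-not $known.ContainsKey($key)) {
            Write-Warning "NEW reference: $($h.Kind) '$($h.Name)' runs as $($h.RunAs)"
        }
    }
}
if ($BaselineCsv) { $hits | Export-Csv -Path $BaselineCsv -NoTypeInformation }
```

Run it from an elevated prompt, for example `.\Find-AccountReferences.ps1 -AccountName 'CONTOSO\svc_backup' -BaselineCsv C:\audit\svc_backup.csv` (file names are illustrative), and schedule it so each run compares itself with the last. Fanning it out with `Invoke-Command -ComputerName` and collecting the CSVs centrally also shows which hosts share a given service account, which is exactly the set whose passwords must be changed together.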

Don't start a password-change process by creating yet another account and password on the system just so you can log on to change the others.

PTH has never been good for anyone. Both types can be life changing, and not necessarily for the better. In IT terms, PTH has been around for about 15 years, and exploits began several years ago.

Change passwords regularly, and ensure services and scheduled tasks are not using the same passwords across your infrastructure. Segment your environment so a breach can be contained, and always be vigilant. Now, please pass the hash.

Calum Macleod is EMEA vice president at Lieberman Software