Calum MacLeod, VP of EMEA at Lieberman Software Corporation suggests 2014 is set to be the year of PTH
There was a time many moons ago when, in an age of innocence, “Pass The Hash†had a whole other meaning. For some of us old enough to remember, or that still have our wits about us, “Pass The Hash†was something you did at the back of the school on a Friday night. But times move on, and suddenly it seems that “Pass The Hash†is in vogue again.
You'd think it had only just been discovered, and that this is suddenly the latest exploit that is about to be unleashed on the corporate landscape. Yes, within a week or two you'll be having the inside sales departments calling to ask if you have “PTH†problems. In fact, come April, we can expect to see every vendor in the security space having “PTH†solutions on their stands at tradeshows. This will, of course, be followed by the PTH User Groups sponsored by vendors desperately trying to save you from PTH attacks. APTs will have become a distant memory as that was all solved in 2013. 2014 - The year of PTH!
A "pass the hash" (PTH) attack can happen when just the password hash is sufficient to authenticate a user to a system. This is more of an issue on older windows systems such as XP and 2003. Because of the way in which administrative accounts were set up and stored on a system, it means that very often the local administrator account is vulnerable. And because it is used for many administrative tasks such backups, patching, installing software, etc, it becomes a security risk. If one of the machines is compromised, and the local hashes can be dumped out of the Security Account Manager (SAM) database which is present on servers running Windows Server 2003. The SAM stores user accounts for users on the local computer, so if an attacker has now gained administrative access to that machine, other machines on the networks become easy targets.
I suppose you could say that PTH has never been good for anyone, and both variants can be life changing, and not necessarily for the better. Pass The Hash in IT terms has been around for close to fifteen years, and exploits were available several years ago. It's not a new vulnerability, but it is something that you should be aware of. Taking proper precautions such as ensuring that passwords are changed regularly will help. It is also important to ensure that services and scheduled tasks are not using the same passwords across your infrastructure. For example segment your environment in such a way that a breach can be contained, and always be vigilant. Now please “Pass the Hashâ€
Contributed by Calum MacLeod, VP of EMEA at Lieberman Software Corporation