Network Access Control Solutions & Protection | Enterprise Password Management | Access Smart

Power LogOn’s Reaction to Pass the Hash

Pass the Hash Protections.

Pass The Hash

Copyright: Walt Disney Productions

Last week I attended the BSide LA hackers’ conference to discuss that passwords are secure. At first, some of the attendees scoffed at my claim. I then went on to explain that it’s the management of passwords and the way some IT administrators configure their networks that causes the insecurities. To that point, they agreed. However, the more persistent attendees brought up the “Pass the Hash” (PtH) attack as the reason why passwords will never be secure.

Not being as well verse on PtH as with other attacks, I needed to do a little research before I had an informed response.

A Pass-the-Hash (PtH) attack uses a technique in which an attacker captures the password hash value on one computer and then plays back the hash without ever knowing any passwords. Ultimately, the attacker gets access to network disks, memory, network domain controllers, and other servers to install drivers, applications, and execute applications.

For a hacker to start the attack, he/she first needs access to a computer on a network with administrator rights. This often can easily be accomplished if IT inadvertently assigned “Administration” rights to a User/employee (Note: most Users do not need Administrator rights). Because Users typically do a poor job of generating and managing their logon password, the hacker easily breaks in the User’s account. The administrative privileges allows the hacker to drill deeper into the network. Even if a complex password is used, if the employee writes it down on a sticky note it only takes a cell phone camera to capture the password and sell it on the internet.

The password hash is the key to the kingdom with superadmin rights. The hacker can do anything, and can bypass all the security barriers IT has installed. All operating systems, authentication protocol, even Kerberos, and smartcard logons are vulnerable. What’s worst, there’s no defense, but there are protections.

Hash authentication is not a bug, hole, or flaw that can be solved with a patch. Microsoft, Apple, and others claim they cannot stop the attack. Therefore, the best defense is stop worrying and fighting PtH. Instead, keep the hackers from getting in in the first place. Here are some simple ways to start protecting your network.

  1. Don’t allow every user or employee to have administrative rights
  2. Administrator passwords should have a short lifecycle
  3. Implement strong, complex password policies
  4. Of course, maintain strong and up-to-date antivirus, antimalware, firewalls, whitelists, etc.
  5. Don’t use Remote Desktop Protocol (RDP) or some other sort of interactive remote software to administrate computers
  6. Don’t allow or assign a superadmins. Instead, “delegate” just the rights an administrator needs and no more
  7. When and employee is finished for the day, they not only need to log out but power down the computer


How Power LogOn Addresses Pass the Hash

Pass the Hash is not a password authentication issue, but again an administration and system security issue. While Power LogOn cannot stop or prevent a PtH there are features within Power LogOn to make an unauthorized access more difficult.

  1. IT assigns complex passwords
  2. IT changes passwords more frequently in the background
  3. Users don’t generate, type or know their passwords
  4. Power LogOn can auto-shut down or log users off the network when their smartcard is removed
  5. PL does not store an “authenticator” in memory and therefore requires users to present their card every time they logon to an application or website while using PL SSO functionality
  6. If a thief stole a Windows users password or password hash it would not enable them to logon to Power Logon managed SSO applications or website

Again, currently there are no ways to stop a Pass the Hash attack. Access Smart does not claim that we can safeguard a company for such an attack. However, Power LogOn does add some barriers while keeping the logon process convenient for the user so they don’t circumvent cyber security. The best an IT administrator can do is put up enough barriers for a hacker that the time and effort to break into a computer and network is too great; especially when there are easier prey just around the corner.

Power LogOn – The Stepping-Stone to PKI

Power LogOn Helps Migrate Companies to PKI Adoption.

Power LogOn Complements PKIIn my many blogs, videos and whitepapers, I discuss how passwords are secure, but their management isn’t. Frequently, cybersecurity specialists believe that I’m pitting my Power LogOn solution against a PKI solution. That is not my intent. In reality, Power LogOn is a stepping-stone to PKI adoption.

This is not a contest of one technology being better than another, but rather matching the right technology to the environmental requirements. For example, what’s the difference between a Ferrari and a Jeep? Both are automobiles, they have engines, tires, seats, etc., and both will get you from point A to B on any paved road. However, you would never take your Ferrari off-roading in the Utah desert, nor would you drive a banged-up jeep to the red carpet at the Oscars. Implementation is about matching the correct vehicle to the environmental requirements. IT must also match the correct cyber authentication solution to the company’s requirements. Read More→

Access Smart® Implements HTTPS Everywhere.

HTTPS Everywhere safeguards our visitors from malware.

https everywhereAccess Smart, LLC, a leading supplier of Cyber Access Control solutions, moves their website from the standard, unsecure Hypertext Transfer Protocol (HTTP) to the Hypertext Transfer Protocol Secure (HTTPS) web communications scheme as specified in the HTTPS Everywhere program. As internet browsers like for Google Chrome, Mozilla Firefox and Opera put more emphasis on security with their “HTTPS Everywhere” program, Access Smart wanted to embrace this forward thinking cybersecurity program.

“Access Smart is a cyber access control security company”, said Dovell Bonnett founder and CEO of Access Smart. “We believe that cybersecurity has to start before the firewall and continue throughout the entire Internet channel. It only makes sense that we would want to do everything possible to protect all our website visitors and customers.” Read More→

When is a Password like a Private Key?

Password vs KeyMy stance on passwords is well known – “Passwords are secure, people managing them aren’t.” Whenever I make this claim, some computer security pundits vehemently disagree with me. They bring up technologies like PKI, digital certificates, and all the advanced hardware technology, encryption algorithms and infrastructure. Their arguments are true, but why is all this advanced security technology needed? Answer: to protect the cryptographic keys. Read More→

Delaware Provider Finds Solution to HIPAA’s Network Security Concerns.

Solo doctor solves HIPAA multi-factor authentication need at a low cost.

(Re-posting of the article in Quality Insights of Delaware newsletter REC, 07-29-2014)

by Neil S. Kalin, MD

Dr. Neil Kalin adresses HIPAA

 I am a practicing ophthalmologist in Delaware, and like many solo docs, I am also the in-house IT manager. The government has encouraged all of us to adopt EMR. About two years ago, I went “all-in” with electronic medical records (EMR) software. One of the scariest things about this process is the penalties levied by the government for a failed security audit or data breach. I have read stories of medical practices losing a hard drive or laptop and then being fined over $100,000. In addition, many major hospitals with full-time IT security teams have also been fined millions dollars for a breach. The U.S. government does not treat protecting patient’s records lightly. Read More→