I’ve been busy over at my other show these days so blogging at TvB has been put on a long hold. Part of my time over the last few weeks has been spent decoding something called the Kerberos Silver Ticket attack. The curious and the brave can read my original post from back in December 2014, and one response from the hackeratti. Also spring is here and who feels like blogging anyway.
Once upon a time, I was something of a UNIX systems programmer and had to deal with Kerberos, a authentication system hatched by the great minds at MIT. I do remember having to refresh my credentials every hour or so—it was a pain, but it was designed to prevent or greatly reduce the kinds of credential hacking that is common place these data.
I recently had to look into a Microsoft patch fixing a ticket problem in Kerberos—technically correcting a hole that allows bad signature signing in a PAC. And then made some connections to a Kerberos attack that was described by the presenter as a Silver Ticket variant. If you’re following this far and haven’t fallen asleep, I posted my findings months ago. And then to my surprise recently noticed a flurry of twitter responses to the post.
Here’s what I learned. One, definitions that are used to describe security vulnerabilities are not universally shared. They may have currency among people who are 100% focused on data security, but there are many others with sophisticated backgrounds who have different viewpoints. Two, Microsoft doesn’t know how to write a security bulletin. Sigh, that shouldn’t have surprised me. Third, when you discuss a broader issue with a programmer, they always have, for better or worse, a specific piece of code or function in their mind.
Anyway, TechCrunch Disrupt will be in town in a few weeks. For any PR folks who’ve made their way to the blog, I will be attending this former must-go-to startup event for one afternoon.
That is all.