This empowers script kiddies, but not significantly moreso than they already were. Of all the places this is still in use, they've been exposed for years, so this isn't likely to result in a a bunch of new exploitations.
However, it's most likely to be used by governments, with legacy servers that are finicky, with filesharing set up that's impacted other computers configured for compatibility, or legacy ancient network gear or printers.
I wonder who they're pushing around, and what the motivation is?
Mandiant is Google's incident response consulting business. Having worked for many years in that field myself (though not for Mandiant), they're probably sick of going to the same old engagements where companies have been getting owned the same way over and over again for the last 15 years.
What releases like this do is give IT ops people the ammunition they need to convince their leadership to actually spend some money on fixing systemic security problems.
It also empowers IT depts and cybersecurity people to be able to easily build a PoC to show why moving on from the deprecated protocol is important. In many white-hat jobs you can't just grab rainbow tables from a torrent, so a resource like this is helpful. For the grays and black hats, they've had access to rainbow tables like this for a very long time, so no change there.
This is like reminding that there are CVSes from 2010. Yes there are. And there are plenty of vulnerable systems.
They decided to not fix the vulns (either directly by not patching, or indirectly by not investing in cybersecurity). So exploiting them is somehow an act of mercy. They may not know they have a problem and they have an opportunity to learn.
Let's just hope they will have white or gray-ish hats teaching the lesson
Holy smoke. I honestly thought the 90s called and wanted their Windows exploits back (TFA mentions 1999). I do remember talk about this from many moons ago.
Plenty of protocols used by google over the years have been deprecated. The difference being that google actually stops using insecure protocols when they are discovered to be insecure instead of trying to sweep things under the rug.
Keep in mind we are talking about a protocol from 1987. How many protocols from 1987 is google currently using?
Keep in mind that google is primarily a cloud business. That means that they take on a lot more of a risk, as when they are hacked its a them problem vs traditional software where its much more the customer's problem. Security is very much about incentives, and the incentives line up better for google to do the right thing.
It's more about when Google assumed full control of the cloud, the browser, the OS, and everything in between they self-appointed themselves as the unelected standards board of the Internet, and forced everyone else to follow their whims and timelines. Some of which are completely insane.
What are the policies you view as "completely insane"? I have some I disagree with like how they've handled things like Manifest v3 in the browsers, however there are still alternatives like Firefox anyway. However I think in terms of web standards some of the things they have pushed are also helpful. It's been much nicer having a much more consistent web browsing experience with less things like "You must use Internet Explorer on this site".
I feel like web browser and website standards are one of the main areas Google has a lot more control of policies. Is there somewhere else they have much control of for standards?
"To demonstrate how crappy most front door locks are, to boost our company's social media cred we will be leaving drills and a dish of bump keys at the entrance of the neighborhood."
The bad guys already know you live in a bad neighborhood and have been closing your front door with a plastic combination lock you got in a Happy Meal 40 years ago. They can already come and go at a whim. This is Google letting you know that your crappy lock is pre-broken to encourage you to upgrade to literally anything else.
NTLM is often used for more of the underlying technologies, some more secure than others… nthash, net-ntlmv1, net-ntlmv2. There’s a little more complexity here and this is different than the stuff that was out 15 years ago
Amazing that this is still around and causing someone enough of a headache to justify spending money on.
Also amazing what a teenager with lots of free time and a bootable Linux usb can get up to.
However, it's most likely to be used by governments, with legacy servers that are finicky, with filesharing set up that's impacted other computers configured for compatibility, or legacy ancient network gear or printers.
I wonder who they're pushing around, and what the motivation is?
What releases like this do is give IT ops people the ammunition they need to convince their leadership to actually spend some money on fixing systemic security problems.
https://www.lesswrong.com/posts/koGbEwgbfst2wCbzG/i-don-t-kn...
They decided to not fix the vulns (either directly by not patching, or indirectly by not investing in cybersecurity). So exploiting them is somehow an act of mercy. They may not know they have a problem and they have an opportunity to learn.
Let's just hope they will have white or gray-ish hats teaching the lesson
Was it a success? Is Mandiant a cash cow or was it basically an acquihire?
The big "contact mandiant" button next to the post feels a bit like trying to stay relevant and acquire more customers.
Is there any business that does NOT try to do this? Why wouldn't they?
Great, so someone with half a motherboard can break this hash
But we are in two-thousand-twenty-FUCKING-six.
It's unbelievable. Just plain unbelievable.
Keep in mind we are talking about a protocol from 1987. How many protocols from 1987 is google currently using?
Keep in mind that google is primarily a cloud business. That means that they take on a lot more of a risk, as when they are hacked its a them problem vs traditional software where its much more the customer's problem. Security is very much about incentives, and the incentives line up better for google to do the right thing.
I feel like web browser and website standards are one of the main areas Google has a lot more control of policies. Is there somewhere else they have much control of for standards?
At least now nobody can pretend.
I for one hope that this hastens the demise of every remaining use.
It turns out when nerds get a billion dollars they like being bullies too.