Five years ago, Benjamin Delpy was working for an unspecified French government agency and teaching himself to program in C, and had discovered a vital flaw in the way that Windows protected its users' passwords.
Delpy told Microsoft about his discovery, only to be rebuffed by Microsoft's engineering team, who told him that his security discovery was irrelevant because it would be too hard to exploit. As a way of proving his point and improving his C, he coded up Mimikatz ("Cute Cat"), a password stealing tool that has since grown into an "insanely powerful" Swiss Army Knife of Windows password-cracking.
Delpy released the sourcecode for Mimikatz after traveling to Russia to present on it at the Positive Hack Days conference in Moscow; that's because, while he was there, Russian spies repeatedly came after his code. First, he walked in on a spy who was physically tampering with his laptop while it was in his hotel room, then a "man in a dark suit" insisted that he put a copy of his presentation and sourcecode on a USB stick.
Andy Greenberg's Wired profile of Delpy exposes the complicated world of security research and disclosures. Companies would like to be able to control who can disclose defects in their products. Large firms have previously abused laws like the Computer Fraud and Abuse Act and Section 1201 of the Digital Millennium Copyright Act to threaten (and even jail) security researchers who disclosed true facts about errors in their code. Most recently, the largest tech companies on earth explicitly rejected a proposal that would have protected security researchers who went public with information about defects in browsers used by billions of people.
Delpy makes sure that he notifies Microsoft before he updates Mimikatz, but Microsoft sometimes insists that his discoveries aren't real problems. Without Delpy's public disclosures, the general public would have no way to know that these bugs existed and could be used to attack them. Security experts rely on Delpy's tool to evaluate whether their client's systems are well-secured.
But crooks also use Mimikatz. It has been folded into NSA hacking tools that have leaked into the public domain, and used by Russian spies to hack the German Parliament.
As Greenberg's experts say, though: if Delpy hadn't gone public with his bugs, someone else would have, and may not have been so willing to share their discoveries with the good guys who are trying to secure, rather than compromise, our systems.
Each of those features—the Minesweeper hack included—is intended not to enable criminals and spies but to demonstrate Windows' security quirks and weaknesses, both in the way it's built and the way that careless corporations and governments use it. After all, Delpy says, if systems administrators limit the privileges of their users, Mimikatz can't get the administrative access it needs to start hopping to other computers and stealing more credentials. And the Shadow Brokers' leak from the NSA in fact revealed that the agency had its own Mimikatz-like program for exploiting WDigest—though it's not clear which came first."If Mimikatz has been used to steal your passwords, your main problem is not Mimikatz," Delpy says.
Mimikatz is nonetheless "insanely powerful," says UC Berkeley security researcher Nicholas Weaver. But he says that doesn't mean Delpy should be blamed for the attacks it's helped to enable. "I think we must be honest: If it wasn't Mimikatz there would be some other tool," says Weaver. "These are fundamental problems present in how people administer large groups of computers."
And even as thieves and spies use Mimikatz again and again, the tool has also allowed penetration testers to unambiguously show executives and bureaucrats their flawed security architectures, argues Rendition security's Williams. And it has pressured Microsoft to slowly alter the Windows authentication architecture to fix the flaws Mimikatz exploits. "Mimikatz has done more to advance security than any other tool I can think of," Williams says.
HE PERFECTED A PASSWORD-HACKING TOOL—THEN THE RUSSIANS CAME CALLING
[Andy Greenberg/Wired]