Microsoft Says Two Basic Security Steps Might Have Stopped Conficker
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
1) Get rid of Windows
2) Never use it again
Me Ballmer! Me blame users for our security holes! Ooh ooh ohh ooh! *hurls chairs* Get out now! Me angry!
So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?
Nice to see MS on the cutting edge of security research.
We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?
It's not my fault!
biometrics are not that much better and don't do well for, say, a sheared admin or other maintenance password.
Is that like locking your doors? But what if I need to run into my house in order to escape a horde of Zombies? What if I need to run into somebody else's house? What if my wacky neighbor needs to come in and deliver a punchline?
People just don't think!
The software had a poor security model that allowed poor passwords, did not educate the customer with what a 'good' password choice is, and did not have a convenient update system easily understood by the customer.
And it's your friggin customers -- understanding how they work with your software is your core business. This is an interface failure.
If possible and if the systems in question allow for it, you could still authenticate the admin with RADIUS+, and have the access to the RADIUS+ server done with two factor authentication or biometrics.
We had the conficker worm run wild at my work not long ago. Even systems that were well secured by passwords ended up falling victim to the worm due to unpatched vulnerabilities. Yes, bad passwords don't help, but Microsoft needs to own up to the fact that a worm such as conficker is perfectly capable of infecting well-secured (password-wise) machines if they are not patched for the vulnerabilities that Microsoft left behind.
And being as some patches and updates break compatibility with critical software, patching is not always a trivial matter. Some systems need to stay essentially frozen in time with regards to updates, while still being on the network. Of course then an infected system is added to the network and away we go again.
If only:
1. Everyone were meticulous in following the guidelines which require passwords being more shift+number than letters, and capable of memorizing new ones on a regular schedule.
2. Everyone kept better care of their computers (regular updates) than they do for their own bodies (regular physicals, anyone?).
Then we could have prevented this whole thing!
Real world implications of having to remember numerous non-dictionary passwords, and expecting those who see the computer as a magic box to the interwebs to treat it better than many of them probably do their cars as far as maintenance goes, are far beyond simple.
They might as well be saying that mentally wiring humanity differently is simple. And that's just silly for Microsoft to say (because that's Apple's mindset!).
Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.
I should expect an answer like this from MicroSoft. Weak passwords and systems that aren't updated: the finger points away from MicroSoft and towards the user. Maintaining unique strong passwords is truly a serious burden on the user. Updates, on top of being a burden, are a chance for intrusion that MicroSoft is way too eager to exploit.
Just two attack methods:
1. weak passwords
2. stolen passwords
3. software vulnerabilities
'nuff said
what about local admin / laptops that may not be linked to the sever?
What percentage of infected machines had pirated copies of Windows XP and couldn't get patches because of "Genuine Advantage" validation?
If Microsoft really wants to help the security situation, when XP is officially EOLed remove the restriction on getting all the updates.
having to change passwords all the time leads to weak ones or the password being put on a post it note.
Seeing as Microsoft wrote it in the first place, I think it's fair for them to share some of the blame.
The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.
It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"
Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.
For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, and 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.
Then there are idiotic Paychex which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?
Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. May be even a third level password to send cash out of that institution to outside.
I just got caught up on some of my reading. One of those articles was about how people who 'foolishly' applied their black Tuesday patches were unable to print out their tax forms. I think that might just explain why so many systems are so far out of date.
having to make up your own passwords, then having to change them all the time leads to weak ones or the password being put on a post it note.
FTFY.
I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.
Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case letter, and 1 number, still changes every quarter.
With a faculty of about 150 users, we cracked approximately half of the user-defined passwords within 5 minutes of firing up JtR. My personal favorite was cracked in less than half a second:
Dolphin1
My experience is, it's less about how often the passwords change, and more an issue of users not having a good sense of what it takes to secure their data.
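The post above makes a point worth seeing in code: the policy it describes (8+ characters, one upper, one lower, one digit) accepts "Dolphin1" because it measures character classes, while John the Ripper's default rules treat it as a word-list entry plus a trailing digit. The following PowerShell is an added example, not code from the thread or from JtR; the word list is a constructed stand-in for a real cracking dictionary, and the function and variable names are my own.

```powershell
# Added example (not from the original thread): why complexity rules alone
# let "Dolphin1" through. $WordList is a constructed stand-in for the kind of
# dictionary a cracker such as JtR ships with.

$WordList = @('dolphin', 'password', 'summer', 'welcome', 'football', 'monkey')

function Test-ComplexityPolicy {
    # The university policy from the post: 8+ chars, 1 upper, 1 lower, 1 digit.
    # -cmatch is case-sensitive, which the upper/lower checks need.
    param([Parameter(Mandatory)][string]$Password)
    return ($Password.Length -ge 8) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match '\d')
}

function Get-BaseWord {
    # Undo the cheap mangles a cracking rule set tries first: strip trailing
    # digits and symbols, reverse common leet substitutions, lower-case.
    param([Parameter(Mandatory)][string]$Password)
    $base = $Password -replace '[\d!@#$%^&*]+$', ''
    $base = $base -replace '0', 'o' -replace '[1!]', 'i' -replace '3', 'e' `
                  -replace '[4@]', 'a' -replace '[5$]', 's' -replace '7', 't'
    return $base.ToLowerInvariant()
}

function Test-DictionaryPattern {
    # True when the password is a word-list entry plus trivial decoration,
    # i.e. the shape that falls in well under a second.
    param([Parameter(Mandatory)][string]$Password, [string[]]$Words = $WordList)
    return $Words -contains (Get-BaseWord -Password $Password)
}

function Test-PasswordStrength {
    param([Parameter(Mandatory)][string]$Password)
    [pscustomobject]@{
        Password        = $Password
        MeetsPolicy     = Test-ComplexityPolicy -Password $Password
        DictionaryBased = Test-DictionaryPattern -Password $Password
    }
}

# "Dolphin1" and its leet cousin pass the policy but are dictionary-based;
# the random string passes the policy and is not.
'Dolphin1', 'D0lph1n!', 'Xq7#vLp2ra9' |
    ForEach-Object { Test-PasswordStrength -Password $_ } |
    Format-Table -AutoSize
```

The two checks disagree on exactly the passwords the post's security team cracked: MeetsPolicy is true for all three inputs, DictionaryBased is true only for the first two. A real audit would swap $WordList for a full dictionary and add more rules, but the lesson is the same as the post's: class-counting policies measure the wrong thing.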
It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:
You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!
And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?
Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).
With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?
And MS knew that.
Not only is it possible to overcome the rebooting issue, there are tools for Linux that allow you to update the kernel while it is in use. Essentially it is possible to update an entire Linux system while it is in use. Had Microsoft implemented a similar feature in Windows and made updating less of an "in your face" process, and combined that with some built-in password management that's similar to KeePass but more simple and integrated, then the users would have more updated systems and stronger passwords.
Severed and sheared? Your workplace sounds way too violent.
It doesn't mean much now, it's built for the future.
The problem is that an update might involve any part of the system. What if it's the web browser? What if it's in the C standard library? What if it's in a library that is used pervasively but there's no good way to tell who's using it, like an encryption or compression library? How do you determine what needs to be restarted and what doesn't? What happens when something like an X server needs to be restarted (where restarting it means that all of its clients also need to be restarted)?
Making sure that all the running processes in your system are completely patched without simply rebooting is a non-trivial task. Generally you end up with one of the two extremes: Windows, where you usually just reboot; and Linux, where you usually don't restart everything that was patched so you have vulnerable processes still running.
Updates are worse than just the hassle of them. Many of the updates take away, or fundamentally change, the way the underlying software works. IIRC, iTunes had a great example of this early in their release schedule... At some point, Apple wanted to stop people from doing something with their files...like being able to turn them into MP3's or something like that. They released an "Update" that stopped that ability. (I may be remembering some other similar functionality)... Anyway, I remember consciously NOT upgrading, even though it nagged every time it started up, so that I wouldn't have this functionality removed. At some point, one of my kids clicked "Yes" and the functionality I was trying to preserve disappeared. I abandoned iTunes at that point because Amazon had finally come up with a viable music store that sold MP3's directly. About a year later, after Amazon started eating their lunch, Apple allowed "unprotected" files, but they were still AAC files, not MP3... Like I said, I never went back.
The point is that as long as companies use updates to make things that used to be free cost something now, or otherwise preclude you from doing certain things, the "safe" thing to do from a users point of view is adopt the "If it ain't broke, don't fix it" mentality, thus opening their systems to unpatched and potentially dangerously out of date software. My main point is that this isn't all the user's fault.
Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs. And if it had any data, it would be schoolwork, work not regarded as super-secret.
OTOH, if it actually was important to them, say, it held the meal plan credit or something, they'd pick more secure passwords (if someone breaks in, I could starve).
Ditto grades and transcript - for a lot of people ,they don't care if a determined hacker sees their grades - big whoop.
You'll find the same thing applies to corporate users as well - they feel the stuff they do isn't as important as the company makes it out to be, and thus end up going "why bother - what can a hacker do with my data?".
One of IT's jobs is to stress how important the data is, and why. The HR person may not care about the data (it's not THEIR data), but they should because all the employee information is in there. What IT needs to stress is that aspect: that so few people have access to that information that, should it get out, suspicion would fall on them.
It's a known thing, actually. Criminals in general are looking for the quick buck. Rule #1 of home security, you don't need to live in Fort Knox, your house just needs to be more difficult to break into than Tommy's down the street. If every Microsoft user would keep their computer up-to-date, and stop clicking on stupid links in their email (We can dream, can't we?), then the hackers would look towards more easily exploitable sources, and if it came to light that the average Windows box was 5 times harder to break into than a Mac, we'd see the viruses and malware move over to the OS X platform, or the Android platform (which is beginning to happen). Unfortunately, right now it is harder to rip a wet piece of toilet paper than it is to break into the average (not all) Windows machines. This is the problem. Sure, Microsoft should take part of the blame (if they had more peer review over the code, maybe some obvious security flaws would have never made it into production), but in the end, as anyone who has worked a help desk job or on-call tech support job can tell you, the worst enemy is the user.
As someone who has worked several on-call tech jobs, I've seen it all. From people putting a USB key in the CD drive, plants being watered on top of towers (and dripping water down the vent hole covers onto the motherboard/processor), and what looked like hot chocolate poured all over the CD tray (I seriously hope that user didn't think the CD drive was a cup holder, but I was too confounded to ask at the time). We can't blame Dell or HP or Acer for these users' stupidity, so when Tommy clicks on that "OMG YOU WON'T BELIEVE THIS WEBCAM VIDEO!" link, why do we blame Microsoft? This being said, I am not a Microsoft fan, and the only computer in my house that runs Windows is one I use to play games (and nothing else). I'd prefer to run only Linux in my house, but until game developers start creating games for Linux, I'm stuck.
Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs.
Faculty and staff network access; pretty major stuff.
If I'm not mistaken, it was someone in the financial office (which handles not only student accounts, but payroll as well) who had the wonderfully secure password 'Dolphin1'
I wish it had been something as benign as lab computer access, would have made my job of patching up the holes created by user generated passwords a hell of a lot easier.
Instead of blaming the user, perhaps the *biggest and most successful software company in the world* can do something to help.
1) Bake-in a password-generator tool into IE (along the lines of 1Password).
2) Don't make the software update system suck balls so people want to turn it off.
On the former point, I know this isn't a magic bullet solution. You still need to remember a password. But it's one password, not 37. It at least makes it easier.
On the latter point, I have automatic updates turned on. Two things happen: the updates don't always download and install automatically (I am often bugged by security center telling me there are critical updates available - sometimes they just don't install automatically) and I often have to wait at log off and logon while updates are configured. That's beyond annoying.
I know 1 & 2 above won't solve the issue for everyone, but. The biggest software company in the world. C'mon. You can do better. Try harder. If we still suck at computers after that then fine, blame the user.
Microsoft were the ones who restricted updates to those who are running Genuine Windows via various measures...
It's Microsoft's harm they are inflicting on the net - licensed systems that are easy to pirate, with features that encourage users to disable the updates. They decided to generate revenue through annoyance. The end result is zombie systems that will never get updates.
It's all Microsoft's fault. There is not even an iota of blame that falls on the pirate, as the existence of same is only human and entirely predictable.
The assumption here is that an attacker choosing the easiest way has no other route
No. That is YOUR assumption. Nobody has ever claimed that.
Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.
Where do they say that? Other than the thoughts rattling inside your mind, noone inside microsoft has ever said that or anything even close to that.
I know this is slashdot and facts are only slightly relevant to make way for MS bashing, but what they said can be factually tested.
Patch to fix bug used by Conficker. October 23 2008
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
Conficker started spreading in late November. Gee, it's almost like they reverse engineered the patch to see what bug was patched and then created an exploit for it.
http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/
not rebooting leads to memory leaks and stuck software.
Even with a system to update stuff with out a full reboot what happens when it hits some thing stuck in the background or updates some thing that is leaking ram?
Sure, sure, blame the users again, Microsoft.
How about educating them for once? You own, according to some metrics, 90 percent of the desktop market. Your operating systems in retail boxes don't even come with quickstart guides to basic security. No, you just leave your users to flounder about without any guidance at all, and if they want it, they have to pay extra for it.
At least when I was paying for boxed sets of SuSE Linux, it came with two well-written manuals, a user's manual, and an administrator's manual. I suspect that boxed sets still include these. It was in the grand old tradition of "when you get this software, we'll give you the manual too" like what you got when you bought DOS or CP/M.
But these days, I guess that user education is viewed as "intimidating" to users, because *shock* *horror* computers might be revealed as the complicated, useful, and powerful devices they actually are and heaven forfend users get any ideas beyond clicking on the pretty pictures. Microsoft does its damnedest to not give the user *anything* that might resemble common sense lessons in security.
There is a lot of energy pointed at the education of developers, but none that I can see at day-to-day users from Microsoft.
I just dealt with a user who has become so paranoid, she considers technet.microsof.com "foreign" because she's been so abused by the utter lack of guidance in the past with computers that she can no longer tell what's legitimate or not, wrt software. I was merely pointing out a sysinternals tool. This makes me a sad panda, and I don't blame her. I can't. Because I've seen it too many times to think it's just "dumb users" anymore.
Microsoft's blaming of the user is utter bollocks. It is entirely their fault now.
Yes, this makes me mad. Deal with it.
Save this article and email it to the idiot bean counters at work who say IE 6 is perfectly fine and so is XP so why upgrade until 2014?
I thought Conficker came out in like 2004? It should not be infecting machines today and this is stupid.
The problem is not IE and Windows. Windows 7 and IE 9 have been secure for awhile with ASLR, DEP, and sandboxing. The idiots are not the users (well most are not), but IT and CIOs and CEOs who refuse to look at things like computers as anything but cost centers. It is gray and not black and white like the CPA rules on GAAP are the golden rules for any business decision.
Use Windows Update and stop worrying if software will break. I have never heard of a piece of software not working with Windows Update for home users. If IT were looked at as tools and investments and people ran Windows Update, had proper staffing levels, and ran Windows 7, the problem wouldn't exist; it is purely preventable.
http://saveie6.com/
In one company I worked for, local admin laptops were not used for networking gear once it was up and running. Only if something failed, then there was the occasional factory reset and reuploading the last known good config.
Well, you can't avoid the need to reboot when things crash. Nothing new there. But people have a need to apply updates far more often than they encounter stuck software and memory leaks crippling things, right?
With a seamless update process like I was suggesting, the need to *eventually* reboot probably doesn't go away. But uptimes would certainly improve over what you'd have if you applied, say, every Microsoft update on the day it was released. My experience with those is you get at least 3-5 of them every single week, and the vast majority of times, at least one in each set requires a system reboot to complete.
what about in the field or where you may not have a good remote link.
Isn't Conficker a Windows-only issue?
If so, wouldn't the obvious one basic security step be to stop using Windows?
Just sayin'...
http://it.slashdot.org/comments.pl?sid=1159209&cid=27178753
Not that what MS says wouldn't!
It helps too.
(It ALL helps: "Layered-Security"-"Defense-In-Depth" is the best thing we've got going today vs. this nuttiness of outbreaks of malware-in-general galore...)
APK
P.S.=> At home especially, if you're not connected to a LAN/WAN? Hey: Then you've "got it made" & especially vs. CONFICKER!
(That's possible since cutting the server service does the job almost ALL by itself (along with cutting javascript & ACL + write protecting autorun.inf files))... apk
This, this, a thousand times this. If only I wasn't at work and unable to log in so I could mod you up.
It's like security companies see something happening, patch it, and go "yup, problem solved. Now I can go back to playing Minecraft for the rest of the day".
No. You just patched the lowest of the low hanging fruit. There's still plenty more kicking around up there... and odds are a lot of it is probably just as low, or lower but unnoticed earlier.
So how in the hell do you explain updates that require 2 or 3 reboots in succession? What the fuck is with that?!? I'm sorry, here I am doing shit, and some update happens in the background and asks me to reboot. Fine, whatever, I quickly finish what I was doing, and reboot. God help that program if it's one of the ones that automatically shuts down and reboots. Unless it's absolutely vital, it will find itself quickly uninstalled and boycotted from that point on.
So I shut down the computer and wait for it to boot up. On a somewhat older machine, this is not a particularly fast process. Sure, it's only 5 minutes or so, but that 5 minutes is really fricking annoying when I'm in a rush, need to do things, and am stuck staring at the wall while the computer ever so slowly loads itself to the desktop (and this is AFTER I've gutted all that I can from msconfig).
After it boots up, it immediately says it's updating AGAIN... because clearly that update needed an update... which takes god knows how long, and reboots AGAIN! And I've encountered one time where it decided to go for a round 3 after that.
Please explain to me why this is necessary. Why it's infeasible or impossible to just do all the fucking core system updates needed and THEN reboot to have them running.
That's why the correct question is, "Why is it that things are always in the last place I *think* of to look?" Critical difference. ;-)
For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?
Ubuntu manages to do this through Synaptic and Update Manager
I'd consider technet.microsof.com to be untrusted. Hackers love to take advantage of URL typos to post fake sites. This is just one more thing that users need to be aware of. Some DNS servers will auto-correct a mis-typed URL (by redirecting to the correct one), but until this practice is standardized, this will be a problem.
for say a sheared admin...
Is that what you get when you shave off his beard?
i made a typo and you're a fuckwad.
Have a nice day.
Educating you is no one else's job. It is not Microsoft's job to make sure you don't ruin your fucking data through failure to understand the tools you're using.
Take some personal responsibility for your actions or put yourself out of our misery.
... you don't have to care about users getting upset when you blame THEM!
Currently re-reading Alan Cooper's The Inmates Are Running The Asylum, so the blame the users apologist stance seems especially unsteady right now.
>didn't read a goddamned thing I wrote
>put myself out of your misery
Get fucked. Don't like me? Login, set your foes setting to -6 and never see me again. It's that simple. It seems to me that your inability to perform this simple operation means that you are mentally deficient.
cry more
""Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism." - http://en.wikipedia.org/wiki/Conficker. Nice try." - by Anonymous Coward on Friday April 27, @05:16PM (#39826583)
Big deal, autorun is disabled by default in Windows from the end of 2009 onwards & MS update makes sure this is so in fact... it's been that way since long ago:
http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123
---
PERTINENT QUOTE/EXCERPT:
"Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections
By Dancho Danchev | February 10, 2011, 6:54am PST
Summary: Microsoft has decided to disable the AutoRun feature on Windows XP. The "non-security update" doesn't affect "shiny media" such as CDs or DVDs that contain Autorun files."
---
(Even Linux does that, and they were "bitten" by that mistake later too... )
* The new variants may overcome a couple things like autorun.inf, but I covered that too, as well as the server service & shares + more...
Read closer next time fool!
APK
P.S.=> You also must have missed the part where I noted ACL protecting the autorun.inf file as well (dumb of you there too)... apk
http://linux.slashdot.org/story/11/02/07/1742246/USB-Autorun-Attacks-Against-Linux
Thus, you see, even LINUX had hassles with AutoRun, & AFTER Windows fixed them, per the link below...
Also, a slight "amendment" to my initial words per this article:
http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123
Windows has had autorun disabled since before the date of that article (not 2009 as I stated, my bad, but correcting NOW vs. nitpicker "Cardinal Richelieu" AC stalker harasser trolls I have here on /.)
APK
P.S.=> Plus, of course, my points on what to do with the server service, shares, OR autorun.inf itself... apk
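The mitigations argued over across this thread (the MS08-067 patch the worm exploits, the Server service and its administrative shares it spreads through, the AutoRun policy, and autorun.inf on removable media) can be audited from one script. The following is an added example, not code from the thread or from Microsoft. It is read-only; each finding carries the command you would run to fix it. KB958644 is the hotfix ID MS08-067 shipped under and KB971029 is the 2011 AutoRun update referenced in the quoted ZDNet article; the registry paths are the documented AutoRun policy and LanmanServer locations. Function and status names are my own. Run it from an elevated PowerShell 3.0 or later session.

```powershell
# Added example (not from the thread or from Microsoft): a read-only audit of the
# Conficker exposure points discussed above. Nothing here changes the system;
# the Fix column holds the remediation command.

function Get-ConfickerExposure {
    [CmdletBinding()]
    param()

    $findings = @()
    $report = {
        param($Check, $Status, $Detail, $Fix)
        [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail; Fix = $Fix }
    }

    # 1. MS08-067 (the Server service RPC bug Conficker exploits). Windows 7 /
    #    Server 2008 R2 and later shipped after the bulletin, so the hotfix
    #    entry is absent there by design rather than missing.
    if ([Environment]::OSVersion.Version -ge [version]'6.1') {
        $findings += & $report 'MS08-067' 'N/A' 'OS released after the bulletin; fix is in the base image' ''
    } elseif (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue) {
        $findings += & $report 'MS08-067' 'OK' 'KB958644 installed' ''
    } else {
        $findings += & $report 'MS08-067' 'EXPOSED' 'KB958644 not installed' 'Install the MS08-067 update via Windows Update'
    }

    # 2. Server service: the worm reaches ADMIN$ / IPC$ over SMB through it.
    $svc = Get-CimInstance Win32_Service -Filter "Name='LanmanServer'"
    $status = if ($svc.State -eq 'Running') { 'EXPOSED' } else { 'OK' }
    $findings += & $report 'Server service' $status "State=$($svc.State) StartMode=$($svc.StartMode)" `
        'Stop-Service LanmanServer; Set-Service LanmanServer -StartupType Disabled  # only where no file sharing is needed'

    # 3. Administrative shares the Server service creates automatically.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $autoShare = (Get-ItemProperty $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    $adminShares = (Get-CimInstance Win32_Share | Where-Object { $_.Name -match '\$$' }).Name -join ','
    $status = if ($autoShare -eq 0 -and -not $adminShares) { 'OK' } else { 'EXPOSED' }
    $findings += & $report 'Admin shares' $status "AutoShareWks=$autoShare shares=[$adminShares]" `
        "Set-ItemProperty '$lanman' -Name AutoShareWks -Value 0 -Type DWord; Restart-Service LanmanServer"

    # 4. AutoRun policy: 0xFF disables AutoRun for every drive type. Absence is
    #    'CHECK' rather than 'EXPOSED' because KB971029 (Feb 2011) independently
    #    stops autorun.inf being honoured on non-optical media.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noAutoRun = (Get-ItemProperty $explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $status = if ($noAutoRun -eq 0xFF) { 'OK' } else { 'CHECK' }
    $findings += & $report 'AutoRun policy' $status "NoDriveTypeAutoRun=$noAutoRun (want 255)" `
        "Set-ItemProperty '$explorer' -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord"

    # 5. autorun.inf on removable media (variants B and C drop their DLL there).
    #    The write-protect + ACL approach: file is ReadOnly and carries a Deny
    #    ACE for write access so the worm cannot replace it.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
        $inf = Join-Path $disk.DeviceID 'autorun.inf'
        if (-not (Test-Path $inf)) { continue }
        $item = Get-Item $inf -Force   # -Force: the file is usually hidden+system
        $denyWrite = (Get-Acl $inf).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and "$($_.FileSystemRights)" -match 'Write'
        }
        $status = if ($item.IsReadOnly -and $denyWrite) { 'OK' } else { 'EXPOSED' }
        $findings += & $report "autorun.inf on $($disk.DeviceID)" $status `
            "ReadOnly=$($item.IsReadOnly) DenyWriteACE=$([bool]$denyWrite) Size=$($item.Length)" `
            "Inspect $inf; if not yours, delete it, recreate it empty, set ReadOnly and a Deny-Write ACE for Everyone"
    }

    $findings
}

Get-ConfickerExposure | Format-Table -AutoSize -Wrap
```

A non-empty autorun.inf on a removable drive is the finding to chase first: a legitimately write-protected placeholder is zero bytes, so Size tells you whether something has already dropped a payload there. The Server service finding is deliberately blunt; on a file server or domain member you will leave it running and rely on the patch and strong passwords instead, which is exactly the pair of controls the Microsoft report names.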