Slashdot Mirror


Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."

15 of 245 comments

  1. Re:Two basic steps by hackula · · Score: 5, Insightful

    Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".

  2. Applying security patches is a good idea? by Gothmolly · · Score: 5, Funny

    So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

    Nice to see MS on the cutting edge of security research.

    --
    I want to delete my account but Slashdot doesn't allow it.

  3. Why are we still using passwords? by betterunixthanunix · · Score: 4, Insightful

    We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?

    --
    Palm trees and 8

    1. Re:Why are we still using passwords? by Lunix+Nutcase · · Score: 4, Insightful

      We were waiting on you to implement it since it's so easy of a change to make.

    2. Re:Why are we still using passwords? by Anonymous Coward · · Score: 4, Insightful

      That kind of policy is the reason why people use P@ssword0000001 as their password, and then increment it by one every time they're forced to change.

    3. Re:Why are we still using passwords? by arth1 · · Score: 5, Informative

      My European bank used a one-time pad in addition already 13 years ago. They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).

      My US bank still uses plain passwords.

      It also uses debit and credit cards with just a magnetic strip (which European stores won't accept anymore), and offers cheques (which the rest of the world stopped using in the 80s). And forget about having a giro system or SWIFT. It's truly like the dark ages over here.

    4. Re:Why are we still using passwords? by arth1 · · Score: 4, Interesting

      Indeed.

      And not only that, but by imposing published restrictions on the password, you reduce the number of possible passwords, making brute force attacks easier.

      Just by saying "at least one digit", you reduce a brute force attacker's job by at least a factor of 9.5 (given you use ASCII; even more if you allow ISO-8859-x or Unicode). You reduce the time until any random password is cracked by about an order of magnitude. Or, put another way, the cracker can use a partial rainbow table that covers almost ten times as much of the total space.
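How much a published composition rule shrinks the space an attacker has to search can be computed directly. The following is an added example, not code from the thread; it counts the strings that satisfy a rule such as "at least one digit" by inclusion-exclusion, and verifies the formula by enumeration on a tiny constructed alphabet. The class sizes for printable ASCII are assumptions.

```python
from itertools import combinations, product

# Character classes of printable ASCII (sizes are assumptions for this
# worked example: 10 digits, 26 lowercase, 26 uppercase, 33 symbols = 95).
CLASSES = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95 printable ASCII characters


def count_satisfying(length, required, classes=CLASSES, alphabet=None):
    """Number of strings of `length` containing at least one character from
    each class in `required`, counted by inclusion-exclusion over the set
    of required classes that a candidate string could be missing."""
    alphabet = alphabet or sum(classes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            excluded = sum(classes[c] for c in missing)
            total += (-1) ** k * (alphabet - excluded) ** length
    return total


def reduction_factor(length, required, classes=CLASSES):
    """How many times smaller the search space becomes once a published
    rule ("at least one digit", ...) is known: full keyspace divided by
    the rule-satisfying keyspace."""
    alphabet = sum(classes.values())
    return alphabet ** length / count_satisfying(length, required, classes)


def enumerate_satisfying(length, required, classes):
    """Brute-force check of count_satisfying on a tiny constructed alphabet:
    enumerate every string and keep those that meet the rule."""
    symbols = [(name, i) for name, size in classes.items() for i in range(size)]
    hits = 0
    for candidate in product(symbols, repeat=length):
        present = {name for name, _ in candidate}
        if all(c in present for c in required):
            hits += 1
    return hits


if __name__ == "__main__":
    for rule in (["digit"], ["digit", "upper"], ["digit", "upper", "symbol"]):
        share = count_satisfying(8, rule) / ALPHABET ** 8
        print(f"8 chars, require {rule}: {share:.1%} of keyspace remains, "
              f"search shrinks by {reduction_factor(8, rule):.2f}x")
```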

  4. Han Solo said it best by swm · · Score: 5, Funny

    It's not my fault!

  5. Re:Two basic steps by hackula · · Score: 5, Insightful

    Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conficker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.

  6. Re:Two basic steps by Anonymous Coward · · Score: 5, Informative

    Yes, because it's completely impossible to turn that feature off. Oh wait...

    http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

    If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

  7. Re:Two basic steps by a90Tj2P7 · · Score: 5, Informative

    It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.

    1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though. 2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatic downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there have also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7 is a lot better with that.

  8. Re:Two basic steps by toadlife · · Score: 4, Informative

    Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.

    It's actually not an unusual position for them to be in at all. The vast majority of major Windows worms exploited vulnerabilities that had long been patched.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

  9. Re:Two basic steps by Opportunist · · Score: 4, Insightful

    For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?

    What bugs me about Windows is that there is very often no way to do an unattended update at a certain time for many "packages". Windows being the notable exception. The average Windows day for the average customer runs a bit like this:

    "Ok, I'd like to play a game. Let's double cli... huh? Oh, Acrobat update. Ok.... yes, accept license... wait ... download patch, watch download bar move... installing... watching bar move ... ok, we're set. Now lemme... huh? Oh, virus killer. Ok, 'tis important, go ahead and update yourself. Yes, license agreement... waiting for download (because experience taught us that you better NOT try to do anything as system critical as starting a game while something is being patched. Could upset the copy protection trojan). Huh? Failed? Oh, because the Acrobat update didn't finish yet. Ok, it's finished now insta... restart."

    "And we're back after the break. Now, for the antivirus. download ... update... huh? New version? Ok, install it. Yes, I agree with the license... installing... reboot."

    "Finally! Ok, first of all, let's take a look at some porn. Open Browser... oh, new version? *sigh* Ok, download and install it. ...waiting... Ok, now... huh? What happened to my plug... oh. Of course. Incompatible. Fine, but I'm not going to visit any porn pages without a decent ad blocker, so first of all, update the plugins."

    (half an hour of browsing, finding them, or not finding them and searching for a replacement later ... And another few minutes later including washing your hands...)

    So. Game time! Fire up Steam... updating... Ok, restart steam... While it's doing that, let's start Teamspeak... Oh. Updating... must be patch day all over the world...

    Finally a good game of $whateverfps. Huh? Patch? I don't wanna, not again! Oh, no multiplayer without, huh? Ah, anti cheat stuff. Ok, make it so...

    And so on, and so forth. THIS is what actually bugs me about Windows. The piecemeal updating process. You can't just keep your machine running to have it update its stuff and actually, you know, USE it when you are sitting in front of it. It seems to be critical to steal the user's time and show him that they actually patch their half baked software.

    And it's not like the software (and its patchers, launchers and oh-so-important taskbar tools) wouldn't run anyways and could technically do a daily check for updates. Dear Adobe, care to inform me why you insist that your launcher is running (and turning it off only means it gets reinserted into the Run key as soon as I dare to open an Acrobat document) and steals my ram for zero return, yet STILL require me to be present for every damn update you might want to run? Why is there no option in Steam to automatically patch and restart Steam if I'm not currently playing a game?

    Rolling that all into a single package handling goodie would be a blessing. And MS actually manages to do just that with their updates; the kicker is that of all the various companies that have their fingers in my system, MS bugs me the least!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Re:Two basic steps by Opportunist · · Score: 5, Insightful

    It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.

    The key to the whole issue is the Dancing pigs problem. In a nutshell:

    "Given a choice between dancing pigs and security, users will pick dancing pigs every time."

    People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. The lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?

    What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!

    Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.

    Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.

    "The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"

    In short, let me install my rootkit and hook up a connection to my bot herder server.

    What will Mr. Moron read in this sentence? He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:

    "The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)"

    He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.

    It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  11. Re:Two basic steps by Opportunist · · Score: 4, Insightful

    Again. Just in case I didn't make my point clear.

    The user hands over the password.

    It's not a trojan reading the file where the password is stored. It's not a hacker getting in from the outside using some supersecret backdoor account. It's not any kind of hack whatsoever. How the heck do you want to keep a password secure from its rightful owner and user?

    The USER is the problem. Not the system. And unless Linux has some magical ability that I didn't notice yet, namely the ability to know what the user WANTS, instead of just what he DOES, there is exactly zero chance to protect the password. No matter the system.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.