Microsoft Says Two Basic Security Steps Might Have Stopped Conficker
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".
So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?
Nice to see MS on the cutting edge of security research.
I want to delete my account but Slashdot doesn't allow it.
It's not my fault!
Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conficker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.
Yes, because it's completely impossible to turn that feature off. Oh wait...
http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off
If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?
My European bank used a one-time pad in addition already 13 years ago. They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).
My US bank still uses plain passwords.
It also uses debit and credit cards with just a magnet strip (which European stores won't accept anymore), and offers cheques (which the rest of the world stopped using in the 80s). And forget about having a giro system or SWIFT. It's truly like the dark ages over here.
It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.
1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though.
2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatic downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there's also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7's a lot better with that.
It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.
The key to the whole issue is the Dancing pigs problem. In a nutshell:
"Given a choice between dancing pigs and security, users will pick dancing pigs every time."
People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. The lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?
What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!
Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.
Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.
"The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"
In short, let me install my rootkit and hook up a connection to my bot herder server.
What will Mr. Moron read in this sentence? He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:
"The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)"
He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.
It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.