Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
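Of the two attack methods the summary names, the password one leaves a very recognisable trace: Conficker spread to other hosts by trying a short list of weak passwords against the ADMIN$ share, which on the target shows up as a burst of Event ID 4625 (logon failure) records with a network logon type, all from one source and against one account, inside a few seconds. The following is an added example of a detector for that pattern, not code from Microsoft's report or from the thread. The log lines are constructed, the flat `key=value` rendering of the 4625 fields is an assumption (real exports are XML or CSV), and the threshold of five failures in sixty seconds is a starting point, not a tuned value.

```python
"""Flag password-guessing bursts in Windows 4625 logon-failure records.

Added example, not from the original page. Assumptions: events are one
per line in the simplified 'key=value' form below; LogonType 3 is a
network logon (what an SMB share connection produces); Status 0xC000006A
is the NTSTATUS for a wrong password.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.7 hammers the Administrator account,
# 10.0.0.9 has one typo and one successful logon (4624), and 10.0.0.12
# fails twice ten minutes apart, which is not a guessing burst.
SAMPLE_LOG = """\
2012-04-25T03:20:01 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:02 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:02 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:03 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:04 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:05 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:20:07 EventID=4625 TargetUser=Administrator Source=10.0.0.7 LogonType=3 Status=0xC000006A
2012-04-25T03:21:10 EventID=4625 TargetUser=alice Source=10.0.0.9 LogonType=3 Status=0xC000006A
2012-04-25T03:21:15 EventID=4624 TargetUser=alice Source=10.0.0.9 LogonType=3 Status=0x0
2012-04-25T03:25:00 EventID=4625 TargetUser=backup Source=10.0.0.12 LogonType=3 Status=0xC000006A
2012-04-25T03:35:00 EventID=4625 TargetUser=backup Source=10.0.0.12 LogonType=3 Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
    r"Source=(?P<src>\S+) LogonType=(?P<ltype>\d+) Status=(?P<status>\S+)$"
)


def parse_events(text):
    """Parse the simplified log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "eid": int(d["eid"]),
            "user": d["user"],
            "src": d["src"],
            "ltype": int(d["ltype"]),
            "status": d["status"],
        })
    return events


def find_guessing_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(source, target_user): peak_count} for every pair that produced
    at least `threshold` network-logon failures inside any `window`.

    A per-pair sliding window (deque of timestamps) is used so a slow,
    spread-out set of failures does not accumulate into a false alert.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["eid"] != 4625 or ev["ltype"] != 3:
            continue  # only failed network logons are of interest
        key = (ev["src"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(key, 0):
            peaks[key] = len(q)
    return peaks


if __name__ == "__main__":
    for (src, user), n in find_guessing_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"password guessing: {src} -> {user}: {n} failures in 60s")
```

On a real domain the same logic runs over 4625 events collected centrally, and the source address is `IpAddress` in the event's XML; keying on (source, target) rather than on target alone is what separates a worm sweeping the network from a single user who has simply forgotten a password.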
  • Re:Two basic steps (Score:5, Insightful)

    by hackula ( 2596247 ) on Wednesday April 25, 2012 @03:23PM (#39798691)
    Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".
  • by betterunixthanunix ( 980855 ) on Wednesday April 25, 2012 @03:25PM (#39798739)
    We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?
  • by Lunix Nutcase ( 1092239 ) on Wednesday April 25, 2012 @03:26PM (#39798751)

    We were waiting on you to implement it, since it's such an easy change to make.

  • Re:Two basic steps (Score:4, Insightful)

    by yuhong ( 1378501 ) <yuhongbao_386 AT hotmail DOT com> on Wednesday April 25, 2012 @03:29PM (#39798793) Homepage

    True, but there are targeted attacks even in the Unix world, and if you don't keep it up-to-date, you could be owned by one of them

  • by DdJ ( 10790 ) on Wednesday April 25, 2012 @03:31PM (#39798823) Homepage Journal

    We have better authentication methods...

    Would you kindly name three?

    (Please be specific. Then, we can explain how for a given set of reality-based situations, they're not in fact actually "better".)

  • Re:Two basic steps (Score:1, Insightful)

    by Anonymous Coward on Wednesday April 25, 2012 @03:32PM (#39798833)
    there are targeted attacks even in the Unix world, and, if you don't keep it up-to-date, you will be owned by one of them.

    FTFY
  • Re:Two basic steps (Score:5, Insightful)

    by hackula ( 2596247 ) on Wednesday April 25, 2012 @03:33PM (#39798837)
    Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conficker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.
  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Wednesday April 25, 2012 @03:35PM (#39798867)
    Comment removed based on user account deletion
  • Re:Two basic steps (Score:0, Insightful)

    by Anonymous Coward on Wednesday April 25, 2012 @03:37PM (#39798893)

    I think the joke is, for once, Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.

    So of course they're going to get every last inch out of that little sound bite. Of course anyone at Microsoft condemning people for not, "sticking to security basics" is laughable.

  • Re:Two basic steps (Score:4, Insightful)

    by farrellj ( 563 ) * on Wednesday April 25, 2012 @03:37PM (#39798897) Homepage Journal

    Please name a Unix based attack that is equivalent to the malware being discussed.

  • by shumacher ( 199043 ) on Wednesday April 25, 2012 @03:43PM (#39798997)

    The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.

    It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"

    Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.

  • by 140Mandak262Jamuna ( 970587 ) on Wednesday April 25, 2012 @03:44PM (#39799001) Journal
    Each and every site admin comes up with a different idea for more secure authentication. Then clueless management insists on dumbing it down, shredding what little remains.

    For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, and 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.

    Then there are idiotic Paychex which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?

    Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. Maybe even a third level password to send cash out of that institution to outside.

  • Re:Two basic steps (Score:4, Insightful)

    by g0bshiTe ( 596213 ) on Wednesday April 25, 2012 @03:49PM (#39799067)
    The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.
  • by Anonymous Coward on Wednesday April 25, 2012 @03:49PM (#39799073)

    That kind of policy is the reason why people use P@ssword0000001 as their password, and then increment it by one every time they're forced to change.

  • Re:Two basic steps (Score:2, Insightful)

    by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Wednesday April 25, 2012 @03:54PM (#39799145) Homepage

    The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.

    A C library update is pretty noticeable too; you might be able to keep the kernel up, but there's not a lot of point given that virtually every user process is entangled with the library being updated. OTOH, if you're having to update the C library on a regular basis, you've got pretty serious problems anyway...

  • by King_TJ ( 85913 ) on Wednesday April 25, 2012 @04:00PM (#39799209) Journal

    It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:

    You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!

    And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?

    Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).

    With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?

  • Re:Two basic steps (Score:5, Insightful)

    by Opportunist ( 166417 ) on Wednesday April 25, 2012 @04:01PM (#39799221)

    For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?

    What bugs me about Windows is that there is very often no way to do an unattended update at a certain time for many "packages". Windows being the notable exception. The average Windows day for the average customer runs a bit like this:

    "Ok, I'd like to play a game. Let's double cli... huh? Oh, Acrobat update. Ok.... yes, accept license... wait ... download patch, watch download bar move... installing... watching bar move ... ok, we're set. Now lemme... huh? Oh, virus killer. Ok, 'tis important, go ahead and update yourself. Yes, license agreement... waiting for download (because experience taught us that you better NOT try to do anything as system critical as starting a game while something is being patched. Could upset the copy protection trojan). Huh? Failed? Oh, because the Acrobat update didn't finish yet. Ok, it's finished now insta... restart."

    "And we're back after the break. Now, for the antivirus. download ... update... huh? New version? Ok, install it. Yes, I agree with the license... installing... reboot."

    "Finally! Ok, first of all, let's take a look at some porn. Open Browser... oh, new version? *sigh* Ok, download and install it. ...waiting... Ok, now... huh? What happened to my plug... oh. Of course. Incompatible. Fine, but I'm not going to visit any porn pages without a decent ad blocker, so first of all, update the plugins."

    (half an hour of browsing, finding them, or not finding them and searching for a replacement later ... And another few minutes later including washing your hands...)

    So. Game time! Fire up Steam... updating... Ok, restart steam... While it's doing that, let's start Teamspeak... Oh. Updating... must be patch day all over the world...

    Finally a good game of $whateverfps. Huh? Patch? I don't wanna, not again! Oh, no multiplayer without, huh? Ah, anti cheat stuff. Ok, make it so...

    And so on, and so forth. THIS is what actually bugs me about Windows. The piecemeal updating process. You can't just keep your machine running to have it update its stuff and actually, you know, USE it when you are sitting in front of it. It seems to be critical to steal the user's time and show him that they actually patch their half baked software.

    And it's not like the software (and its patchers, launchers and oh-so-important taskbar tools) wouldn't run anyways and could technically do a daily check for updates. Dear Adobe, care to inform me why you insist that your launcher is running (and turning it off only means it gets reinserted into the Run key as soon as I dare to open an Acrobat document) and steals my ram for zero return, yet STILL require me to be present for every damn update you might want to run? Why is there no option in Steam to automatically patch and restart Steam if I'm not currently playing a game?

    Rolling that all into a single package handling goodie would be a blessing. And MS actually manages to do just that with their updates, the kicker is that of all the various companies that have their fingers in my system, MS bugs me the least!

  • by jedidiah ( 1196 ) on Wednesday April 25, 2012 @04:04PM (#39799273) Homepage

    That's only necessary if you are forced to change your password frequently.

    Then you're stuck with coming up with new passwords all the time and something that you will actually remember. (assuming you don't just start writing them down)

  • by Desler ( 1608317 ) on Wednesday April 25, 2012 @04:13PM (#39799369)

    And when you start doing that the user will then just write their password on a sticky note since it'll be complex to remember. And if other sites have the same policies they will just duplicate that password around. So, you've just made things more insecure.

  • Re:Two basic steps (Score:5, Insightful)

    by Opportunist ( 166417 ) on Wednesday April 25, 2012 @04:17PM (#39799413)

    It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.

    The key to the whole issue is the Dancing pigs [wikipedia.org] problem. In a nutshell:

    "Given a choice between dancing pigs and security, users will pick dancing pigs every time."

    People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. The lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?

    What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!

    Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.

    Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.

    "The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"

    In short, let me install my rootkit and hook up a connection to my bot herder server.

    What will Mr. Moron read in this sentence. He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:

    "The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)

    He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.

    It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.

  • Re:Two basic steps (Score:3, Insightful)

    by Anonymous Coward on Wednesday April 25, 2012 @04:22PM (#39799471)

    That's a false argument. You give me equal amounts of clueless users using Linux as they are with Windows and I'll name one.

    The vast vast vast majority (I'd say 90+%) of Linux PCs are (1) servers that are administered professionally or (2) locked down cell phone OS or (3) desktops that geeks use. There is no way you're going to be in the same situation as Windows is with that kind of demographics.


  • Re:Two basic steps (Score:3, Insightful)

    by Anonymous Coward on Wednesday April 25, 2012 @04:25PM (#39799507)

    A C library update is pretty noticeable too;

    ELF, ld.so, and dynamic library versioning pretty much eliminated that. Or are you one of the few that actually manually removes an old C library version and then rebuilds every single executable that complains it can't find the old version?

  • Re:Two basic steps (Score:5, Insightful)

    by Opportunist ( 166417 ) on Wednesday April 25, 2012 @05:03PM (#39799963)

    Again. Just in case I didn't make my point clear.

    The user hands over the password.

    It's not a trojan reading the file where the password is stored. It's not a hacker getting in from the outside using some supersecret backdoor account. It's not any kind of hack whatsoever. How the heck do you want to keep a password secure from its rightful owner and user?

    The USER is the problem. Not the system. And unless Linux has some magical ability that I didn't notice yet, namely the ability to know what the user WANTS, instead of just what he DOES, there is exactly zero chance to protect the password. No matter the system.

  • Re:Two basic steps (Score:1, Insightful)

    by Tough Love ( 215404 ) on Wednesday April 25, 2012 @05:48PM (#39800439)

    Yes, because it's completely impossible to turn that feature off. Oh wait...

    http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

    If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

    I use Windows maybe twice a year and I am not going spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.

    That comment could only be a troll in the mind of a Microsoft Spinbot.
