Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
  • by arth1 ( 260657 ) on Wednesday April 25, 2012 @04:04PM (#39799267)

    Indeed.

    And not only that, but by imposing published restrictions on the password, you reduce the number of possible passwords, making brute force attacks easier.

    Just by saying "at least one digit", you reduce a brute force attacker's job by at least a factor of 9.5 (given you use ASCII; even more if you allow ISO-8859-x or Unicode). You reduce the time until any random password is cracked by about an order of magnitude. Or, put another way, the cracker can use a partial rainbow table that covers almost ten times as much of the total space.
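The keyspace arithmetic in the comment above, worked through as an added example that is not part of the post: this Python script counts, by inclusion-exclusion, how many length-n strings over the 95 printable ASCII characters satisfy a published composition rule, and therefore by what factor an attacker who knows the rule can shrink the search. The class sizes (10 digits, 26 uppercase, 26 lowercase, 33 other printables including space), the 8-character length and the policies in policy_report are assumptions for illustration; a brute-force enumeration over a tiny alphabet cross-checks the closed formula.

```python
from itertools import combinations, product

# Assumed character classes partitioning the 95 printable ASCII characters (0x20..0x7E).
DIGITS, UPPER, LOWER = 10, 26, 26
PRINTABLE_ASCII = 95
SYMBOLS = PRINTABLE_ASCII - DIGITS - UPPER - LOWER  # 33, space included


def count_passwords(length, alphabet_size, required_class_sizes=()):
    """Count length-`length` strings over `alphabet_size` symbols that contain
    at least one symbol from every required class.

    Inclusion-exclusion over the classes that could be missing: subtract the
    strings missing any one required class, add back those missing two, and so
    on. Classes are assumed disjoint, so the symbols outside a subset of classes
    number alphabet_size - sum(subset).
    """
    total = 0
    for r in range(len(required_class_sizes) + 1):
        for subset in combinations(required_class_sizes, r):
            total += (-1) ** r * (alphabet_size - sum(subset)) ** length
    return total


def reduction_factor(length, alphabet_size, required_class_sizes):
    """Factor by which a public composition rule shrinks the space an attacker
    has to search: unrestricted keyspace / keyspace satisfying the rule."""
    allowed = count_passwords(length, alphabet_size, required_class_sizes)
    return alphabet_size ** length / allowed


def count_by_enumeration(length, alphabet, required_classes):
    """Brute-force cross-check of count_passwords for tiny parameters.
    `required_classes` is a list of strings; every password must contain at
    least one character from each of them."""
    return sum(
        1
        for pw in product(alphabet, repeat=length)
        if all(any(c in cls for c in pw) for cls in required_classes)
    )


def policy_report(length=8):
    """Reduction factor for a few assumed composition rules."""
    policies = {
        "no rule": (),
        "at least one digit": (DIGITS,),
        "digit + uppercase": (DIGITS, UPPER),
        "digit + upper + lower + symbol": (DIGITS, UPPER, LOWER, SYMBOLS),
    }
    return {name: reduction_factor(length, PRINTABLE_ASCII, req)
            for name, req in policies.items()}


if __name__ == "__main__":
    for name, factor in policy_report().items():
        print(f"{name:32s} search space shrinks by a factor of {factor:.2f}")
```

Run it with python3 to print the factor for each rule. The enumeration cross-check only terminates for tiny alphabets and lengths; the closed formula is what you would use for real policies.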

  • by bmo ( 77928 ) on Wednesday April 25, 2012 @05:38PM (#39800313)

    Sure, sure, blame the users again, Microsoft.

    How about educating them for once? You own, according to some metrics, 90 percent of the desktop market. Your operating systems in retail boxes don't even come with quickstart guides to basic security. No, you just leave your users to flounder about without any guidance at all, and if they want it, they have to pay extra for it.

    At least when I was paying for boxed sets of SuSE Linux, it came with two well-written manuals, a user's manual, and an administrator's manual. I suspect that boxed sets still include these. It was in the grand old tradition of "when you get this software, we'll give you the manual too" like what you got when you bought DOS or CP/M.

    But these days, I guess that user education is viewed as "intimidating" to users, because *shock* *horror* computers might be revealed as the complicated, useful, and powerful devices they actually are and heaven forfend users get any ideas beyond clicking on the pretty pictures. Microsoft does its damnedest to not give the user *anything* that might resemble common sense lessons in security.

    There is a lot of energy pointed at the education of developers, but none that I can see at day-to-day users from Microsoft.

    I just dealt with a user who has become so paranoid, she considers technet.microsoft.com "foreign" because she's been so abused by the utter lack of guidance in the past with computers that she can no longer tell what's legitimate or not, wrt software. I was merely pointing out a sysinternals tool. This makes me a sad panda, and I don't blame her. I can't. Because I've seen it too many times to think it's just "dumb users" anymore.

    Microsoft's blaming of the user is utter bollocks. It is entirely their fault now.

    Yes, this makes me mad. Deal with it.

    --
    BMO

  • Re:Two basic steps (Score:3, Interesting)

    by Anonymous Coward on Wednesday April 25, 2012 @05:39PM (#39800331)

    Where do you think the term "Root"kit came from?

    Before NT, Unix was the laughing stock of security, seriously. Like Windows it is also written in C and uses the same APIs for buffer overflows, stack overruns, and other crack attacks.

    My old World Almanac from 1990 had an editorial on the first ever Worm which nearly took down the internet. Hint ... it was all Unix based.

  • Re:Two basic steps (Score:3, Interesting)

    by Billly Gates ( 198444 ) on Wednesday April 25, 2012 @06:14PM (#39800803)

    You hit the nail there.

    ASLR and the other OS protections are untouched because most corporations still use XP and a 10 year old kernel. The reason most software doesn't use these things and tap into them is that they won't run on XP. Corporations won't leave XP because software doesn't use these things and tap into them. Cost savings are on top of this.

    This is a great reason to upgrade to Windows 7 and keep your systems patched. This was totally preventable and IT departments got what they deserved for their short-sightedness on only cost savings.
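The "software doesn't use these things" point above, as an added example that is not part of any comment on the page: a Python check that reads a PE image's DllCharacteristics field and reports whether the binary opted into ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT) at link time, which is what "tapping into" the OS protections means for a given executable. The header offsets and flag values are those of the PE/COFF format; build_sample_pe constructs a bare header (constructed test data, not a runnable executable) so the check can be exercised offline, and check_file is a thin wrapper for real files on disk.

```python
import struct

# DllCharacteristics flags from the PE/COFF optional header.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (Windows 8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image can be relocated: ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image.

    Layout: DOS header (e_lfanew at 0x3C) -> "PE\0\0" signature -> 20-byte
    COFF header -> optional header. DllCharacteristics sits at offset 70 of
    the optional header in both PE32 and PE32+ (ImageBase widens from 4 to 8
    bytes but BaseOfData disappears, so later offsets line up)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigations(image: bytes) -> dict:
    """Report which link-time mitigations the image opted into."""
    dc = dll_characteristics(image)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dc & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def check_file(path: str) -> dict:
    """Run the check on a PE file on disk."""
    with open(path, "rb") as f:
        return mitigations(f.read())


def build_sample_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a loadable binary)
    with the given DllCharacteristics, used to exercise the check offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    machine = 0x8664 if pe32plus else 0x14C  # AMD64 / i386
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 68, 2)          # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Point check_file at any .exe or .dll; an image with "aslr": False is one the linker did not relocate-enable (the /DYNAMICBASE opt-in was added with Visual Studio 2005 SP1 and is not honoured by XP), which is the situation the comment describes.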
