
Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

Posted by samzenpus
from the protect-ya-neck dept.
coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."
This discussion has been archived. No new comments can be posted.

  • by Gothmolly (148874) on Wednesday April 25, 2012 @03:23PM (#39798703)

    So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

    Nice to see MS on the cutting edge of security research.

    • Which is more than you can say for too many of its customers.

    • by PNutts (199112)

      So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

      Nice to see MS on the cutting edge of security research.

      Apparently the owners of 1.7 million PCs need to hear it. And since those machines are throwing malware at mine I support that advice from any source.

  • by betterunixthanunix (980855) on Wednesday April 25, 2012 @03:25PM (#39798739)
    We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?
    • by Lunix Nutcase (1092239) on Wednesday April 25, 2012 @03:26PM (#39798751)

      We were waiting on you to implement it since it's so easy of a change to make.

      • Did I say it was easy? Yes, it will take work, but we are not even trying right now. Does your bank offer anything better than passwords?
        • by hackula (2596247)

          Did I say it was easy? Yes[.]

          Sorry, I could not resist.

        • My bank offers text messages with one time password. After they found out that even printed OTPs can be abused.

          Believe it or not, I've analyzed a trojan that got by OTPs myself. Really clever. Relies on the fact that what you see and what gets transmitted isn't necessarily the same in the average browser.

    • biometrics are not that much better and don't do well for, say, a shared admin or other maintenance password.

    • by DdJ (10790) on Wednesday April 25, 2012 @03:31PM (#39798823) Homepage Journal

      We have better authentication methods...

      Would you kindly name three?

      (Please be specific. Then, we can explain how for a given set of reality-based situations, they're not in fact actually "better".)

      • by Siberwulf (921893)
        Do you really need three?

        Um, how about a simple rewording of "Password" to "Passphrase" and make the minimum required length 20 characters.

        If you take the utterly easy passphrase of "My favorite password is the word password.", you're talking about 7.1 x 10^61 years to crack it. A measly 20 character phrase would take 1 sextillion years.

        And really, from a development side of the coin, implementation doesn't get much simpler. You should already be storing hashes of the passwords, not the passwords
    • by houghi (78078)

      People always talk about passwords without looking at the other part: usernames.
      Often I am not able to select my username. I have more usernames than passwords. At work I have one password, which is less secure than it could be, because I need to change it every month.
      I have at least 7 different usernames.
      first letter first name up to 8 characters total with the last name
      first letter and full last name
      3 letters first name up to 8 for the last name
      last name only
      first name only
      department name
      company name

      This

    • I guess you're barking up the wrong tree. The problem isn't that people can find out your passwords. The problem is that people hand them over willingly. They actively aid trojans and bank frauds. Unwittingly, of course, but because they don't know crap about the machines they are using.

      The biggest attack vector today isn't even faulty software, it is user action. Opening attachments without wondering why a .pdf file prompts a "you really want to execute this attachment from 'unknown'?" from their system, r

  • by swm (171547) * <swmcd@world.std.com> on Wednesday April 25, 2012 @03:26PM (#39798747) Homepage

    It's not my fault!

    • But he sure would have had every patch installed, for we all know he does not tardy. After all, he shot first!

  • We had the conficker worm run wild at my work not long ago. Even systems that were well secured by passwords ended up falling victim to the worm due to unpatched vulnerabilities. Yes, bad passwords don't help, but Microsoft needs to own up to the fact that a worm such as conficker is perfectly capable of infecting well-secured (password-wise) machines if they are not patched for the vulnerabilities that Microsoft left behind.

    And being as some patches and updates break compatibility with critical software, patching is not always a trivial matter. Some systems need to stay essentially frozen in time with regards to updates, while still being on the network. Of course then an infected system is added to the network and away we go again.
  • If only:
    1. Everyone were meticulous in following the guidelines which require passwords being more shift+number than letters, and capable of memorizing new ones on a regular schedule.
    2. Everyone kept better care of their computers (regular updates) than they do for their own bodies (regular physicals, anyone?).
    Then we could have prevented this whole thing!

    Real world implications of having to remember numerous non-dictionary passwords, and expecting those who see the computer as a magic box to the interweb

  • Like autorun? (Score:3, Informative)

    by Anonymous Coward on Wednesday April 25, 2012 @03:36PM (#39798881)

    Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.

  • having to change passwords all the time leads to weak ones or the password being put on a post it note.

    • having to make up your own passwords, then having to change them all the time leads to weak ones or the password being put on a post it note.

      FTFY.

      I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

      Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lowe

      • by tlhIngan (30335)

        I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

        Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case

        • Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs.

          Faculty and staff network access; pretty major stuff.

          If I'm not mistaken, it was someone in the financial office (which handles not only student accounts, but payroll as well) who had the wonderfully secure password 'Dolphin1'

          I wish it had been something as benign as lab computer access, would have made my job of patching up the holes created by user generated passwords a hell of a lot easier.
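Added example, not part of any comment in the thread: a small Python audit showing why 'Dolphin1' passes the composition rules quoted above yet sits in a far smaller guess space than an auto-generated string. The wordlist, the assumed dictionary size and all function names are constructed for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Constructed sample wordlist; a real audit would load a full dictionary.
WORDLIST = {"dolphin", "password", "welcome", "summer", "university"}
# Assumed size of the dictionary an attacker would try (illustrative figure).
ASSUMED_DICTIONARY_SIZE = 100_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def meets_composition_rules(pw: str) -> bool:
    """Rules visible in the thread: minimum 8 chars, one upper, one lower."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw))


def dictionary_base(pw: str) -> Optional[str]:
    """Return the dictionary word a password is built on, or None.

    Strips leading/trailing digits and punctuation and lowercases the rest,
    which catches the "Word + digit" shape users pick to satisfy the rules.
    """
    core = pw.strip(string.digits + string.punctuation).lower()
    return core if core in WORDLIST else None


def generate_password(length: int = 12) -> str:
    """Auto-generated password, 8-12 characters as in the earlier policy."""
    if not 8 <= length <= 12:
        raise ValueError("length must be between 8 and 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(pw: str) -> dict:
    """Compare what the composition rules say with a rough guess-space size."""
    base = dictionary_base(pw)
    if base:
        # word choice x (capitalised or not) x one trailing digit
        bits = math.log2(ASSUMED_DICTIONARY_SIZE * 2 * 10)
    else:
        # Upper bound: only valid if every character was chosen at random.
        bits = len(pw) * math.log2(len(ALPHABET))
    return {"passes_rules": meets_composition_rules(pw),
            "dictionary_base": base,
            "approx_bits": round(bits, 1)}


if __name__ == "__main__":
    print(audit("Dolphin1"))
    print(audit(generate_password(8)))
```

The bit figure for a non-dictionary password is an upper bound that only holds when the characters were chosen at random, which is what `generate_password` does.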

    • by clarkn0va (807617)

      And MS knew that. [microsoft.com]

  • ...exploiting software vulnerabilities for which updates existed.

    Seeing as Microsoft wrote it in the first place, I think it's fair for them to share some of the blame.

  • by shumacher (199043) on Wednesday April 25, 2012 @03:43PM (#39798997) Homepage

    The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.

    It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"

    Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.

  • by 140Mandak262Jamuna (970587) on Wednesday April 25, 2012 @03:44PM (#39799001) Journal
    Each and every site admin comes up with a different idea for more secure authentication. Then clueless management insists on dumbing it down shredding what little remains.

    For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, and 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.

    Then there are idiotic Paychex which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?

    Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. Maybe even a third level password to send cash out of that institution to outside.

    • by jonwil (467024)

      My bank has a second layer of authentication (either one-time-use SMS codes or a second password) that is used any time you want to transfer to someone not on your "approved payees" list.
      They also have password entry done (both the main password and this extra password) through an on-screen keyboard where you have to click the letters and the keyboard moves slightly when you click it.

      On the minus side, they have a stupid limit of 10 characters for the passwords.

  • I just got caught up on some of my reading. One of those articles was about how people who 'foolishly' applied their black Tuesday patches were unable to print out their tax forms. I think that might just explain why so many systems are so far out of date.

  • by King_TJ (85913) on Wednesday April 25, 2012 @04:00PM (#39799209) Journal

    It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:

    You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!

    And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?

    Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).

    With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?

    • Updates are worse than just the hassle of them. Many of the updates take away, or fundamentally change, the way the underlying software works. IIRC, iTunes had a great example of this early in their release schedule... At some point, Apple wanted to stop people from doing something with their files...like being able to turn them into MP3's or something like that. They released an "Update" that stopped that ability. (I may be remembering some other similar functionality)... Anyway, I remember consciously
    • not rebooting leads to memory leaks and stuck software.

      Even with a system to update stuff without a full reboot what happens when it hits something stuck in the background or updates something that is leaking ram?

      • by King_TJ (85913)

        Well, you can't avoid the need to reboot when things crash. Nothing new there. But people have a need to apply updates far more often than they encounter stuck software and memory leaks crippling things, right?

        With a seamless update process like I was suggesting, the need to *eventually* reboot probably doesn't go away. But uptimes would certainly improve over what you'd have if you applied, say, every Microsoft update on the day it was released. My experience with those is you get at least 3-5 of them ev

  • Instead of blaming the user, perhaps the *biggest and most successful software company in the world* can do something to help.

    1) Bake-in a password-generator tool into IE (along the lines of 1Password).

    2) Don't make the software update system suck balls so people want to turn it off.

    On the former point, I know this isn't a magic bullet solution. You still need to remember a password. But it's one password, not 37. It at least makes it easier.

    On the latter point, I have automatic updates turned
  • by bmo (77928) on Wednesday April 25, 2012 @05:38PM (#39800313)

    Sure, sure, blame the users again, Microsoft.

    How about educating them for once? You own, according to some metrics, 90 percent of the desktop market. Your operating systems in retail boxes don't even come with quickstart guides to basic security. No, you just leave your users to flounder about without any guidance at all, and if they want it, they have to pay extra for it.

    At least when I was paying for boxed sets of SuSE Linux, it came with two well-written manuals, a user's manual, and an administrator's manual. I suspect that boxed sets still include these. It was in the grand old tradition of "when you get this software, we'll give you the manual too" like what you got when you bought DOS or CP/M.

    But these days, I guess that user education is viewed as "intimidating" to users, because *shock* *horror* computers might be revealed as the complicated, useful, and powerful devices they actually are and heaven forfend users get any ideas beyond clicking on the pretty pictures. Microsoft does its damnedest to not give the user *anything* that might resemble common sense lessons in security.

    There is a lot of energy pointed at the education of developers, but none that I can see at day-to-day users from Microsoft.

    I just dealt with a user who has become so paranoid, she considers technet.microsof.com "foreign" because she's been so abused by the utter lack of guidance in the past with computers that she can no longer tell what's legitimate or not, wrt software. I was merely pointing out a sysinternals tool. This makes me a sad panda, and I don't blame her. I can't. Because I've seen it too many times to think it's just "dumb users" anymore.

    Microsoft's blaming of the user is utter bollocks. It is entirely their fault now.

    Yes, this makes me mad. Deal with it.

    --
    BMO

  • Save this article and email it to the idiot bean counters at work who say IE 6 is perfectly fine and so is XP so why upgrade until 2014?

    I thought Conficker came out in like 2004? It should not be infecting machines today and this is stupid.

    The problem is not IE and Windows. Windows 7 and IE 9 have been secure for awhile with ASLR, DEP, and sandboxing. The idiots are not the users (well most are not), but IT and CIOs and CEOs who refuse to look at things like computers as anything but cost centers. It is gra

  • Isn't Conficker a Windows-only issue?
    If so, wouldn't the obvious one basic security step be to stop using Windows?
    Just sayin'...
