New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
What were those commons passwords in Hackers? (Score:5, Funny)
Re:What were those commons passwords in Hackers? (Score:5, Informative)
[empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw
the pat / patrick is rather weird, eh? only name in the list.
Re:What were those commons passwords in Hackers? (Score:5, Funny)
pat/patrick (Score:5, Insightful)
For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...
Re:What were those commons passwords in Hackers? (Score:5, Funny)
Shit, I should go change my root password now.
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
Shit, I should go change my root password now.
I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.
Re:What were those commons passwords in Hackers? (Score:5, Informative)
But if I did want to count the "_"'s, I could:
1) I copy the "_"'s to the clipboard.
2) I open notepad and paste the "_"'s.
3) I count them. (= 10)
(Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)
But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.
Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.
WRONG! (Score:5, Funny)
NO CARRIER
Re:WRONG! (Score:5, Funny)
<dream sequence>
ARTHUR:
What does it say?
MAYNARD:
It reads, 'Here may be found the last words of Joseph of Arimathea. He who is valiant and pure of spirit may find the Holy Grail in the Castle of aaarrrrggh'.
ARTHUR:
What?
MAYNARD:
'...The Castle of aaarrrrggh'.
BEDEVERE:
What is that?
MAYNARD:
He must have died while carving it.
LAUNCELOT:
Oh, come on!
MAYNARD:
Well, that's what it says.
ARTHUR:
Look, if he was dying, he wouldn't bother to carve 'aarrggh'. He'd just say it!
MAYNARD:
Well, that's what's carved in the rock!
GALAHAD:
Perhaps he was dictating.
ARTHUR:
Oh, shut up. Well, does it say anything else?
MAYNARD:
No. Just 'aaarrrrggh'.
LAUNCELOT:
Aaaauugggh.
ARTHUR:
</dream sequence>
No, that's just stupid. Too bad I hit submit already...
love of the Irish. (Score:3, Funny)
Happy Saint Patrick's day!
Re:love of the Irish. (Score:5, Funny)
Hey! My son Temp123 would take offense at that!
-T
Re:love of the Irish. (Score:5, Funny)
(*: True in the general case, since the XOR trick only works in certain circumstances.)
Re:What were those commons passwords in Hackers? (Score:5, Funny)
Yeah, but... (Score:5, Funny)
Re:Yeah, but... (Score:5, Funny)
Re:What were those commons passwords in Hackers? (Score:5, Funny)
Whew! For a second there I thought it was trying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
not in there? (Score:3, Informative)
What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than English.
I was surprised that it didn't include:
Months (i.e. january, february, ...) since I catch people using those a lot
system (i.e. another favorite)
xyzzy
plugh
Though I do note 'foobar' is in there, I generally use that on internet sites where I could care less if someone assumes my identity.
Re:He was right! (Score:5, Informative)
22 godzilla
5 godfathe
4 goddess
3 godsmack
3 gods
3 godiva
2 sungod
2 netgod
2 iamgod
2 goodgod
There were 294 words with "sex" in them, the top ones are:
84 sexy
25 sexx
17 sexsex
8 sexual
7 sexo
6 sexe
5 sussex
5 sextoy
5 sex4me
5 ilovesex
And 278 with "love" in it..
86 love
33 lover
21 lovers
14 loveme
13 iloveyou
10 loveit
Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day.
Re:What were those commons passwords in Hackers? (Score:5, Informative)
password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.
9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.
hope that helps!
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
505 1234
494 password
319 6969
241 harley
231 123456
201 golf
180 pussy
169 mustang
169 1111
143 shadow
135 1313
134 fish
130 5150
127 7777
121 qwerty
120 baseball
118 2112
116 letmein
114 12345678
114 12345
Other than these, the user's name, with the variations of a leading or trailing numeral, or the name spelled backwards also ranks very high, but of course, doesn't show properly in this list..
Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive.
If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simpler.
The web site password crackers that I've seen use dictionary files, and for the passwords they try:
word
drow (word backwards)
[0-9]word (read as regex, not literal)
word[0-9]
[0-9]drow
drow[0-9]
Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")
Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someone wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is supposed to use.
BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..
I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales receipt. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home.
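The mangling rules in the post above, implemented as an added example in Python (this is not code from the post or from the worm): each base word and its reverse get a single leading or trailing digit, then the three case forms and a leet substitution are applied, and is_guessable() tests whether a given password lands inside that candidate space. The word list and the leet table are constructed assumptions; the post only names 0-for-o and 3-for-e, and a real cracker ships a full dictionary rather than three words.

```python
import string

# Constructed sample word list standing in for the gzip'd dictionary the
# post mentions; a real cracker would load tens of thousands of words.
SAMPLE_WORDS = ["secret", "honda", "letmein"]

# Assumed leet table: the post names 0-for-o and 3-for-e; the rest are
# common additions.  Only lowercase keys are needed because mangle()
# lowercases the base word before applying it.
LEET = str.maketrans({"o": "0", "e": "3", "i": "1", "a": "4", "s": "5"})


def case_variants(word):
    """As typed, ALL CAPS, and aLtErNaTiNg capitalisation."""
    alternating = "".join(
        ch.upper() if i % 2 else ch.lower() for i, ch in enumerate(word)
    )
    return {word, word.upper(), alternating}


def mangle(word):
    """Candidates derived from one base word, per the post's rules:
    word, drow, [0-9]word, word[0-9], [0-9]drow, drow[0-9], each in the
    three case forms and with leet substitution applied."""
    word = word.lower()
    base = {word, word[::-1]}
    forms = set(base)
    for f in base:
        for d in string.digits:          # exactly one digit, front or back
            forms.add(d + f)
            forms.add(f + d)
    out = set()
    for f in forms:
        for variant in (f, f.translate(LEET)):
            out |= case_variants(variant)
    return out


def candidates(words=SAMPLE_WORDS):
    """Union of the mangled forms of every word in the list."""
    out = set()
    for w in words:
        out |= mangle(w)
    return out


def is_guessable(password, words=SAMPLE_WORDS):
    """True if the password falls inside the mangled candidate space."""
    return password in candidates(words)


if __name__ == "__main__":
    space = candidates()
    print(f"{len(space)} candidates from {len(SAMPLE_WORDS)} base words")
    for pw in ("secret", "7terces", "53cr3t", "H0ND4", "Tr0ub4dor&3"):
        print(f"{pw:>12}: {'weak' if is_guessable(pw) else 'not in space'}")
```

The candidate count is what matters: three base words already expand to a few hundred guesses, so a password that "looks" modified (a digit on the end, a 3 for an e) costs an attacker almost nothing extra over the bare dictionary word.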
who's on first? (Score:5, Funny)
Re:who's on first? (Score:5, Interesting)
chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
Zero = uppercase o
One = lowercase L
One = uppercase i
I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files.
I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day..
-----
#!/usr/bin/perl
use strict;
use warnings;
# Define our character set here, leaving out difficult (similar) characters;
# chars.list holds one allowed character per line.
open(my $list, '<', '/usr/users/security/chars.list') or die "chars.list: $!";
my @chars = <$list>;
close($list);
chomp(@chars);
# Pick 8 characters at random, with replacement (the 54^8 key space above).
# Note that Perl's rand() is not a cryptographically strong generator.
my $password = join("", @chars[ map { rand @chars } (1 .. 8) ]);
# Strip anything that isn't alphanumeric, in case the list has stray characters.
$password =~ y/0-9A-Za-z//cd;
print "$password\n";
-----
Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed.
BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.
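A Python version of the same generator, added here as an example rather than taken from the post, with the property the Perl script leaves to rand(): it draws from the secrets module (a cryptographic RNG) instead of the libc-style PRNG, drops the look-alike characters the post lists (0/O, 1/l/I) from a constructed alphabet, and computes the resulting key space so the "54^8" figure can be checked against whatever alphabet is actually in use. The alphabet here is an assumption and comes out at 57 characters, not 54; the post's chars.list is not reproduced.

```python
import math
import secrets
import string

# Constructed alphabet: ASCII letters and digits minus the look-alikes the
# post excludes (zero/uppercase O, one/lowercase l/uppercase I).  This is an
# assumption; the post's chars.list is not reproduced here.
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS
)


def generate(length=8, alphabet=ALPHABET):
    """Draw `length` characters with a cryptographic RNG, with replacement."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length=8, alphabet=ALPHABET):
    """Number of distinct passwords of this length over this alphabet."""
    return len(alphabet) ** length


def entropy_bits(length=8, alphabet=ALPHABET):
    """Bits of entropy for a uniformly drawn password of this shape."""
    return length * math.log2(len(alphabet))


def seconds_to_exhaust(length=8, guesses_per_second=1e9, alphabet=ALPHABET):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def is_unambiguous(password):
    """True if the password contains none of the look-alike characters."""
    return not (set(password) & AMBIGUOUS)


if __name__ == "__main__":
    pw = generate()
    print(pw, len(ALPHABET), keyspace(), f"{entropy_bits():.1f} bits",
          f"{seconds_to_exhaust() / 86400:.1f} days at 1e9 guesses/s")
```

Because every character is drawn independently from the same set, the strength is exactly length times log2(alphabet size); shortening the alphabet to avoid typing mistakes costs well under a bit per character, which is a fair trade against the Post-It on the monitor.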
Re:who's on first? (Score:5, Funny)
lUSER: BOB! MY USERNAME IS BOB! WHAT'S MY PASSWORD.
BOFH: "no", Bob.. But I'm looking further into this, and it seems you may have a problem.
lUSER: Ya? What kind of problem? Everything was fine til you changed my password.
BOFH: Did you have any files in your directory?
lUSER: I just finished the annual fiscal reports!.
BOFH: [click][click][click].. Hmmmm, I don't see anything here.
lUSER: WHAT!!!!!!!!
BOFH: Hold on, let's look at the backups...
lUSER: Thank god..
BOFH: PFY, you made backups right?
PFY: They're right here in the tape degausser.
BOFH: Bob, I'm sorry, it seems there was a terrible accident with the backups..
[degausser mysteriously turns on]
lUSER: What about my Email, is it safe?
[lightbulb appears over BOFH's head]
BOFH: Let's have a look, shall we? [click][click][click] So, you've been writing to the boss's wife an awful lot.. Hmmm
lUSER: Ya, we're old friends.
BOFH: Are these nudes of her? Close friends, aren't you?
lUSER: BUT! No! Don't look at those!
PFY (whispers to BOFH): what if......
[click][click][click][click] No problem, I've removed all those nasty pictures from your box.
BOFH hangs up the phone, unplugs it from the wall, and gracefully sets it on top of the bookshelf where it won't be in the way.
"Where did you send the pics?", PFY asks...
"From: Mr. Luser
To: Boss's Wife
Bcc: to the boss, the boss's mother-in-law, luser's wife, and of course a copy in our files.", BOFH cites.
"Have we arranged for our monthly raises yet? I think it's about time. Lets check accountings database, and see how much Mr. Luser was earning us."
----
I'd love to be a BOFH writer.. But until then, I live the part in real life.
Just imagine the fun a BOFH could have with say an ex-girlfriend's new boyfriend, an ounce of cocaine (mixed in with 5 pounds of filler), superglue, epoxy, and a few "anonymous" phone calls to his boss, neighbors, and the police, all while being the nicest guy in the world to him too..
I've just never had a good outlet for my stories..
Re:who's on first? (Score:5, Funny)
Re:What were those commons passwords in Hackers? (Score:5, Funny)
Re:What were those commons passwords in Hackers? (Score:5, Funny)
53: 123456
21: password
keep in mind we require a >= 6 char password. We only have about 4,000 users.
After reading your post, I thought I would try a few myself. Sure it's a small sample, although probably not statistically valid it certainly adds to the anecdotal evidence
mysql> select count(*) from auth;
+----------+
| count(*) |
+----------+
|      873 |
+----------+
Total Users

mysql> select count(*) from auth where password = md5(username);
+----------+
| count(*) |
+----------+
|       90 |
+----------+
username same as password

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.fname);
+-------------------+
| count(a.username) |
+-------------------+
|                44 |
+-------------------+
password is first name

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.lname);
+-------------------+
| count(a.username) |
+-------------------+
|                24 |
+-------------------+
Password is last name

mysql> select count(*) from auth where password = md5('password');
+----------+
| count(*) |
+----------+
|       10 |
+----------+
hmmm, only 10 users with a password of password

Some more

mysql> select count(*) from auth where password = md5('12345');
+----------+
| count(*) |
+----------+
|       10 |
+----------+

I've got to put some text here to break up the queries, hopefully it will help out a little bit. Does anyone who has read through the slashcode know what criteria is used for the lameness filter? Is it the ratio of junk characters to nonjunk characters or is there something else to it?
It seems like it causes problems.

mysql> select count(*) from auth where password = md5('1234');
+----------+
| count(*) |
+----------+
|        2 |
+----------+
Now I suppose I must do a very lengthy conclusion because the lame
Jesus, what a fucking pain in the ass. Is it really that painful to the community to have a few ASCII porn pics posted? Damn I hate to have to go through this huge fucking ordeal just to post a simple fucking comment. How about a goddamn lameness filter exemption for people with excellent karma? How many ASCII goatse.cx pictures have you seen posted with a plus 1 bonus?
It still will not post. I have stripped just about every nonletter from my post and it still will not fucking go up. what next do i need to strip the punctuation and caps so that i can get more non motherfucking bullshit junk characters in my post i guess it just goes back to the saying often quoted on slashdot i will paraphrase those who give up essential posting liberties for a little temporary safety from goatsex deserve goatsex twentyfour seven i wonder if it has ever occured to the nitwits that run this site that people might actually want to post something that is meaningful to the conversation that is not plain old text sometimes it makes things much more readable if you have some formatting and punctuation in there to break things up a bit gee its news for nerds cant these guys forsee that some geeks are going to want to post code and other things that may have more punctuation and special characters than your standard text
motherfuckers
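The same audit as a stand-alone Python script over a constructed table, added here as an example; it is not the poster's database or queries. One caveat worth knowing before copying the SQL above: `from auth as a, contact as b where a.password = md5(b.fname)` has no join condition tying a to b, so it counts a password that matches anyone's first name, not the owner's. The example below compares each row against its own username (forwards and reversed), its own first and last name (as stored and lowercased), and a short common-password list. The table stores unsalted MD5 exactly as the post's does, which is what makes this audit, and an attacker's, cheap: one digest per guess, compared against every row at once.

```python
import hashlib

# Short constructed common-password list (top entries from this thread).
COMMON = ["password", "12345", "1234", "123456", "letmein", "qwerty"]


def md5hex(text):
    """Unsalted MD5 hex digest, matching MySQL's md5() on the same string."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample rows: (username, first name, last name, md5(password)).
# The plaintexts appear only to build the fixture; an auditor sees hashes.
SAMPLE_ROWS = [
    ("alice", "Alicia", "Smith", md5hex("alice")),       # password == username
    ("bob",   "Robert", "Jones", md5hex("bob")),         # password == username
    ("cjl",   "Carol",  "Lee",   md5hex("carol")),       # first name, lowercased
    ("dave",  "Dave",   "Kim",   md5hex("Kim")),         # last name as stored
    ("erin",  "Erin",   "Park",  md5hex("password")),    # common list
    ("frank", "Frank",  "Wu",    md5hex("12345")),       # common list
    ("grace", "Grace",  "Nye",   md5hex("X7#kq!91Lm")),  # not guessable here
]


def audit(rows, common=COMMON):
    """Count rows whose stored md5 equals a per-user guess or a common word.

    Categories overlap, as in the post's separate queries.  Returns the
    counts plus the set of usernames that matched anything.
    """
    common_digests = {md5hex(word): word for word in common}
    report = {"total": len(rows), "username": 0, "first_name": 0,
              "last_name": 0, "common": {}, "flagged": set()}
    for user, first, last, digest in rows:
        hit = False
        if digest in (md5hex(user), md5hex(user[::-1])):
            report["username"] += 1
            hit = True
        if digest in (md5hex(first), md5hex(first.lower())):
            report["first_name"] += 1
            hit = True
        if digest in (md5hex(last), md5hex(last.lower())):
            report["last_name"] += 1
            hit = True
        if digest in common_digests:
            word = common_digests[digest]
            report["common"][word] = report["common"].get(word, 0) + 1
            hit = True
        if hit:
            report["flagged"].add(user)
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_ROWS)
    print(f"{r['total']} users, {len(r['flagged'])} with guessable passwords")
    for key in ("username", "first_name", "last_name"):
        print(f"  {key:>10}: {r[key]}")
    for word, n in sorted(r["common"].items()):
        print(f"  {word!r:>12}: {n}")
```

Run against a real export, the flagged set is the list of accounts to force-reset; the per-user checks are the ones a worm like the one in the story cannot do without the contact table, but a cracker who has dumped both tables can.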
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
You spent good time giving an informative message, which when you hit submit, it honestly should have taken..
At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of how our DNS worked.. 18 lines with word "Address: ", and half starting with one
I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN'T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?
I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outrageously high Karma by now (now only known as "Excellent")
They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts..
Re:What were those commons passwords in Hackers? (Score:5, Funny)
Re:What were those commons passwords in Hackers? (Score:4, Funny)
Not again... (Score:5, Funny)
Thank you (Score:3, Insightful)
This is a problem? (Score:5, Interesting)
Anyone want to tell me why this is a problem? It forces the person to act, unlike a security posting about good passwords in an employee handbook.
Re:This is a problem? (Score:3, Informative)
Re:This is a problem? (Score:5, Interesting)
Because it also installs a VNC server on the box and connects to a pre-defined list of 13 IRC servers, opening a big wide backdoor into the system.
I suppose you could argue that we don't know what their intentions are -- maybe they're gonna just connect to the box and fix things for the idiot admins, all nice like.
So, progressive administration? (Score:5, Funny)
-RB
Re:This is a problem? (Score:4, Insightful)
That would be pretty useful in my office...
Cheers,
Jim
yes, it's a problem (Score:5, Interesting)
Right, minimal damage, just a rebuild unless you want to trust a cracker's claim of minimal damage. Time, money all wasted. Ever tried to back up a windoze box? It's not like the useful files are all located in the user's home directory. Stuff gets lost, even with the best "migration" tools. I don't even want to think of the BSA accounting problem this will create at larger firms.
By the way, who let M$ off for this? They got server daemons running as ROOT, that can write anywhere? Oh yeah! And they have things so tied up that it's a pain in the ass to run anything but M$ crap? No responsibility for the monoculture of weak software on M$'s part is there? Burn, baby, burn, show'em what you are worth!
Re:This is a problem? (Score:4, Informative)
Celeb Commentary, not just on DVDs! (Score:4, Insightful)
Re:Celeb Commentary, not just on DVDs! (Score:5, Funny)
You must be new here.
A cold day in... (Score:5, Funny)
Taco: Hell just called. They want you to turn the heat back on.
The Most Open Security Hole.... (Score:5, Interesting)
But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???
Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".
Re:The Most Open Security Hole.... (Score:5, Insightful)
Simple solution... (Score:5, Insightful)
This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.
And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
huh? (Score:3, Insightful)
Not Microsofts Fault? (Score:3, Insightful)
Risks of default passwords (Score:5, Insightful)
Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.
The weakest link (Score:3, Insightful)
It isn't only at the PHB's desk that PEBKAC can occur.
Unfortunately, in an employment environment where complicated passwords are just another encumbrance and annoyance for most people, this is not going to change any time soon.
ummm.... (Score:4, Interesting)
BAD PASSWORD: it is based on your username
New UNIX password: jp821968i
BAD PASSWORD: it looks like a National Insurance number.
New UNIX password: rg78kn
BAD PASSWORD: is too simple
Yeh, nothing to do with the password system.
Ok, so that's how my linux box is setup (without post install configuration), why isn't windows setup this way?
Re:ummm.... (Score:3, Interesting)
Hint: look at your keyboard.
Re:ummm.... (Score:5, Informative)
Solution: Don't use weak passwords. (Score:5, Interesting)
Good for those Linux boxes! You're using a weak password.
First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.
Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!
Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
ACK!!! (Score:5, Funny)
What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...
Who are you and what have you done with the slashdot editors?!?
--
Dilbert - "If aliens take over your boss's body, is that a bad thing?"
Wally - "It depends on the aliens"
VB App to help? (Score:5, Insightful)
Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
Dictionary attack + 1 (Score:5, Insightful)
When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.
This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.
Perhaps the best solution would be biometrics?
Re:Dictionary attack + 1 (Score:3, Funny)
Maybe. If implemented by a security guard with a pair of calipers that he measures your skull with every time you want to log on, then he logs on for you and if your skull doesn't match the numbers on his clipboard he shoots you.
Phew! I'm safe! (Score:3, Funny)
xyzzy
on the list of passwords it tries. Guess I don't have to worry about this one.
Ack! It's the Rapture! (Score:4, Funny)
Dammit, I knew I should have built that bomb shelter...
Re:Ack! It's the Rapture! (Score:5, Funny)
Along with that, this post [slashdot.org] observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.
It's very clear to me now, obviously the
Symantec's hint (Score:5, Interesting)
LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225
This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.
They know something, definitely.
Real Info on this Worm (Score:4, Informative)
1. Once on the system it disables personal security/firewall/virus scanning
2. Copies itself to the start up group
3. With virus scanning disabled it drops several nasty bugs.
4. Network traffic/processor utilization goes thru the roof.
5. It then tries to replicate on the next machine...
McAfee has an extra.dat that fights it; the next DAT release on the 12th will include that def.
Good Luck
Hypocrites (Score:5, Insightful)
Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists [securityfocus.com] and I can tell you that I see a lot more *nix than MS activity.
I feel sorry for those that let their hatred of a company cloud their perception on information security.
-Lucas
Re:Hypocrites (Score:4, Insightful)
Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:
b) patched almost immediately after the exploit is announced. We see in the world of Windows that it's not uncommon for vulnerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)
It's not a worm, it's a DDOS countermeasure (Score:5, Insightful)
Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...
Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
Re:It's not a worm, it's a DDOS countermeasure (Score:4, Insightful)
If I was a spammer or hacker, I would probably have a bunch of PC's between me and my targets, and use those pc's to get more pc's ad infinitum.
(Not that I know anything about this, I program in userland against an ORACLE database behind a firewall
SAMBA protocol (Score:4, Insightful)
Just to be the devil's advocate (literally
And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
Re:SAMBA protocol (Score:5, Informative)
Not default passwords... (Score:4, Insightful)
I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.
It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.
This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
Why do people hire these admins? (Score:5, Interesting)
How MS can "force" a person to choose a good pw? (Score:4, Interesting)
What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):
The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.
Of course, then what would the Linux and BSD zealots have left to bitch about?
disables network sharing. (Score:4, Funny)
Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automatically creates that are full of Nimda are history. Although the PC would most likely be history too.
Either way nimda would be off the network
Users pick bad passwords, sigh (Score:4, Informative)
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center [incidents.org]. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm [nai.com].
Weak XP (Score:5, Interesting)
That's right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and you're back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often that's not enough, you're in.
Add to that that all accounts made are Administrator by default, and DONT need passwords.
What REALLY hurts windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.
Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin node is almost worthless, because SO many programs require admin access rendering it a pain in the ass.
While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.
They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.
To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.
The windows box will have every spyware app on it, stuff deleted, etc, etc.
OH, Xupiter just installed itself again, i have to go...
Luckily the world is safe... (Score:5, Funny)
A bit more detail (Score:4, Informative)
Re:Microsoft's fault? (Score:5, Insightful)
Please tell me how it's MS's fault that people pick easy to guess passwords?
Re:Microsoft's fault? (Score:5, Funny)
Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.
Re:Microsoft's fault? (Score:5, Funny)
The fact that your aunt has breast cancer is Microsoft's fault.
THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!
DAMN YOU MICROSOFT
Technical Reasons: (Score:4, Insightful)
Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 everyday. Shielding didn't used to be so good, you know.
Everything IS Microsoft's fault. Duh.
Choose your weapons...Uh, I pick Blame! (Score:3, Interesting)
Please tell me how it's MS's fault that people pick easy to guess passwords?
Some systems I have used in the past have a built in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.
You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.
A modest proposal:
Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue') Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)
Re:Choose your weapons...Uh, I pick Blame! (Score:4, Informative)
Re:Microsoft's fault? (Score:5, Interesting)
Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.
The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.
True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.
No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
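The comment above describes three conditions lining up: an enabled account in the Administrators group that needs no password, the default administrative shares, and SMB reachable from the network. The following is an added audit script, not part of the thread; it assumes a modern Windows host with the built-in Get-LocalUser, Get-LocalGroupMember, Get-SmbShare and Get-NetTCPConnection cmdlets (Windows 10 / Server 2016 or later), and it flags accounts with the "password not required" flag set, since a literal blank password cannot be tested read-only.

```powershell
# Added example (not from the thread): audit the conditions the comment above
# describes. Assumes Windows 10 / Server 2016+ built-in cmdlets; run elevated.

function Get-WeakAdminExposure {
    # Local accounts that are members of the local Administrators group
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }

    $riskyAccounts = foreach ($m in $admins) {
        $name = $m.Name.Split('\')[-1]
        $u = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        # PasswordRequired = $false means the account may legitimately have
        # an empty password; a blank password set some other way is not
        # visible here, so treat this as a lower bound, not a full check.
        if ($u -and $u.Enabled -and -not $u.PasswordRequired) {
            [pscustomobject]@{
                Account = $u.Name
                Problem = 'Enabled administrator, password not required'
            }
        }
    }

    # The default administrative shares (C$, D$, ADMIN$, IPC$) are flagged Special
    $adminShares = Get-SmbShare | Where-Object { $_.Special } |
        Select-Object -ExpandProperty Name

    # Is SMB (TCP 445) listening on something other than loopback?
    $smbListening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }

    # Exposed in the sense of the thread only when all three line up
    $exposed = (@($riskyAccounts).Count -gt 0) -and
               (@($adminShares).Count -gt 0) -and
               [bool]$smbListening

    [pscustomobject]@{
        RiskyAdminAccounts = @($riskyAccounts)
        AdminShares        = @($adminShares)
        SmbListening       = [bool]$smbListening
        ExposedToWorm      = $exposed
    }
}

Get-WeakAdminExposure | Format-List
```

A host firewall that blocks inbound 445 would still show SmbListening as true here, since the check looks at the listening socket, not at what the network can reach.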
Re:Microsoft's fault? (Score:5, Informative)
Re:Microsoft's fault? (Score:4, Insightful)
The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Same as above, go you lumberjack... GO NOW!
Re:Microsoft's fault? (Score:5, Funny)
It's a good thought, but consider this:
You should be warned that ena*click*
Are you sure that you want*click*
Sweet. My files are shared.
Re:Microsoft's fault? (Score:5, Insightful)
There are some environments and situations where maliciousness simply isn't a concern, and security is used for other purposes.
Programmers Telling Users What to Do? (Score:5, Informative)
Spoken as a programmer: Password policy is not the job of the programmer, that's the job of management and/or sys admins. Your employer should outline a security policy and your admins should back it up in implementation and your managers should back it up with disciplinary policy (PAF's I think they are called, they smack you and you go 'PAF!', or something like that.) Programmers should not be in the practice of roaming around telling users how they should be doing things, stepping on the toes of management, sys admins or even analysts, etc. Programmers typically do not interact with users (unless they happen to be a programmer/analysts, in which case they probably are allowed out into the user community more often) in order to perform the important job of upholding the social misfit, geek, nerd, and so on, stereotypes.
Oh, and if you are an admin and the programmers have begun to rise up and tell you how, when and what to set your server passwords to dictate policy, just change the subject to Star Trek, The Matrix or Dr. Who and the problem will just go away.
That said...
Here's a pretty picture of my firewall log [dragonswest.com], please note the cluster of port 445 hits.
Re:Microsoft's fault? (Score:5, Interesting)
Not all shares are manually set.
If the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).
Re:Microsoft's fault? (Score:3, Interesting)
Re:Microsoft's fault? (Score:3, Informative)
Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!
Re:Microsoft's fault? (Score:3, Informative)
Re:Microsoft's fault? (Score:5, Informative)
From Technet article 318751 [microsoft.com] (HOWTO: Remove Administrative Shares in Windows 2000):
And... From 314984 [microsoft.com] (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)
These get rid of those pesky administrative shares.
Re:Microsoft's fault? (Score:4, Informative)
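The two KB articles cited above cover the same switch; as an added example that is not the KB text or the thread's own, here is the modern PowerShell form. It assumes the documented LanmanServer registry values AutoShareWks (workstation SKUs) and AutoShareServer (server SKUs) and the built-in Get-SmbShare / Remove-SmbShare cmdlets; IPC$ is deliberately left in place because SMB itself needs it.

```powershell
# Added example (not the KB text quoted above): stop Windows from recreating
# the administrative shares (C$, D$, ADMIN$) and remove the ones present now.
# Assumes the documented AutoShareWks / AutoShareServer values; run elevated.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-AdminShares {
    # Set both values so the result does not depend on workstation vs server SKU
    foreach ($v in 'AutoShareWks', 'AutoShareServer') {
        New-ItemProperty -Path $params -Name $v -PropertyType DWord -Value 0 -Force | Out-Null
    }

    # Shares removed here would come back on service restart if the
    # registry values above were still non-zero. IPC$ stays.
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } | ForEach-Object {
        Remove-SmbShare -Name $_.Name -Force
    }

    # Restart the Server service so the new setting takes effect
    Restart-Service -Name LanmanServer -Force
}

function Test-AdminSharesDisabled {
    $wks = (Get-ItemProperty -Path $params -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    $srv = (Get-ItemProperty -Path $params -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
    $left = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
    [pscustomobject]@{
        AutoShareWks    = $wks
        AutoShareServer = $srv
        RemainingShares = @($left.Name)
        Disabled        = ($wks -eq 0) -and ($srv -eq 0) -and (@($left).Count -eq 0)
    }
}

Disable-AdminShares
Test-AdminSharesDisabled | Format-List
```

Remote administration tools that rely on ADMIN$ (remote service installation, some deployment agents) will stop working on the host until the values are set back to 1.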
So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
Re:White-hat worm? (Score:3, Informative)
Re:White-hat worm? (Score:3, Insightful)
*sigh*
Re:Doh! (Score:3, Informative)
Re:Doh! (Score:5, Interesting)
To this day you can still connect to a Win98 share with smbclient and specify the user's computer name as your computer name (the -n switch), and Win98 will not show when you are actually connected; it will complain about someone being connected if you attempt to shut down but will not specify who is connected.
(I tried this trick with W2K and it was not fooled by the remote connection; unsure of other Win versions.) Of course connection logging on the Windows end is pretty much non-existent, so good luck trying to track someone down anyway.
Re:I wonder if that is why my router is not happy (Score:5, Funny)
That's normal. There are two solutions:
1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.
Or
2. Stop logging UDP port 137.
Re:Might be MS's fault. (Score:3, Insightful)
Re:Hypocrisy (Score:4, Insightful)
What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install CDs in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things yourself. I do sometimes, but it is not a necessity.
windows guy: "Your operating system isn't anything by default!"
Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc. for so long, using a windows box can be just frustrating. I don't think your argument makes sense at all; all these things are installed and work by default.
Windows is a very secure operating system, but not out of the box.
Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
What proof do you have that windows can be very secure? Over the last two years:
Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.
Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?