
Microsoft Says Two Basic Security Steps Might Have Stopped Conficker

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.


coondoggie writes "If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011. According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed."


245 comments


Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39798669)

1) Get rid of Windows

2) Never use it again

Re:Two basic steps (5, Insightful)

hackula (2596247) | more than 2 years ago | (#39798691)

Troll much? Windows has nothing to do with it when you set all of your passwords to "123456".

Re:Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39798741)

Fanboy much? Conficker is a Windows worm.

Re:Two basic steps (3, Insightful)

yuhong (1378501) | more than 2 years ago | (#39798793)

True, but there are targeted attacks even in the Unix world, and if you don't keep it up-to-date, you could be owned by one of them

Re:Two basic steps (1, Insightful)

Anonymous Coward | more than 2 years ago | (#39798833)

there are targeted attacks even in the Unix world, and, if you don't keep it up-to-date, you will be owned by one of them.

FTFY

Re:Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39798857)

It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.

Re:Two basic steps (5, Informative)

Anonymous Coward | more than 2 years ago | (#39799011)

Yes, because it's completely impossible to turn that feature off. Oh wait...

http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

Re:Two basic steps (3, Insightful)

g0bshiTe (596213) | more than 2 years ago | (#39799067)

The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.

Re:Two basic steps (1, Insightful)

dkf (304284) | more than 2 years ago | (#39799145)

The difference is that unless it's a kernel update Linux doesn't really need a reboot on update.

A C library update is pretty noticeable too; you might be able to keep the kernel up, but there's not a lot of point given that virtually every user process is entangled with the library being updated. OTOH, if you're having to update the C library on a regular basis, you've got pretty serious problems anyway...

Re:Two basic steps (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39799507)

A C library update is pretty noticeable too;

ELF, ld.so, and dynamic library versioning pretty much eliminated that. Or are you one of the few that actually manually removes an old C library version and then rebuilds every single executable that complains it can't find the old version?

Re:Two basic steps (0, Redundant)

Anonymous Coward | more than 2 years ago | (#39799241)

Linux doesn't really need to be updated as a response to Windows viruses either.

Re:Two basic steps (0, Troll)

Tough Love (215404) | more than 2 years ago | (#39799583)

Yes, because it's completely impossible to turn that feature off. Oh wait...

http://windows.microsoft.com/en-US/windows7/Turn-automatic-updating-on-or-off

If you don't want them "forced down your throat", maybe you should change the setting to instead notify you that they exist and then let you pick and choose which ones you want to install as well as those you want to ignore permanently? How is that any different from any of the automatic update services in Linux distributions bugging you to update and you continually ignoring them?

I use Windows maybe twice a year and I am not going to spend hours fiddling with settings just for that. On Linux it Just Works[tm] and I usually do not have to reboot, even on the rare occasions there is a critical patch.

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39799087)

At least it's once a month instead of every day *cough cough* ubuntu.

Re:Two basic steps (5, Informative)

a90Tj2P7 (1533853) | more than 2 years ago | (#39799175)

It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.

1) Just as a point of clarification, Patch Tuesday is only once a month. And there's usually only about a dozen or so, only some of which are genuinely "critical". Obviously that varies though. 2) Windows Update has been a lot better for years, ever since Vista. There's nothing wrong with it now. You might be able to complain about the default settings, but they're right there and they're pretty straightforward. If you're logged in and it's set to restart automatically, it prompts you to restart or postpone it. And, obviously, you can shut down the automatic reboots or the automatically downloading/installation of updates. Besides, since moving Windows Update to an actual program after XP, there's also been a lot fewer updates that seem to require restarts. With XP, it seemed like you had to restart every single time you ran updates. Vista/7's a lot better with that.

Re:Two basic steps (1)

Anonymous Coward | more than 2 years ago | (#39799281)

Sure, you can choose to update at your leisure (as you can on a Windows box, btw), and that includes not updating, which is the condition the article describes, and then your Linux system is in a better position.. how?

Re:Two basic steps (1, Troll)

Tough Love (215404) | more than 2 years ago | (#39799565)

It's nothing like the Windows situation where you get a bag of critical patches forced down your throat every Patch Tuesday, and then your Windows box loves to reboot right in the middle of whatever you are doing. Sheesh.

No possible way to construe that as a troll, it is a fact. About Windows. The worst operating system ever forced on the world by illegal means.

Re:Two basic steps (0, Insightful)

Anonymous Coward | more than 2 years ago | (#39798893)

I think the joke is, for once, Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.

So of course they're going to get every last inch out of that little sound bite. Of course anyone at Microsoft condemning people for not, "sticking to security basics" is laughable.

Re:Two basic steps (4, Informative)

toadlife (301863) | more than 2 years ago | (#39799197)

Microsoft gets to say, "hey we patched that before it was a problem". That's an unusual position for them to be in.

It's actually not an unusual position for them to be in at all. The vast majority of major Windows worms exploited vulnerabilities that had long been patched.

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39799529)

You forgot to finish that last sentence:

...but the user experience with older OS updates was so terrible that most users had turned it off.

Re:Two basic steps (3, Insightful)

farrellj (563) | more than 2 years ago | (#39798897)

Please name a Unix based attack that is equivalent to the malware being discussed.

Re:Two basic steps (3, Insightful)

Anonymous Coward | more than 2 years ago | (#39799471)

That's a false argument. You give me equal amounts of clueless users using Linux as they are with Windows and I'll name one.

The vast vast vast majority (I'd say 90+%) of Linux PCs are (1) servers that are administered professionally or (2) locked down cell phone OS or (3) desktops that geeks use. There is no way you're going to be in the same situation as Windows is with that kind of demographics.


Re:Two basic steps (1)

jedidiah (1196) | more than 2 years ago | (#39799031)

Even if you do keep it up to date, you could get potentially "owned" by someone. That's why it's a better idea to be more proactive and keep track of likely attacks and black list the attackers.

It also helps not to leave things in a state where they can be exploited to begin with.

Re:Two basic steps (0, Troll)

Tough Love (215404) | more than 2 years ago | (#39799607)

Insightful? Give me a break. Ditto for this troll's other posts.

Microsoft up to its usual tricks.

Re:Two basic steps (5, Insightful)

hackula (2596247) | more than 2 years ago | (#39798837)

Fanboy? No, I actually run Mac and Linux at home and I program cross platform at work. The fact that Conficker happened to be for Windows has nothing to do with this. Running old software with weak passwords is a recipe for disaster on any existing OS.

Re:Two basic steps (2)

stephanruby (542433) | more than 2 years ago | (#39799585)

Part of the problem is also running unlicensed Windows, since those people that do -- don't get the security updates (or they may just turn off updates because they don't want to be tracked, or have some of their functionality remotely shut down). At least with Linux, there isn't much of an issue there. If someone wants to stop paying Red Hat/Fedora, they can just switch to CentOS. That's it.

And really, this wouldn't be a problem for the rest of us, except that those zombie PCs can affect the rest of us, even those of us that run legitimate copies of everything. This is just like when some parents decide to not vaccinate their children, or decide to use antibiotics for every little cold (without finishing the prescription). This is technically their decision, but then again, their decision can adversely affect the rest of us.

Re:Two basic steps (2, Insightful)

YodasEvilTwin (2014446) | more than 2 years ago | (#39798867)

If everyone stops using Windows then there will be no Windows worms, and the next popular OS will be targeted. That's economics. It's been shown repeatedly that Windows is more secure than Mac OS, just for example. Let's not argue about Linux. In fact, let's not argue about the fact that people should stop being stupid about security. The platform is really not as relevant.

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39799217)

Windows more secure than OS X? HAHAHAHAHA! Good one. Got any more funny jokes?

Re:Two basic steps (-1)

Anonymous Coward | more than 2 years ago | (#39799439)

Actually, the Parent is correct. Windows is a lot more secure than OS X, however, there are more attacks daily on Windows than OS X. This may seem like a contradiction, except that the Parent explicitly brings light to how this is possible in their post. Obviously, you are a Microsoft hater or Mac Fanboy, so let me break it down into very small chunks for you to comprehend:

1> Microsoft has a much larger market share than OS X or Linux for the desktop, this means that it is not worth a malware author's time to go after a smaller piece of the pie.

2> a Corollary to point #1 is that the average user may find patching their OS to be pointless/not worth their time (see the troll above), thus meaning that there are more possibilities for unpatched machines on the more widely used OS. This is not Microsoft's fault, nor does it accurately reflect the security of the OS.

If you add 1 and 2 you get basic economics = it makes more sense to go after the much easier target, which is the dumb end-user who is willfully ignoring their security updates, and statistically more likely than not using Windows.

To use a car analogy: Honda decides that all 2012 car models are going to come out with a fancy new car alarm, which means, off the showroom floor it is more secure than the Ford equivalent. However, the car alarm requires a wire to be replaced every month - a five minute job that Honda has told its shops to offer for free. Market share shows that 75% of new cars purchased this year are the secured Honda. Jim has bought a new Honda. Because Jim is an idiot, he never takes the car into Honda's shops to get the wire replaced, after all that's five minutes out of his month! Jim also leaves the keys in the ignition of his car, and parks it on the street in Downtown New York City (clicking on links without thinking, weak passwords (password1), etc). Tim sees Jim's Honda and notices that the doors are unlocked, the keys are in the car, and the security light is blinking, meaning that the wire needs to be replaced. Tim proceeds to steal Jim's car. This is not Honda's fault, and the unsecured Ford is not more secure than the Honda, Jim is just a moron.

Re:Two basic steps (2)

cpu6502 (1960974) | more than 2 years ago | (#39799521)

>>>shown repeatedly that Windows is more secure than Mac OS

I've never heard that before. Where has it been shown? Where does Linux fall? More or less secure than Mac?

Re:Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39798871)

Fanboy much? Conficker is a Windows worm.

Wow, we have a serious Microsoft Spinbot infestation problem today.

Re:Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39799517)

Fanboy much? Conficker is a Windows worm.

Wow, we have a serious Microsoft Spinbot infestation problem today.

Microsoft Spinbots are beginning to outnumber real people. I wonder how much it pays?

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39798761)

Revised: Step 1) Stop using computers

Re:Two basic steps (1)

jedidiah (1196) | more than 2 years ago | (#39798815)

It does on any reasonably well managed corporate machine.

Why can't that be the default in the consumer OEM copy?

Although the service in question likely has no business being anywhere it can be exploited anyways.

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39798891)

To be fair...

If Windows had a halfway decent package manager, most people would actually keep their stuff up to date instead of updating when they feel like it...

Re:Two basic steps (4, Insightful)

Opportunist (166417) | more than 2 years ago | (#39799221)

For this to work, companies would first of all have to agree to run their update process through said package manager. You don't think this will ever happen, do you?

What bugs me about Windows is that there is very often no way to do an unattended update at a certain time for many "packages". Windows being the notable exception. The average Windows day for the average customer runs a bit like this:

"Ok, I'd like to play a game. Let's double cli... huh? Oh, Acrobat update. Ok.... yes, accept license... wait ... download patch, watch download bar move... installing... watching bar move ... ok, we're set. Now lemme... huh? Oh, virus killer. Ok, 'tis important, go ahead and update yourself. Yes, license agreement... waiting for download (because experience taught us that you better NOT try to do anything as system critical as starting a game while something is being patched. Could upset the copy protection trojan). Huh? Failed? Oh, because the Acrobat update didn't finish yet. Ok, it's finished now insta... restart."

"And we're back after the break. Now, for the antivirus. download ... update... huh? New version? Ok, install it. Yes, I agree with the license... installing... reboot."

"Finally! Ok, first of all, let's take a look at some porn. Open Browser... oh, new version? *sigh* Ok, download and install it. ...waiting... Ok, now... huh? What happened to my plug... oh. Of course. Incompatible. Fine, but I'm not going to visit any porn pages without a decent ad blocker, so first of all, update the plugins."

(half an hour of browsing, finding them, or not finding them and searching for a replacement later ... And another few minutes later including washing your hands...)

So. Game time! Fire up Steam... updating... Ok, restart steam... While it's doing that, let's start Teamspeak... Oh. Updating... must be patch day all over the world...

Finally a good game of $whateverfps. Huh? Patch? I don't wanna, not again! Oh, no multiplayer without, huh? Ah, anti cheat stuff. Ok, make it so...

And so on, and so forth. THIS is what actually bugs me about Windows. The piecemeal updating process. You can't just keep your machine running to have it update its stuff and actually, you know, USE it when you are sitting in front of it. It seems to be critical to steal the user's time and show him that they actually patch their half baked software.

And it's not like the software (and its patchers, launchers and oh-so-important taskbar tools) wouldn't run anyways and could technically do a daily check for updates. Dear Adobe, care to inform me why you insist that your launcher is running (and turning it off only means it gets reinserted into the Run key as soon as I dare to open an Acrobat document) and steals my ram for zero return, yet STILL require me to be present for every damn update you might want to run? Why is there no option in Steam to automatically patch and restart Steam if I'm not currently playing a game?

Rolling that all into a single package handling goodie would be a blessing. And MS actually manages to do just that with their updates, the kicker is that of all the various companies that have their fingers in my system, MS bugs me the least!

Re:Two basic steps (0)

Anonymous Coward | more than 2 years ago | (#39799065)

What's wrong with a password of "123456"?

It's 20% better than the combination on my luggage.

Re:Two basic steps (-1, Troll)

Tough Love (215404) | more than 2 years ago | (#39798699)

3) Reveal Microsoft Spinmods on Slashdot

Re:Two basic steps (2)

Anonymous Coward | more than 2 years ago | (#39798915)

1) Get rid of Windows

2) Never use it again

Because if we get rid of Windows, all the malware writers in the world will give up and stop trying to steal money from people who don't update software and use "pa55word" as their password...

Re:Two basic steps (5, Insightful)

Opportunist (166417) | more than 2 years ago | (#39799413)

It's really hard for me to say that, but getting rid of Windows isn't going to do jack. Idiots using computers will be vulnerable to malware, no matter what kind of OS they use. Unless the OS is secured away from its user, there is no safety if the user himself is the biggest security hole.

The key to the whole issue is the Dancing pigs [wikipedia.org] problem. In a nutshell:

"Given a choice between dancing pigs and security, users will pick dancing pigs every time."

People don't even notice the warning message, and they don't care. Why? Because they got way too used to it. UAC pops up and wants you to say yes to something, and people will click yes without thinking what's going on. Why? Because they learned the wrong lesson. The lesson they SHOULD have learned is that this window tells them to go and think whether what they are about to do should really require administrative privileges. Should displaying some childish webpage require the rights to dig into your system's bowels?

What they learned is "if I click no, it does not work". That's pretty much it, this is the way people work and think. They don't WANT to know what this window means. For them, it could as well not exist and if anyone ever tells them how to turn it off (and yes, you can), they will without thinking twice and be grateful that they got rid of that nuisance. And, bluntly, it doesn't make a lick of a difference for them anyway!

Why the heck would this be different with, say, SE-Linux? You know SE-Linux? Allegedly one of the more secure and hardened Linux flavors in the world. Hand it to Mr. Moron now using Windows 7 and it will be "pwned" in minutes. Allow me to illustrate.

Let's assume he is using Linux, even properly configured by a good friend of his who made the horrible mistake of telling him the root password. In comes my trojan, disguised as some kind of, say, torrent speed enhancer. I'll even be blunt and forward in the reasoning just why he has to install it as root.

"The software needs elevated privileges to install and properly configure the device driver needed to establish a secure connection with the controlling server to maximize the success and streamline the process. This also allows the software to work without any user interaction necessary, you will not have to enter the password ever again for this software to function properly"

In short, let me install my rootkit and hook up a connection to my bot herder server.

What will Mr. Moron read in this sentence? He doesn't understand it, at least not all of it, but he knows a few words out of that and here's what he puzzles together from this:

"The software ... technobabble ... install and properly configure (ok, it does that by itself, I guess, but only if I type in the password. If I don't, it probably won't work properly)... more technobabble ... server (server is good, I want to connect to one. I think) to maximize the success, streamline process (yeah, I want that!). No user interaction necessary later on. Never have to type the password again (great, so just once and then it works on its own. 'k, no problem, once doesn't count, right?)"

He WILL hand over his credentials. Without thinking twice. And he will have forgotten about it before the trojan makes his first report to his controlling server.

It doesn't matter what system you give him. Security is the minimum of the system's capabilities and its user's capabilities. Not the average. The minimum thereof.

Lol (0, Funny)

Anonymous Coward | more than 2 years ago | (#39798697)

Me Ballmer! Me blame users for our security holes! Ooh ooh ohh ooh! *hurls chairs* Get out now! Me angry!

Applying security patches is a good idea? (5, Funny)

Gothmolly (148874) | more than 2 years ago | (#39798703)

So basically they're saying if you had better passwords and applied patches, you'd avoid security problems?

Nice to see MS on the cutting edge of security research.

Re:Applying security patches is a good idea? (0)

Anonymous Coward | more than 2 years ago | (#39798825)

You have a condescending tone, because you did not catch the condescending tone that MS researchers had when writing the report.

Reread it as "Oh look, if you'd actually done what everyone has told you to for years, this would not have spread. PEBCAK error as usual."

Re:Applying security patches is a good idea? (2)

Cro Magnon (467622) | more than 2 years ago | (#39799029)

Which is more than you can say for too many of its customers.

Why are we still using passwords? (4, Insightful)

betterunixthanunix (980855) | more than 2 years ago | (#39798739)

We have better authentication methods, we are just not bothering to deploy them. How many times do passwords have to fail before we acknowledge that they do not provide the sort of security that we need?

Re:Why are we still using passwords? (4, Insightful)

Lunix Nutcase (1092239) | more than 2 years ago | (#39798751)

We were waiting on you to implement it since it's so easy of a change to make.

Re:Why are we still using passwords? (1)

betterunixthanunix (980855) | more than 2 years ago | (#39798797)

Did I say it was easy? Yes, it will take work, but we are not even trying right now. Does your bank offer anything better than passwords?

Re:Why are we still using passwords? (0)

Anonymous Coward | more than 2 years ago | (#39798843)

My bank uses a one-time pad in addition to the basic user id + password combination.

Re:Why are we still using passwords? (5, Informative)

arth1 (260657) | more than 2 years ago | (#39799113)

My European bank used a one-time pad in addition already 13 years ago. They replaced it with a code generating card a while ago, for improved security (no one can make a copy of a code that's not generated yet).

My US bank still uses plain passwords.

It also uses debit and credit cards with just a magnet strip (which European stores won't accept anymore), and offers cheques (which the rest of the world stopped using in the 80s). And forget about having a giro system or SWIFT. It's truly like the dark ages over here.

Re:Why are we still using passwords? (1)

Desler (1608317) | more than 2 years ago | (#39798873)

They must be since otherwise what was the point of your snotty post? They might not be 'bothering' to deploy them because they aren't necessarily better nor easy to deploy.

Re:Why are we still using passwords? (2)

hackula (2596247) | more than 2 years ago | (#39798879)

Did I say it was easy? Yes[.]

Sorry, I could not resist.

Re:Why are we still using passwords? (0)

Anonymous Coward | more than 2 years ago | (#39798899)

Did I say it was easy? Yes, it will take work, but we are not even trying right now. Does your bank offer anything better than passwords?

My bank uses hardware for user authentication. Are you seriously suggesting that every single place I have a password is supposed to snail mail me a physical device so I can authenticate myself? Exactly what simple and universal method of user authentication that can replace passwords in every device, site and service are you talking about?

Re:Why are we still using passwords? (1)

Opportunist (166417) | more than 2 years ago | (#39799461)

My bank offers text messages with one time password. After they found out that even printed OTPs can be abused.

Believe it or not, I've analyzed a trojan that got by OTPs myself. Really clever. Relies on the fact that what you see and what gets transmitted isn't necessarily the same in the average browser.

Re:Why are we still using passwords? (0)

Anonymous Coward | more than 2 years ago | (#39798809)

Alternatively,

We were waiting for the SSN replacement so we didn't have to update the same field twice.

Re:Why are we still using passwords? (0)

Anonymous Coward | more than 2 years ago | (#39799547)

Step 1: Websites start using OpenID en masse
Step 2: OpenID providers can implement whatever authentication mechanism they wish
Step 3: If your OpenID provider does not use another auth mechanism, at least you only have 1 password, and people might actually be able to remember more complex passwords (without trying to use different passwords for every site)

Optional Step 4?: OpenID browser addons
It is not up to "betterunixthanunix", it is up to any individual website to choose the right path.
Frankly I'm sick of creating a username/password for every tiny phpBB forum(etc) I want to participate in.

biometrics are not that much better and don't to w (2)

Joe_Dragon (2206452) | more than 2 years ago | (#39798765)

biometrics are not that much better and don't to well for say a sheared admin or other maintenance password.

Re:biometrics are not that much better and don't t (1)

Sique (173459) | more than 2 years ago | (#39798839)

If possible and if the systems in question allow for it, you could still authenticate the admin with RADIUS+, and have the access to the RADIUS+ server done with two factor authentication or biometrics.

Re:biometrics are not that much better and don't t (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39798935)

what about local admin / laptops that may not be linked to the sever?

Re:biometrics are not that much better and don't t (3, Funny)

Pope (17780) | more than 2 years ago | (#39799381)

Severed and sheared? Your workplace sounds way too violent.

Re:Why are we still using passwords? (3, Insightful)

DdJ (10790) | more than 2 years ago | (#39798823)

We have better authentication methods...

Would you kindly name three?

(Please be specific. Then, we can explain how for a given set of reality-based situations, they're not in fact actually "better".)

Re:Why are we still using passwords? (0)

Anonymous Coward | more than 2 years ago | (#39798895)

how about a RSA security key that syncs up with a database so you can use the same "password" everywhere and it is always secure.

Re:Why are we still using passwords? (2)

Desler (1608317) | more than 2 years ago | (#39799019)

I hope you aren't referring to SecurID tokens...

Re:Why are we still using passwords? (1)

hackula (2596247) | more than 2 years ago | (#39798969)

Requiring a lower case, an upper case, a symbol, disallowing dictionary attack prone words, and a minimum password length of 12 would probably go a long way. Most companies do not do this because they care a lot less about the customer's security than they care about their checkbook (Mine included. Most customers complain if you give them more security.).

Re:Why are we still using passwords? (2)

a90Tj2P7 (1533853) | more than 2 years ago | (#39799051)

That's a bit extreme for normal users. The more complexity you force on them, the more likely they are to just write the password down. It's generally accepted to force 8 characters minimum, 3 character types (between lower-case letters, capital letters, numbers and symbols) and not allow them to use any of their last 5 passwords or change the password again on the same day. Now admin accounts, 15 characters is reasonable.

Re:Why are we still using passwords? (2)

b0bby (201198) | more than 2 years ago | (#39799411)

That's a bit extreme for normal users. The more complexity you force on them, the more likely they are to just write the password down.

I have to say, in a small office environment, I'm less worried about people writing down passwords than having easy passwords which can be brute forced remotely. But I agree that 8 random characters with upper, lower & numbers should be enough for normal stuff.

Re:Why are we still using passwords? (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39799073)

That kind of policy is the reason why people use P@ssword0000001 as their password, and then increment it by one every time they're forced to change.

Re:Why are we still using passwords? (4, Interesting)

arth1 (260657) | more than 2 years ago | (#39799267)

Indeed.

And not only that, but by imposing published restrictions on the password, you reduce the number of possible passwords, making brute force attacks easier.

Just by saying "at least one digit", you reduce a brute force attacker's job by at least a factor of 9.5 (given you use ASCII; even more if you allow ISO-8859-x or Unicode). You reduce the time until any random password is cracked by about an order of magnitude. Or, put another way, the cracker can use a partial rainbow table that covers almost ten times as much of the total space.
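The keyspace effect arth1 describes can be computed exactly by inclusion-exclusion. The following is an added example, not code from this thread; it assumes a 94-symbol printable-ASCII alphabet (space excluded) and generalizes from the single "at least one digit" rule to any set of required character classes, also reporting how much extra length restores the lost keyspace.

```python
"""Keyspace arithmetic for published password composition rules.

Added example (not from the original thread). Counts the passwords that
satisfy "at least one character from each required class" and compares
that with the unconstrained set of the same length. All counts are exact
integers; nothing is sampled or cracked.
"""
from itertools import combinations
from math import log2

# Assumed alphabet: printable ASCII without space = 94 symbols.
DIGITS = 10
UPPER = 26
LOWER = 26
SYMBOLS = 94 - DIGITS - UPPER - LOWER   # 32 punctuation characters
ALPHABET = DIGITS + UPPER + LOWER + SYMBOLS  # 94


def unconstrained(length: int, alphabet: int = ALPHABET) -> int:
    """Number of strings of the given length over the alphabet."""
    return alphabet ** length


def with_required_classes(length: int, class_sizes, alphabet: int = ALPHABET) -> int:
    """Number of strings containing at least one symbol from EACH listed class.

    Inclusion-exclusion: for every subset S of classes, count the strings that
    avoid all classes in S (alphabet shrinks by their sizes) and add it with
    sign (-1)^|S|.
    """
    total = 0
    k = len(class_sizes)
    for r in range(k + 1):
        for missing in combinations(range(k), r):
            reduced = alphabet - sum(class_sizes[i] for i in missing)
            total += (-1) ** r * reduced ** length
    return total


def reduction_factor(length: int, class_sizes, alphabet: int = ALPHABET) -> float:
    """How many times smaller the rule-compliant set is than the full set.

    A brute-force search restricted to compliant strings shrinks by this factor.
    """
    return unconstrained(length, alphabet) / with_required_classes(length, class_sizes, alphabet)


def lost_bits(length: int, class_sizes, alphabet: int = ALPHABET) -> float:
    """Keyspace lost to the rule, expressed in bits of entropy."""
    return log2(reduction_factor(length, class_sizes, alphabet))


def extra_length_to_compensate(length: int, class_sizes, alphabet: int = ALPHABET) -> int:
    """Smallest extra length at which the rule-compliant set is at least as
    large as the unconstrained set of the original length."""
    target = unconstrained(length, alphabet)
    extra = 0
    while with_required_classes(length + extra, class_sizes, alphabet) < target:
        extra += 1
    return extra


if __name__ == "__main__":
    policies = {
        "at least one digit": [DIGITS],
        "digit + upper + lower": [DIGITS, UPPER, LOWER],
        "all four classes": [DIGITS, UPPER, LOWER, SYMBOLS],
    }
    for n in (8, 12, 15):
        print(f"length {n}: unconstrained = {log2(unconstrained(n)):.1f} bits")
        for name, classes in policies.items():
            print(f"  {name:24s} factor {reduction_factor(n, classes):6.2f} "
                  f"({lost_bits(n, classes):.2f} bits lost, "
                  f"+{extra_length_to_compensate(n, classes)} char(s) to compensate)")
```

The output shows that a composition rule costs roughly one to two bits at typical lengths, while each extra character of length adds about 6.5 bits, which is the trade-off the discussion above is circling.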

Re:Why are we still using passwords? (3, Insightful)

jedidiah (1196) | more than 2 years ago | (#39799273)

That's only necessary if you are forced to change your password frequently.

Then you're stuck with coming up with new passwords all the time and something that you will actually remember. (assuming you don't just start writing them down)

Re:Why are we still using passwords? (3, Insightful)

Desler (1608317) | more than 2 years ago | (#39799369)

And when you start doing that the user will then just write their password on a sticky note since it'll be complex to remember. And if other sites have the same policies they will just duplicate that password around. So, you've just made things more insecure.

Re:Why are we still using passwords? (2)

houghi (78078) | more than 2 years ago | (#39799045)

People always talk about passwords without looking at the other part: usernames.
Often I am not able to select my username. I have more usernames than passwords. At work I have one password, which is less secure than it could be, because I need to change it every month.
I have at least 7 different usernames.
first letter first name up to 8 characters total with the last name
first letter and full last name
3 letters first name up to 8 for the last name
last name only
first name only
department name
company name

This is at work. That does not imply that it is all from the company I work at. Several are from external companies. And I also did not count the usernames I need to share and thus are not really mine.

And this company is not that bad. With another I had also 3 different digipass machines and for 1 application I needed 3 different logins and passwords.

The reason that passwords are still used is because security is seen as a problem that involves only one user on one server with one access. It does not take into consideration the fact that people have many places they need to access.

Han Solo said it best (5, Funny)

swm (171547) | more than 2 years ago | (#39798747)

It's not my fault!

Basic Security? (0)

Anonymous Coward | more than 2 years ago | (#39798771)

Is that like locking your doors? But what if I need to run into my house in order to escape a horde of Zombies? What if I need to run into somebody else's house? What if my wacky neighbor needs to come in and deliver a punchline?

People just don't think!

Conversely, (0)

Anonymous Coward | more than 2 years ago | (#39798813)

The software had a poor security model that allowed poor passwords, did not educate the customer with what a 'good' password choice is, and did not have a convenient update system easily understood by the customer.

And it's your friggin customers -- understanding how they work with your software is your core business. This is an interface failure.

Re:Conversely, (2)

Desler (1608317) | more than 2 years ago | (#39798965)

Because you can't use poor passwords on Linux or any other *nix system? Oh wait, you can. And when I've set my password using anything from Ubuntu to Slackware there was no educational text telling me not to use bad passwords or anything of the sort. But don't let facts get in the way...

Re:Conversely, (1)

lister king of smeg (2481612) | more than 2 years ago | (#39799303)

you generally don't have to tell a nix user because they already know

Re:Conversely, (1)

arth1 (260657) | more than 2 years ago | (#39799337)

Ubuntu and Slackware don't use pam_cracklib.so or similar?
That's news to me.

Re:Conversely, (1)

Desler (1608317) | more than 2 years ago | (#39799457)

I didn't say that, but the default behavior especially in both Debian and Ubuntu, which I just checked, didn't stop me from setting my password to 'password' or '123456'.

Re:Conversely, (1)

Locutus (9039) | more than 2 years ago | (#39799341)

so where did the parent say anything about Linux or *nix being better, worse or anything? Since you brought it up, are you now saying that Linux and/or *nix are consumer OS's? Strange because that's not what we usually hear from the Windows lemming crowd.

Besides, I've seen and used *nix systems which wouldn't allow weak passwords so it's doable.

LoB

Patching existing vulnerabilities (2)

damn_registrars (1103043) | more than 2 years ago | (#39798861)

We had the conficker worm run wild at my work not long ago. Even systems that were well secured by passwords ended up falling victim to the worm due to unpatched vulnerabilities. Yes, bad passwords don't help, but Microsoft needs to own up to the fact that a worm such as conficker is perfectly capable of infecting well-secured (password-wise) machines if they are not patched for the vulnerabilities that Microsoft left behind.

And being as some patches and updates break compatibility with critical software, patching is not always a trivial matter. Some systems need to stay essentially frozen in time with regards to updates, while still being on the network. Of course then an infected system is added to the network and away we go again.

Re:Patching existing vulnerabilities (0)

Anonymous Coward | more than 2 years ago | (#39799059)

From what I know, conficker exploited MS08-067 [microsoft.com]. This is a critical exploit in Server service in Windows which allows remote code execution; weak passwords maybe contributed but I'm sure it wasn't a primary factor in conficker spread, otherwise we would have a lot of worms infecting hundreds of thousands using this method.
Just because you have systems frozen in time you shouldn't just leave them connected to the network; implement additional controls: stop all the non-essential network listening services running on the system (especially Server service), and implement a strict firewall to the system.

Two simple steps (1)

XiaoMing (1574363) | more than 2 years ago | (#39798877)

If only:
1. Everyone were meticulous in following the guidelines which require passwords being more shift+number than letters, and capable of memorizing new ones on a regular schedule.
2. Everyone kept better care of their computers (regular updates) than they do for their own bodies (regular physicals, anyone?).
Then we could have prevented this whole thing!

Real world implications of having to remember numerous non-dictionary passwords, and expecting those who see the computer as a magic box to the interwebs to treat it better than many of them probably do their cars as far as maintenance goes, is far beyond simple.

They might as well be saying that mentally wiring humanity differently is simple. And that's just silly for Microsoft to say (because that's Apple's mindset!).

Like autorun? (3, Informative)

Anonymous Coward | more than 2 years ago | (#39798881)

Which wasn't even properly disabled when you tried to disable it through the UI in Windows. Who were the idiots not following security best practices when they came up with that idea? Infected flash drives and non-disabled autorun were the main vectors for Conficker around here.

Microsoft hasn't changed (-1)

Anonymous Coward | more than 2 years ago | (#39798887)

I should expect an answer like this from MicroSoft. Weak passwords and systems that aren't updated, the finger points away from MicroSoft and towards the user. Maintaining unique strong passwords is truly a serious burden on the user. Updates, on top of being a burden, are a chance for intrusion that MicroSoft is way too eager to exploit.

Microsoft Intelligence (0)

Anonymous Coward | more than 2 years ago | (#39798925)

Just two attack methods:
1. weak passwords
2. stolen passwords
3. software vulnerabilities

'nuff said

plu5 3, troll) (-1)

Anonymous Coward | more than 2 years ago | (#39798953)

to an7 BSD project,

How many can't patch? (0)

chill (34294) | more than 2 years ago | (#39798973)

What percentage of infected machines had pirated copies of Windows XP and couldn't get patches because of "Genuine Advantage" validation?

If Microsoft really wants to help the security situation, when XP is officially EOLed remove the restriction on herring all the updates.

Re:How many can't patch? (1)

chill (34294) | more than 2 years ago | (#39799009)

Herring. Thank you Android auto-correct.

Re:How many can't patch? (1)

Anonymous Coward | more than 2 years ago | (#39799133)

I seem to recall that Microsoft allows everyone to install security updates, even if their license doesn't pass validation. I know a couple people running pirated Windows 7 and they're fully up to date, Windows Update doesn't complain at all about licensing.

having to change passwords all the time leads to w (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39798981)

having to change passwords all the time leads to weak ones or the password being put on a post it note.

Re:having to change passwords all the time leads t (1)

CanHasDIY (1672858) | more than 2 years ago | (#39799179)

having to make up your own passwords, then having to change them all the time leads to weak ones or the password being put on a post it note.

FTFY.

I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case letter, and 1 number, still changes every quarter.

With a faculty of about 150 users, we cracked approximately half of the user-defined passwords within 5 minutes of firing up JtR. My personal favorite was cracked in less than half a second:

Dolphin1

My experience is, it's less about how often the passwords change, and more an issue of users not having a good sense of what it takes to secure their data.
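The gap between "satisfies the policy" and "is hard to guess" that this comment describes, as an added example that is not the commenter's code: the checker below implements the composition rule quoted above (8+ characters, one upper, one lower, one digit) beside a small cracklib-style quality check that normalises a candidate (lower-case, undo common letter-for-symbol substitutions, strip leading and trailing digits and punctuation) before comparing it with a word list. The word list and the substitution table are constructed for the example; a real deployment would use a full dictionary such as the one cracklib ships.

```python
"""Composition rules versus guessability.

Added example, not code from the thread. Shows that a password can satisfy
"8+ chars, upper, lower, digit" and still be a dictionary word with a digit
glued on. WORDLIST and LEET are constructed stand-ins, not real data.
"""
import re
import string

# Constructed mini word list; a real check would use a full dictionary.
WORDLIST = {"dolphin", "password", "welcome", "summer", "letmein", "monkey"}

# Assumed substitution table for undoing common letter-for-symbol swaps.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})


def meets_policy(pw, minlen=8):
    """The composition rule from the thread: length, upper, lower, digit."""
    return (len(pw) >= minlen
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def normalise(pw):
    """Collapse the usual decorations so that 'Dolphin1' and 'P@ssword0000001'
    both reduce to the dictionary word they were built from."""
    core = pw.strip(string.digits + string.punctuation)  # drop prefix/suffix decoration
    return core.lower().translate(LEET)


def weakness(pw):
    """Return a reason the password is guessable, or None if no heuristic fires.
    Checks run in rough order of how cheaply a word list covers them."""
    core = normalise(pw)
    if not core:
        return "only digits and punctuation"
    if core in WORDLIST:
        return f"dictionary word '{core}' plus decoration"
    if len(set(pw.lower())) <= 3:
        return "too few distinct characters"
    if re.search(r"(.)\1{3,}", pw):
        return "long run of one repeated character"
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", pw):
        return "letters followed by a short number (year/counter pattern)"
    return None


def audit(pw):
    """Both views side by side: a password can pass the rule yet be weak."""
    return {"policy_ok": meets_policy(pw), "weakness": weakness(pw)}


if __name__ == "__main__":
    # "k9$Qz2!Mv7" stands in for the auto-generated strings the comment describes.
    for candidate in ("Dolphin1", "P@ssword0000001", "Summer2012", "k9$Qz2!Mv7"):
        print(candidate, audit(candidate))
```

Running the block prints a policy pass for every candidate but a weakness for the first three, which is the point of the comment: the composition rule alone does not distinguish a generated string from a dictionary word with a counter appended, so a set-time quality check (or generated passwords, as the commenter's first employer used) is what actually changes the outcome.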

Re:having to change passwords all the time leads t (2)

tlhIngan (30335) | more than 2 years ago | (#39799593)

I used to work for a public university; when I started there, our passwords were auto-generated random strings of 8-12 alphanumerics and symbols, and we received new passwords every fiscal quarter. Our security team would run various password cracking apps on the systems, and only once did an auto-generated password get cracked.

Two years after I started there, they changed the password policy - users had to make up their own passwords. Still minimum 8 characters, at least 1 capitalized letter, 1 lower case letter, and 1 number, still changes every quarter.

With a faculty of about 150 users, we cracked approximately half of the user-defined passwords within 5 minutes of firing up JtR. My personal favorite was cracked in less than half a second:

Dolphin1

My experience is, it's less about how often the passwords change, and more an issue of users not having a good sense of what it takes to secure their data.

Or there's a mismatch between IT's perception of security with the user's. What did the password to your accounts control? If it was just access to a PC in the lab, most users would just go "meh" as they have their own PCs. And if it had any data, it would be schoolwork, work not regarded as super-secret.

OTOH, if it actually was important to them, say, it held the meal plan credit or something, they'd pick more secure passwords (if someone breaks in, I could starve).

Ditto grades and transcript - for a lot of people, they don't care if a determined hacker sees their grades - big whoop.

You'll find the same thing applies to corporate users as well - they feel the stuff they do isn't as important as the company makes it out to be, and thus end up going "why bother - what can a hacker do with my data?".

One of IT's jobs is to stress how important the data is, and why. The HR person may not care about the data (it's not THEIR data), but they should because all the employee information is in there. What IT needs to stress is that aspect - that so few people have access to that information, should it get out, suspicion would fall on them.

Re:having to change passwords all the time leads t (1)

clarkn0va (807617) | more than 2 years ago | (#39799307)

And MS knew that. [microsoft.com]

Passing the buck? (1)

Ichijo (607641) | more than 2 years ago | (#39798991)

...exploiting software vulnerabilities for which updates existed.

Seeing as Microsoft wrote it in the first place, I think it's fair for them to share some of the blame.

Well, kinda. There is flawed reasoning here. (3, Insightful)

shumacher (199043) | more than 2 years ago | (#39798997)

The assumption here is that an attacker choosing the easiest way has no other route. It would be safer to say that the route used by the worm would have been unavailable if basic preventative steps had been taken.

It's like the old joke. "Ever wonder why whatever you're looking for is always in the last place you look?" "Well, sure, once you've found it, why keep looking?"

Microsoft seems to think the authors would have stopped looking without finding an exploit route. Instead, they found one, and stopped looking.

Better authentication? (3, Insightful)

140Mandak262Jamuna (970587) | more than 2 years ago | (#39799001)

Each and every site admin comes up with a different idea for more secure authentication. Then clueless management insists on dumbing it down, shredding what little remains.

For example E-trade will give you the RSA key fob. Am I supposed to get a dozen key fobs from each of my bank, brokerage, mutual fund, and 401-K administrator? Schwab would not let me use special characters in passwords. I think they also have a ridiculous 8 char limit. In this day and age where GPUs are being used for dictionary attacks? 8 char? Fidelity wanted an all numeric password because they wanted the phone based log-in used by their older customers to work in web too. On top of all that they have the password reset procedure which asks for stuff that you can find on the facebook profile.

Then there is idiotic Paychex, which will lock you out after two failed login attempts. There is this site securetransfer.com that requires some 16 char password with at least two capitals, two numerals and two special characters to get 100% strong password quality rating. Then there are clueless admins who tell you "never write down the password". Hello! Is there any end to this password madness?

Why can't they give me two levels of access? Read only access that lets me see account balances and verify that the check has cleared. And the write access that requires one more password that allows me to transfer funds and trade securities. Maybe even a third level password to send cash out of that institution to outside.

Prompt passing (1)

sjames (1099) | more than 2 years ago | (#39799021)

I just got caught up on some of my reading. One of those articles was about how people who 'foolishly' applied their black Tuesday patches were unable to print out their tax forms. I think that might just explain why so many systems are so far out of date.

Updates are a big part of the problem, really .... (3, Insightful)

King_TJ (85913) | more than 2 years ago | (#39799209)

It's nice to keep telling people "you wouldn't have the security issue if you did all the updates right away". But to that, I'd like to tell the OS developers something else:

You wouldn't have the concerns about unpatched systems if you designed the OS so it could apply the downloaded updates without requiring system reboots!

And yes, though I'm not a software developer, I do know a little bit about this, and why it's a "tall order" (core services you can't just delete and replace with updated versions while they're in use, etc.). But I guess I'm saying this doesn't seem impossible to overcome, if someone wanted to make the functionality a priority in a new OS's design?

Unless we reach that point, people will always be delaying installation of new updates because it interferes with work they need to get done, or they're afraid an update could potentially break something they rely on and don't have time to deal with, if it goes wrong. System patches/updates need to become a less intrusive, more seamless process -- and one that can easily "roll back" any new update that turns out to cause issues. It should automatically notify the developer when this happens, and should flag the problem update so it doesn't get re-installed (but subsequent, supposedly corrected versions DO get installed ASAP).

With today's multi-core CPUs, maybe it's even possible to design systems so two instances of the OS/application environment can be run in tandem during an update process? Hand off the running processes to a parallel copy of the current environment, invisibly to the user, when an update is about to take place. Then patch the first environment, which now has no "core services" in use by apps anymore, and shuttle the apps back over to the patched environment when it's ready?

Re:Updates are a big part of the problem, really . (0)

Anonymous Coward | more than 2 years ago | (#39799309)

Not only is it possible to overcome the rebooting issue, there are tools for Linux that allow you to update the kernel while it is in use. Essentially it is possible to update an entire Linux system while it is in use. Had Microsoft implemented a similar feature in Windows and made updating less of an "in your face" process and combined that with some built in password management that's similar to keepass but more simple and integrated then the users would have more updated systems and stronger passwords.

Re:Updates are a big part of the problem, really . (0)

Anonymous Coward | more than 2 years ago | (#39799393)

The problem is that an update might involve any part of the system. What if it's the web browser? What if it's in the C standard library? What if it's in a library that is used pervasively but there's no good way to tell who's using it, like an encryption or compression library? How do you determine what needs to be restarted and what doesn't? What happens when something like an X server needs to be restarted (where restarting it means that all of its clients also need to be restarted)?

Making sure that all the running processes in your system are completely patched without simply rebooting is a non-trivial task. Generally you end up with one of the two extremes: Windows, where you usually just reboot; and Linux, where you usually don't restart everything that was patched so you have vulnerable processes still running.

dom

Re:Updates are a big part of the problem, really . (1)

coolmoose25 (1057210) | more than 2 years ago | (#39799469)

Updates are worse than just the hassle of them. Many of the updates take away, or fundamentally change, the way the underlying software works. IIRC, iTunes had a great example of this early in their release schedule... At some point, Apple wanted to stop people from doing something with their files...like being able to turn them into MP3's or something like that. They released an "Update" that stopped that ability. (I may be remembering some other similar functionality)... Anyway, I remember consciously NOT upgrading, even though it nagged every time it started up, so that I wouldn't have this functionality removed. At some point, one of my kids clicked "Yes" and the functionality I was trying to preserve disappeared. I abandoned iTunes at that point because Amazon had finally come up with a viable music store that sold MP3's directly. About a year later, after Amazon started eating their lunch, Apple allowed "unprotected" files, but they were still AAC files, not MP3... Like I said, I never went back.

The point is that as long as companies use updates to make things that used to be free cost something now, or otherwise preclude you from doing certain things, the "safe" thing to do from a users point of view is adopt the "If it ain't broke, don't fix it" mentality, thus opening their systems to unpatched and potentially dangerously out of date software. My main point is that this isn't all the user's fault.