Microsoft’s Security Intelligence Report Volume 12, released earlier this week discusses the continuing challenges of the Conficker worm in enterprises. Conficker came about in later 2008 and continues to plague Windows systems despite patches for the originally exploited vulnerability being available for over 3 years. Conficker continues to spread via one of two methods: exploiting weak passwords or unpatched systems and according to Microsoft’s Tim Rains, in an article by eWeek, 92% of recent infections are due to the exploit of weak passwords.
In terms of exploiting weak passwords, the Security Intelligence Report states “This type of attack uses the credentials of the logged-in user to access local or network resources, or else attacks password-protected resources using a built-in list of common or weak passwords.” How is it that weak passwords are afflicting enterprises? Microsoft’s threat encyclopedia entry on Conficker C notes some of the passwords that Conficker uses including: 1234, password, and admin. While Tim Rains noted in a Network World article that some Conficker variants use key loggers, the passwords Conficker is targeting is your typical stupid passwords. Good thing you never use any of those!
But wait, doesn’t everyone use Active Directory with complex password requirements? For many organizations, the answer is probably yes, but having good GPO policies does not guarantee these settings are in place (read What GPO Security? for more insights). Weak password infections from Conficker are just as likely a result of an attack on local administrator accounts. Microsoft recommends in the Security Intelligence Report, “If local passwords are used for some resources in an organization, resource owners should be required or encouraged to use strong passwords for them as well.” Good recommendation, but how realistic is that. Ask yourself some questions:
- Is the password for your local account on you home PC (if you use one) complex?
- When was the last time you changed your password?
- Do you think users logging in with local administrator accounts in the enterprise are any different?
- What about the local administrator account that IT uses?
- Yeah the one that was imaged 5 years ago and hasn’t been changed since?
- Is it complex?
It is nice to think that everyone uses domain accounts, but that is not the case (again read What GPO Security? for more insights). Most users want to be secure, but they want computing to be easy more. Why use a complex password that is easy to forget or type when you can create a local account and login with a simple password? Most of us will choose the path of least resistance and complex passwords are more painful than simple ones.
This Conficker research confirms the need for good password security for all accounts including the ones we would like to pretend do not exist. With Arellia Local Security Solution, you can find your local administrator accounts, eliminate unauthorized accounts, and secure the authorized accounts with complex passwords and cycling intervals. Arellia is integrated with the Symantec Management Platform (SMP) allowing customers with Altiris or other SMP-based solutions to extend their investment to include configuration security. Click here for more information on Arellia solutions.