I've long been a proponent of not imposing strong login passwords on business users. There are several reasons for this, not the least is user willingness to write down complex passwords and post them where conveniently accessible—by anyone. This behavior defeats strong passwords every time.
Now there might be a reason to reconsider, maybe...
A complex computer worm has infected corporate networks and has affected more than 10 million computers this week, experts say. Infecting computers in the U.S., Europe and Asia, the Downadup worm - which focuses on Microsoft Windows - scans company networks trying to guess passwords in order to access corporate networks, experts found. If the password is guessed, the worm can then infect a computer and the entire network of servers it is connected to.
As a result, experts are calling for all computer users to install a patch from Microsoft and to use long, difficult passwords that cannot be deciphered.Source: Security patch and passwords defend against the Downadup worm, Help Net Security, 18 January 2009
It checks for a suitable computer around the network using NetServerEnum, then attempts to log on to any found computer with one of the following login credentials:
- Using the existing credentials of the infected user account; if this account does not have admin privileges on the target machine, this operation will not succeed.
- Acquiring the list of usernames from the targeted computer using NetUserEnum API, then attempting to log on to the targeted computer using the existing user accounts and one of the following passwords: (See F-Secure site for list).
The controllers of Downadup don't seem to want anything more than payment for forcing users to install rogue anti-virus software. However, infected machines (conservatively, between 500,000 and 1 million at this time) can also be forced to participate in spamming, or worse.
Like most exploits that take advantage of both system and configuration weaknesses, there are several ways an organization can protect its network from worms like Downadup.
- Patch, patch, patch. Although most organizations like to test before applying a patch, how long does it take? Or rather, how long should it take for a network manager to apply a patch for a vulnerability so critical that Microsoft issued MS08-67 outside its normal patch cycle? Effective patch management processes should enable a quick response when critical security patches are released. And you might not have to patch 100 percent of your systems to achieve a reasonable level of protection. See Herd immunity and security patching: How much patching is enough? Don't allow the excuse that every system can't be patched as a reason to ignore patching altogether.
- Be sure to set password policies that protect against internal and external attempts to bypass system access controls, including:
- Locking accounts after three to five unsuccessful login attempts.
- Forcing password changes at least every 90 days.
- User awareness about how to select a good password or passphrase, including tools to test their strength.
- Segment your network and control traffic. Limit the number of systems, including servers, an infected desktop or server can reach.
- Implement log management to quickly detect anomalous behavior.
- Implement, manage, and monitor anti-virus protection at the desktop level and for email at the perimeter and on email servers.
- Monitor for extrusion.
- Document and practice an incident response process.
There are other control layers to consider, but these should be very effective in preventing a worm like Downadup from performing as designed after gaining a foothold in your network. In any case, I still believe strong passwords are no substitute for patching and a solid layered security controls framework.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.