On Tue, Sep 19, 2017 at 1:41 PM, Steve Kinney <admin@pilobilus.net> wrote:


On 09/19/2017 07:37 AM, Georgi Guninski wrote:
> Is it still good practice to reinstall everything after you are owned?
>
> It used to be, but after reading about windows viruses I am not sure it
> is.

Well if somebody who reads the CPunk list is "fixing" a failed Microsoft
operating system, that implies that the computer in question belongs to
somebody else who demands Microsoft.  In that case, industry best
practice is to follow the most expensive path possible:  "It is morally
wrong to allow a sucker to keep his money."  The more of a client or
employer's money you spend, the more important your job appears to be
and the more /you/ can charge.

So you will want to go shopping, and buy any "upgrades" that are
available.  Assure that the anti-virus and related tools installed are
the very most expensive.  If possible replace hardware, not just
software.  Explore the potential for adding firewall appliances etc. to
the network the compromised system plugs into - every security incident
is a window of sales opportunity and, thanks to the popular press and
the efforts of Microsoft and other snake oil vendors, the sky is not
necessarily the limit.  Start building a case to change out /everything/
IT related at the shop in question for the most expensive and massively
over-built infrastructure possible - where and as this becomes possible,
it qualifies as a Total Win.

Also bear in mind that once Microsoft has been specified, "security" is
out the window and compliance with popular misconceptions and IT sales
literature constitute due diligence on the security front.  As a
practical security objective, you will want to see the largest number of
security incidents your client or employer will tolerate going forward,
as you play the part of a heroic warrior battling hordes of Evil Genius
Super Hackers on their behalf.  Do this well, with a straight face and
the assistance of talking points from your vendors, to meet the only
security objective that matters:  Your job and retirement security.

Remember that an occasional /real/ loss of important assets will assure
that your client or employer values your services very highly.  If
things get too quiet around the shop for too long, dropping a couple of
anonymous tips on security issues at your shop in "hacking" forums -
make them look like a disgruntled ex-employee looking for pay-back - can
do wonders to boost your importance in the eyes of management.

:o)

Georgi,

Yes - in addition, since some attackers have been shown to compromise not only UEFI firmware but also blobs in peripheral devices, a re-flashing of those components from HW land is needed. In many cases, this type of recovery is 'impossible'.

Practically, individuals will take a stab at guessing attacker capability, somewhere between zero sophisticated persistence and h/w re-install survivability, and act accordingly. It is difficult to get that right, if not impossible.

Broadly, the types of activities you perform on various hardware would dictate the appropriate response. For example, you might not go about generating a root CA on the computer you routinely clean adware from, and you might not consider that computer 'safe for the task' after an OS reinstall, instead favoring fresh, network-interface-stripped, or purpose-built HW.

-Travis

--