Own on install. How grave it is?

John Newman jnn at synfin.org
Thu Jan 11 09:41:55 PST 2018



On January 11, 2018 4:54:00 AM EST, Kirils Solovjovs <kirils.solovjovs at kirils.com> wrote:
>
>The concerns are real and industry resolves this by applying the
>minimal 
>required patches from a media before connecting device to the network.
>
>K.
>


Or keeping a "golden image" which is kept up to date and cloned 
as needed (either physically or as vm), giving you a base
system which has passed whatever hardening and certificatation
process org has in place, and has whatever AV or other
security software and CM software etc pre-installed.


>On 2018.01.09. 12:20, Georgi Guninski wrote:
>> This is well known, haven't seen it discussed.
>> 
>> In short doing clean install (factory defaults) has a window of
>> opportunity when the device is vulnerable to a known network attack.
>> 
>> It used to be common sense to reinstall after compromise (probably
>> doesn't apply to the windows world where the antivirus takes care).
>> 
>> All versions of windoze are affected by the SMB bug to my knowledge.
>> Debian jessie (old stable) is vulnerable to malicious mirror attack.
>> 
>> More of interest to me are devices where the installation media is
>> fixed and can't be changed.
>> 
>> This includes smartphones and wireless routers.
>> 
>> Some smartphones might be vulnerable to wifi RCE (found by google?).
>> Some wireless routers might be vulnerable to wifi RCE or
>> default admin password attack over wifi.
>> 
>> Internet of Things will make things worse (some NAS devices are
>> affected).
>> 
>> Shielding the device might not be solution since updates must be
>> applied.
>> 
>> Are the above concerns real?
>> 
>> Have this been studied systematically?
>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20180111/3ec19e24/attachment-0002.sig>


More information about the cypherpunks mailing list