On Tue, Sep 19, 2017 at 1:41 PM, Steve Kinney <[1]admin@pilobilus.net> wrote: On 09/19/2017 07:37 AM, Georgi Guninski wrote: > Is it still good practice to reinstall everything after you are owned? > > It used to be, but after reading about windows viruses I am not sure it > is. Well if somebody who reads the CPunk list is "fixing" a failed Microsoft operating system, that implies that the computer in question belongs to somebody else who demands Microsoft. In that case, industry best practice is to follow the most expensive path possible: "It is morally wrong to allow a sucker to keep his money." The more of a client or employer's money you spend, the more important your job appears to be and the more /you/ can charge. So you will want to go shopping, and buy any "upgrades" that are available. Assure that the anti-virus and related tools installed are the very most expensive. If possible replace hardware, not just software. Explore the potential for adding firewall appliances etc. to the network the compromised system plugs into - every security incident is a window of sales opportunity and, thanks to the popular press and the efforts of Microsoft and other snake oil vendors, the sky is not necessarily the limit. Start building a case to change out /everything/ IT related at the shop in question for the most expensive and massively over-built infrastructure possible - where and as this becomes possible, it qualifies as a Total Win. Also bear in mind that once Microsoft has been specified, "security" is out the window and compliance with popular misconceptions and IT sales literature constitute due diligence on the security front. As a practical security objective, you will want to see the largest number of security incidents your client or employer will tolerate going forward, as you play the part of a heroic warrior battling hordes of Evil Genius Super Hackers on their behalf. Do this well, with a straight face and the assistance of talking points from your vendors, to meet the only security objective that matters: Your job and retirement security. Remember that an occasional /real/ loss of important assets will assure that your client or employer values your services very highly. If things get too quiet around the shop for too long, dropping a couple of anonymous tips on security issues at your shop in "hacking" forums - make them look like a disgruntled ex-employee looking for pay-back - can do wonders to boost your importance in the eyes of management. :o) Georgi, Yes - in addition, since some attackers have been shown to compromise not only UEFI firmware, but also blobs in peripheral devices, a re-flashing of those components from HW land. In many cases, this type of recovery is 'impossible'. Practically, individuals will take a stab on guessing attacker capability between; zero sophisticated persistence and h/w re-install survivability and act accordingly. It is difficult to get that right, if not impossible. Broadly, the types of activities you perform on various hardware would dictate the appropriate response. For example, you might not go about generating a root CA on the computer you routinely clean adware from, and you might not consider that computer 'safe for the task' after a OS reinstall, instead favoring fresh, network interface stripped, or purpose built HW. -Travis -- [2]Twitter | [3]LinkedIn | [4]GitHub | [5]TravisBiehn.com | [6]Google Plus References 1. mailto:admin@pilobilus.net 2. https://twitter.com/tbiehn 3. http://www.linkedin.com/in/travisbiehn 4. http://github.com/tbiehn 5. http://www.travisbiehn.com/ 6. https://plus.google.com/+TravisBiehn