|
Oh my god I can't resist.

mindphlux posted: If you think flattening and reinstalling every time a machine gets infected with malware is sane advice, you are [...] someone who has never worked in a business environment

quote: if brodude lawyer whose time is worth $500/hr is back up and running again (in 30-45 minutes) for the next 8-12 months

quote: I can't find any trace of the original malware identified (and haven't found any utterly disgusting rootkits), tell me why flattening is a better option.

quote: Also, computers are generally on a network, so really by your logic I should be flattening the entire network every time anything remotely serious rears its head. Welchia, by the way, was a supposedly white-hat worm which did nothing except patch the vulnerability it used and spread to other machines with that vulnerability. At least, that's all anyone could tell that it did, but we still had to wipe the whole machine because you can never be sure.

quote: **** and yes, let me spend my time trying to "educate" the entire metro area of my city on how to properly operate a computer so they don't get a virus. Well, you can't, but maybe there'll be more incentive for them to get educated when they realize the actual cost of getting back up and running after getting one.
|
# ¿ Oct 22, 2015 19:14 |
|
OWLS! posted: Man, I respect you infosec guys, and I get why you have to be in paranoia mode at all times, but sometimes you gotta break it down for the mortal folks.

It isn't about winning fans. Having wrong ideas about computer security is loving dangerous. Selling wrong ideas about computer security, and passing them off as "good enough", is really loving dangerous. We don't usually get mad at people who just don't have a clue ("mortals" as you put it). What gets us really mad is people who don't have a clue acting as though they do, arguing against people with clues, and especially people selling their nonexistent clues to other people and lulling them into a false sense of security. We may sound paranoid to an outsider but oh man you should see what someone who is actually honestly paranoid about this stuff looks like. Check out #badbios if you want a taste.
|
# ¿ Oct 22, 2015 19:58 |
|
Khablam posted: Usually people only get as mad-angry as you do over this when they feel like their USP is being infringed upon. I get it, 10 years ago you were a ~genius~ if you could stop mom's PC from having that weird popup, but now that people have largely worked this out for themselves

I'm dying
|
# ¿ Oct 24, 2015 23:42 |
|
Uh, I was the one that brought up the badbios guy and I did it specifically as an example of someone who has in fact gone off the deep end. No one has brought that thing up as an actual risk.
|
# ¿ Oct 25, 2015 23:28 |
|
mindphlux posted: sorry about your aspergers

Sick burn, dude!
|
# ¿ Oct 29, 2015 06:38 |
|
Khablam posted: None of that changes one's SOP though. For, if nothing you throw at the machine reveals a problem, how are you determining there is one? Why are you even looking for the problem to begin with?

You seem very distressed about not getting an answer to this question so I guess I'll try to help you out a little bit.

Let's say you got an obvious malware package of some kind. It got there through some vulnerability or other, maybe you forgot to update Flash in the last 8 hours. The less sophisticated malware goes ahead and makes itself known, loudly trumpets its presence by throwing up porn popups or what have you. You clean it using your magical 200 tools (god only knows why you think this takes less time/effort than just reinstalling and restoring from backups, but we've gone in circles a few hundred times with that already). It looks "clean" to you now, your tools did not detect anything but the malware that was very good at loudly trumpeting its presence anyway, now they don't detect anything and you don't see any porn popups. You release the computer to the customer with a clean bill of health.

However... Unbeknownst to you, another, much more stealthy, piece of malware also used the same attack vector at around the same time. This one is new enough not to be caught by your heuristic/signature scanners, or it's sophisticated enough to evade these things, or both. This one does not loudly trumpet its presence, because its goal is not to make money for its creator by blasting porn popups all over the screen or trying to sell fake antivirus (but I repeat myself) - it's trying to use the machine to join a botnet and collect passwords. To this end, it does things like hide its network connections, it keylogs, it installs its own root cert (or defeats certificate verification in another way) and MITMs financial websites, it slurps up your emails, and so on.

Now your machine is being used to DDoS whatever thing the SEA doesn't like this week and oh yeah, all your credit cards have been sold on the black market, your bank account just got drained, and if you're a lawyer maybe some of that confidential information in your email just got leaked. Or if you're a software developer maybe the source code to your company's crown jewels is up on The Pirate Bay. Enjoy the years of your life you'll spend dealing with the identity theft and trying to recover your funds, to say nothing of the damage to your professional reputation.

If you had just flattened, reinstalled, and restored from backup, none of this would have happened (or at least, it would have been much less likely) - you had an opportunity to catch this because someone less stealthy used the same attack vector and alerted you to it, but you just removed the obvious infection and left it at that. Is that enough of an answer for you?
|
# ¿ Oct 29, 2015 19:03 |
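One concrete thing the post above lists as a quiet infection's leftovers is a locally installed root certificate used to intercept TLS. The following PowerShell is an added example, not code from anyone in the thread: it snapshots the Windows root stores on a known-clean build and later diffs them, flagging anything that has appeared since. The baseline file path, its JSON layout and the store list are my own choices and are assumptions.

```powershell
# Added example (not from the thread): baseline-and-diff check for trusted root
# certificates that were not present on a known-clean Windows build.
# Run in an elevated Windows PowerShell session. The baseline path and the
# JSON format are assumptions made for this example.

param(
    [string]$BaselinePath = "$env:ProgramData\root-ca-baseline.json",
    [switch]$WriteBaseline
)

# Both machine-wide and per-user root stores matter: a user-level interception
# CA is trusted by that user's browsers without needing administrator rights.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Collect what is trusted right now. Thumbprint is the store's own identifier;
# Subject and NotBefore are there so a human can triage what gets flagged.
$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotBefore  = $_.NotBefore
        }
    }
}

if ($WriteBaseline) {
    # Take the snapshot on a machine you have reason to believe is clean
    # (for example straight after a rebuild), not on the suspect machine.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) entries to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run with -WriteBaseline on a known-clean build first."
}

# Index the baseline by store and thumbprint so the diff is a hash lookup.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$known = @{}
foreach ($entry in $baseline) {
    $known["$($entry.Store)|$($entry.Thumbprint)"] = $true
}

# Anything trusted now that was not trusted at baseline time is worth a look.
# A recently issued self-signed cert in CurrentUser\Root is the classic shape
# of a locally planted interception CA.
$added = $current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") }

if (-not $added) {
    Write-Output "No root certificates added since baseline."
} else {
    Write-Warning "$($added.Count) root certificate(s) not in baseline:"
    $added | Sort-Object -Property NotBefore -Descending |
        Format-Table -Property Store, Thumbprint, NotBefore, Subject -AutoSize
}
```

Two caveats a practitioner would want. Windows also adds roots through its automatic root update mechanism, so an entry that is new since baseline is not automatically hostile; check flagged entries against Microsoft's published trusted root list before acting. More importantly, this only looks for one of the artifacts the post names, and a clean result says nothing about hidden network connections, keyloggers or kernel-level tampering, which is the post's actual point: a negative from the tools you happen to run is not evidence of a clean machine.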
|
So you didn't bother to read my post at all. Did you spend, like, all day on that one? Because you mentioned "you didn't answer my logical questions" (which aren't all that logical, really) in there and, well, I did, so ... To summarize: it's likely that the same infection vector will be used by both an undetectable malware package and a detectable one, so if you actually find one, your chances that you have more that you aren't finding go way up. In that case, you should just reformat. That way you're basically guaranteed to get them all! This differs from "well I could be owned right now and not know anything" in terms of, well, the risk factor. Your equating the two is super disingenuous. Well, either that or you actually don't understand the difference, I suppose.
|
# ¿ Oct 30, 2015 02:21 |
|
Hey I have a question. Did you read the OP of this very thread you're posting in? The one which defines what this thread is about? I.e. Viruses which do interesting and devious things? Like evade detection? I'm just curious. Please answer my logical questions. Thanks.
|
# ¿ Oct 30, 2015 02:37 |
|
co199 posted: (IS/Risk vs IT pissing match)

huh. What a complete shock.
|
# ¿ Oct 30, 2015 19:13 |