• jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    49
    ·
    5 months ago

    It’s actually good advice to periodically restart your secure devices. There are many exploits that can only persist in memory and not on the actual storage device itself. So by restarting you go back into a known good state. And any malicious actor would have to reinfect your phone, which may not be guaranteed

    • acetanilide@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      ·
      5 months ago

      This is fascinating to me because I was taught not to restart your computer if you suspected malware because restarting it would basically activate it

      • RGB3x3@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        2
        ·
        5 months ago

        You can’t activate malware by restarting your system. There’s no reason why an attacker would wait for a restart to do what they want to do.

        What can happen is that restarting doesn’t help fix anything related to malware if the malware has been written to gain persistence. It’ll edit the registry so that it can run on startup, so restarting your system makes no difference.

        • yildolw@lemmy.world
          link
          fedilink
          English
          arrow-up
          8
          ·
          5 months ago

          They might be thinking of malware spread on floppy disk or a usb stick. A restarting computer with sus media inserted might have treated them as a boot device back in the day and run the executable code with higher privileges

        • CameronDev
          link
          fedilink
          English
          arrow-up
          4
          ·
          5 months ago

          It would entirely depend on the design of the malware. If a malware author wanted to chronologically separate infection from detection, doing persistance and then not activating until next reboot wouldnt be unreasonable.

          For example, if a user visits a site, and 10 seconds later their PC gets cryptolockered, they can report the site. If they visit a site, and then a hundred others, and then 10 days later their PC reboots and gets cryptolockered, they will have no idea which site did it.

    • CameronDev
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      Only exploits that require human intervention would be defeated by this though. If you have a zero touch exploit that can privesc, the persistance doesnt need to be anything special, you can just wrap your exploit in an ordinary android app and request it be woken up on next boot.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        5 months ago

        Not necessarily true. It could be a buffer overflow in text message processing, it’s still requires a text message to be sent to the phone.

        It could be a Wi-Fi or Bluetooth exploit, which requires locality.

        It could be a browser, webview, certificate exploit that requires a sophisticated chain of events with a low probability to intercept a web page and get the user to do something that isn’t guaranteed.

        The exploit might display itself to a user on the phone, so every time it’s applied there’s a risk of discovery.

        Not to mention many advanced persistent threats do not want their exploits to be analyzed, so they will not leave them sitting around to be collected, just waiting for the device to need a reinfection. That’s valuable signals capability that you give to your adversary they just need to analyze it.

        • CameronDev
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          Those all are things that require external human intervention though?

          If the malware is persistent, then one way or another it needs to leave an exploit on the device, it can either be a persistance exploit, or a privesc exploit.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            Right so the issue here is we are saying for the class of malware that is not persistent restarting the device will take it out of memory. Which is a strict positive

            • CameronDev
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              Yup. Although i’m not sure there are many (any?) malwares that don’t have some form of persistence. Exploits requiring human intervention are usually just the first stage, and persistance is the second.

              I dont know of any APTs that are purely memory only, but if you know of one please link so I can read up on it.

    • taladar@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      It is also a good idea for computing devices in general since not restarting means effectively restarting and finding out that the restart didn’t work properly or that you do not have all the information needed to log back in at the worst possible time, one you didn’t choose yourself. And if you do it often enough the number of updates/changes that could be the cause is significantly lower than if you keep things running for a long time before a restart.

    • Socsa@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      5 months ago

      It also guarantees you will cycle keys out of memory, which is always a good idea when crossing borders and whatnot.

    • Emotet@slrpnk.net
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      5 months ago

      Just be mindful when restarting automatically, as some OS offer. It’s neat not having to remember to manually restart every few days, but your pending notifications will get lost and, depending on your setup, your cellular/network connections will not automatically reconnect until you login.

  • qprimed@lemmy.ml
    link
    fedilink
    English
    arrow-up
    11
    ·
    5 months ago

    “have you tried swtching it off and on again” solves 90% of support requests - at least for a little while ;-)

    • taladar@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      18
      ·
      5 months ago

      It solves virtually none of them, it is pretty good at destroying all the evidence needed to actually fix the problem for good though.

      • Sabata11792@kbin.social
        link
        fedilink
        arrow-up
        15
        ·
        edit-2
        5 months ago

        I don’t have 40 hours to dedicate to a single error message that pops up only on Tuesdays during a full moon and Jeff just needs to print his stupid report.

      • qprimed@lemmy.ml
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        5 months ago

        we are not talking about backend systems here.

        we are talking about user devices in the wild, likely in an unknown state, with highly variable usage patterns by the user. someone with experience can usually determine how deeply to poke based on 30 seconds of questioning the user.

        “reboot” is absolutely valid when the issue is trivial, non-recurring and the equipment is not sensitive. if a reboot destroys logs then the device was not important to you to begin with.

      • jet@hackertalks.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        5 months ago

        My experience has been the exact opposite of this.

        Restarting a system gets it into a known state making debugging easier.

        There are times you don’t want to restart, if your a software developer and a long lived process is behaving erratically and you haven’t been able to figure out why via telemetry and this problem has been super hard to reproduce… But this is a very niche and rare circumstance. Most scenarios the first priority is to get things working ASAP, so the first thing you do is restart.

        Hell, many production systems restart periodically to just get closer to a known good state as a matter of hygiene.

        • taladar@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          Restarting a system gets it into a known state making debugging easier.

          And what are you going to debug when the problem does not occur and you do not know how to reproduce it? There is a lot of information you can only gather while the problem occurs. And yes, this is from the software developer and sysadmin perspective, not from the layman perspective. I would rather spend a little bit more time on the problem now instead of having it occur again and again without getting any closer to an actual solution.

          • jet@hackertalks.com
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            5 months ago

            The first piece of information you get is : does the problem persist beyond a restart

            Every investigation takes time, I’m glad that your able to satisfy yourself with in depth investigations when necessary.

            For non-life critical systems, the average protocol is to restart and see if it persists and only debug if the issue becomes problematic

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      1
      ·
      edit-2
      5 months ago

      They are very competent.

      National security agency. They understand security.

      The problem is usually around incentives… What is good for the national security may not be good for the individual and vise versa.

      When the incentives line up, they are the good guys.

      So when they talk about defending American infrastructure against state actors in the context of Russia or China, the advice is good.

      When they talk about why people don’t need end to end encryption or why public cryptography is a national threat… The advice is bad.

      • EmperorHenry@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        ·
        5 months ago

        they don’t even need to put shit directly on our devices to get what they want really, they have a wiretap into all the advertising companies and all the internet providers and all the cellphone and land line providers. They have a wiretap into every remotely accessible camera system. They don’t need to come up with more invasive ways to get into all our shit but they keep doing it.

        • AwkwardLookMonkeyPuppet@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          It’s so blatantly unconstitutional, and yet they keep renewing the programs. We’re never getting our constitutional right to privacy back without extreme measures.

          • EmperorHenry@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            It’s so blatantly unconstitutional,

            Careful, someone called me a fascist for saying that about this issue.

              • EmperorHenry@infosec.pub
                link
                fedilink
                English
                arrow-up
                1
                ·
                5 months ago

                I was once called a “right winger” and a “trump supporter” over on reddit because I talked about how awesome self-governing local communities would be.

                Who better to decide what happens in a town than the people who actually live there?

                There’s paid trolls and bots that muddy the waters about everything.

      • lurch (he/him)@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        5 months ago

        wait, your phone doesn’t switch on to ring alarms? i thought all smartphones do that. all androud phones i have do. they don’t do a full boot, just sound an alarm and show options to fully start, snooze or end the alarm

        // edit

        I learned that some brands don’t implement that feature. For example: Samsung does not, but Honor does.

        • VindictiveJudge@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          ·
          5 months ago

          I have never heard of that feature. If I turn my phone off before going to bed, it’s because I want it to not ring the alarm at the usual time. Telling it to turn off makes it do a complete shutdown. What you’re describing would require some sort of hibernate mode.

          • lurch (he/him)@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            it’s not like hybernate on a PC. it’s more like the circuits in the phone (probably the BIOS) still have the clock running when off and know the time when to boot into that special mode. my newer phone even has a checkbox “keep alarm active” on that shutdown screen where you confirm the shutdown.