What are some examples of things that make him suspicious of being compromised?
Whenever I or somebody else sends an email, within a few hours there is a reply to him from someone who should not have had access, talking about the very thing in the email. This person would have had access to the computer previously, but not in the last 18 months or so. I suggested to him that maybe they had previously set up some sort of autoforward to her email in his Hotmail settings, but he has since changed his email address with the same problems. Skype chats also seem to be compromised. He's convinced that some sort of spy software has previously been installed that sends information, or allows someone much smarter to remote access or something. I've told him to wipe his computer... but he wants to... get medieval... I mean... legal...
I've sent these to him, but he's a bit slow to respond. But if I were to guess, it would be:
Thanks, I've passed this on to him, thanks for that!
Well, first off he needs to ensure he is using wireless security: either WPA or WPA2.
But don't use WEP, as it can be cracked in less than 60 seconds (MP3 link). Next he must secure that wireless network with a
strong password. Routers can handle up to 63-character passwords and I recommend using all 63 characters. Use the link I provided above to get a pseudo-random password with maximum entropy. I would also recommend changing the router's admin password as well.
For the purpose of all this and given the situation, I would suggest connecting the MacBook to the router with a LAN cable and turning off the wireless card on the laptop, just to be sure no one is sniffing the packets wirelessly, because it sounds like he is the victim of a
man-in-the-middle attack (MP3 link): someone who has gained access to his wireless network and is using a packet sniffer to intercept all the unencrypted traffic flowing across it. Another thing he should do when browsing the web, wherever he enters usernames, passwords, emails or any other sensitive data, is make sure the site is using HTTPS and not HTTP. The 'S' is a different protocol that uses a different port for sending web traffic, and it is encrypted, so anyone using a packet sniffer can still intercept the traffic but will be unable to read it. The HTTP protocol transmits data in clear text, so any time you enter a username and password on a site whose address starts with HTTP, that username and password will be broadcast to the whole world so they can see it.
I don't know if Hotmail uses HTTPS (SSL) by default or not, but if it doesn't, have him try manually typing in the address
https://www.hotmail.com and see if it works. I'll bet it does. Also check the settings within Hotmail to see if it has the option to use SSL by default, and enable it if it's available. Some web-based email providers do not encrypt their connections by default but do have a security certificate so that you can connect securely if you want to. Gmail didn't use HTTPS by default, but last year or the year before they enabled it to be on by default. Prior to that you could turn it on in your user settings.
Once the passwords and encryption protocol (WPA2) are changed, then he can go ahead and use the wireless network again, unplugging the LAN cable. Then I would change my other online passwords again, like Hotmail and any other that he suspects is compromised, using a strong password. I would recommend using the same password generator I linked to above, but grabbing maybe the first 10 characters, or more if he wants. I use
LastPass to manage my passwords and even generate some too. It's secure and it helps remember some of those really long random passwords that you just cannot memorize. It integrates with your web browser and is cross-platform (multiple browsers and OSes with one account).
There is a very slim possibility that, if what is going on is as I describe above, the attacker is also cracking the SSL protocol (HTTPS). SSL has been bulletproof since its inception until last year, when a
proof-of-concept attack on SSL was successful (MP3 link). I think it's unlikely but not out of the realm of possibility. Additionally, I don't know of any
rootkit attacks (MP3 link) on OS X, but on Windows, malicious rootkits that get onto a Windows machine are capable of compromising a system in such a way that they are undetectable to any anti-virus or anti-malware programs. If one suspects they have a malicious rootkit on their system, the only way to get rid of it is a full format of the HDD and a reinstall of the OS.
Also, I attached two images, the first one showing an unsecured login to another site of mine (I blacked out my password because it was in clear text, but you can still see my username) using only the HTTP address. The second image is the same site, same login, except I added the S, making it HTTPS and thus changing the protocol to encrypted. As you can see, or actually not see, my username and password. I sniffed those packets off my own wireless network using a packet sniffer, freely available for download on the Internet.
I hope this information is helpful and that he and anyone else reading this employs some or all of these measures to protect themselves online.
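The answer above recommends a maximum-length (63-character), maximum-entropy WPA2 passphrase for the router and a shorter random password for online accounts. The following script is an added example, not code from the thread or from any linked generator; it uses Python's `secrets` module to produce such passphrases, checks them against the WPA2 passphrase rules (8 to 63 printable ASCII characters), and reports how many bits of entropy a given length buys. The exclusion of the space character is my own choice, to keep the passphrase intact when copied into a router's admin page.

```python
import math
import secrets

# WPA2 (IEEE 802.11i) passphrases are 8 to 63 characters of printable ASCII (0x20-0x7E).
WPA_MIN_LEN = 8
WPA_MAX_LEN = 63
# Assumption: leave out the space (0x20) so copy/paste into router UIs does not trim it.
WPA_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))  # 94 distinct characters


def generate_passphrase(length: int = WPA_MAX_LEN, alphabet: str = WPA_ALPHABET) -> str:
    """Return a passphrase drawn uniformly at random with a CSPRNG (secrets, not random)."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError(f"WPA2 passphrase length must be {WPA_MIN_LEN}-{WPA_MAX_LEN} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """True if a WPA2 router will accept it: length in range and only printable ASCII."""
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in passphrase)


def entropy_bits(length: int, alphabet_size: int = len(WPA_ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def account_password(length: int = 16) -> str:
    """Shorter random password for online accounts (the answer suggests 10 or more characters)."""
    return generate_passphrase(length)


if __name__ == "__main__":
    router_key = generate_passphrase()
    print(f"Router passphrase ({len(router_key)} chars, "
          f"{entropy_bits(len(router_key)):.0f} bits): {router_key}")
    print(f"Account password: {account_password()}")
    for weak in ("secret", "wifi1234"):  # constructed examples of weak keys
        print(f"{weak!r}: valid={is_valid_wpa_passphrase(weak)}, "
              f"bits if random={entropy_bits(len(weak)):.0f}")
```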