Goodbye windows partition

[lilcosco08]

So I just realized that the reason my camera light was always on in Windows wasn't skype, but some person who was spying on me. And keylogged me. Then pulled up a chatbox and mocking me.

Needless to say I'm changing all my passwords, and deleting my windows partition. I don't see how this happened through Nod32

It's nice to know that I'm safe from that on my MBP

 

[wct097]

Sounds like a hack, not a virus. I've never heard of a virus author using it to spy on people and taunt them in a chat window. Most likely someone who had physical access to your machine, though network access would work if you had some security settings turned off.

edit: And if I'm correct, you're not 'safe from that on your MBP' if someone unscrupulous had physical access to your machine and installed whatever software they wanted.

 

[lilcosco08]

Set up a WPA code+other defenses incase he does.

Looks to me like he's a script kiddie

Anyways I'm not really worried, I just use that partition for games.
I think he got 1 lvl 6 runescape account. Great job.

 

[munkery]

edit: And if I'm correct, you're not 'safe from that on your MBP' if someone unscrupulous had physical access to your machine and installed whatever software they wanted.

The only way this can occur from a malicious individual having physical access to a Mac is if the user has not set up a firmware password.

Did anyone have physical access to your Mac?

Were you using Windows XP? This type of hacking across a network is much easier in Windows XP because the built-in administrator account is created with a blank password.

Windows XP administrator accounts are not secure in general.

 

[lilcosco08]

The only way this can occur from a malicious individual having physical access to a Mac is if the user has not set up a firmware password.

Did anyone have physical access to your Mac?

Were you using Windows XP? This type of hacking across a network is much easier in Windows XP because the built-in administrator account is created with a blank password.

Windows XP administrator accounts are not secure in general.

Win 7, firewall on, ESET smart security, unsecured network

I think that was my downfall

 

[munkery]

Win 7, firewall on, ESET smart security, unsecured network

I think that was my downfall

Did you have any sharing services, such as vnc, set up in an insecure manner? Blank password or dictionary word?

If not, then some exploitation occurred in Windows.

 

[Merkava_4]

I'd never have Windows on my Mac ... screw that.

 

[vincenz]

I finally got rid of my windows partition a couple months ago too. Originally I had it just to play games, but after a while, I used it less and less. No need for it anymore.

 

[zenio]

The problems the OP experienced are the very reason I have taken the time to really lock down my MBP. I use very strong passwords, encryption and nearly every form of security available. It's time consuming to setup but quite worth it.

 

[wct097]

The only way this can occur from a malicious individual having physical access to a Mac is if the user has not set up a firmware password.

Sure, assuming it wasn't already turned on and logged in.

Did anyone have physical access to your Mac?

Were you using Windows XP? This type of hacking across a network is much easier in Windows XP because the built-in administrator account is created with a blank password.

Windows XP administrator accounts are not secure in general.

I suppose it's 'possible' someone randomly choose the OP to hack, but the logistics of a hack like that are pretty tough with even the sloppiest of setups.

There are two basic ways to accomplish the scenario the OP laid out.

#1 gain physical or remote admin access to the machine and install software capable of 'spying using the webcam' and 'opening a chat window'.
#2 trick the user into downloading and installing the software mentioned above.

Now, the software itself...
Assuming the 'hacker' in question wrote it himself, he could have it make a connection to him over the internet so that he gains access to the machine. This isn't likely as it would make it exceptionally easy to trace back to the original author/hacker. Windows or any other firewall software would probably block it, but having gained physical or remote access, the attacker can easily override this.

Most likely, the software would simply open a port on the local machine to accept incoming connections. Additionally, the software would probably be freely available (VNC for example). To use this method, the attacker would need to have an open connection to the machine over the internet. Any commercially available router in use on virtually every home internet connection would prevent this with the factory settings.

Which brings me back to the fact that the hack in question is so logistically complicated to do remotely (hack the router, find an unsecured Windows computer/partition, hack the PC, install software, connect back) that it's not reasonable to believe someone with that skillset would simply use it to spy on someone and taunt them over a chat window.

It's probably someone who had physical access to the machine while it was powered on and logged in, and then also had access to the same network that the computer was connected to. College dorm, roommates, siblings, etc.

edit:
Re-read a couple things. Windows 7 is pretty secure out of the box. Windows 7 has RDP turned off by default. I sincerely doubt someone remotely hacked the machine unless he had some sort of 3rd party RDP (VNC) app set up without a password. Even on an unsecured network, this isn't likely.

OP, since you're obviously capable of setting up WPA on your router, how about checking your router's DHCP client table. If it's recent enough, perhaps you can see how many IP addresses are assigned. The MAC address for each client is kind-of like a digital fingerprint for anyone that's touched your network. Easy enough to fake, but probably not for someone doing that level of amateur hack.

 

[Winni]

So I just realized that the reason my camera light was always on in Windows wasn't skype, but some person who was spying on me. And keylogged me. Then pulled up a chatbox and mocking me.

Needless to say I'm changing all my passwords, and deleting my windows partition. I don't see how this happened through Nod32

It's nice to know that I'm safe from that on my MBP

Only until you install a Trojan on OS X. And yes, they do exist. Just download and install a pirated version of iWork 09, then you'll see one in action on your Mac.

You know, the greatest security risk always sits in front of the computer. The reason why somebody was able to remote control your web cam was because -- YOU! -- explicitly(!) allowed that malware to be installed.

 

[GGJstudios]

You know, the greatest security risk always sits in front of the computer.

Quite true! The best defense against that risk is educating yourself: Mac Virus/Malware Info

 

[munkery]

Sure, assuming it wasn't already turned on and logged in.

True.

This is a dual OS machine with Windows used for online gaming.

So, how was login to Windows secured? How was login to OS X secured?

I suppose it's 'possible' someone randomly choose the OP to hack, but the logistics of a hack like that are pretty tough with even the sloppiest of setups.

Why random? If an easy target, then the OP was targeted.

Exploiting a system in this manner can include using exploits/malware (with metasploit), password crackers for remote services, and more.

There are two basic ways to accomplish the scenario the OP laid out.

#1 gain physical or remote admin access to the machine and install software capable of 'spying using the webcam' and 'opening a chat window'.

What is required to get remote admin access?

1) Server side: A service, such as VNC, set up in an insecure manner (weak password, unpatched exploit, etc). Logistically not difficult to hack if on same network. If the service is set up then it is most likely excluded in firewall settings. Logistically not difficult to exploit if router is port forwarded as well. The open service would be found easily via a port scan with NMAP.

Also, if the user was using a Windows 7 admin account that does not require a password for UAC to authenticate by default, the attacker had full system access once in the target machine. (EDIT: I heard somewhere UAC requires local mouse/keyboard input to authenticate UAC? But, there presently is a publicly released and unpatched privilege escalation 0day for Windows 7.)

2) Client side: the partition hacked is for Windows gaming. Many online games in Windows require being run with superuser privileges and need to be excluded in firewall settings to function. This is a logistically easy vector to exploit.

#2 trick the user into downloading and installing the software mentioned above.

Hacking Windows gaming most likely includes malware. But the trickery would only include getting the user to connect to a server while gaming. The game would download the malware (malicious DLL?) from the server and then it would install without UAC prompt as the game process has superuser privileges.

Connecting to the server is the explicit act but the installation of malware from a remote source is not.

This isn't likely as it would make it exceptionally easy to trace back to the original author/hacker........

If the attacker did not perform the attack from his home IP and spoofed the MAC address of his machine, the likelihood of finding the attacker is very low.

No need to hack router if service port forwarded (server side) or it is a running service passed on by NAT/SPI (client side, as in an online game).

Software firewall not an issue if service is allowed through firewall.

Connecting back is just a matter of including a payload that does so.

It's probably someone who had physical access to the machine while it was powered on and logged in, and then also had access to the same network that the computer was connected to. College dorm, roommates, siblings, etc.

Must likely the true cause, for sure.

 

[wct097]

Why random? If an easy target, then the OP was targeted.

Sure, but I'm working on the theory that he was either targeted by someone who knew him and had physical & LAN access to the machine in question, or randomly over the internet.

The random hack being the least likely due to the logistics of hacking the router, then scanning the machine, finding an exploit, and actually exploiting it, then doing the spying. A pretty impressive repertoire for the type of hacker that would harass their victim by chat.

I'd put money on it being someone he knows personally. The second most likely culprit would be a neighbor accessing his unsecured network, though I think it would be unlikely that a Win 7 partition used mainly for gaming would have VNC (or the like) legitimately installed in an insecure way.

Exploiting a system in this manner can include using exploits/malware (with metasploit), password crackers for remote services, and more.

What is required to get remote admin access?

1) Server side: A service, such as VNC, set up in an insecure manner (weak password, unpatched exploit, etc). Logistically not difficult to hack if on same network. If the service is set up then it is most likely excluded in firewall settings. Logistically not difficult to exploit if router is port forwarded as well. The open service would be found easily via a port scan with NMAP.

Also, if the user was using a Windows 7 admin account that does not require a password for UAC to authenticate by default, the attacker had full system access once in the target machine. (EDIT: I heard somewhere UAC requires local mouse/keyboard input to authenticate UAC? But, there presently is a publicly released and unpatched privilege escalation 0day for Windows 7.)

To be clear, all of this assumes they're on the victim's private network, or the victim has his machine plugged directly in to a cable modem with no router in between (unlikely since he had wifi unsecured).

2) Client side: the partition hacked is for Windows gaming. Many online games in Windows require being run with superuser privileges and need to be excluded in firewall settings to function. This is a logistically easy vector to exploit.

Hacking Windows gaming most likely includes malware. But the trickery would only include getting the user to connect to a server while gaming. The game would download the malware (malicious DLL?) from the server and then it would install without UAC prompt as the game process has superuser privileges.

Connecting to the server is the explicit act but the installation of malware from a remote source is not.

I'll give you that one, but I still find it unlikely that a random hacker on the internet perpetrated this attack.

If the attacker did not perform the attack from his home IP and spoofed the MAC address of his machine, the likelihood of finding the attacker is very low.

And the liklihood of any law enforcement action is even lower, even with a home IP and non-spoofed MAC.

No need to hack router if service port forwarded (server side) or it is a running service passed on by NAT/SPI (client side, as in an online game).

Software firewall not an issue if service is allowed through firewall.

Connecting back is just a matter of including a payload that does so.

Lots of variables for sure. Obviously this was more than a typical drive-by malware infection. Based on my training and experience with IT security, I'll generally feel safe personally if it would take multiple vulnerabilities to exploit my system. Lets face it... nobody is doing Stuxnet level work to spy on a MBP user and harass them over chat.

 

[munkery]

To be clear, all of this assumes they're on the victim's private network, or the victim has his machine plugged directly in to a cable modem with no router in between (unlikely since he had wifi unsecured).

Why that assumption? Many server side services can be set up to work across the web.

How would the target have been exploited via weak wifi security to achieve that effect (spying/chatting)?

An insecure wireless set up doesn't make it easier to exploit an online game.

I'll give you that one, but I still find it unlikely that a random hacker on the internet perpetrated this attack.

The online game server admin (often teenagers/script kiddies) may specifically target the user if the user connects to the server and appears to be vulnerable to exploitation. This would be a targeted attack across the internet.

And the liklihood of any law enforcement action is even lower, even with a home IP and non-spoofed MAC.

But you also stated the following:

This isn't likely as it would make it exceptionally easy to trace back to the original author/hacker.

How does that make sense?

Lets face it... nobody is doing Stuxnet level work to spy on a MBP user and harass them over chat.

Finding new exploits is hard.

Script kiddies do what is easy. Using already available exploits such as DLL hijacking and unpatched publicly released 0days is easy.

Download Metasploit (or BackTrack Linux) and everything else the attacker needs is right here.

 

[ExiledMafia]

Definitely doesn't sound like a virus, probably a hack as stated earlier above. Make sure you remember everything you did to change the proper passwords, credit cards, etc....

 

[wct097]

Why that assumption? Many server side services can be set up to work across the web.

How would the target have been exploited via weak wifi security to achieve that effect (spying/chatting)?

An insecure wireless set up doesn't make it easier to exploit an online game.

Speaking specifically about scanning the victims network to discover the computer and any ports it has open. Can't generally do that across the internet unless the router is intentionally opened up or the PC is in the DMZ. If they exploit the PC from a game based attack then they don't need to scan the private network to find the PC and what ports it's listening on.

The online game server admin (often teenagers/script kiddies) may specifically target the user if the user connects to the server and appears to be vulnerable to exploitation. This would be a targeted attack across the internet.

No personal experience there, so I'll defer to you or someone else that knows the intricacies of game based exploits.

But you also stated the following:

How does that make sense?

Two completely different things. It may be very easy to follow a script kiddie's trail back to his home IP and actual MAC address, but that doesn't mean the FBI or local PD is going to waste time going after a script kiddie that was spying on a gamer using a homemade exploit. I work for a government entity and nobody(LE) would waste time investigating when we got hacked. We imaged the disk on the server in question, extracted the logs, called the FBI, and had everything ready for an investigation..... nobody ever even followed up.

Finding new exploits is hard.

Script kiddies do what is easy. Using already available exploits such as DLL hijacking and unpatched publicly released 0days is easy.

Script kiddies generally require a pre-made exploit tool and can't do much beyond that, which is exactly why I generally feel that a computer behind a consumer grade router is pretty safe from internet based targeted or random attacks without a client side mistake to open the door for an attacker.

Download Metasploit (or BackTrack Linux) and everything else the attacker needs is right here.

I can also highly recommend a SANS class or thee for anyone interested in learning more using some hands on tools in a classroom. The last one I took included a provided VM with most of the tools found in Backtrack, and a test network set up for us to get some hands on practice exploiting. Good stuff!

 

[munkery]

Speaking specifically about scanning the victims network to discover the computer and any ports it has open. Can't generally do that across the internet unless the router is intentionally opened up or the PC is in the DMZ. If they exploit the PC from a game based attack then they don't need to scan the private network to find the PC and what ports it's listening on.

Sorry, right.... can only port scan externally facing device. Then connect to PC via the port that is port forwarded for the service.

Connecting to server side services across the web is possible because if not, then how would you connect to remote desktop across web with the host behind a router? You can find guides on how to do it for legitimate purposes so ....?

Obviously, hacking an online game does not require any of this.

Two completely different things. It may be very easy to follow a script kiddie's trail back to his home IP and actual MAC address, but that doesn't mean the FBI or local PD is going to waste time going after a script kiddie that was spying on a gamer using a homemade exploit. I work for a government entity and nobody(LE) would waste time investigating when we got hacked. We imaged the disk on the server in question, extracted the logs, called the FBI, and had everything ready for an investigation..... nobody ever even followed up.

I was just acknowledging that at first you stated remote exploitation would be unlikely because the attacker could be found; then you turned on heel and said that being found would not be a deterrent because law enforcement would not do anything if only a prank. I agree with the latter; especially, if the attacker is in a different country.

Script kiddies generally require a pre-made exploit tool and can't do much beyond that, which is exactly why I generally feel that a computer behind a consumer grade router is pretty safe from internet based targeted or random attacks without a client side mistake to open the door for an attacker.

Exploit databases often contain publicly released unpatched remote and local 0days for Windows (including Windows 7) and that is all a script kiddie needs to do his business.

The DLL hijacking issue in Windows is not a huge set of client side mistakes?

 

[iThinkergoiMac]

The only way this can occur from a malicious individual having physical access to a Mac is if the user has not set up a firmware password.

Even that's not good enough. If you remove the RAM (and then, of course, replace it), the firmware password goes away. From there on out, it's simple enough. The only real way to completely protect your data is to encrypt the entire drive.

 

[munkery]

Even that's not good enough. If you remove the RAM (and then, of course, replace it), the firmware password goes away. From there on out, it's simple enough. The only real way to completely protect your data is to encrypt the entire drive.

Really, I was not aware that removing the RAM would do so. That is crazy. I guess the firmware password only is protection from tampering without theft. Definitely need some encryption in case machine stolen.

Why would you have to encrypt your whole drive? Wouldn't you really only need to encrypt the sensitive data on your machine?

Even then how is whole disk encryption going to stop someone from accessing your data if they can use the firmware options (safe boot, etc) to get your passwords, make a new admin account, etc?

 

[GGJstudios]

Really, I was not aware that removing the RAM would do so. That is crazy. I guess the firmware password only is protection from tampering without theft. Definitely need some encryption in case machine stolen.

It's too easy.

After removing / adding more RAM than before, Turn on the computer and immediately reset PRAM by holding the Command-Option-P-R key combination. Press the keys until you've heard two successive startup sounds.
Open Firmware password protection should be now disabled. Shut down the computer and return it to its original RAM configuration.

 

[munkery]

It's too easy.

Firmware password prevents PRAM reset without password but this requires PRAM reset? Apparently, it does work.

Once an attacker has the ability to dump the password hashes or make a new admin account, then how can you secure your data in any manner?

 

[GGJstudios]

Firmware password prevents PRAM reset without password but this requires PRAM reset? Apparently, it does work.

Changing the amount of RAM installed erases the firmware password, enabling a NVRAM reset.

Once an attacker has the ability to dump the password hashes or make a new admin account, then how can you secure your data in any manner?

Encryption is the only way. Once someone knowledgeable has physical access, most security measures are useless. Plus, even if your data is safe, it doesn't stop someone from replacing the hard drive and using your Mac.

 

[munkery]

Encryption is the only way. Once someone knowledgeable has physical access, most security measures are useless. Plus, even if your data is safe, it doesn't stop someone from replacing the hard drive and using your Mac.

FileVault wouldn't work because once they get your admin password via boot options, the attacker can log in and access the data because the data is accessible when logged in.

Are full disk encryption solutions different?

I wonder if sparse bundle disk images that remain locked when logged in would be safe?

 

[GGJstudios]

FileVault wouldn't work because once they get your admin password via boot options, the attacker can log in and access the data because the data is accessible when logged in.

Are full disk encryption solutions different?

I wonder if sparse bundle disk images that remain locked when logged in would be safe?

I've never tried encryption. I just maintain strict control over who has physical access to my MBP (only me and my wife). I'm sure you can MRoogle some encryption threads that may provide suggestions that work.