
Hacker

Is it possible for a hacker to copy files to the EFI partition (disk0s1)? I have a hacker I can't get rid of by just restoring my HD to factory settings.

MacBook Pro, Mac OS X (10.6.6)

Posted on Dec 30, 2011 10:00 PM

18 replies

Dec 30, 2011 11:10 PM in response to X423424X

There is an unknown MAC address connected to my modem/router. It appears that I have a hacker uploading movies/music from my computer. My internet connection speed is a fraction of what it should be and Time Warner replaced my equipment today because they thought I also had a hacker that was uploading data. After TW replaced the equipment my hacker seems to be back (speeds still slow and unknown MAC address). My router is locked down but while I was configuring it today my computer was kicked off and assigned the IP of 169.254.69.27 ... I had to manually reassign my IP to reconnect to the router. When I reconnected the unknown MAC address showed back up.


FACTORY SETTINGS: I went into Disk Utility and erased the HD overwriting it with zeros and reinstalled the OS with disks that came with my computer.


The disk0s1 has 9 folders and 34 files on it.

Dec 30, 2011 11:38 PM in response to Community User

No encryption on your router, i.e., is it wide open, or are you sure it's "locked down"? If not then enable its encryption (WPA2 recommended). Enable its firewall. Or at least enable the Mac's firewall (Security system preferences, Firewall tab).


You can erase and reformat your HDD until you are blue in the face. But that has nothing to do with someone getting through your router.

Dec 31, 2011 12:42 AM in response to X423424X

WPA2 encryption, SSID not broadcasted, DHCP leases limited to 1 (my IP), and various other settings and configurations other than factory default.


I know on a PC there's approximately 8MB on a HD that a hacker can use to copy files to use with remote access. If you erase your HD and reinstall Windows, this 8MB isn't affected and the hacker's files can remain and can therefore still be used to gain remote access ... do you know if this can be done with the EFI partition? Can I erase this partition (not delete)?


Thank you.

Dec 31, 2011 12:42 AM in response to Community User

Nothing you described so far suggests that anything at all was written to your Mac or that anyone had illicit access to your Mac. You're jumping to conclusions. You'd probably get better and faster help if you provided details of your setup.

There is an unknown MAC address connected to my modem/router

OK. Even the crappiest router these days comes with a MAC filter. If you know enough to see there's an unknown device connected to the router, why didn't you simply kick the ******* out -- turn on the MAC filter and allow only known MACs to connect? MAC addresses can be spoofed relatively easily, but it's a first step. And what has it got to do with your Mac anyway?

My router is locked down

What does that mean?

my computer was kicked off and assigned the IP of 169.254.69.27

That's a link-local IP. Probably self-assigned by Bonjour -- because, for some reason, it couldn't get one from the router (for any number of reasons). Doesn't really tell us anything.

I reconnected the unknown MAC address showed back up

Well, we don't really know anything about your setup. But let's assume you have w/less router and suspect a hacker is stealing bandwidth through Wi-Fi. Any decent router should have an option to turn Wi-Fi off (not turn off SSID broadcasting, but turn Wi-Fi off altogether). So connect to the router with an Ethernet cable, turn off Wi-Fi, then configure it to your heart's content -- set strong passwords, turn on the MAC filter (btw, I'd try to make quite sure that the unknown MAC address wasn't from one of my own devices -- do you own a smartphone?), and so on. Then turn Wi-Fi back on with WPA2 on -- that's sine qua non.

Dec 31, 2011 1:15 AM in response to fane_j

I think we've gotten a little off track here. Can anyone please take a look at my original question and answer it?


I understand I could be completely wrong about having a hacker, but at the moment I believe I do and TW agrees with me ... we just can't determine how he/she's getting in. I do know what he/she is/was after and have deleted the data (please don't ask, it's not relevant). I know every MAC address for every device in my home including cell phones, gaming consoles, Apple TVs etc. MAC spoofing is something this hacker is well adept at and loved using my iPhone and iPad MAC addresses as if they were their own. Today I have one computer attached to the modem/router (combo) and I know its MAC address. I'm aware this information probably doesn't provide you with much more knowledge about my situation.


However, I know on a PC there's approximately 8MB on a HD that a hacker can use to copy files to use with remote access (or whatever they desire). If you erase your HD and reinstall Windows, this 8MB isn't affected and the hacker's files will remain and can therefore still be used to gain remote access ... do you know if this can be done with the EFI partition? Can I erase this partition (not delete)?


Thank you for your help.

Dec 31, 2011 1:23 AM in response to Community User

A hacker can only access your system if you have software running that can allow access to it.


The main thing to do is lock down your network.


1 - Use wpa2 security, and change the password to a strong password, this will stop him being able to access the wifi router directly.

2 - disable the internet temporarily (leave your lan on) and see which apps are trying to access the internet, or listening to the internet, and then check what these applications are, search google for apps to do this.

3 - once you're happy everything is ok, open your internet connection and check the apps again.


One main thing here is to find out how they are talking to the computers; make sure you have turned off bluetooth network and wifi on devices that have it open for sharing, this is the easiest way into your network.


Best thing find an app that can see what applications and processes are accessing your network.

Once you have everything locked down, then change all your passwords and security questions on all your accounts, itunes, emails, everything.


Then you should be able to sleep better.


Ohh also check for secondary emails and auto forwarding of mail in your web mails, if your email gets compromised one easy way they can still get your data is if they have setup a permission to forward all emails to another email address, so always check forwarders and secondary emails on all accounts.


Hope this helps

Dec 31, 2011 1:41 AM in response to paulfromathens

When Tracey mentions those 8Mb on a Windows PC any hacker can access, I suppose she's referring to the Master Boot Record. EFI isn't the Mac equivalent of a PC's MBR; it's something else entirely. An Intel Mac is firmware-protected, and whereas an MBR can be overwritten or edited at will, you could zero out your whole drive a million times, and not delete, or even touch, the EFI partition (about 200Mb in size). In effect, EFI is branded by Apple on Apple machines. More info on the subject here: http://refit.sourceforge.net/myths/


Now, your MAC address problems. I agree with those who say that hacking into a WPA-protected network is possible, but it's not that easy. Please remember that EVERY electronic component has a MAC address. Your router included. Can you describe exactly how your network is set up? How many devices? What are your DSL line characteristics, bandwidth-wise? When connected in Ethernet, do you still see that unknown MAC address showing?

Dec 31, 2011 1:43 AM in response to Community User

TraceyHamilton wrote:


PC there's approximately 8MB on a HD that a hacker can use

Is this about the last cylinder? This is not a Win forum, but could you please elaborate? (Just a link to a source would do.)

do you know if this can be done with the EFI partition?

According to TN2166, the EFI system partition (ESP) is, at present, not used by Apple. (The note dates to 2006, but I found no indication that it has been deprecated.) So I assume you could delete it. I don't think it would be wise to do so, because, even though it's not used, it's expected to be there, and who knows what could happen if it isn't. I don't know if ESP survives formatting the disk -- from TN2166 I would assume not, but I can't be sure. However, you can destroy any data on it, thus: change the partition type to MBR, format the disk as FAT32, then change the partition map back to GPT and format it as JHFS+. There's no ESP in MBR, so that's that.

Can I erase this partition (not delete)?

I don't see why not. I would use eraseVolume. Btw, when you do


$ diskutil info /dev/disk0s1


what do you get?


Keep in mind that the theory of a hacker storing data on ESP doesn't make much sense to me. OK, assume it's done, so what? Nothing there or anywhere else can be executed automatically, without some mechanism in the OS to do so. Once you erase the disk and re-install a brand-new OS, anything the hacker might have installed to load something from ESP is gone. Maybe his data is still on the ESP (I don't think so, but let's assume it to be so), but there's no way to execute it or to get at it -- unless the hacker gains again access to your Mac in some way that doesn't involve ESP.

WPA2 encryption

That's good, but there are still no details about your setup -- and still I see no indication that your Mac has been compromised.

Dec 31, 2011 2:00 AM in response to FrenchToast

FrenchToast wrote:


you could zero out your whole drive a million times, and not delete, or even touch, the EFI partition (about 200Mb in size). In effect, EFI is branded by Apple on Apple machines. More info on the subject here: http://refit.sourceforge.net/myths/

The information in the link given is quite accurate, but there's nothing there about 'not touching' the EFI system partition. One should make very clear the distinction between EFI and ESP (EFI system partition). When formatting a disk >2GB with the GPT map, ESP is the first partition and it's about 200MB. However, nothing is installed on it, not even a file system. The raison d'être of the ESP is to hold boot-time device drivers for EFI, this function is supported by Mac firmware; but it is simply not used at present, and no Apple tool makes use of ESP. EFI on Macs is in BootROM, while the boot loader is on the partition selected through BootROM.

Dec 31, 2011 2:13 AM in response to fane_j

fane_j wrote:


FrenchToast wrote:


you could zero out your whole drive a million times, and not delete, or even touch, the EFI partition (about 200Mb in size). In effect, EFI is branded by Apple on Apple machines. More info on the subject here: http://refit.sourceforge.net/myths/

The information in the link given is quite accurate, but there's nothing there about 'not touching' the EFI system partition. One should make very clear the distinction between EFI and ESP (EFI system partition). When formatting a disk >2GB with the GPT map, ESP is the first partition and it's about 200MB. However, nothing is installed on it, not even a file system. The raison d'être of the ESP is to hold boot-time device drivers for EFI, this function is supported by Mac firmware; but it is simply not used at present, and no Apple tool makes use of ESP. EFI on Macs is in BootROM, while the boot loader is on the partition selected through BootROM.

What I've highlighted in your last post is quite right: most users think that erasing their hard drive will also delete boot sectors and EFI partitions. By 'not touching', I meant just that: zeroing out an Intel Mac hard drive will have no effect on the ESP, whose sole purpose on modern Intel Macs is to host firmware update files prior to installing them on next boot. As I said, an Intel Mac is controlled at firmware level, and even accessing the ROM content is (fortunately) no easy task, let alone editing it. You need some serious tools to do so, and at your own risk, at that.


This doesn't fix Tracey's problem: if she does have an intruder in her home network, it means she has to find a way to secure said network. WPA2 is certainly a start, and safe use a pre-requisite: with numerous devices connected to her router at any given time, up goes the risk of letting some unwanted presence in the network. That's why I'd like to know the exact nature of all devices connecting to this network, whether via WiFi or otherwise.

Dec 31, 2011 4:17 AM in response to Community User

TraceyHamilton wrote:


I think we've gotten a little off track here.

Mm. You go to a zoologist and tell him, "I've found this new species of camel with three humps. But forget all that, just tell me if camels eat grass"…


So you have this hacker who not only juggles MAC addresses -- that's ho-hum -- but breaks WPA2 and uses the ESP to store his stuff? Maybe it's because I'm just an average user and don't know any better, but this sounds fairly sensational to me. Sorry, but we'd be less (or more) than human if we just forgot all about it and concentrated on the rather mundane details of ESP.

Dec 31, 2011 4:48 AM in response to FrenchToast

FrenchToast wrote:


ESP, whose sole purpose on modern Intel Macs is to host firmware update files prior to installing them on next boot.

I'm sorry, but I'm afraid I can't agree. TN2166 states unambiguously: "The EFI firmware in Macintosh computers fully supports the ESP, although Apple does not currently use it for anything". (The stress is mine.) The rEFIt page agrees: "Mac OS X doesn’t actually use it; the EFI System Partition is completely empty on a standard Intel Mac". I would add, it's not just empty, but it doesn't even have a file system, so it's impossible to store anything on it. Of course, it's perfectly possible that this has changed, but where is this change documented? The rEFIt page states about firmware updates that, "some people believe they require the EFI System Partition to be present". The operative words here are "believe" and "present" -- there's nothing about storing updates on it.

zeroing out an Intel Mac hard drive will have no effect on the ESP

Again, with respect, I beg to differ. I should expect that, if one erases a drive (not a volume on the drive, but the whole drive), all partitions, including ESP, will be erased. I cannot demonstrate it now, but I see nothing in TN2166 or anywhere else to indicate that ESP has a special status in this regard. Of course, I'm perfectly willing to be proven wrong.


Well folks, that's it for me. I'm signing off. The Glühwein is ready, the table is set, so, it's


HAPPY NEW YEAR, MACOPHILES!

Jan 1, 2012 9:29 PM in response to Community User

OK, the champagne has been drunk, the cake has been eaten, so, ladies and gentlemen, it's back to our scheduled broadcast.


Here's what I tried.


(1) I took a 4GB FAT32-formatted SanDisk Cruzer Edge Media USB thumb drive. (Attached as disk1.)


(2) I used Disk Utility > [select drive] > Erase > Mac OS Extended (Journaled). DU re-formatted the drive, automatically changing partition map scheme to GPT.


(3) $ diskutil list shows that an EFI System Partition (ESP) was created as disk1s1. $ diskutil info says unambiguously "File System: None".


(4) I used diskutil to create a FAT partition on ESP, giving it the name "ESP"


$ diskutil eraseVolume MS-DOS ESP disk1s1


The operation was successful, and the new volume automatically mounted. It behaved in Finder just like any other volume.


(5) I copied some files on it in Finder. No problem.


(6) Again in Disk Utility, same action as in (2).


(7) Repeat (3). So, an ESP was created, without ANY file system. Which means that whatever data I placed there in step (5) is gone. For good. Poof!


(8) I used Disk Utility > [select drive] > Erase > MS-DOS (FAT). DU re-formatted the drive, automatically changing partition map scheme to MBR.


(9) $ diskutil list shows only one partition on the drive, the DOS_FAT_32 partition. There's no EFI System Partition.


AFAIC, this is conclusive.


(a) The notion that the EFI System Partition survives a re-formatting of the drive is a MYTH. Even re-formatting the drive without changing the partition map scheme erases any data on ESP.


(b) No EFI System Partition is created when the partition map scheme is MBR.


Caveats:


(1) The boot drive cannot be re-formatted, because the OS cannot allow the boot partition to be erased. Thus, to be absolutely sure all data on ESP is destroyed, one has to boot from another device.


(2) Every time I tried it, on my system, Disk Utility changed the partition map scheme from GPT to MBR and vice-versa automatically. Other users do not see this behaviour; they report that the partition map scheme must be set manually -- see


<https://discussions.apple.com/thread/3600212>


I don't know how to account for this difference. But, as it exists, it is not beyond the realm of possibility that there are other differences as well; and that one of them could be that Disk Utility does not erase ESP automatically. I doubt it very much, but it is not impossible. However, eraseVolume should obliterate any data on ESP, and the ESP itself is destroyed if the partition map scheme is changed, manually or automatically, to MBR.


(3) According to Wikipedia (accessed today), Macs do use ESP "as a staging area for firmware updates". However, the Apple KB HT2434 document cited in support says nothing of the kind -- it merely states that firmware updates will not install on a Mactel if the boot drive partition map is not GPT. Other sources given are an Intel Developer Forum presentation (which has no reference to Macs), and a posting on <ubuntuforums.org>, which I could not access.
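To put the partition-map question in the experiment above on a concrete footing, here is an added Python example, not from this thread or from Apple: it parses a raw disk image's partition map, verifies the GPT header and entry CRCs, and reports whether an EFI System Partition entry exists at all. The disk images are constructed inside the code (a minimal GPT with four entry slots instead of the usual 128, and an MBR-only disk with one FAT32 partition); the partition type GUIDs are the standard UEFI ESP and Apple HFS+ values.

```python
import struct, uuid, zlib

SECTOR = 512
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")      # UEFI spec ESP type
HFSPLUS_GUID = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")  # Apple HFS+ type
TYPE_NAMES = {ESP_GUID: "EFI System Partition", HFSPLUS_GUID: "Apple HFS+"}

def _crc(b): return zlib.crc32(b) & 0xFFFFFFFF

def parse_partition_map(image):
    """Return (scheme, [(name, type, first_lba, last_lba), ...]) for a raw disk image."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":  # plain MBR map: four 16-byte slots at offset 446, no ESP possible
        parts = []
        for off in range(446, 510, 16):
            ptype = image[off + 4]
            if ptype:
                first, count = struct.unpack_from("<II", image, off + 8)
                parts.append(("", "MBR type 0x%02X" % ptype, first, first + count - 1))
        return "MBR", parts
    hsize, hcrc = struct.unpack_from("<II", hdr, 12)
    if _crc(hdr[:16] + bytes(4) + hdr[20:hsize]) != hcrc:  # CRC is computed with its own field zeroed
        raise ValueError("GPT header CRC mismatch")
    entries_lba, nentries, esize, ecrc = struct.unpack_from("<QIII", hdr, 72)
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + nentries * esize]
    if _crc(table) != ecrc: raise ValueError("GPT partition entry CRC mismatch")
    parts = []
    for i in range(nentries):
        e = table[i * esize:(i + 1) * esize]
        tguid = uuid.UUID(bytes_le=e[:16])
        if tguid.int == 0: continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\0")
        parts.append((name, TYPE_NAMES.get(tguid, str(tguid)), first, last))
    return "GPT", parts

def esp_entries(image):  # the ESP slot(s) on the disk; empty for an MBR-mapped disk
    return [p for p in parse_partition_map(image)[1] if p[1] == "EFI System Partition"]

def build_gpt_image(layout, total_lba=1_000_000):
    """Constructed minimal GPT image: protective MBR, header, 4 entry slots (real disks use 128)."""
    entries = b""
    for i, (tguid, name, first, last) in enumerate(layout):
        entries += tguid.bytes_le + uuid.UUID(int=i + 1).bytes_le + struct.pack("<QQQ", first, last, 0)
        entries += name.encode("utf-16-le").ljust(72, b"\0")
    entries = entries.ljust(4 * 128, b"\0")
    hdr = struct.pack("<8sIIII", b"EFI PART", 0x00010000, 92, 0, 0)
    hdr += struct.pack("<QQQQ", 1, total_lba - 1, 34, total_lba - 34) + uuid.UUID(int=99).bytes_le
    hdr += struct.pack("<QIII", 2, 4, 128, _crc(entries))
    hdr = hdr[:16] + struct.pack("<I", _crc(hdr)) + hdr[20:]
    mbr = bytes(446) + bytes(4) + b"\xEE" + bytes(3) + struct.pack("<II", 1, 0xFFFFFFFF)  # protective 0xEE
    return mbr.ljust(510, b"\0") + b"\x55\xAA" + hdr.ljust(SECTOR, b"\0") + entries

def build_mbr_image():  # constructed MBR-only image: one FAT32 (0x0C) partition, nothing else
    entry = bytes(4) + b"\x0C" + bytes(3) + struct.pack("<II", 2048, 100_000)
    return (bytes(446) + entry).ljust(510, b"\0") + b"\x55\xAA"
```

The sample GPT layout below uses Apple's customary ESP placement (sectors 40 to 409639, about 200 MB), so the parser's output matches what `diskutil list` reports for disk0s1 on a GPT-mapped Mac drive.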
