rswc90

Q: iMac (Mavericks) hacked by remote user

A couple of weeks ago I noticed my camera on - as I approached the computer it shut off. I thought that maybe a family member started to FaceTime me and changed their mind (there was no ringing). That happened 2 times. I forgot to ask anyone about it.

 

A week later, my PayPal account was broken into, as was my bank account connected to PayPal. They took more than $2000.00. PayPal has not yet explained how this happened.

 

3 days ago, early on Sunday morning, I saw my computer screen lit up and all these windows opening and closing. At first I was unsure that I was actually seeing what was happening. Then I bumped the mouse and the windows started to close...fast. It finally hit me that someone was "there." I turned off the wifi (no cable connected) - then I went to the trash to see what was there -- nothing. So I opened up the browser history and saw all my bank accounts listed. I checked my e-mail and saw all these alerts from my banks stating that someone had incorrectly answered the security questions -- in 4 banks. They DID get into an old credit card account online. I communicated with all my banks. I also have emailed DYN.com as I use(d) their services for years -- as a paid subscriber, I thought they would respond to me -- I was wondering if that is how the remote access occurred. I have heard nothing from them either...

 

I looked in settings and an added user "Mrs Tester" had been added as an admin. I deleted the account, unchecked remote login and screen share. I also changed my home network code and base station code. I NEED remote login for my work. I called Apple security and the guy told me that I had already done everything they would tell me to do. I have the hacker's history (bitcoins were the accounts he was going back to after each attempt at a bank) -- of course I have changed all my pass codes and made them all unique -- do I call the police? How can I tell if my computer is safe again?

So there's my question...how do I scan to see if there's anything on my system logging my key strokes etc.? I installed an "eset" trial, as was recommended by the local computer store. Any other thoughts? With all the password changes, is there a way I can get back online and use remote login?

 

I have to say, I feel like a naked man has been staring at me from outside my window... YUCK.

 

Thanks for your help...

Posted on Jun 4, 2014 4:22 PM
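The two things the original poster found by hand (an administrator account they never created, and Remote Login left enabled) written as a small audit script. This is an added example, not code from the thread; the command names are the standard OS X ones, but the output formats parsed, the account names and the sample output are assumed and constructed.

```python
"""Audit a Mac for an unexpected administrator account and for Remote Login
(SSH) being enabled. Added example, not from the thread. It parses the text
that these OS X commands print (assumed output formats):
  dscl . -read /Groups/admin GroupMembership   -> "GroupMembership: root alice"
  systemsetup -getremotelogin                  -> "Remote Login: On"
It runs offline on the constructed sample output below; on a real Mac,
run_live() feeds it the live command output instead.
"""
import re
import subprocess


def parse_admin_members(dscl_output):
    """Extract the admin group's member names from dscl output."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def unexpected_admins(dscl_output, expected):
    """Admin accounts that are not on the owner's known-good list."""
    return parse_admin_members(dscl_output) - set(expected)


def remote_login_enabled(systemsetup_output):
    """True if systemsetup reports 'Remote Login: On'."""
    m = re.search(r"Remote Login:\s*(On|Off)", systemsetup_output)
    return bool(m and m.group(1) == "On")


def audit(dscl_output, systemsetup_output, expected_admins):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    extra = unexpected_admins(dscl_output, expected_admins)
    if extra:
        findings.append("unexpected admin account(s): " + ", ".join(sorted(extra)))
    if remote_login_enabled(systemsetup_output):
        findings.append("Remote Login (SSH) is enabled")
    return findings


# Constructed sample output mirroring the thread: the owner's account plus an
# account the owner never created, and Remote Login left switched on.
SAMPLE_DSCL = "GroupMembership: root rswc90 mrstester\n"
SAMPLE_SYSTEMSETUP = "Remote Login: On\n"
KNOWN_ADMINS = {"root", "rswc90"}  # constructed known-good list


def run_live(expected_admins):
    """On a real Mac: run both commands (systemsetup needs sudo) and audit them."""
    dscl = subprocess.run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
                          capture_output=True, text=True).stdout
    ss = subprocess.run(["systemsetup", "-getremotelogin"],
                        capture_output=True, text=True).stdout
    return audit(dscl, ss, expected_admins)


if __name__ == "__main__":
    for finding in audit(SAMPLE_DSCL, SAMPLE_SYSTEMSETUP, KNOWN_ADMINS):
        print("FINDING:", finding)
```

A clean result only says these two settings look right; it is not a substitute for the clean reinstall the thread ends up recommending.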

  • John Galt, Level 9 (50,075 points), Mac OS X, Jun 22, 2014 7:31 PM in response to Loner T

    Loner T wrote:

     

    Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

     

    Of course. So can everything else.

  • Loner T, Level 7 (24,601 points), Safari, Jun 22, 2014 7:44 PM in response to John Galt

    John Galt wrote:

    Loner T wrote:

     

    Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

     

    Of course. So can everything else.

    In general, Internet connectivity is dangerous. I am suggesting that whether it is Google or Apple, Windows or OS X or Android, there is no real bug-free piece of code. For example gotofail.com.


    But this does not help the OP. Mr. Hoffman seems very capable of a forensic investigation.

  • John Galt, Level 9 (50,075 points), Mac OS X, Jun 22, 2014 8:00 PM in response to Loner T

    Is there a reason you are replying to my posts?

  • Linc Davis, Level 10 (208,022 points), Applications, Jun 22, 2014 8:11 PM in response to rswc90

    You've been connecting to a VPN. If there really has been a network intrusion, that's the only means for it that I can see.

  • MadMacs0, Level 5 (4,801 points), Jun 22, 2014 10:43 PM in response to rswc90

    rswc90 wrote:

     

    Now, also, JAVA has been removed (or was never installed?!) on my MB Air and many things will not run. Even airline websites to book flights need java.  I have now updated JAVA on my iMac (the computer where I saw the hacker working) -

    Are you sure you are talking about Java and not JavaScript? They are two totally unrelated technologies. I used to fly on a lot of different airlines and I never once needed Java to book a flight or do anything else on the site, but I certainly did need JavaScript for many, many sites, including this one. If you need Java to run applications on your MBA, that's different, and there has not been any known use of Java applications in a malicious manner. That's different from using Java with your browser. If you must do the latter, just make sure to carefully manage the sites you use it on using your browser settings. For Safari that would be in Safari Preferences->Security->Manage Website Settings... button and choose the Java Plugin.

     

    In any case, there have been no known spyware attacks on Macs using Java, so even though it can and has been used as a malware installer, I don't think it plays any role in your current issue.

  • Loner T, Level 7 (24,601 points), Safari, Jun 23, 2014 3:50 AM in response to John Galt

    John Galt wrote:

     

    Is there a reason you are replying to my posts?

    I am gently trying to suggest that maligning one company/product/software vs another may be misconstrued. All software has bugs, no matter which company sells it. Google or Apple or Microsoft or Samsung, all have challenges in this space of security and privacy.

  • MrHoffman, Level 6 (15,637 points), Mac OS X, Jun 23, 2014 6:17 AM in response to Loner T

    Loner T wrote:

     

    Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

     

    Clarification: Keychain does not have an administrative override and an administrative user cannot see the Keychain-protected data.  Keychain encrypts all data using the user's own password.  Now if there's a keylogger or similar intercept add-on software installed — which does involve administrative access or finding a serious hole in OS X Security — then the attacker has the password for the keychain.  If the attacker has administrative or so-called root access, then the attacker has anything and everything else on the system.   Keychain breaches are also possible if the attacker has a copy of the data somehow (such as from an unencrypted backup acquired from a cloud service, or from a backup disk that's been stolen), and can perform a brute-force attack and can successfully find the password. 


    It's the potential for these keyloggers and weak passwords and other so-called backdoors — backdoors are paths that the remote accessor can regain access after a password change, for instance — that has led various folks here including John Galt and me to recommend the so-called nuke-and-pave approach.

     

    AFAIK, the public drop box and related technologies do not themselves allow the sort of remote access that would be required for an attacker to gain the level of access required for this attack.  (If that's possible, then I'd be interested in a link to some technical details or to a proof of concept for that; as likely would be Apple.)

     

    It's unlikely that the OpenSSL vulnerabilities — the so-called "Heartbleed" and the more recent updates to OpenSSL 0.9.8za — are involved here (though technically possible) as most OS X software does not use that package — most OS X applications will use the Secure Transport implementation — it was Secure Transport that was the location of the infamous "goto fail" bug — and not the OpenSSL transport. The older OpenSSL that is present is available for compatibility with older installed software packages, meaning most stuff does not use OpenSSL. Further, having a functioning NAT firewall makes attempting to exercise these OpenSSL attacks remotely against the client rather more difficult; you'd either need to catch and man-in-the-middle the outgoing connection, or catch the user accessing a badly breached web site, or establish port-forwarding in through the firewall. Which is possible, but not easy.

     

    Barring an existing local network compromise or an ISP-level DNS compromise (allowing the attacker to insinuate themselves in the outgoing network connections), remote user ingress via Network Accounts, Guest Access, and the public folders — even anything involving OpenSSL or Secure Transport — are all blocked by a functioning NAT firewall.


    There are many potential paths to a security breach — some such as getting the end user to install rogue software or a rogue update are easier than others — and figuring out which attack was used involves some digging around in the context of the system, assuming that the attacker has allowed that information to continue to exist in the compromised system and in the backups.  The usual path out involves a reset and a reinstallation, and properly-chosen new passwords everywhere (chosen to avoid the current best-available brute-force password attacks) and to digital certificates and passphrases where those are available and permitted.

  • John Galt, Level 9 (50,075 points), Mac OS X, Jun 23, 2014 7:11 AM in response to Loner T

    I am gently trying to suggest that maligning one company/product/software vs another may be misconstrued. All software has bugs, no matter which company sells it. Google or Apple or Microsoft or Samsung, all have challenges in this space of security and privacy.

     

    Try harder.

     

    Apple's business model does not depend on collecting personal data. Apple has no interest in amassing personal information about their customers, while Google's business model is to collect and sell it to others. Google derives nearly all its revenue from doing so, while Apple derives substantially all their revenue from selling hardware specifically designed to protect one's personal information and keep it secure from unauthorized others.

     

    Apple's products are exactly what they appear to be, whereas Google's product is the user - hundreds of millions of them around the world sufficiently lacking in mental acuity who believe they are using a product "for free". There is an inexhaustible supply of them. As business models go, it's brilliant.

     

    Samsung merely copies Apple, admittedly, and badly.

     

    I don't know what Microsoft does.

  • Loner T, Level 7 (24,601 points), Safari, Jun 23, 2014 7:49 AM in response to John Galt

    John Galt wrote:

     

    Apple's products are exactly what they appear to be, whereas Google's product is the user - hundreds of millions of them around the world sufficiently lacking in mental acuity who believe they are using a product "for free". There is an inexhaustible supply of them. As business models go, it's brilliant.

    Passing judgement on the mental acuity of a user is fraught with pitfalls and assumes that the user is "dumb" enough to become an unsuspecting victim. I beg to differ. This tangent is probably best discussed in a separate thread, without hijacking this one.

     

    Mr Hoffman wrote:

     

    It's the potential for these keyloggers and weak passwords and other so-called backdoors — backdoors are paths that the remote accessor can regain access after a password change, for instance — that has led various folks here including John Galt and me to recommend the so-called nuke-and-pave approach.

     

    Such an approach also requires a change in user habits, otherwise the user will arrive at the same juncture again. OP has shown willingness to do this well.

     

    I think we should let OP have their thread back. Security of information and privacy perhaps need a separate discussion.

     

    Hopefully, both John and you agree. Always something new to learn. Thank you, both.

  • rswc90, Level 1 (10 points), Desktops, Jun 27, 2014 3:08 PM in response to rswc90

    UPDATE:

     

    I just finished reinstalling from a CLEAN INSTALL -- I am certain I have tons of programs that I used and have lost BUT -- I wiped the computer clean 3 times! Then downloaded and reinstalled Mavericks. I am slowly adding back the mail accounts, calendar stuff and all the programs that come initially installed (like iMovie and iPhoto) that are NOT installed again when Mavericks is reinstalled.

     

    Thank you all for your thoughts and patience for this newbie. I am out several hundred $$, as PayPal will NOT reimburse me.

     

    I have the IP address of one of the hackers (my bank captures them with every login!) but the police laughed at me when I tried to share my info. They don't care. They don't investigate.

     

    My Social Security.gov password was changed a week ago (NOT BY ME) so I changed it to a random passcode. Little by little...paso a paso!

     

    Thanks...

  • thomas_r., Level 7 (30,934 points), Mac OS X, Jun 27, 2014 5:09 PM in response to rswc90

    rswc90 wrote:

     

    I have the IP address of one of the hackers (my bank captures them with every login!) but the police laughed at me when I tried to share my info. They don't care. They don't investigate.

     

    That IP address is most likely of no use to the local police. It's almost certainly well outside their jurisdiction... it may not even be in the same country.

     

    Plus, it probably would just trace to a coffee shop or a library or somewhere, and not to a location that could be linked to the hacker. Only a very dumb hacker does his hacking from his home.

  • Loner T, Level 7 (24,601 points), Safari, Jun 27, 2014 6:22 PM in response to rswc90

    rswc90 wrote:

     

    UPDATE:

     

    I just finished reinstalling from a CLEAN INSTALL -- I am certain I have tons of programs that I used and have lost BUT -- I wiped the computer clean 3 times! Then downloaded and reinstalled Mavericks. I am slowly adding back the mail accounts, calendar stuff and all the programs that come initially installed (like iMovie and iPhoto) that are NOT installed again when Mavericks is reinstalled.

    I would also suggest that you either get rid of or get any or all of your backups also removed to prevent accidental restores in the future. It is a lot of unrewarding work, but should be somewhere on your recovery checklist.

     

    rswc90 wrote:

    I am out several hundred $$, as PayPal will NOT reimburse me.

     

    I suggest that you escalate this over the phone with PayPal support. This motivates me to stop any business with PayPal and its affiliates.

     

    rswc90 wrote:

     

    I have the IP address of one of the hackers (my bank captures them with every login!) but the police laughed at me when I tried to share my info. They don't care. They don't investigate.

     

    The IP address that websites see is usually a public routable IP that may hide hundreds or thousands of private IPs using a technique called Network Address Translation (NAT), very similar to your home network. You can have tens of devices, but your connection to the public Internet usually goes through your ISP, which gives you a single IP. It need not be static either, so many customers may have it in use at distinct points in time using something called DHCP. Your ISP is your DHCP server and the equipment at your house is the DHCP client. You can find out more, if you are interested in such stuff.

     

    The ISP that provides such DHCP IP leases may track the device that has a specific IP over a period of time, but unless Law Enforcement requests it, ISPs are not required to provide that to LE.

     

    Also, hackers usually come through many "slave" computers which may also be infected, so tracing them through is a hard task. From an LE perspective, unless you have lost millions of dollars, it may not be cost effective for LE to look for such culprits. You can always persevere and see if your efforts will be rewarded. If there are hundreds of such complaints which point to a group of hackers, then they may do something. I am not justifying their lack of interest in your plight, but looking at the problem from a different perspective.

     

    Your bank, if attacked, for example by such hacker(s) may go after them and get LE involved in such an endeavor.

     

    rswc90 wrote:

     

    little by little...paso a paso!

     

    Thanks...

    It is heartening to note that you are willing and brave to start all over again, whether by choice or circumstance. Some may just be disheartened and daunted by a second foray back into the cesspool.

  • rswc90, Level 1 (10 points), Desktops, Jun 30, 2014 6:42 AM in response to rswc90

    UPDATE:

    I have done a clean install, changed pass codes etc. - lost ALL my programs that are not Apple products. Many of them were downloaded, like Adobe Professional 8 - and do not seem to be available now online -- am I risking security if I reinstall Adobe 8 from my Time Machine? I have never done that, and TM is turned off right now - I have many, many programs just like this - I didn't even know I used them until now - when I try to open something and it says there is no program assigned to open it! Any thoughts? Thanks.

  • thomas_r., Level 7 (30,934 points), Mac OS X, Jun 30, 2014 7:28 AM in response to rswc90

    You cannot reliably restore an app like this from Time Machine. You can restore the app itself, but you will have difficulty finding and restoring all the various support files that it requires. And that's assuming it's safe, which cannot be guaranteed.

     

    You will need to reinstall this software from scratch. If you no longer have the install disks, that will be a problem. You'll either need to find a used copy of Adobe Professional 8 on eBay, or upgrade to newer Adobe products that are equivalent. If you purchased it as a download originally, and you still have the serial number, you can try contacting Adobe about re-downloading it.

  • rswc90, Level 1 (10 points), Desktops, Jun 30, 2014 7:37 AM in response to thomas_r.

    Been there -- done that -- Adobe is not responding to my emails. thanks anyway...
