Q: iMac (Mavericks) hacked by remote user

Loner T wrote:

 

Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

Of course. So can everything else.

John Galt wrote:

Loner T wrote:

 

Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

 

Of course. So can everything else.

In general, Internet connectivity is dangerous. . I am suggesting that Google or Apple, Windows or OSX or Android, there is no real bug-free piece of code. For example gotofail.com.

But this does not help the OP. Mr. Hoffman seems very capable of a forensic investigation.

Is there a reason you are replying to my posts?

You've been connecting to a VPN. If there really has been a network intrusion, that's the only means for it that I can see.

rswc90 wrote:

 

Now, also, JAVA has been removed (or was never installed?!) on my MB Air and many things will not run. Even airline websites to book flights need java.  I have now updated JAVA on my iMac (the computer where I saw the hacker working) -

In any case, there have been no known spyware attacks on Macs using Java, so even though it can and has been used as a malware installer, I don't think it plays any role in your current issue.

John Galt wrote:

 

Is there a reason you are replying to my posts?

I am gently trying to suggest that maligning one company/product/software vs another may be misconstrued. All software has bugs, no matter which company sells it. Google or Apple or Microsoft or Samsung, all have challenges in this space of security and privacy.

Loner T wrote:

 

Passwords saved in Safari can be seen in cleartext using Admin privileges and Keychain.

Clarification: Keychain does not have an administrative override and an administrative user cannot see the Keychain-protected data.  Keychain encrypts all data using the user's own password.  Now if there's a keylogger or similar intercept add-on software installed — which does involve administrative access or finding a serious hole in OS X Security — then the attacker has the password for the keychain.  If the attacker has administrative or so-called root access, then the attacker has anything and everything else on the system.   Keychain breaches are also possible if the attacker has a copy of the data somehow (such as from an unencrypted backup acquired from a cloud service, or from a backup disk that's been stolen), and can perform a brute-force attack and can successfully find the password. 

It's the potential for these keyloggers and weak passwords and other so-called backdoors — backdoors are paths that the remote accessor can regain access after a password change, for instance — that has led various folks here including John Galt and me to recommend the so-called nuke-and-pave approach.

AFAIK, the public drop box and related technologies do not themselves allow the sort of remote access that would be required for an attacker to gain the level of access required for this attack.  (If that's possible, then I'd be interested in a link to some technical details or to a proof of concept for that; as likely would be Apple.)

It's unlikely that the OpenSSL vulnerabilities — the so-called "Heartbleed" and the more recent updates to OpenSSL 0.9.8za — are involved here (though technically possible) as most OS X software does not use that package — most OS X applications will use the Secure Transport implementation — it was Secure Transport that was the location of the infamous "goto fail" bug — and not the OpenSSL transport.  The older OpenSSL that is present is available for compatibility with older installed software packages, meaning most stuff does not use OpenSSL.  Further, having a functioning NAT firewall makes attempting to exercising these OpenSSL attacks remotely against the client rather more difficult; you'd either need to catch and man-in-the-middle the outgoing connection, or catch the user accessing a badly breached web site, or establish port-forwarding in through the firewall.  Which is possible, but not easy.

Barring an existing local network compromise or an ISP-level DNS compromise (allowing the attacker to insinuate themselves in the outgoing network connections), remote user ingress via Network Accounts, Guest Access, and the public folders — even anything involving OpenSSL or Secure Transport — are all blocked by a functioning NAT firewall.

There are many potential paths to a security breach — some such as getting the end user to install rogue software or a rogue update are easier than others — and figuring out which attack was used involves some digging around in the context of the system, assuming that the attacker has allowed that information to continue to exist in the compromised system and in the backups.  The usual path out involves a reset and a reinstallation, and properly-chosen new passwords everywhere (chosen to avoid the current best-available brute-force password attacks) and to digital certificates and passphrases where those are available and permitted.

I am gently trying to suggest that maligning one company/product/software vs another may be misconstrued. All software has bugs, no matter which company sells it. Google or Apple or Microsoft or Samsung, all have challenges in this space of security and privacy.

Try harder.

Apple's business model does not depend on collecting personal data. Apple has no interest in amassing personal information about their customers, while Google's business model is to collect and sell it to others. Google derives nearly all its revenue from doing so, while Apple derives substantially all their revenue from selling hardware specifically designed to protect one's personal information and keep it secure from unauthorized others.

Apple's products are exactly what they appear to be, whereas Google's product is the user - hundreds of millions of them around the world sufficiently lacking in mental acuity who believe they are using a product "for free". There are an inexhaustible supply of them. As business models go, it's brilliant.

Samsung merely copies Apple, admittedly, and badly.

I don't know what Microsoft does.

John Galt wrote:

 

Apple's products are exactly what they appear to be, whereas Google's product is the user - hundreds of millions of them around the world sufficiently lacking in mental acuity who believe they are using a product "for free". There are an inexhaustible supply of them. As business models go, it's brilliant.

 

Passing judgement on the mental acuity of a user is fraught with pitfalls and assumes that the user is "dumb" enough to become an unsuspecting victim. I beg to differ. This tangent is probably best discussed in a separate thread, without hijacking this one.

Mr Hoffman wrote:

 

It's the potential for these keyloggers and weak passwords and other so-called backdoors — backdoors are paths that the remote accessor can regain access after a password change, for instance — that has led various folks here including John Galt and me to recommend the so-called nuke-and-pave approach.

Such an approach also requires a change in user habits, otherwise the user will arrive at the same juncture again. OP has shown willingness to do this well.

I think we should let OP have their thread back. Security of information and privacy perhaps need a separate discussion.

Hopefully, both John and you agree. Always something new to learn. Thank you, both.

rswc90 wrote:

 

I have the IP address of one of the hackers (my bank captures them with every login!) but the police laughed at me when I tried to share my info. They don't care. they don't investigate.

That IP address is most likely of no use to the local police. It's almost certainly well outside their jurisdiction... it may not even be in the same country.

Plus, it probably would just trace to a coffee shop or a library or somewhere, and not to a location that could be linked to the hacker. Only a very dumb hacker does his hacking from his home.

rswc90 wrote:

 

UPDATE:

 

I just finished reinstalling from a CLEAN INSTALL -- I am certain I have tons of programs that I used and have lost BUT -- I wiped the computer clean 3 times! Then downloaded and reinstalled Mavericks. I a slowly adding back the mail accounts, calendar stuffs and all the programs that come initially installed (like iMovie and iPhoto) that are NOT installed again when Mavericks is reinstalled.

 

I would also suggest that you either get rid of or get any or all of your backups also removed to prevent accidental restores in the future. It is a lot of unrewarding work, but should be somewhere on your recovery checklist.

rswc90 wrote:

I am out several hundred $$, as PayPal will NOT reimburse me.

I suggest that you escalate this over the phone with PayPal support. This motivates me to stop any business with PayPal and it's affiliates.

rswc90 wrote:

 

I have the IP address of one of the hackers (my bank captures them with every login!) but the police laughed at me when I tried to share my info. They don't care. they don't investigate.

 

The IP address that websites see is usually a Public routable IP that may hide hundreds or thousands of private IPs using a technique called Network Address Translation (NAT), very similar to your home network. You can have tens of devices, but your connection to the Public Internet usually goes through your ISP which gives you a single IP. It need not be static either, so many customers may have it in use at distinct points in time using something called DHCP. The ISP you have is your DHCP server and the equipment at your house is the DHCP client. You can find out more, if you are interested in such stuff.

The ISP that provides such DHCP IP leases may track the device that has a specific IP over a period of time, but unless Law Enforcement requests it, ISPs are not required to provide that to LE.

Also, hackers usually come through many "slave" computers which may also be infected so tracing such through is a hard task. From an LE perspective, unless you have lost millions of dollars, it may not be cost effective for LE to look for such culprits. You can always persevere and see if your efforts will be rewarded. If there are hundreds of such complaints which point to a group of hackers, then they may do something. I am not justifying their lack of interest in your plight, but looking at the problem from a different perspective.

Your bank, if attacked, for example by such hacker(s) may go after them and get LE involved in such an endeavor.

rswc90 wrote:

 

little by little...paso a paso!

 

Thanks...

It is heartening to note that you are willing and brave to start all over again, whether by choice or circumstance. Some may just be disheartened and daunted by a second foray back into the cesspool.

You cannot reliably restore an app like this from Time Machine. You can restore the app itself, but you will have difficulty finding and restoring all the various support files that it requires. And that's assuming it's safe, which cannot be guaranteed.

You will need to reinstall this software from scratch. If you no longer have the install disks, that will be a problem. You'll either need to find a used copy of Adobe Professional 8 on eBay, or upgrade to newer Adobe products that are equivalent. If you purchased it as a download originally, and you still have the serial number, you can try contacting Adobe about re-downloading it.