HT202303: iCloud security and privacy overview

Learn about iCloud security and privacy overview
JaeDeLoach

Q: My root has been hacked along with my admin. I cannot perform any boot sequences as those are now password protected as well. Is there any way to use iCloud to take control back of my MacBook Pro? Running Yosemite 10.10.2 and have very limited permissions

My root has been hacked along with my admin. I cannot perform any boot sequences as those are now password protected as well. Is there any way to use iCloud to take control back of my MacBook Pro? Running Yosemite 10.10.2 and have very limited permissions.

OS X Yosemite (10.10.2)

Posted on Aug 4, 2015 3:57 PM


  • by Barney-15E,

    Barney-15E, Aug 4, 2015 7:52 PM in response to JaeDeLoach
    Level 8 (49,826 points)
    Mac OS X

    Think about who you allowed direct access to your Mac, then ask that person what they did.

    If that did not happen, please explain any other symptoms you are experiencing.

  • by Drew Reece,

    Drew Reece, Aug 4, 2015 10:17 PM in response to JaeDeLoach
    Level 5 (7,490 points)
    Notebooks

    Why do you think your Mac has been hacked?

    Specifically how do you know the root account & the admin account are affected? What evidence have you got?

    See if you recognise any of these screens; it is possible for a Mac to be locked via iCloud, in which case only your iCloud account may be compromised…

    About the screens you see when your Mac starts up - Apple Support

    Logging in to your iCloud account would be one way to confirm if the 'Find my Mac' feature has locked your Mac; have you checked that? Does this Mac have any history with another user, e.g. has it been purchased second hand etc?

  • by JaeDeLoach,

    JaeDeLoach, Aug 5, 2015 10:01 AM in response to Drew Reece
    Level 1 (0 points)

    Find my Mac is locked and pw protected. Command + R or any boot commands are pw protected. I am constantly getting fake pw requests from things like cloudd (DD at the end); there is also a whole series of these files under what's called launchd. I cannot access anything through permissions and my disk has been partitioned. I can keep going.... I am new to Mac, and this is my first one, but I am not new to navigating operating systems.

    My wife's ex-husband is a network engineer and this exact same thing happened when they broke it off with her mac and blackberry. I promise you I am not paranoid; although I know how this looks.... I will provide whatever evidence you need to help. I am on my work PC now though, and don't have access. Not to mention I know they are running a gatekeeper.

  • by KiltedTim,

    KiltedTim, Aug 5, 2015 10:11 AM in response to JaeDeLoach
    Level 9 (55,043 points)
    iPhone

    If what you suspect is true, and I'm not certain it is as your evidence is rather vague... you need to be talking to the police.

  • by Eric Root,

    Eric Root, Aug 5, 2015 10:55 AM in response to JaeDeLoach
    Level 9 (70,161 points)
    iTunes

    If you live near an Apple Store, make a Genius Bar appointment to have the computer tested. Supposedly there is no charge for testing. Use 2nd link if not near an Apple Store or aren’t in the US.

    Hardware Repair - Keeping Confidential Data Safe

    Genius Bar Reservation US

    Authorized Service Provider

  • by Drew Reece,

    Drew Reece, Aug 5, 2015 11:47 AM in response to JaeDeLoach
    Level 5 (7,490 points)
    Notebooks

    JaeDeLoach wrote:

    a)

    Find my Mac is locked and pw protected. Command + R or any boot commands are pw protected. I am constantly getting fake pw requests from things like cloudd (DD at the end),

    b)

    there is also a whole series of these files under what's called launchd. I cannot access anything through permissions and my disk has been partitioned.

    c)

    I can keep going.... I am new to Mac, and this is my first one, but I am not new to navigating operating systems.

    d)

    My wife's ex-husband is a network engineer and this exact same thing happened when they broke it off with her mac and blackberry.

    e)

    I promise you I am not paranoid; although I know how this looks.... I will provide whatever evidence you need to help. I am on my work PC now though, and don't have access.

    f)

    Not to mention I know they are running a gatekeeper.


    a)

    This can happen if your iCloud account is compromised. Someone can lock your Mac & it can look 'hacked' – it is not a hack, it is simply an abuse of the iCloud 'Find my Mac' feature. This can happen when someone else knows your iCloud password & thinks it is funny to lock the device or it could be malicious etc.

    Review your iCloud account, reset the password - is the Mac associated with your Find My Mac account? If not it could be connected to someone else's account, an Apple store is a good place to ask for help with this. Once again if this was pre-owned it could be associated with another user's account (we need detail to help).

    Are the iCloudd messages coming in via email or some other way? That may just be normal spam?

    b)

    launchd is a critical part of OS X, it is normal to have many launchd jobs, you need to compare to a similar clean system to know that they are abnormal. The permissions on many of these files are a security feature; it is normal for a user to be unable to edit system level jobs.

    I don't know what you mean by 'and my disk has been partitioned', has some data been reformatted - how do you know if it is password protected?

    c)

    It looks like you are finding things & possibly assuming the worst, OS X has quite a lot of security built in, many restrictions are placed on normal and admin users. You need to be very careful in judging if the OS has been 'tampered with', frankly it is not a job for someone new to OS X. Apple may be able to tell you how to recover from the situation or if you need to seek the help of law enforcement.

    d)

    I don't know what you mean by 'broke it off with her Mac & Blackberry'. My guess is that a Mac was locked after someone left a company or a relationship ended? Once again this could be someone locking a Mac with iCloud - not necessarily a 'hack'. Corporations can also lock devices if they have their own management server.

    e)

    Yup, it is tough to look sane with all this; please try to avoid jumping to conclusions before the evidence is in.

    f)

    Gatekeeper is part of OS X. It is designed to protect new users. It stops applications from running if they are from insecure sources. Keeping it set to 'Identified developers' is actually a good thing for security.

    OS X: About Gatekeeper - Apple Support

    More info on the 'gatekeeper' you found might help.

    If you want more help here please provide more detail, otherwise see what an Apple store says. If you are certain it is an attack you should power it off & take it to your local law enforcement but the info posted here can all be explained by normal features as far as I can see.
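
The comparison against a clean system that the reply above suggests for launchd jobs, as an added example that is not part of the original thread: it reads the job plists from the system-wide launchd folders of two trees and lists jobs that exist only on the suspect Mac or run a different command. The function names and all sample plists are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# System-wide launchd job folders on OS X (per-user ~/Library/LaunchAgents not included).
LAUNCHD_DIRS = ["/System/Library/LaunchDaemons", "/System/Library/LaunchAgents",
                "/Library/LaunchDaemons", "/Library/LaunchAgents"]

def load_jobs(root, dirs=LAUNCHD_DIRS):
    """Map each job plist path to the command line launchd would run for it."""
    jobs = {}
    for d in dirs:
        folder = Path(root) / d.lstrip("/")
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
                argv = job.get("ProgramArguments") or [job.get("Program", "")]
            except Exception:
                argv = ["<unreadable plist>"]  # keep it visible, do not skip
            jobs[f"{d}/{path.name}"] = [str(a) for a in argv]
    return jobs

def compare(clean, suspect):
    """Return (jobs present only on the suspect Mac, jobs whose command differs)."""
    added = sorted(k for k in suspect if k not in clean)
    changed = sorted(k for k in suspect if k in clean and suspect[k] != clean[k])
    return added, changed

def _write(root, rel, argv):
    path = Path(root) / rel.lstrip("/")
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("wb") as fh:
        plistlib.dump({"Label": path.stem, "ProgramArguments": argv}, fh)

def demo():
    """Run the comparison on two constructed trees (all names are made up)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as sus:
        for root in (clean, sus):
            _write(root, "/System/Library/LaunchAgents/com.example.sync.plist", ["/usr/libexec/syncd"])
        _write(clean, "/Library/LaunchDaemons/com.example.updater.plist", ["/usr/local/bin/updater"])
        _write(sus, "/Library/LaunchDaemons/com.example.updater.plist", ["/tmp/updater"])
        _write(sus, "/Library/LaunchDaemons/com.example.extra.plist", ["/Users/Shared/helper"])
        return compare(load_jobs(clean), load_jobs(sus))

if __name__ == "__main__":
    print(demo())
```

For a real comparison, point `load_jobs` at the root of each system (or a mounted copy of its volume) running the same OS X version. A difference is a lead to examine, since third-party software legitimately installs jobs under `/Library`.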