What are the red flags that someone has accessed my computer without my consent?

I'm wondering what I should be looking for to determine if my computer was accessed by someone without any permission, now and in the future. I've spent many hours trying to figure everything out and any input would be greatly appreciated. I'm not as sophisticated at all this as some people but I don't mind learning something new.


Some things I've noticed that make me suspicious someone has accessed my computer:

  • An incident where 10-15 random files opened without me clicking them and general lag
  • Intego's Content Barrier stopped a P2P connection at 5 AM when no one on my home wifi was awake
  • A number of connections, seen via the terminal command lsof -i, from sharing, Finder, WiFi Proxy, WiFi Agent, System UIS, and an established connection with an open port that ARIN said belonged to the USDA; I didn't visit them or anyone related
  • A ton of connections to random internet numbers in my Content Barrier that I did not visit
  • Websites that I visited several days ago listed in Content Barrier as being visited again
  • Console messages (These all make me paranoid and I know many are legitimate):
    a. I see a ton of errors and faults connecting to IMRemoteURLConnectionA
    b. Caches being deleted with urgency
    c. A user name <private> doing a lot of things and mostly blank logs with lots of "????" (actually just my account?)
    d. Denying XPC connections
    e. A 2-way tunnel something
    f. This message, which happened first when I turned on FileVault and keeps popping up after several restarts (screenshot attached to the original post)

Is any of this solid evidence that someone is doing something without my permission? If not, is there anything I can do to collect evidence on my own before wiping the computer and reinstalling Sierra? What can be done to catch someone in the future should they try to access my computer again?

I'd really like to know:

  • What would you do if you thought someone had been or was actively hacking into your account? Feel free to be specific.
  • Red flags in the Console and Terminal, or anywhere else to look, for an if-then type event
  • MacBook Pro with Retina display, iOS 10.2, 2016 15 touch bar 460 2.9i7

Posted on Jan 3, 2017 10:22 PM

1 reply

Jan 4, 2017 6:47 PM in response to ChaseM900

The system.log messages you describe are all normal. Sierra introduced major changes to the way system events are logged, to protect user data that might otherwise have been recorded.

If someone wanted to access your Mac, the easiest way would be to determine your login credentials. The most common way of obtaining them is to deceive you into providing them. That tactic continues to be astonishingly successful, yet it is still described as "hacking" — a uselessly broad characterization of vague nefarious intent with no clearly defined meaning. If I were to connect to someone's open wireless network and access its router using its default password "admin", does that make me a hacker, or just an opportunist? Either way I certainly wouldn't leave a calling card.

If you were so deceived there is literally no way to discriminate between someone else's unauthorized access and your own. Such a "hacker" will leave no telltale signs of intrusion. The solution is to erase the Mac and reconfigure it using credentials that you do not disclose to anyone.

"Intego" is a worthless defense against such intrusion, as are all non-Apple utilities in its category. The activity you describe is almost certainly normal, and can be the result of a number of normal network processes that go well beyond the obvious. I recommend you uninstall it according to its instructions, and follow the principles in Effective defenses against malware and other threats. Installing non-Apple "anti-virus" utilities such as "Intego" introduces additional vulnerabilities, increasing your threat profile.

To answer your question, a Mac is as secure as you make it. That implies using reasonably secure login credentials, secure wireless networks, supported and updated operating systems and software, and keeping all of those elements inaccessible to unauthorized others. Disable Sharing services you don't require. Don't write down passwords or let anyone look over your shoulder while you type them. Those fundamental security precautions will thwart attempts from the vast majority of opportunists seeking to lift things like Apple IDs, credit cards and similar financial information.
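As an added example that is not part of either post in this thread: the lsof -i check from the question can be turned into the repeatable if-then triage the poster asked for. The script below feeds a constructed sample of lsof -nP -i output (made-up processes, PIDs and addresses, not output from the poster's Mac) through two filters. The first lists every TCP listener, which is the list to compare against the Sharing services you actually turned on, as the reply advises. The second prints established TCP connections whose remote address is outside loopback and RFC 1918 private space; those are the addresses worth looking up by hand (ARIN/whois) and matching against what you were doing at the time. It assumes the macOS lsof column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with the TCP state last).

```shell
#!/bin/sh
# Added example, not from the thread: triage lsof output for two red flags,
# (1) processes listening for inbound connections and (2) established TCP
# connections to addresses outside loopback/private space.
# Assumes the macOS lsof column layout:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]

# Constructed sample of "lsof -nP -i" output (made-up processes, PIDs and
# addresses; not captured from any real machine).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1 root   22u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
launchd       1 root   23u  IPv4 0x1a2c      0t0  TCP *:5900 (LISTEN)
sharingd    412 alice   8u  IPv4 0x3c4d      0t0  UDP *:5353
Finder      530 alice  14u  IPv4 0x5e6f      0t0  TCP 192.168.1.10:49200->192.168.1.20:445 (ESTABLISHED)
Safari      601 alice  20u  IPv4 0x7a8b      0t0  TCP 192.168.1.10:49330->203.0.113.9:443 (ESTABLISHED)
mystery     777 alice   3u  IPv4 0x9c0d      0t0  TCP 192.168.1.10:49555->198.51.100.77:4444 (ESTABLISHED)
mystery     777 alice   4u  IPv6 0x9c0e      0t0  TCP [::1]:49600->[::1]:631 (ESTABLISHED)'

# Read lsof lines on stdin; print "COMMAND PID PORT" for each TCP listener.
# Port 22 is Remote Login and 5900 is Screen Sharing: a listener here that
# you did not enable in System Preferences > Sharing is a flag.
list_listeners() {
    awk '$NF == "(LISTEN)" && $8 == "TCP" {
            n = split($9, parts, ":")
            print $1, $2, parts[n]
        }'
}

# Read lsof lines on stdin; print "COMMAND PID REMOTE" for each ESTABLISHED
# TCP connection whose remote end is not loopback or RFC 1918 private space.
# Loopback and LAN peers are skipped so the list is only the addresses that
# need a whois lookup and a "was I actually doing this?" check.
flag_external_established() {
    awk '$NF == "(ESTABLISHED)" && $8 == "TCP" {
            split($9, ends, "->")
            remote = ends[2]
            if (remote ~ /^127\./ || remote ~ /^10\./ || remote ~ /^192\.168\./ ||
                remote ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || remote ~ /^\[::1\]/)
                next
            print $1, $2, remote
        }'
}

# Run against the constructed sample. On a live Mac replace the printf with
# the real command, e.g.:  sudo lsof -nP -iTCP | flag_external_established
printf '%s\n' "$SAMPLE_LSOF" | list_listeners
printf '%s\n' "$SAMPLE_LSOF" | flag_external_established
```

Run on the sample, the listener filter prints the two launchd listeners (22 and 5900) and the external filter prints only the Safari and "mystery" connections; the Finder connection to 192.168.1.20 and the loopback IPv6 connection are dropped. A process you do not recognise holding an established connection to an address you did not choose to visit, like the "mystery" line, is the kind of if-then event worth chasing with a whois lookup and a check of what that process is; a browser talking to port 443 usually is not.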
