
My father is hacking me?!


littleblondenerd

Newbie

Posts: 2

Joined: Sat Oct 09, 2010 12:54 pm

Post Sat Oct 09, 2010 1:11 pm

My father is hacking me?!

Hello everyone,

My father, a (potentially) former NSA cracker, has been hacking my laptop computer ever since I left for college this year. I do not, however, have any concrete evidence or proof. From conversations that we have had, I am 99.9% certain that he has access to my computer (he set up an SSH server on my computer, which I think I have effectively disabled, but as I know almost nothing about SSH servers and how they work, I am not sure) through who knows how many programs and backdoors. I just installed the professional trial of eEye and ran a scan which showed that I have 5 high risk, 5 medium risk, and 14 low risk security issues. Here are the descriptions of a few of these:

Microsoft Windows contains a vulnerability in the SSL and TLS protocols when renegotiating session handshakes that could allow man-in-the-middle attackers to inject arbitrary data into encrypted TLS/SSL sessions.

The current MS RAS (Remote Access Server) is not encrypting data transfers. It is recommended to encrypt all transfers between client and server.

The current MS RAS (Remote Access Server) is not logging connections. It is recommended to log all RAS connection information.

It is recommended to enforce MSCHAP V2; this forces the server to drop any VPN (Virtual Private Network) connections that do not use MSCHAP V2 authentication.

By default, users are permitted to make RAS connections without any sort of authentication. It is recommended that you require users to authenticate themselves.

ICMP Timestamp request is allowed from arbitrary hosts.

Structured Exception Handling Overwrite Protection (SEHOP) is disabled on the target system. SEHOP is a mitigation that attempts to prevent an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique.

NTFS has the ability to support backwards compatibility with older 16 bit apps. It is recommended not to use 16-bit apps on a secure server since it could allow attackers to bypass access restrictions for files with long file names.

POSIX and OS2 should not be enabled. Enabling the POSIX or OS/2 subsystem can allow a process to persist across logins.




Can anyone help, please?

elcapitan

Newbie

Posts: 28

Joined: Mon Apr 28, 2008 10:16 am

Post Sat Oct 09, 2010 2:13 pm

Re: My father is hacking me?!

I don't think a vulnerability scanner will help you in this instance. If he was a true "NSA cracker", it is likely the backdoor is sophisticated enough to avoid detection by common security software.

Your best bet is to wipe the disk on the laptop completely (or find someone you trust to perform this if you are unsure how to). Reinstall the operating system, update and secure it (e.g. firewall, security software, disable unnecessary services, etc.).

Then just communicate with your Dad via phone and pen/paper.  :)

P.S. Why is the MS RAS (Remote Access Server) enabled? Do you use this functionality? It is typically not enabled by default.

P.P.S. Did he give you the laptop or at any time have physical access to it? If that is the case, I would put it on eBay if you are truly concerned about him "hacking" your laptop.
CISSP, Security+, CEH, OPP, et alii

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Oct 09, 2010 3:11 pm

Re: My father is hacking me?!

There are a couple of solutions:
A) Buy a new hard disk and physically replace the old one with the new one. Then install an operating system and bring it fully up to date. (Install a good firewall and anti-virus system too, like Kaspersky, Symantec Norton 2010, or similar.)

If you're into computers, install Linux and configure it in a secure way.


B1) Your father may have installed a rootkit which does not get wiped by a regular Windows re-format. If you're not going for a new hard disk, to be sure you don't have a hard-to-remove rootkit installed, get a "hard disk eraser" from IBAS or similar. (It's just a special magnet messing up the bits on the magnetic hard disk, in case it's not an SSD.)

B2) Perhaps, if there is a rootkit on your computer, a simple re-partitioning and format of the hard disk in Linux may erase everything. You can get LiveCDs in case you're not familiar with the Linux console, and such a tool could be QTParted or GParted. I'm not sure how well Norton Partition Magic would work in this case.

B3) Do one of those "government clearing" wipes of your hard disk where the data is wiped 5+ times. (Depending on the method you choose, one of them will overwrite the data more than 30 times on your hard disk. It's a quite cool tool but I forgot the name unfortunately.)

C) Your father may have installed a rootkit in the BIOS; if so, you need to replace the BIOS chip if possible. Otherwise buy a new motherboard or get a new computer. (Since it's a laptop, there isn't very much you can replace.)



Anyway, when you've done that and installed an operating system, do a FULL DISK ENCRYPTION!

Install TrueCrypt, do a full disk encryption and set a good, long password with mixed upper- and lower-case letters, numbers and symbols.

When you've done that, set a password in the BIOS and make sure it is not possible to boot up on anything besides the hard disk. (Set the hard disk to be the first device in the boot order.)

Then you could set a password for booting up the computer as well.

There is, however, a reset jumper on most computers nowadays, which is able to reset the BIOS password. If you want to disable that functionality you need to do some hardware modifications to the motherboard in your laptop, which I cannot recommend.


But if you follow most of what I wrote above, you'll be fine.

When you've installed your operating system, a firewall and an anti-virus system, don't visit websites your father suggests to you ;D (He may be a rogue hacker too.)

Avoid using instant messaging programs except IRC.

Use HTTPS (SSL) whenever it is possible, and other encrypted protocols as well.


Now we're on the paranoid path, but depending on how well you want to hide everything from your father and anyone else, you're getting pretty close.



If you just want to confirm whether he's spying on you or not, do the following:
1. Set up a LAN where NAT is enabled. (A simple network with local IP addresses, a router and another computer.)
2. Set up the second computer to log all communication from your computer to the Internet.
3. Don't use the laptop for anything but browsing to a few websites you visit, and then check on the second computer whether there's traffic that shouldn't be there.

This is NOT something that's easy, but it's fun  :D


Good luck and have fun  ;)


PS: This reply was quite "brief" in how to do the above suggestions. These do not reflect my entire view on the possibilities for confirming whether your father has hacked your computer or not, nor do they cover how many ways there are to lock your computer down entirely. (In short, there's more to it than what I just said.)
Last edited by MaXe on Sat Oct 09, 2010 3:15 pm, edited 1 time in total.
I'm an InterN0T'er

littleblondenerd

Newbie

Posts: 2

Joined: Sat Oct 09, 2010 12:54 pm

Post Sat Oct 09, 2010 4:18 pm

Re: My father is hacking me?!

The laptop caught a trojan last year that required completely wiping the disk; my dad spent the summer reprogramming and reinstalling everything. So, yes, he had physical access to it.
And the MS RAS is enabled because that's what he uses to debug computers or fix technical issues when he's not around.

dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Sat Oct 09, 2010 6:07 pm

Re: My father is hacking me?!

MaXe wrote: B3) Do one of those "government clearing" wipes of your hard disk where the data is wiped 5+ times. (Depending on the method you choose, one of them will overwrite the data more than 30 times on your hard disk. It's a quite cool tool but I forgot the name unfortunately.)



Windows: SDelete, Eraser
Unix-based OS: the shred command should do

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Sat Oct 09, 2010 7:00 pm

Re: My father is hacking me?!

This would be a very interesting movie ;D
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Oct 09, 2010 9:29 pm

Re: My father is hacking me?!

I have to agree with some of what the others said.

1) Download Ubuntu and work from that for a while. See if your dad still knows things you don't think he should.

2) Buy a second cheap box, run Linux on it, get an old-school hub (not a switch), and then look at the traffic going out of your network.

Depending on where you go to school, you might be able to find someone to do it for you, for the price of a six-pack or two.

*edit:

Or you could just ask him about your concerns.
Last edited by rattis on Sat Oct 09, 2010 9:54 pm, edited 1 time in total.
OSWP, Sec+
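The traffic check MaXe (steps 1-3) and rattis (point 2) describe ends with "look at what the laptop talks to". This is an added example, not code from any poster: it parses tcpdump-style lines as the second box would record them, and reports every connection the laptop opened that is neither one of the sites you deliberately visited nor a host on your own LAN. The capture, addresses and laptop IP are constructed.

```python
import re
from collections import Counter

# Constructed tcpdump-style capture (hypothetical addresses): the laptop is
# 192.168.1.10 behind the NAT router 192.168.1.1; 198.51.100.20 is the site
# that was deliberately visited, 203.0.113.7 is a host nobody browsed to.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.10.49152 > 198.51.100.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 198.51.100.20.443 > 192.168.1.10.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.300000 IP 192.168.1.10.49153 > 192.168.1.1.53: Flags [S], seq 3, win 64240, length 0
12:00:05.000000 IP 192.168.1.10.49160 > 203.0.113.7.22: Flags [S], seq 4, win 64240, length 0
12:00:30.000000 IP 192.168.1.10.49170 > 203.0.113.7.22: Flags [S], seq 5, win 64240, length 0
12:00:31.000000 IP 192.168.1.10.49171 > 198.51.100.20.443: Flags [S], seq 6, win 64240, length 0
"""

# Only new outbound connection attempts: a bare SYN ([S]) from the laptop.
# A SYN-ACK reply is printed as [S.] and deliberately does not match.
SYN_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[S\]"
)


def outbound_syns(capture, laptop_ip):
    """Return (dst_ip, dst_port) for every connection the laptop opened."""
    flows = []
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m and m.group("src") == laptop_ip:
            flows.append((m.group("dst"), int(m.group("dport"))))
    return flows


def unexpected_flows(capture, laptop_ip, visited_hosts, lan_prefix="192.168.1."):
    """Count connections to anything that is not a site you visited on
    purpose or a host on your own LAN (router, local DNS)."""
    counts = Counter()
    for dst, dport in outbound_syns(capture, laptop_ip):
        if dst in visited_hosts or dst.startswith(lan_prefix):
            continue
        counts[(dst, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    report = unexpected_flows(SAMPLE_CAPTURE, "192.168.1.10", {"198.51.100.20"})
    for (dst, dport), n in report.items():
        print(f"unexpected: {n} connection(s) from the laptop to {dst}:{dport}")
```

Feed it the output of tcpdump run on the second box (in promiscuous mode on the hub, or on the router's LAN side); repeated SYNs to a host you never browsed to, like the port-22 entries above, are the "traffic that shouldn't be there".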

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Sat Oct 09, 2010 10:36 pm

Re: My father is hacking me?!

@chrisj

Let's not get crazy! Ask?!?! I think MaXe's suggestions are the most down to earth!  ;D

The only thing I'd add to MaXe's suggestions is not to use TrueCrypt for whole-disk encryption, as the "Evil Maid" attack is pretty easy with physical access. I'd use whatever is native (that is, unless you're running XP)... pretty much every Linux distro will have native whole-disk encryption, though...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sun Oct 10, 2010 3:15 pm

Re: My father is hacking me?!

Reading comprehension ftw:

So the computer has RAS enabled so dad can help out when he's not around... he doesn't need to be an NSA cracker. He doesn't even need to be able to hack his way out of a paper bag. He has access to the machine. Full disk encryption won't fix that. It won't even help.

If you are worried about him on the computer, get tech support somewhere else.

Edited: fixed copy-paste error induced by writing the response from my Droid....
Last edited by former33t on Mon Oct 11, 2010 10:28 am, edited 1 time in total.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Oct 10, 2010 8:14 pm

Re: My father is hacking me?!

former33t wrote:To be able to hackReading comprehension ftw:

So the computer has RAS enabled so dad can help out when he's not around... he doesn't need to be an NSA cracker. He doesn't even need to be able to hack his way out of a paper bag. He has access to the machine. Full disk encryption won't fix that. It won't even help.

If you are worried about him on the computer, get tech support somewhere else.


Agreed with former33t.

It doesn't take rocket science, if you've got RAS enabled. If dad has access, and is logged in as you, he's got access to whatever you have access to. Assuming you've already mounted filesystems, or accessed the encrypted disks, there's nothing for dad to crack. And if you haven't, all he needs to do is stand by until you do.

I held off on this thread response for a while now. Sometimes, threads just don't feel right, and IMHO, IF your dad is truly a current or 'almost former' NSA cracker, or however you want to term it, I'd think your computer is very possibly / likely the least of your worries, regarding your privacy. Additionally, if you think he's watching you, or snooping, you'd know he very likely is watching everything you post to this thread, etc., and that alone doesn't help your case, in terms of believability to me. Either you're incredibly naive, or just looking for some attention, as asking these questions openly, VIA a computer, under said circumstances (dad being 'Big Brother'), to me, simply doesn't compute.

Additionally, who pointed you to eEye's software? How did you just stumble on that one, as there are plenty of malware detection and other programs out there, and in general, eEye's isn't the first one to come up via a simple Google search... I suppose it's possibly the same naivety, and please don't take offense, if that's the case. I just find it difficult to believe that you were searching on 'vulnerability scanning software' if you suspect your father of snooping on you. If you thought he had access, I'd assume you'd be looking for things about detecting and disabling remote access / connections, etc., not for 'vulnerability scanners.'

I'm personally sort of curious as to the thought process that led from Googling on, for instance:

"parents snooping on computer"
"ssh how to"
"disable remote access"
...
...
...
"vulnerability scanners"

Again, I mean, maybe, so don't take offense. And if so, tell me the search you used that led you that route, as I'm interested. But the logic flow isn't quite as clear to me as, perhaps, it was to you.

Sorry for doubting, but I'm doubting...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

putosusio

Newbie

Posts: 26

Joined: Wed Aug 12, 2009 8:20 pm

Post Mon Nov 08, 2010 1:34 am

Re: My father is hacking me?!

Reformat and be done with it.

Simple and effective.

P.S. If your dad was an NSA cracker, you're screwed.
It's not the fixing that's the hard part, it's knowing what needs fixing.
