
anyechka (macrumors newbie, original poster), Jan 16, 2008
Dear All - just a quick security question. I've been going through a very nasty experience the past months. Someone is coming up with the content of my web-mails, messenger chats and - worse still - even usernames and passwords I entered at https sites.
I'm using Macs only, two, both running on Tiger, and as far as I know there are no trojan horses, spyware or anything out there that could have crept into my system to spy on me from "within". Macs are also unhackable, so that's also not an option...
Internet traffic interception remains the only logical possibility - so I was wondering just how difficult it would be to intercept internet traffic if you know somebody's exact IP address? And especially https sites... Would a change of IP address be a good solution to this abuse?
Many thanks!
 
Macs are not unhackable. Make sure you have your firewall turned on (or turn on the firewall in your router). Intercepting your web traffic is possible but I don't think anyone would really go to the effort to read your messenger conversations. Who exactly has been coming up with this stuff?
 
Don't know exactly who, but I suspect it may have to do with my political engagement, research I am doing and views expressed on some fora (all non-US related - local European stuff ;) ). Also, the conversations intercepted are with a selected group of people, not with all my contacts (though my stalker might be sending me only the "relevant" bits...). That's why I thought someone might have tracked down my IP address while I was discussing these issues, hacked my hotmail account etc. What worries me the most is the breach of security on https sites - if my cell phone bills are so easy to get access to, how am I to protect my sources?

So... do you think that someone might have actually acquired access to my hard drive rather than intercepted my traffic? The main reason why I'm trying to understand the minutiae is to know how best to protect myself: by reinstalling my drive, putting up the firewall, changing my IP address...

many thanks!
 
https is designed to prevent people from being able to read any packets that you send over the internet. However, if your computer is compromised then it's not really all that much use as people can get at the information before it is sent. The same applies if the server that you are sending things to is compromised, they can just get the information once it has arrived! Also, stealing your packets while they travel through the internet is not easy. They all take different routes and maybe not all of them will pass by the person eavesdropping.


If someone has got your plain text passwords, then the problem is likely at the computer that you are logged into, as passwords are hashed (encrypted) even when they arrive at the server. Amazon, for instance, will have no idea what your password is in plain text; they only know the hashed version of it. Have you logged on from any public computers or ones that don't belong to you? Another possibility is that you have been a victim of phishing: have you followed any links in suspicious emails?

Changing your IP address probably won't do anything (if they found you the first time then they can find you again) especially if your computer is compromised.

I would definitely turn on your firewall (it can't hurt) but I'm unsure about the possibility of keyloggers or other nasties on your Mac. Maybe someone else knows some more.
 
Thanks for this - if I understand you well, your guess is that I might have caught a bug after all, since https sites are basically uncrackable. So wiping the computer clean and re-installing the system may not be such a bad idea... If anyone knows anything about possible malware keyloggers having been created for Mac - and programs to keep me safe, I'd be much obliged! Thanks again! A.
 
They are not uncrackable, but they are certainly difficult enough to crack that someone wouldn't go to the trouble of attempting it just for some malicious behaviour. Also, security certificates come in different levels of security depending on what you need them to do. There are the low security ones that are simply used to make sure the site is who it says it is, and then higher security bit rates are used when you need more security, i.e. financial transactions or transmitting of other sensitive information.
Keyloggers for Mac do exist but unlike with Windows they can't be installed unless the installer enters the password for your computer's account. Therefore someone installing this sort of malware on your computer would have to know your password for the computer in order to do it.
 
If they are getting your passwords for sites using SSL a local keylogger is by far the most likely. Can you take a screen shot of what's running on your machine from Activity Monitor and either post the pic or a link to it here? Please don't wipe the machine before doing this, as it might help others if we can identify what's running.
 
I will do so as soon as I'm back home behind my Mac tonight (in Europe we're already full speed into another workday ;). You guys say that someone must have known my admin password in order to install a keylogger on my computer - does this mean that this someone must have been physically behind my computer, or that I could have inadvertently installed a keylogger thinking I'm installing an update or an application needed to use features of certain sites etc.? I was so sure of Macs being impervious to hacks and cracks that I never really thought twice before installing anything offered to me by any site. Ungh.

Once again many many thanks for all the help!
 
No worries. Another thing you might want to check is to open up a terminal and type

cat /etc/resolv.conf

The output should either match the address of your DNS servers or your home router if you have one. Anything else could be suspect.
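One way to automate the resolver check described above, as an added example that is not part of the thread: the script compares every nameserver line in a resolv.conf-style file against a list of addresses you expect (your router, or the resolvers your ISP gave you) and flags anything else. The EXPECTED_RESOLVERS allowlist and the two sample files are constructed placeholders; substitute your own addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the nameserver lines of a
# resolv.conf-style file against the resolver addresses you expect to see
# (your router, or the resolvers your ISP gave you). The allowlist and the
# two sample files below are constructed placeholders.

# Hypothetical allowlist: replace with your router / ISP resolver addresses.
EXPECTED_RESOLVERS="192.168.1.1 10.0.0.1"

# Print each nameserver address from the given file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if every nameserver is on the allowlist, 1 if any is not.
# Each unexpected address is printed with a SUSPECT marker for follow-up.
check_resolvers() {
    status=0
    for ns in $(list_nameservers "$1"); do
        found=0
        for ok in $EXPECTED_RESOLVERS; do
            [ "$ns" = "$ok" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "ok      $ns"
        else
            echo "SUSPECT $ns  (not in the expected resolver list)"
            status=1
        fi
    done
    return $status
}

# Constructed stand-ins for /etc/resolv.conf on two machines.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
printf 'domain home.example\nnameserver 192.168.1.1\n' > "$GOOD_CONF"
printf 'domain home.example\nnameserver 192.168.1.1\nnameserver 203.0.113.7\n' > "$BAD_CONF"

echo "== expected configuration =="
check_resolvers "$GOOD_CONF"
echo "== configuration listing an unfamiliar resolver =="
check_resolvers "$BAD_CONF" || echo "resolver check failed: investigate before trusting DNS"
```

To run it against the machine itself, edit EXPECTED_RESOLVERS and call check_resolvers /etc/resolv.conf. On Mac OS X that file is generated by the system from the Network preferences and DHCP, so an address you do not recognise there means those settings deserve a look as well.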
 
Here comes. Dunno if this is what you had in mind... Tomorrow I'll send the shot from the desktop computer. Many thanks!

PID Process Name User %CPU Threads Real Memory Virtual Memory Kind
209 pmTool root 2,30 1 3,64 MB 37,39 MB PowerPC
208 Activity Monitor ana 4,30 2 21,57 MB 100,04 MB PowerPC
198 Safari ana 0,00 7 58,04 MB 141,88 MB PowerPC
186 Mail ana 0,00 5 21,13 MB 140,79 MB PowerPC
185 mdimport ana 0,00 4 3,61 MB 39,73 MB PowerPC
184 usbmuxd nobody 0,00 2 564,00 KB 26,98 MB PowerPC
183 UniversalAccessApp ana 0,00 1 3,38 MB 78,61 MB PowerPC
182 System Events ana 0,00 1 2,88 MB 79,97 MB PowerPC
181 iTunes Helper ana 0,00 2 1,89 MB 69,27 MB PowerPC
180 Microsoft AU Daemon ana 0,00 1 1,88 MB 68,38 MB PowerPC
177 Finder ana 0,00 4 12,36 MB 104,86 MB PowerPC
176 SystemUIServer ana 0,00 2 6,37 MB 95,38 MB PowerPC
175 Dock ana 0,00 2 2,79 MB 56,54 MB PowerPC
172 mdimport nobody 0,00 3 2,20 MB 38,58 MB PowerPC
169 pbs ana 0,00 2 1,89 MB 54,12 MB PowerPC
168 cupsd root 0,00 2 1,42 MB 27,84 MB PowerPC
157 mds root 0,00 8 4,65 MB 44,04 MB PowerPC
132 crashreporterd root 0,00 1 200,00 KB 26,61 MB PowerPC
121 automount root 0,00 3 1,05 MB 28,73 MB PowerPC
117 automount root 0,00 5 1,21 MB 29,63 MB PowerPC
114 rpc.lockd root 0,00 1 196,00 KB 26,67 MB PowerPC
105 nfsiod root 0,00 5 184,00 KB 28,62 MB PowerPC
91 ntpd root 0,00 1 376,00 KB 26,86 MB PowerPC
77 lookupd root 0,00 3 1,30 MB 29,04 MB PowerPC
67 loginwindow ana 0,00 3 3,99 MB 76,58 MB PowerPC
66 ATSServer ana 0,00 2 2,95 MB 64,48 MB PowerPC
65 coreservicesd root 0,00 3 5,46 MB 35,23 MB PowerPC
59 WindowServer windowserver 0,30 2 15,14 MB 83,19 MB PowerPC
56 DirectoryService root 0,00 3 2,50 MB 30,41 MB PowerPC
55 distnoted root 0,00 1 776,00 KB 27,02 MB PowerPC
49 update root 0,00 1 220,00 KB 26,61 MB PowerPC
46 notifyd root 0,00 2 460,00 KB 27,21 MB PowerPC
44 securityd root 0,00 1 1,73 MB 28,52 MB PowerPC
43 memberd root 0,00 3 592,00 KB 27,66 MB PowerPC
42 diskarbitrationd root 0,00 1 1.024,00 KB 27,13 MB PowerPC
41 coreaudiod root 0,00 1 1,70 MB 30,66 MB PowerPC
40 configd root 0,00 3 1,75 MB 29,23 MB PowerPC
39 xinetd root 0,00 1 600,00 KB 26,76 MB PowerPC
36 syslogd root 0,00 1 408,00 KB 26,64 MB PowerPC
35 netinfod root 0,00 1 560,00 KB 26,95 MB PowerPC
34 mDNSResponder root 0,00 2 1.024,00 KB 27,37 MB PowerPC
33 KernelEventAgent root 0,00 2 596,00 KB 27,19 MB PowerPC
29 kextd root 0,00 2 1.008,00 KB 27,55 MB PowerPC
25 dynamic_pager root 0,00 1 164,00 KB 26,63 MB PowerPC
1 launchd root 0,00 3 360,00 KB 27,68 MB PowerPC
0 kernel_task root 0,20 35 48,66 MB 649,89 MB PowerPC
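As an added example that was not posted in the thread, here is a small shell script that parses a listing pasted in the format above and reports process names that were not present in an earlier snapshot from the same machine, which is the practical way to spot something new without having to recognise every daemon by name. The baseline and current listings embedded in it are constructed from rows of the listing above plus one made-up row, ExampleHelper, standing in for a newly appeared process.

```shell
#!/bin/sh
# Added example, not from the thread. Parses Activity Monitor listings pasted
# as "PID name user %CPU threads real-mem unit virt-mem unit kind" rows and
# reports process names present in a current listing but absent from a
# baseline snapshot. Sample listings are constructed from rows in the thread
# plus one made-up row ("ExampleHelper") that stands in for a new process.

# Emit "process name<TAB>user" for every row. The name may contain spaces,
# so it spans from field 2 up to the eighth-from-last field.
listing_to_names() {
    awk 'NF >= 10 {
        name = $2
        for (i = 3; i <= NF - 8; i++) name = name " " $i
        print name "\t" $(NF-7)
    }' "$1"
}

# Print "name<TAB>user" pairs that are in the current listing ($2) but not in
# the baseline listing ($1). Unchanged rows produce no output.
new_processes() {
    base=$(mktemp)
    cur=$(mktemp)
    listing_to_names "$1" | sort > "$base"
    listing_to_names "$2" | sort > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# Constructed baseline: rows copied from the thread's listing.
cat > "$BASELINE" <<'EOF'
208 Activity Monitor ana 4,30 2 21,57 MB 100,04 MB PowerPC
198 Safari ana 0,00 7 58,04 MB 141,88 MB PowerPC
180 Microsoft AU Daemon ana 0,00 1 1,88 MB 68,38 MB PowerPC
44 securityd root 0,00 1 1,73 MB 28,52 MB PowerPC
1 launchd root 0,00 3 360,00 KB 27,68 MB PowerPC
EOF

# Constructed "current" listing: the same rows plus one made-up newcomer.
cat > "$CURRENT" <<'EOF'
208 Activity Monitor ana 4,30 2 21,57 MB 100,04 MB PowerPC
198 Safari ana 0,00 7 58,04 MB 141,88 MB PowerPC
180 Microsoft AU Daemon ana 0,00 1 1,88 MB 68,38 MB PowerPC
300 ExampleHelper ana 0,00 1 1,00 MB 20,00 MB PowerPC
44 securityd root 0,00 1 1,73 MB 28,52 MB PowerPC
1 launchd root 0,00 3 360,00 KB 27,68 MB PowerPC
EOF

echo "processes not in baseline (name, user):"
new_processes "$BASELINE" "$CURRENT"
```

The comparison is only as good as the baseline, so the snapshot should be taken from a state you trust (for instance right after a clean install) and kept somewhere the machine under suspicion cannot alter; a name that appears in the current listing but not in the baseline is a lead to investigate, not proof of anything on its own.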
 