Likely security intrusion compromising my defense in court?

BobCov
Posted: Sun May 24, 2009 4:29 pm    Post subject: Likely security intrusion compromising my defense in court?

My apologies to the moderator if I am mistaken in posting this here, but I'm interested in finding a good range of opinion and I have basically until the 27th to do so as I go to court in the US May 28th, 8:30am.

Uniquely, for this discussion only, I should note that I am of African-American descent. Yesterday, on a desktop Mac running 10.5.6 w/o anti-virus, I chose "restore previous" when I launched FireFox 3.0.

To my surprise, one of the two pages which auto restored was Yahoo Search. I never use Yahoo search. The search field had a search term in it which happens to be an offensive racial slur pertaining to---you got it--African-Americans.

It's not my habit to insult and offend myself, so obviously I didn't do this.

What forensic data can I find in Mozilla which might show time and date stamp for the file holding the "restore previous" data? Does anybody here know how you'd manipulate that file to create the restore described above? I noticed that the search shows in the history drop down, but I cannot see any time or date stamps there.

My opponent in court is the only one in the last 30 years or so who has thrown that particular racial slur my way and happens to live adjacent to me in the same building, well within WiFi range. This person has the resources to hire somebody to break WPA2, which is what I think happened.

My wife's mac, for months, has frequently lost wifi connection while my windows laptops never lose it. Could this be the result of deauthentication from a wpa cracking tool? The Mac desktop is not on wireless, but if her machine was compromised, this may have allowed access to the desktop.

I haven't seen any indication of compromise of the other computers, but I have taken the following steps:
1. Put up a new access point with a 40 character random WPA2 password. The old password was ten digits.
2. Left up the old access point but with nothing attached to it. Hoping maybe this will keep an intruder busy on the old network. Maybe I should change the key there to give them a reason why they don't see any machines.
3. I'm writing this and changing passwords from within a Linux VM on a machine not normally on the network.
4. Setting up logging for the router. I did not see any unknown mac addresses in the most recent DHCP list, but I would have no way of seeing a static.
5. This is embarrassing---installing A/V on the Macs.

I'm open to suggestions as to how to secure the network and what steps to take forensically to try to identify how this happened. I do have time machine backups for the desktop which might be useful.

I've also noticed that neither Mac can complete the "Housecall" online a/v scan.

-Bob

PS The neighbor has falsely accused me of illegal activity directed towards her. It would be complicating if she had access to emails pertaining to the preparations for the case and it would be very bad if she was able to plant anything on the computers, such as illegal content, keyloggers, etc.
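An added example, not from this thread, of the timestamp lookup Bob asks about. Firefox 3.x records browsing history in places.sqlite in the profile directory (on a Mac, under ~/Library/Application Support/Firefox/Profiles/), and each visit in moz_historyvisits carries a visit_date in microseconds since the Unix epoch (UTC). The script below opens the database read-only and lists every visit whose URL matches a fragment such as search.yahoo.com; the sample database it builds is constructed for the demonstration and the visit times in it are not real evidence.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone

# Firefox stores visit_date as PRTime: microseconds since the Unix epoch, in UTC.
PRTIME_PER_SECOND = 1_000_000


def prtime_to_utc(prtime):
    """Convert a Firefox PRTime value to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(prtime / PRTIME_PER_SECOND, tz=timezone.utc)


def visits_matching(db_path, url_fragment):
    """Return (url, title, visit time) for every recorded visit whose URL contains url_fragment."""
    # Open read-only through a URI so the evidence file is never modified.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT p.url, p.title, v.visit_date "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "WHERE p.url LIKE ? ORDER BY v.visit_date",
            (f"%{url_fragment}%",),
        ).fetchall()
    finally:
        conn.close()
    return [(url, title, prtime_to_utc(ts)) for url, title, ts in rows]


def build_sample_db():
    """Build a constructed places.sqlite with only the columns the query needs (sample data)."""
    path = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False).name
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,"
        " visit_date INTEGER, visit_type INTEGER);"
    )
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "http://www.mozilla.org/", "Mozilla"),
        (2, "http://search.yahoo.com/search?p=REDACTED", "Yahoo! Search Results"),
    ])
    # Constructed timestamps; 1243100000000000 us is 2009-05-23 17:33:20 UTC.
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?)", [
        (1, 1, 1243000000000000, 1),
        (2, 2, 1243100000000000, 1),
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    for url, title, when in visits_matching(build_sample_db(), "search.yahoo.com"):
        print(when.isoformat(), title, url)
```

Firefox 3 keeps the "restore previous session" state in sessionstore.js in the same profile directory, so its file modification time marks when that session data was last written, while the visit times above pin down when the search page itself was loaded. Work on a copy of the profile (the Time Machine backup is ideal) rather than the live files.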
Fire Ant
Posted: Mon May 25, 2009 10:23 pm

Bob,

A few of my thoughts.

Quote:
This person has the resources to hire somebody to break WPA2
Do you live near Fort Meade? Because this is highly unlikely, unless you have a default access point key.

Quote:
Does anybody here know how you'd manipulate that file to create the restore described above?
Why use a tool to do that when everything you describe in your post smells more like a Trojan horse.

Attacking your wireless is only half a job, someone would have to then hack your computer. An attacker is better placed to send you a link to an infected web page and infect your computer and take control of it. This would explain how no additional MAC addresses appear in your wireless router.

Quote:
I'm open to suggestions as to how to secure the network and what steps to take forensically to try to identify how this happened.
Well, securing your network is cheaper than forensically investigating what has happened. To secure it you should format everything and rebuild everything with new passwords and a new configuration. To investigate what has happened you need to unplug everything, copy it without modifying it, then use some very expensive software and some skills that you probably don't have, and a considerable amount of time which you also don't have.

Hope that helps.

Matt_s
BobCov
Posted: Wed May 27, 2009 12:50 am

matt_s wrote:
Bob,

A few of my thoughts.

Quote:
This person has the resources to hire somebody to break WPA2
Do you live near Fort Meade? Because this is highly unlikely, unless you have a default access point key.


Hi, Matt
Thanks for your reply. I don't live near Fort Meade, but the latest I've read on WPA crack tools indicates that my key was very vulnerable. It was ten numbers, no alpha or punctuation. Using some of the new tools which utilize the GPU of high end graphics cards, this would apparently be very easy to do.

Quote:
Why use a tool to do that when everything you describe in your post smells more like a Trojan horse.


I wish it were a Trojan. It very well may be, but it still smells fishy because of the history of the person taking me to court. The choice of the search term is just too convenient of a coincidence.

Quote:
Attacking your wireless is only half a job, someone would have to then hack your computer. An attacker is better placed to send you a link to an infected web page and infect your computer and take control of it. This would explain how no additional MAC addresses appear in your wireless router.


I use noScript, so it's unlikely I would have allowed a script for something I didn't recognize from a page I was not familiar with. There was no active logging recording everything in the router, so it's possible another mac address was present or it's possible that a mac of an existing machine could have been used. As I noted, my wife's machine frequently would go off the network for no apparent reason.

Quote:
Well, securing your network is cheaper than forensically investigating what has happened. To secure it you should format everything and rebuild everything with new passwords and a new configuration. To investigate what has happened you need to unplug everything, copy it without modifying it, then use some very expensive software and some skills that you probably don't have, and a considerable amount of time which you also don't have.


When I get a chance I will be reformatting and reinstalling. In the meantime, I have not done anything on the other machine so that I can try to find out a time and date stamp for the cache entry. Who's to say this won't happen again after a reformat? I need to know more about exactly what happened.

Hope that helps.

Matt_s

Moderator note: edited to fix quotes - capi
Fire Ant
Posted: Wed May 27, 2009 9:33 am

Quote:
It was ten numbers, no alpha or punctuation.
This only makes this weak if the attacker knew you have only numbers in the key. Otherwise that is quite a reasonable size key. Bigger than it is worth brute forcing.

Quote:
Using some of the new tools which utilize the GPU of high end graphics cards, this would apparently be very easy to do.
Well I work in crypto and it's not as easy as the media makes out. It's more accessible to non-intelligence agencies. But this still would be expensive and time consuming.

Quote:
As I noted, my wife's machine frequently would go off the network for no apparent reason.
You are describing something which happens to lots of people and there are so many other reasons why this might happen, ever heard of Ockham's razor?

Quote:
Who's to say this won't happen again after a reformat?
As I said, it's highly unlikely that your wireless was penetrated as the computer would have to be hacked after the wireless was hacked. This is lots of work when there are other ways to skin a cat.

Quote:
I need to know more about exactly what happened.
Then you need to examine the computer in question; you could always hire a local computer forensic expert to help, but this is going to cost.

Matt_s
zonemonk88
Posted: Tue Oct 05, 2010 12:01 pm

I really hate to say this, and please do not think I am being an a$$ or trying to insult you, but based on the information you have posted so far, I think this really is just a coincidence and you are being way too paranoid. I could be wrong.

Edit:

LMAO! I just now realized the OP was over a year ago.......

Moderator note: please do not double post, use the edit button instead - capi