I’ve got a bad feeling about this

Ryan Hicks
Security Engineer
18 Feb 2021

How to tell if your computer’s been hacked and what to do about it

Having nefarious people take over your machine is something that we all worry about from time to time. Some of us—security folks for example—worry about it almost constantly. The truly scary part is that there are many people who have their devices hacked [You might occasionally see the term “cracked” instead. It’s a bit pedantic, but there are some folks who got miffed that the term “hacker”—originally meaning someone highly skilled who could make computers or software do unexpected and cool things—has been morphed into a pejorative. These folks prefer “cracker,” “cracking,” and “cracked."] without ever even knowing it.

The nasty folks take over machines to use in DDoS attacks, to cover their tracks when breaking into other machines, to sneakily store stolen or illegal content, to engage in espionage activities against the target, etc., etc., etc., ad nauseam. It’s in the attacker’s best interest to keep a low profile and be “a good guest” to avoid alerting their unwitting “host” to their presence. If you’re attacked and you’re lucky, you’ll notice something and ask yourself:

What’s going on here?

If a nasty folk has taken over your machine, here are some areas where you might notice things out of the ordinary:

People you know

In many cases it may be that people you know are able to see that something is amiss before you notice. While the bad guys have ways of concealing things from you on the device they’ve taken over, they can’t do that to devices they don’t control. You might get a message saying something like the following:

  • “I got a weird email/text/IM from you the other day. Why do you need all my banking information?”
  • “Why did you make that bizarre post asking people to send you bitcoin for a charity nobody’s heard of?”
  • “How were you online last weekend? I thought you were hunting lions in the Serengeti without a satellite connection?”

Tools you use

Most attackers—well, the skilled ones anyway—will take great care in covering their tracks. But there’re lots of tracks to cover. Between history lists, caches, personalization, sent message storage, version control, and the myriad features that modern apps provide, covering all the possible tracks is like trying to clean muddy footprints off of a white shag carpet.

If you keep a close watch on the tools you use you might be able to notice if one of the bad guys has surreptitiously taken over your device.

  • Sent messages: Many tools we use to communicate with people keep track of what’s been sent, though where the tracking info is kept may not be immediately obvious.
  • Settings: If your settings show changes that you don’t remember making, it could be a sign of trouble.
  • Last login times: Quite often it’s possible to see the last time your account was logged into and/or used.
  • Last opened tracking: Documents and files often have “last opened” and/or “last edited” tracking. A good indication that somebody has been rifling through your files is when many of them share the same “last opened” time, especially if you haven’t looked at them in quite a while. (Bear in mind that a careful intruder can reset those timestamps, so a clean result doesn’t prove a clean machine.)
  • Browser history: It’s unusual, but an intruder may go so far as to take direct control of your browser. Be on the lookout for strange things in your browser history, as well as extensions you didn’t install and home-page or search-engine settings you didn’t change.
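Here is the “same last-opened time” check from the list above turned into a script. This is an added example, not code from the original post: it builds a throwaway folder of constructed files (thirty “reports” last edited two years ago but all opened within a few seconds three hours ago, plus three notes in normal day-to-day use), then buckets every file by last-access time and flags any bucket that holds a suspicious number of files. The folder, file names and thresholds are all assumptions made up for the demo.

```python
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path


def find_access_clusters(root, window_seconds=60, min_files=5):
    """Bucket every file under root by its last-access time, rounded down to
    window_seconds, and return the buckets holding at least min_files files.
    A big bucket of files you have not opened in ages is the red flag."""
    buckets = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        atime = path.stat().st_atime
        bucket = int(atime // window_seconds) * window_seconds
        buckets[bucket].append(str(path))
    return {start: sorted(paths) for start, paths in buckets.items() if len(paths) >= min_files}


def build_demo_tree():
    """Constructed demo data (not a real incident): thirty documents last edited two
    years ago and all 'opened' within a few seconds of each other three hours ago,
    plus three notes the owner has been using normally on different days."""
    root = tempfile.mkdtemp(prefix="rifled-")
    now = time.time()
    two_years_ago = now - 2 * 365 * 86400
    # Align the rifling burst to a minute boundary so the whole burst lands in one bucket.
    burst_start = int((now - 3 * 3600) // 60) * 60
    for i in range(30):
        doc = Path(root, f"doc{i:02}.txt")
        doc.write_text("old report")
        os.utime(doc, (burst_start + i % 7, two_years_ago))  # (atime, mtime)
    for i in range(3):
        note = Path(root, f"notes{i}.txt")
        note.write_text("todo")
        stamp = now - i * 86400
        os.utime(note, (stamp, stamp))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for start, paths in find_access_clusters(root).items():
        print(f"{len(paths)} files opened within a minute of {time.ctime(start)}:")
        for p in paths[:5]:
            print("   ", p)
        print("    ...")
```

Point it at your own Documents folder (raise `min_files` for big trees) and look at what it reports. Two caveats a practitioner should know: many Linux systems mount with `relatime` or `noatime`, so last-access times may not be updated at all, and an intruder who knows what they’re doing can rewrite timestamps, so use this as one signal among several rather than proof either way.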

Accounts you have

The cautionary advice above regarding tools also applies to your accounts. Here are some things to watch out for:

  • If you start receiving messages from people or organizations that you’ve never contacted but they seem to think you have.
  • If you start seeing unusually large storage usage or activity amounts on your accounts.
  • If you start seeing unexpected auto-completions or suggestions from your services.

Your money

A sneaky thief might not clean out your account all at once. They might not even be interested in stealing your money. Instead, they may use your account to move or launder their ill-gotten gains. If your account is showing strange debits or credits or if expected transactions are being sent to unusual places, it might be time to investigate.

[However, it’s important to keep in mind that many legitimate transactions can look bizarre as some organizations set up different entities for billing for regulatory or tax reasons. In such cases, the billing entity might have a wildly different name from the entity you transacted with. Also, organizations that provide adult content or other products and services that beg discretion may use innocuous sounding names for billing purposes.]

Yup, they got me. Now what?

What if a red flag from the list above has revealed that some miscreant has pwned (gaming speak for “owned,” often used in relation to hacking) your device or accounts? Then it’s time for quick action to end the damage and prevent further damage.

Get some help

Modern attacks can be very sophisticated, and it can be difficult to remove all the nasty little things the attackers use to hide their activities and enable them to come and go as they please. These nasty things are called “rootkits” [On Unix/Linux and macOS machines the primary administrative account is called “root.” Hacking a machine and gaining root access means total control of the machine and is referred to as “rooting” the machine. Rootkits are tools that help the hackers keep that control and hide it from you.]. You’ll also hear the somewhat verbose TLA (Three Letter Acronym) APT, for Advanced Persistent Threat. Strictly speaking, that describes a well-resourced attacker who intends to stay in your systems for a long time rather than the tools they use, but the word to notice in both cases is “persistent.”

Getting rid of a persistent intruder is a highly specialized activity and might even require wiping your hard drive and reinstalling the operating system from known-good media (affectionately referred to as “nuking and paving”), then restoring only your data, not your programs, from a backup made before the trouble started. In the case of a company asset, it’s important to verify that the machine is in a secure state. Further, it may be necessary to perform forensic analysis to evaluate the extent of any damage done, which means preserving the machine (or an image of its disk) before you wipe it. This gets especially complicated if you need to comply with various laws or contractual obligations or have to maintain certain certifications.

If the thought of tackling any and all of the above (rightfully) frightens you, don’t be ashamed to ask for help. Got a neighbor that has some weird job that involves lots of jargon? Maybe buy lunch for one of the IT folks? Cajole, convince, or compel whomever you know that does this sort of thing to lend you a hand.

Change all your passwords

Yup, all of them. Once a device has been compromised in this fashion, you have to assume that the fiends know everything, even if it looks like they might not.

Further, if they’ve captured passwords by logging your keystrokes, or cracked hashes of your old passwords [In modern systems (that are properly set up) passwords are never stored in the clear. Instead, each password is combined with a random per-user “salt” and run through a deliberately slow hash, and only the result is stored. Attackers who steal such a database try to recover the passwords by hashing huge lists of candidate passwords, or by looking the stored values up in precomputed tables of password/hash pairs (“rainbow tables”). The salt exists precisely to make those precomputed tables useless.], they may be able to gain insight into what sort of passwords you’re likely to make.

So not only should you change all your passwords, you should change the manner in which you make them as well. Better still, use a password manager that will create randomized strong passwords for you.
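To make the last few paragraphs concrete, here is an added example (not code from the original post) that plays both sides: an attacker with a precomputed table of hashes for a tiny, constructed candidate list, a site that stored a bare hash versus one that stored a salted, slow hash, the “next guesses” an attacker derives from one recovered password of the Season-Year shape, and the kind of password a manager generates instead. The wordlist, the `Summer2020!` password and the PBKDF2 parameters are all assumptions for the demo.

```python
import hashlib
import os
import re
import secrets
import string

# Constructed stand-in for an attacker's candidate list (real ones hold billions of entries).
WORDLIST = ["password", "letmein", "hunter2", "Summer2020!", "Winter2020!", "Spring2021!"]


def build_lookup_table(words):
    """Precompute digest -> password for every candidate: the attacker's table."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password):
    """How NOT to store a password: a bare, fast digest that the table above reverses."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=200_000):
    """How a properly set up system stores a password: random per-user salt plus a slow
    key-derivation function (PBKDF2 here). The salt means no table can look it up."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, _ = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, stored)


SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]


def pattern_guesses(recovered):
    """Given one recovered password, list the variants an attacker would try next.
    Handles the very common <Season><Year><punctuation> shape; anything else yields nothing."""
    m = re.fullmatch(r"(Spring|Summer|Autumn|Fall|Winter)(\d{4})(\W*)", recovered)
    if not m:
        return []
    _, year, suffix = m.groups()
    guesses = []
    for y in (int(year), int(year) + 1, int(year) + 2):
        for season in SEASONS:
            g = f"{season}{y}{suffix}"
            if g != recovered:
                guesses.append(g)
    return guesses


def generate_password(length=20):
    """What a password manager does: uniform random picks from a big alphabet using
    the OS CSPRNG. There is no habit in it for anyone to learn."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", table.get(unsalted_hash("Summer2020!")))
    print("salted lookup:  ", table.get(salted_hash("Summer2020!")))
    print("next guesses:   ", pattern_guesses("Summer2020!")[:5])
    print("manager-style:  ", generate_password())
```

The unsalted lookup hands the attacker `Summer2020!` instantly, and `pattern_guesses` shows why one recovered password is enough to endanger every other account where you used the same habit. The salted value can’t be looked up, but note that it only protects you against the table, not against someone who already saw you type the password, which is why changing all of them still matters.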

Those pesky network devices

Your router (the boxy thing the cable people plugged into the wall that provides Wi-Fi) might not have come with a secure password, or (worse) its credentials might’ve been grabbed by the jerk that hacked your machine. There are a lot of settings that might have been changed, or were just bad to begin with, that should be fixed after an attack: the admin password, the Wi-Fi password, the DNS servers it hands out (pointing those at the attacker’s resolver is a favourite trick), remote administration from the internet (turn it off), port-forwarding rules you didn’t create, and the firmware version. If in doubt, factory-reset the box and set it up again from scratch. This goes back to getting help. Your ISP folks are the best bet.

Social Media Sanitization

Attackers routinely scour social media posts to gain information about attack targets. This information can be used for social engineering, guessing passwords, guessing security questions, etc. At the very least, try to lock down accounts so that very little information is public.

When posts are public, avoid mentioning or alluding to sensitive information and preferences that would enable strangers to have the same understanding and knowledge about you as would your friends. Yeah, this advice is somewhat vague. It’s as much an art as a science.

Two-factor authentication (TFA)

TFA (you’ll more often see it written 2FA or MFA) can be a great help in preventing attacks and mitigating the damage if they do occur. A code sent by SMS to your phone is a common and convenient TFA method, but it has vulnerabilities of its own (e.g., SIM swapping, where the attacker talks your carrier into moving your number onto their SIM, and interception of the message in transit). Buying a hardware key (e.g., a YubiKey) [We have no relationship with Yubico that I’m aware of. I just happen to personally like their stuff.] is a very safe and effective TFA method: with FIDO2/WebAuthn the key signs a challenge that is bound to the website’s real address, so a look-alike phishing site can’t reuse your login.

The topic of hardware keys and how to use them in TFA is huge. [I glossed over a whole bunch of things in the paragraph above. By “whole bunch,” I mean about six gazillion. Sort of like saying: “Antarctica? Oh yeah, it’s a bit chilly. Maybe take a sweater or something.” If you want to learn more about TFA, start here.] If you don’t want to worry about TFA too much, just buy a hardware key and do what its manual says. Even if you don’t think about it at all beyond that, you’ll be light-years ahead in the whole “security thing.”

Should hardware keys seem impractical to you, keep in mind this rule of thumb: hardware keys are better than just an app, which is better than an SMS, which is better than nothing. (An app’s six-digit code is computed on your phone from a shared secret and the time and never touches the phone network, which is why it beats SMS; but it can still be typed into a fake site and relayed within its thirty-second window, which is why the hardware key beats it.)
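Since the rule of thumb above hinges on how an “app” code is actually made, here is an added example (not code from the original post) that implements the two standards authenticator apps use, HOTP (RFC 4226) and TOTP (RFC 6238), plus the server-side check with a tolerance window. It uses the shared test secret published in those RFCs, so the values it produces can be checked against the spec; the `JBSW Y3DP EHPK 3PXP` enrolment secret is just a demo value, not tied to any real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, keep N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step).
    Only the secret and the clock go in; the phone network is not involved."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algorithm)


def verify_totp(secret, code, at=None, window=1, step=30, digits=6, algorithm="sha1"):
    """Server side: accept the current step and +/- window neighbours to tolerate clock
    drift, comparing in constant time. Note the server cannot tell whether the code was
    typed into the real site or into a phishing page that relayed it."""
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


def secret_from_base32(text):
    """Authenticator apps show the enrolment secret as base32 (often in spaced groups);
    decode it, tolerating missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


RFC_SECRET = b"12345678901234567890"  # shared test secret from RFC 4226 / RFC 6238


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0), "expected 755224 (RFC 4226 vector)")
    print(totp(RFC_SECRET, at=59, digits=8), "expected 94287082 (RFC 6238 vector)")
    demo_secret = secret_from_base32("JBSW Y3DP EHPK 3PXP")
    print("current code for the demo secret:", totp(demo_secret))
```

If you run the stand-alone part and compare it against an authenticator app enrolled with the same demo secret, the six digits match, which is the whole trick: both sides hold the secret, both sides know the time. The `verify_totp` comment is the caveat that matters for the ranking: nothing in the check binds the code to where it was typed, which is exactly what a FIDO2 hardware key adds.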

Good luck out there. Stay safe and always know that we’re here if you need us.