How to combat proficient hackers


36 replies to this topic

#1 palerider2

palerider2

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 05:24 AM

Hi All, To some extent I'm commenting on posts made in an earlier thread.

NickAu1 made a very important comment:
"Hacking Is done for a few reasons.
1 Information, You have something they want.
2 Money, You have something they want.
3. Because some script kiddie is bored and can. They may just want to upset you."

If you don't agree with that ^ you will not appreciate what I have to say, so please skip to next post.

The internet is supposed to be secure but, in reality, there are 'wiretaps' on it. So some people can read some or all the data that goes through particular subnets. They can use tools to filter out what is not of interest to them and reduce the amount of data being viewed/analyzed to a manageable size.

If a proficient (not necessarily professional) hacker does that and knows your ISP already, or your PC host name, they can quickly spot your traffic. Or they can isolate your traffic to one out of a handful of data streams and then take each one in turn. But essentially they have your IP address.

So here's my first question.
If your PC is protected by a NATing router (no UPnP) plus personal firewall, AV and has latest Win7 patches, how can the proficient hacker establish a session on your PC and do things to it that are consistent with the privileges of the account that you're using?

Assume the PC has just been built so no RAT.

Cheers all
PaleRider (2)

NickAu1> There are dozens of unreported exploits that could be used. This is true for Windows, Mac and Linux.

Nick, thanks for that. My second question: If the hacker knows your IP address what can you do to protect yourself? Are there any tools/utilities that one can use? Or do you have to (futilely) rely on the hacker not having knowledge of unpatched Win7 vulnerabilities? Thanks very much in advance.

PaleRider2

Edited by palerider2, 01 May 2014 - 05:33 AM.



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 01 May 2014 - 05:42 AM

Hi,

unless you have a static IP, you can simply disconnect from the internet and reconnect. You will be assigned a new IP which the hacker won't know.

In addition a firewall will try to block all "non-legit" entries, so this will definitely make it more difficult for the hacker. If you are using a router, the hacker will first have to get past the router before he can attack you. So this will also protect you.

regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,688 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 01 May 2014 - 05:45 AM

 

If the hacker knows your IP address what can you do to protect yourself? Are there any tools/utilities that one can use? Or do you have to (futilely) rely on the hacker not having knowledge of unpatched Win7 vulnerabilities? Thanks very much in advance.

It's hard to say. It depends on how much they want you, it depends on how much they know, it depends on the OS, it depends on how much you know. On Linux there are tools that may be of some use in detecting the intrusion. I am sure Windows has them too.

Host-based Intrusion Detection Systems (HIDS)

Network Intrusion Detection Systems (Snort)

http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Read this. Determined or what.

http://arstechnica.com/tech-policy/2014/04/bank-robbers-use-kvm-switch-and-3g-router-to-steal-money/

Or this.

http://arstechnica.com/security/2014/04/how-i-used-heartbleed-to-steal-a-sites-private-crypto-key/


Edited by NickAu1, 01 May 2014 - 05:49 AM.


#4 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 05:51 AM

Hi Myrti, My IP address is variable, as allocated by the ISP. Nevertheless, I have a problem. I really need to know how I can improve my situation, if that's possible. The proficient hacker appears to have access to a database of hacks. Regards, PaleRider

#5 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,688 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 01 May 2014 - 05:53 AM

 

Hi Myrti, My IP address is variable, as allocated by the ISP. Nevertheless, I have a problem.

Are you sure you are not hacked? I think you need help from the Malware Response Guys. Do you have other PCs in the network? Do you use WiFi?

I think you need to read this.

http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

Off topic.

I had a nasty neighbour that had WiFi and without going into details I had some fun with him.


Edited by NickAu1, 01 May 2014 - 06:03 AM.


#6 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 06:04 AM

Haha Nick, you are definitely qualified :)) I don't have malware. I'm being hacked. After several years of this I'm pretty sure. I've learnt quite a few things along the way, of course. But it's slightly galling that there's no safe option. Basically it seems that the internet is unsafe and your safety is in other people's hands. PR

#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • Gender:Female
  • Location:At home

Posted 01 May 2014 - 06:07 AM

Hi,

if you're using a router only traffic on very specific ports, e.g. port 80/8080 for HTTP, will be forwarded to your Windows 7. So any vulnerabilities on Win7 are more or less irrelevant because the hacker won't be able to get to your Win7 in a way that lets him exploit them.

If he has, however, malware installed then he doesn't need to get access from the outside, as he already has something on the inside. If you're using a router and a firewall you're pretty much safe from hackers.

What is the problem you're having anyways?

regards
myrti



#8 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,688 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 01 May 2014 - 06:12 AM

Hi,

if you're using a router only traffic on very specific ports, e.g. port 80/8080 for HTTP, will be forwarded to your Windows 7. So any vulnerabilities on Win7 are more or less irrelevant because the hacker won't be able to get to your Win7 in a way that lets him exploit them.

If he has, however, malware installed then he doesn't need to get access from the outside, as he already has something on the inside. If you're using a router and a firewall you're pretty much safe from hackers.

What is the problem you're having anyways?

regards
myrti

+1

First get the malware guys to clean up your PC to make sure you are clean.

If it continues after that you may need to assess your PC usage and environment.

E.g.

Do you use Chat (Paltalk etc.), IRC or P2P stuff?

On Paltalk for example in a premium room the Admin can see your IP.

What sort of forums/sites do you visit? Admins on all forums can see your IP.

Look at firewall settings. Are the ports closed etc.?

I now bow out of this topic and leave it to the experts.


Edited by NickAu1, 01 May 2014 - 06:36 AM.


#9 Kilroy

Kilroy

  • BC Advisor
  • 3,461 posts
  • Gender:Male
  • Location:Launderdale, MN

Posted 01 May 2014 - 11:56 AM

The internet is supposed to be secure

Nothing could be further from the truth. The Internet was not designed with security in mind and this is why we have the issues we have. Security has been added.

So here's my first question:
If your PC is protected by a NATing router (no UPnP) plus personal firewall, AV and has latest Win7 patches, how can the proficient hacker establish a session on your PC and do things to it that are consistent with the privileges of the account that you're using?

Some NAT routers have been found to be insecure. So, first they own your router and get on your network. Second they exploit a zero day vulnerability. Third they own your machine. No matter how careful you are, you can be compromised just due to the massive amount of software we use every day. A single flaw in one piece of software isn't sufficient, but taken as a whole there is no way to be considered safe online. Your goal should be to be a non-cost-effective target. In other words the time and effort to access your machine and data should be sufficiently high that only the truly dedicated would attempt the attack. If someone is truly dedicated they will most likely attempt physical access and then there is almost nothing you can do.


Edited by RKilroy, 01 May 2014 - 11:57 AM.


#10 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 04:09 PM

Hi All, Thanks for your replies and for the links that have been posted. I read all of them. To answer some of the questions/comments...

NickAu1> "Do you have other pcs in the network? Do you use WiFi?"

My PC connects to the router via a cable. There's another PC which connects to the router using WiFi but I disconnect my PC first before turning the WiFi signal on. So the two PCs are never networked to each other.

Myrti> "if you're using a router only traffic on very specific ports, eg port 80/8080 for http will be forwarded to your windows7."

This is where I'd like to focus, if possible.

Myrti> "What is the problem you're having anyways?"

In the original post I mentioned a clean PC. That was achieved by restoring the PC to factory defaults and adding applications that were clean, i.e. the EXE files had known, good MD5 sums. The Windows updates were then applied. The PC already had Win7 Starter software installed and it was bought towards the end of 2011, just to give an idea of what the O/S factory defaults would be. If that PC was allowed to connect to the internet it would eventually be hacked. The consequences would be severe if an admin account was used for browsing, e.g. keylogger installed, email accounts taken over. If a limited account was used for browsing the consequences would be very limited. I found that being careful with where the PC sent HTTP traffic affected the security of the PC. I therefore came to view port 80 as being a key element of the hacking that was in progress.

NickAu1> "Do you use Chat ( Paltalk ETC) IRC or P2P stuff?"

No.

NickAu1> "On Paltalk for example in a premium room the Admin can see your ip."

Finding my current IP is definitely part of the hacking process. If I disconnect and reconnect frequently or after visiting certain sites, that can affect whether the PC gets hacked. It's already been identified that if someone knows your current IP address they can hack you, if they're good enough. And it's also been identified that people can have motivation for hacking for reasons that are nothing to do with money. You identified this correctly Nick.

NickAu1> "Look at firewall settings, Are the ports closed etc."

Comodo firewall is in stealth mode. Configured using a detailed tutorial online.

RKilroy> "The Internet was not designed with security in mind and this is why we have the issues we have."

This is fully in agreement with my experience.

RKilroy> "Your goal should be a non-cost effective target."

Most of the time that would be a good enough strategy. Agreed. Incidentally my router is running OpenWRT firmware. I'm uncertain of the strength of that software against the attacks that you mentioned in your post.

If I go back to this comment (below) I'd like to understand whether a man-in-the-middle attack would be possible on a legitimate HTTP session that originated in the PC, e.g. originated by a background update program:

quietman7> "If someone wants access to your data, they will get it. And if they have enough tech savvy, I doubt the average person can stop them."

So should I be resigned to putting up with this remote access? Are Windows vulnerabilities part of the attack process? Can the hacker elevate their privilege and learn the router password? The PC that I use for browsing is essentially a sacrificial PC. I'm prepared to revert it to factory defaults at any time. Is this the best that I can do? I'm getting the vibe that if I can't implement HTTPS on ALL of my internet traffic then I have to accept that the PC isn't safe from this dedicated hacker.

As a general comment, my experience has been that when I discuss this issue with folk, their instinct is to avoid discussing the technical question: can this hack be done? For some people it's impossible to believe that hackers sometimes operate for non-financial reasons. Therefore could I just ask people to please respond 'in principle' on the technical question, even if they think it's a very unlikely scenario. There have been a number of comments like the one made by quietman7. I'm prepared to believe them and would like to know more, if possible. Thanks in anticipation folks.

Why does my formatting disappear?

#11 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 06:16 PM

Myrti> "if you're using a router only traffic on very specific ports, eg port 80/8080 for http will be forwarded to your windows7." This is where I'd like to focus,

quietman7> "If someone wants access to your data, they will get it. And if they have enough tech savvy, I doubt the average person can stop them."

Here's a little bit more information about what's going on.

The PC was being hacked daily and I was restoring it to factory defaults daily. I was trying to discover what was happening with TCP/IP connections and I'd researched enough to discover TCPView.

So one day I connected the PC to the internet, freshly built with TCPView running as well. And I just sat there for half an hour, watching TCPView. After a while I saw googleupdate run. I checked what triggers this to run and discovered that it runs every hour.

Something else caused me to focus on googleupdate (can't quite remember what that was) but several months later I added a rule to the firewall that googleupdate gets blocked on port 80.

Two interesting things came from that:

i) After about 10 attempts to use port 80, googleupdate will use port 443

So here's a way to make a background updater use https - nice.

ii) From that day on I had no problems on the PC

That is until fairly recently. So I went from being hacked daily to not at all.

That's got to be a big clue.

It would be nice if all background updaters had a fallback to https.



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,895 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 May 2014 - 06:28 PM

Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

Here are a few resources which you may be interested in reading.

Investigating Hacking:

 



#13 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,688 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 01 May 2014 - 07:19 PM

 

Comodo firewall is in stealth mode

The idea that ports can be 'stealthed' is a myth. Stealth ports may or may not be effective for a random port scan but in your case useless. A skilled attacker will find out if anyone is attached to the IP or not, unfortunately. I wouldn't be too worried about having closed ports being shown.

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

Something like this would be more useful.

Seasoned attackers, and even some amateur cyber-vandals, find sport in trying to scan servers and hijack them at the same time (Figure 1). Firewalls and Intrusion Detection/Prevention systems can help, but if a single tool could truly stop all potential attacks, the Internet intrusion industry wouldn't even exist.

The Portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition.

The general goal of the program is to make the port scanning software process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

Portspoof presents various service signatures on some or all available ports, making it very difficult to discover which services are actually running on the computer. The application can simulate more than 8,000 signatures and has the ability to throw a couple of exploits back at the scanning computer.

http://www.linux-magazine.com/Online/Features/Trick-Attackers-with-Portspoof


Edited by NickAu1, 01 May 2014 - 07:57 PM.


#14 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 07:47 PM

 

 

Comodo firewall is in stealth mode

The idea that ports can be 'stealthed' is a myth. Stealth ports may or may not be effective for a random port scan but in your case useless. A skilled attacker will find out if anyone is attached to the IP or not, unfortunately. I wouldn't be too worried about having closed ports being shown.

http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject

http://www.chrisbrenton.org/2009/07/why-firewall-reject-rules-are-better-than-firewall-drop-rules/

It's an interesting fact. Totally agree with you Nick. (My PC can't be scanned as far as I know, as its true IP address is only known to the router.)

Thanks for all those links, quietman7 - some light reading! As for the nature of the hacker, I know a bit about him (or it could be a her but I doubt it). I know a forum where he posts daily. He trolled me on that site which tells you something about him - he has an anti-social tendency.

He also likes to see evidence of dismay in his victims. I think that's partly what makes him persist.

If anyone reading this knows a white hat who wants a challenge, I can introduce them to the forum where the troll lurks. This is genuine.

Back to the evidence that I've collected, how can a legitimate TCP/IP connection, that's generated on a victim's PC, be hijacked by a remote device which is sniffing the pertinent subnet where that connection goes?

Maybe I don't even need to know the answer (though I suspect sequence number guessing or similar) and the only relevant question is: can you do anything about it? And are Windows vulnerabilities part of this hack method?

Can all of the updaters be made to use https? (That would definitely help, if it was possible).

On one occasion, after I'd adopted the policy of browsing with a limited user, a connection was made to my PC and TCPView was tampered with. The update frequency of the application was turned OFF, i.e. the pause option was selected. Now, at that time I didn't even know that there was a frequency option. So I can be certain that I didn't do it and nobody else was home....

Anyway, that was just one example of many, many attacks/interferences. I never doubted who had done it. But it was an extremely mild attack and so illustrates the benefit of not using an administrator account as default.


Edited by palerider2, 01 May 2014 - 08:00 PM.
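A defender's version of what palerider2 did by hand in #11 and asks about again in #14 (watch which programs talk plaintext HTTP, then block one specific updater on TCP/80 so that, if it has an HTTPS fallback, it moves to 443), written as an added PowerShell example that is not from this thread or from any poster. It assumes an elevated PowerShell prompt on Windows 7 or later with netstat and netsh advfirewall available, uses netstat -ano instead of TCPView so the check can be scripted, and the GoogleUpdate.exe path in the usage line is an assumed default that must be confirmed on the machine in question.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# prompt on Windows 7 or later; relies on netstat and netsh advfirewall.

function Get-PlaintextHttpConnections {
    # Lists every TCP connection whose remote port is 80 (unencrypted HTTP)
    # together with the owning process, the same data TCPView displays.
    # A netstat -ano line looks like this (constructed sample):
    #   TCP    192.168.1.10:49712    203.0.113.5:80    ESTABLISHED    1234
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }            # header or malformed line
        $remote     = $f[2]
        $remotePort = ($remote -split ':')[-1]      # last field, so [::1]:80 works too
        if ($remotePort -ne '80') { continue }
        $owningPid  = [int]$f[4]
        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { "pid $owningPid (exited)" }
        $path = if ($proc) { $proc.Path } else { $null }
        New-Object PSObject -Property @{
            Process = $name
            Path    = $path
            Remote  = $remote
            State   = $f[3]
        }
    }
}

function Block-PlaintextHttpForProgram {
    # Adds an outbound Windows Firewall rule that blocks TCP/80 for ONE
    # executable only, so an updater with an HTTPS fallback moves to 443.
    param(
        [Parameter(Mandatory=$true)][string]$ProgramPath,
        [string]$RuleName = "Block plaintext HTTP - $(Split-Path -Leaf $ProgramPath)"
    )
    if (-not (Test-Path $ProgramPath)) {
        throw "Program not found: $ProgramPath"
    }
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
        program="$ProgramPath" protocol=TCP remoteport=80 enable=yes
    # Read the rule back so the change is verified rather than assumed.
    netsh advfirewall firewall show rule name="$RuleName"
}

# Usage: audit first, then block a specific program. The path below is an
# assumed default for Google's updater and must be confirmed on the machine.
Get-PlaintextHttpConnections | Format-Table Process, Remote, State, Path -AutoSize
# Block-PlaintextHttpForProgram -ProgramPath 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'
# Re-run Get-PlaintextHttpConnections afterwards: the updater should no longer
# show on port 80, and a netstat entry for it on remote port 443 means the
# fallback worked.
```

Two practical caveats. The block rule only helps with a program that really does retry over HTTPS; one without that fallback simply stops updating, so re-run the audit afterwards and confirm the connection now shows remote port 443 rather than assuming it does. And an outbound rule does nothing about software already running inside the PC with network access of its own, which is why the thread's advice to have the machine checked for malware first comes before any firewall tuning.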


#15 palerider2

palerider2
  • Topic Starter

  • Members
  • 133 posts
  • Gender:Male

Posted 01 May 2014 - 08:13 PM

The general goal of the program is to make the port scanning software process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

Portspoof presents various service signatures on some or all available ports, making it very difficult to discover which services are actually running on the computer. The application can simulate more than 8,000 signatures and has the ability to throw a couple of exploits back at the scanning computer.

http://www.linux-magazine.com/Online/Features/Trick-Attackers-with-Portspoof

Haha. Loved reading that, Nick. And Grimm reading for the would-be hacker :)

Sorry, couldn't resist that one ....





