Here’s a great article for your education. Note that the site no longer exists but I had the text saved off for this type of discussion.
Many computer users are “innocent” victims of internet and computer vandalism. Their computer has been attacked or even totally breached and its totally open to some hacker on the other side of the world. Or some co-worker or friend or wife (!!!) has installed some monitoring program onto it to see what are users doing with it which makes them easy to read all email, passphrases and so on. What ever the motives and goals for these people are we can only imagine. The problem is, that people who are not familiar with the computers and operating systems are usually totally unaware of all this. When they finally have a clue, they dont know what to do about it. I try to give some tips on how to reach in such cases where you believe that you are under attack or hacked.
How can you know?
How can you know you have been attacked or your system compromised? It might be hard or it might be very easy. If you have a firewall like ZoneAlarm, it might have logged a suspicious program trying to setup a server or your antivirus alerted you about some trojan. Or your internet connection is jammed or your firewall is screaming like its the end of the world and you are under DoS attack? Or you have strange new “features” in your computer or when you surf in the net? Or you are forced to go on strange sites when you surf the internet? Anyway, you should be sceptical, even paranoid. You can rarely know for sure. In generally, if you dont pay attention, you usually cant see it. Think. What is wrong here? Nothing? Why my system is not running as it should be? What was that warning I ignored before? What was that screen that popped up and wanished? Why did it take so long to boot? Why my settings have been changed, I know I didnt change them? Why are some files missing? What strange email I have “sent” from my computer that I dont recall? What is starting up in my computer? Why is my internet connection “working” hard even tought Im not doing anything?
One way to know that something has happened in your system (like new files have been installed, existing files altered, etc.) is to run full system-wide file check using specific tools like (free) NIS Filecheck that will create cryptographically strong hashes from the files you specify or all files based on their extention you specify. Since no two files can have the hash unless they are exactly the same file, it cant be fooled. The point is, that you create such database with this program from all relevant files (like based on file extensions like exe dll ocx vxd sys bat scr ini com cmd reg drv vbs inf msi wsc 386 pif wsh), when you know that your computer is safe and clean from infections. When you are about to reinstall something or update your programs in secure manner, you should first check for changes in your computer (incase you are currently infected with trojans etc.). After that, update/reinstall what you want to, and then also update this list or create a new list using this program. Now, if and when you suspect that you are infected or some files in your computer are tampered, you can run this program again and compare the results. It will notify you on ALL changes on those files and it is impossible for any virus/trojan to hide itself in your computer from this program. You can simply check the results like:”Hmmm… What is this new filename.exe that is now in my system? Why is explorer.exe not the same explorer.exe it was before, has some trojan tapped into it? etc.” This way you can easily narrow down the search for the intruder. Also, the file and its databases are pretty small (few megabytes) so you can for example, burn it to cdrom or put in usb drive and carry it with you all the time so nobody can tamper it.
What to do if you (believe) that you are under attack? First, dont panic. If the hacker has gotten into your system, he might have already done the damage. If he isnt in yet, he may never get in. If the attack is net-based (like port scan, DoS attack or DNS spoofing that you somehow spot), then the best option might be to disconnect. Pull the plug out to be sure. On the other hand, if you know your defences are good, it might be wise to figure out who is trying do to or doing what to your system. If you disconnect, the hacker might notice it and figure out that you spotted him.
Remember that if you get hits to your firewall from outside, that simply means that your firewall is doing its job and that you are safe so there is no particular reason to disconnect. Its still worth investigating, since it could be a sign of someone trying to connect to a trojan horse that is in your computer or look for vulnerabilities in your computer to exploit. However, if you get very strange hits to your firewall from inside your computer to out, then it is very important to disconnect to make sure that whatever it is, and that it will NOT get out to the net no matter what happens next. After you have made sure that hacker is not getting in/out of your system, then you have time to figure out and react to the attack much better.
Under DoS or used for DoS?
If your internet connection is jammed or firewall is screaming, then you might be under DDoSA. Distributed Denial of Service Attack or participating to a DoS attack. By checking your network connections, their sources and targets and the amount of data transfered, you can try figure this out (please look “Network Connections” paragraph below). If you are target, then you need to either A) change your IP address B) adjust your computer and firewalls settings so it will hopefully block it C) contact your ISP and ofcourse D) check that you have the recent updates to your operating system. You might also concider buying a new networkcard or atleast changing its MAC number, and changing your computer and username to be sure that you cant be tracked or targetted again. Usually, you might need to do all of them.
DDoSA is used to fill your connection and computers resources so it (your computer if you are the target or the target computer if you are being used to DoS someone) cannot be used at all. It is usually done just to harrash or revenge you since it isnt a real “threat” to your computer, unless you are the source of such attack! If you are the source of DoS, then you must concider your computer completely insecured. If you are target for DoS, it just prevents you (and perhaps dozens other people too since they can share your connection somehow) from using the net. There are plenty of different DoSA:s like “Smurf”, “SYN flood”, “Ping flood”, “DNS attack”, “Teardrop”, “Stream”, TFN”, “Trinoo”, “Stacheldraht”, “TFN2K”, etc. etc. But its not that important to know about them since there usually isnt much you can do without your ISP and he will tell you about it.
After you have recovered, it is crucial to avoid the same practises that putted you at the risk before. Be very carefull about your new IP address, use proxies to hide it. If you where source of DoS attack, you must be very carefull and check your computer carefully since it can be concidered completely insecure (if something could be installed onto your computer to commit DoS attack, what else is installed or can be installed onto your system eh?).
If the hacker is not inside your computer but just scanning your ports, then you dont have much to worry about. If the hacker is scanning ONE or only few ports, then he might be trying to find a trojan horse and connect to it. He might be just guessing or he has planted an trojan horse onto your computer and is trying to connect to it. What ever it is, it is something you should react to then.
Please be carefull before you jump into conclusions here: 99% of all firewall alerts (atleast in ZoneAlarm) are not real “alerts” meaning that someone is actually trying to connect to your computer, but just internet backround noise. You can judge the severity of the connection attempts from the logs and checking what ports are used. Also, ZoneAlarm also gives you more information about the blocked connection if you want to. You can also check Google for more info: just type in “Port xxx” where xxx is the number of the port you are getting hits.
Again, only continous attempts to connect to your computer from the same IP are something to worry about. or attempts to connect from your computer to the network. Everything else…just forget it ok? Dont panic or start posting to newsgroups, forums or email any system administrators! DONT.
One very important thing to do is to run from command prompt (without quotas) “netstat -an”. This will give out ALL connections in and out of your computer. Naturally, before you do it, close all other programs (but not your firewall!) and connections. Check out for ANYTHING that has been marked as “Listening” or “Connected” and DOES NOT HAVE 0.0.0.0:0 as IP address. There might be couple things that are “Listening” but are at IP 0.0.0.0:0, meaning that they are listening in your computer for your computer…this is long thing to explain so just IGNORE THEM, they are NOT trojans!!! If you spot something ELSE that is listening or connected, figure out what port it is using, like if the IP is 123.456.789.111:666, then the port used is 666 and the IP is 123.456.789.111. What ever you discover here, write it up to piece of paper for further reference.
You can also use free tools like Active Ports to see that what programs are using what ports to connect where. This is very usefull since tools like this will help you finding remote access trojans (RAT:s) or other software that is in your computer and has connection to outside world.
There are also several trojans and spyware that redirects your network traffic. This can be very dangerous and you usually cant notice it unless you know exactly what to look for. One way that is used, is to alter your computers HOSTS file (which normally is in your system). HOSTS file tells Windows where to redirect some specific network addresses. You can find hosts file in Windows 2000 and WindowsXP under C:\windows\system32\drivers\etc folder and in Windows95/98/ME under C:\windows folder. If you are uncertain what should hosts file contain, you can delete the whole file from your computer, or replace it with “good” hosts file that will redirect your traffic from for example, advertisers pages to hell (so that you wont see advertisements when you surf in the internet!). You can download such “good” hosts file from example here.
Second way of redirecting your traffic is to change your DNS servers address information and therefore put your computer to use false DNS information. DNS changes address names (like www.markusjansson.net) to IP addresses so you cant get something from the net with domain name instead of IP address. If you are using rogue DNS server, you can be directed when typing www.markusjansson.net to some hackers server instead of the homepage. Or, when you are using some internet based bank service, you are redirected to hackers faked “bank” page! Its difficult to detect DNS hijacking, you have to look your network settings and make sure that DNS servers are the ones that your ISP have given to you (or they are putted on “automatic”). You can do this by going to “Network Connection” etc. and finally to the TCP/IP settings. Ofcourse, always when you use some secure network service like bank, make sure you check that the connection is really encrypted (locked lock in the browser somewhere tells you that).
Third way of redirecting your traffic is to put your modem (if you have one, that is) to dial some other number when connecting to the internet (or otherwise too) than your ISP:s given number. Usually these numbers are expensive “service numbers” and programs that usually change your numbers are called dialers that can be downloaded from porn pages etc. However, some clever hacker might use similiar programs to spy on your network connection by making your computer phone him and he then contacts your real ISP, making him sitting between you and your ISP in the network. You can check where your modem is dialing from its settings or from internet connections settings.
Fourth popular way of redirecting is so called “homepage hijacking”. In these cases, usually spyware program, changes your internet browsers homepage to whatever the creator of spyware wants to, and it rechanges it back every time you start your computer. This problem is easy to fix by running Spybot S&D and removing all spywareshit you can find your computer and then changing the homepage back to what you want to.
Fifth way of redirecting your network traffic is to use proxy. Proxy servers are very usefull when you want to hide your IP address, but since the proxy you are using can also listen to all your communications, you should be very carefull what you allow to be used as proxy. Some trojans could simply add hackers server as your proxy to all communications and therefore easily snoop, alter or bash your connection to any sites you visit. You can check proxy setting from Internet Explorer, go to “Tools” – “Internet Options” – “Connections” and select “Lan Settings” or dial up settings (depending of what kinda connection you have), and check for proxys and if they are not something you or your ISP has ordered you to use, you might want to remove them from the lists. You should also check for proxy settings from your other browsers and software that is used to the net or in the net.
Sixth way of redirecting your network traffic is to hijack your phonelines or WLAN connection. Its not as hard to do as it sounds like, and its usually very hard to detect. However it cant be done with at trojan horse program or anything like that, the attacker needs to have physical access near to you. Please look at “hardware hacking” section at the bottom of this page for more information about this kind of attacks.
Virus or trojan inside?
First thing what to do after you have secured your connection, is to run full antivirus. Scan all files, inside compressed files, etc. etc. and make sure you have the latest virus definitions. If you dont, get them but dont close your firewall, just open a small hole for the program that gets the updates and then again disconnect. Antivirus software that is not updated is prettymuch useless since it cannot detect latest viruses, so it is VERY IMPORTANT to always have updated and running antivirus on your computer!
If you dont have antivirus installed on your computer, or it is disabled by some virus/trojan, you can run online antivirus scan to check and remove viruses and trojans from your computer. For example, you can use Panda online or Symantec security scanner (virus scanner to be more exact) to check for viruses. They both require Internet Explorer and those pages being putted to “Trusted sites zone” inorder to work.
If you are using FAT16 or FAT32 as your file system in all your partitions, then you might concider also running F-Prot for DOS. The point of running it is, that you boot to DOS using a clean bootup disk. Then run the F-Prot for DOS in DOS…this way it will be able to check and remove viruses it discovered from all files and you can be sure that IT has not been tampered with. Remember to check its settings too, so it scans all files, compressed files and uses heuristics…and that it has latest virus definitions installed! If the virus scan finds out something, then it usually can fix it on the spot. If not, well…then we have a bigger problem.
Its always a good idea to check your HDD:s atleast twice, using different antivirus programs. However, it is important to remember that you should NOT install two different antivirus programs running into your computer at the same time, because they can really mess eachother and your computer too…rather scan your computer with your own antivirus and use internet-based scanning tool like Panda online or alternatively remove your hard drive and attach it to your friends computer and use he’s operating system and antivirus to check it. Paranoid person might check using three different antivirus programs and one antitrojan program. You can never be to carefull with trojans. Remember, that getting a clean result from antivirus/antitrojan program(s) does NOT mean you are clean! Not a chance! Most new trojans arent detected by even latest definitions files of antivirus and antitrojan products!
If you are not sure is a particular file a trojan or not, try Google and what comes up with that name. If you get saying its a trojan, then delete the damm file on your computer! You you cant do it (the file is in use), then 1) disconnect 2) use Ctrl + Alt + Del to kill ALL programs 3) try to delete it again. If you still cant delete it, then you need to boot to DOS (if you are running FAT16/32) and delete it from command prompt. On NTFS filesystem, you need to try other means like booting from WindowXP cdrom to NTFS command prompt and delete it from there, or to disable it from starting up and booting to “safe mode”. If you dont get more information of the file from the internnet, then concider renaming it to something like xxx.old that way you can restore it later if you noticed its not harmfull. ANYTHING suspicious…use Google to check for more information about it. It WILL save you, your system administrators and others a LOT of time and effort.
If you are using NTFS file system, please note that it is possible to hide a trojan inside “alternative data streams” so it is practicly impossible to detect. Only TDS-3 (not freeware) can look inside alternative data streams for trojans. You can also use freeware tool called Crucial ADS to check inside alternative data streams.
Also, try running Ad-Aware (with recent sigfiles and proper settings ofcourse, DONT use the default settings and default sigfile or you will NOT find anything) and see what comes up. Remove what you can find, there is no reason to have spyware on your computer. Besides Ad-Aware, I recommend that you run Spybot its a bit similiar program but is also very good on finding trojans. However, please notice that if you are using any F-Secure products in your computer, these programs might find several Backweb components in your computer, please do not remove them, they are used by the F-Secure antivirus and are NOT spyware.
There has been rumours about advanced trojan horse / viruses that attack your computers hardware like motherboard or graphic cards bios and infect them. In theory, such viruses could exist that can infect those components and later infect your software too. Some parts of the virus could remain in hidden sectors (like clusters marked as “damaged”) of your hdd and survive formatting and even overwriting (!) and then be launched by the “mother program” from the bios level. Detecting and cleaning up such viruses is very difficult, but you might suspect such infection if you have not connected to network, have installed everything using secure source (original cdroms, etc.) and still you get infected somehow! Only way to clean up this kind of infection is to reflash all bioses in your computer and overwrite all sectors (even damaged ones) in your hdd:s. Even this might not be enought however, so you better just concider this kind of computer compromised and buy a new one.
Check what processes you have running. You can do this with “Ctrl + Alt + Del” on Win95/98/ME and “Ctrl + Alt + Del” / “taskmanager” / “process” on WindowsNT/2000/XP. Check for anything strange like “backdoor.exe” or “app.exe” or “tool.exe”, “service.exe”, “help.exe”, “system.exe”, “windows.exe” or anything that has some lame name on it. It is very hard to spot what should be running and what not if you are not familiar with the programs. However, if you are, its pretty easy to spot new programs and locate them after that using “seach” tool in Windows (and when you search, remember the settings so that it actually searches ALL files on your system, not just visible files!). You can also check what programs have been changed by seaching for program that where last changed in a week or so and limit your seaches to .exe files, this will hopefully tell you about possible installed trojans. If you dont know what a particular file is, again, use Google to find out. It will safe you a lot of time and trouble.
Please note that some trojans can also “tap” into existing programs using trick called .dll injection, so checking what programs are running does not necessary spot the trojan! Some trojans can also be hidden so that they do not show in Ctrl + Alt + Del on Win95/98/ME. If you want to be sure what is running in your computer, you need a tool like Process Explorer which is freeware. It will show you every program and dll that is running. Only program that you need to be running in Windows95/98/ME is explorer.exe. Others are stuff like antivirus, firewalls and such so they “might be” needed or then not. Please note that some trojans name themselfes like explore.exe or exporer.exe, if you find any such program running, terminate it, it is very likely that it is a trojan.
If you still dont have a clue, remember to check what gets started up during reboot. You can check it by just simply running “msconfig.exe” and “startup” which will tell you something about what is starting up. Also, you better check win.ini and system.ini files too to see what they contain. If you are running Windows2000 or WindowsXP, you should also check and disable all not-needed services, here is how to do it …however, be carefull when disabling services from starting up, since you should have atleast antivirus software and firewall, that create their own services down there and they should ofcourse not be disabled!
One EXCELLENT tool to automate this search is to use freeware program called Hijackthis which will go throught most of virus/trojan/spyware hiding places! Run it, but be carefull about what you intend to remove with it. You can find some information about its finding in this page, so you better read it out! You can save logs from earlier scanning to remind you what is supposed to be there so you can later compare the results and remove the unwanted stuff. Hijackthis is very, very efficient tool to kill almost all kinds of malware from your system!
Again, if you dont know what you are looking at, it wont tell you much but if you have some knowledge about what SHOULD be started up, then you know what to look for. Ofcourse, remember that there are plenty of clever trojans around that can hide themselfes at the existing .exe files like explorer.exe so you cant spot them in either registry or in running processes. They are nasty ones. Here is an excellent site about what programs you might be starting up.
If your system is just a mess, its likely that the hacker was there. Or some virus or worm has “exploded” in your system. Or someone has tampered with your system. Depending upon how hard you have been hit, you need to concider how to move on. If its just a mess, try to fix it up with antivirus, settings, startups, registry and boost your security. If its a total mess, its just easier to recover by restoring a image of your system (which you have ofcourse created with a program like Norton Ghost) from an image you KNOW is a safe one. There is no point of restoring image you created yesterday, it might have the same trojan already inside! If you are up to restoring an image, better restore an image that has been created more than a week ago. Before restoring the image, remember to backup your recent documents and such that you have created after that image was created…backup to floppy or such, dont backup to partition you are about to wipe by writing an existing image ontop of it!
If you have a reason to believe that your system has been compromised or it has been messed up really bad and you dont have an image file to recover from, then you are out of options. OR, if you believe that the hacker has installed a “root kit” to your computer which will allow him to totally control every program, command and procedure that goes on in your computer making it absolutely impossible for you to recover from it, then you are in trouble. Then all you can do is to disconnect from network, backup documents, picture and other files (but NOT any program files etc!) to save place (like floppies or other HDD or cdroms). Then you must boot to DOS (or with WindowsNT/2k/XP boot from CD) or otherwise commit format. Format your system partitions (Usually C:), but to play it safe, format all partitions, repartition and install everything back from the scratch. Use only original program CD:s, floppys and internet sites you can trust; you cant be sure is the cause of you mess in some pirated software or other piece of code you cannot trust. You might be surprised to realize that it is actually quite fast to reinstall your system. It might be much faster to reinstall everything than try to figure out what went wrong and how to fix it…and formatting and installing everything again is the ONLY way to be sure that whatever happened, will not happen again (unless you again executed the program that caused it in the first place). Be carefull with document files, they can contain macroviruses, but if you setup your settings properly and scan them with antivirus, they shouldnt be a problem when you restore them to your clean system.
When you are done
After you have recovered, you need to think what might have happened. What kinda trojan/attack it was? Did it or did it not penetrate your defences? If it did, what could it do? What could that particular trojan (if you could identify it) be used to? If your system has been compromised, you need to change ALL you passwords and you need to do it fast (before the villan uses the perhaps captured passwords or changes them and locks you out of your email etc.) AFTER you have secured your system. Make sure you remember your new passwords (or use a program that saves them in encrypted form so you only need to remember one passphrase, like Password Safe). After changing your passwords, you might want to warn your friends about it (if your system was compromised, ofcourse there is no reason to alarm them if you just got your ports scanned). Tell them quickly what happened and that if they have received some emails / attachments from you, they should not open them. Dont spread hoaxes or alarm them if your system was not compromised. Do it ONLY if you are sure it was compromised from inside.
Think. Think hard. What have you executed lately? Did you receive some weird email? Are you sure you had all the updates to your Windows and antivirus updated and properly running too? What about settings on your programs olike browser and antivirus, where they safe? Who else has been using your computer and what did they do? Are you sure? Could have someone tampered with your computer without your knowledge? Try to find answers to these kinds of questions inorder to locate where did the (possible) infection came from.
At last, think how can you prevent it ever happening to you. If you know or think you know what caused it and why, you can pretty easily avoid it next time. If someone was scanning your ports, make sure you have them *all* closed now and forever until you REALLY need some of them to be open. If it was an attack from inside your computer, concider altering what you do with your computer…like for instance, stop loading programs from unreliable sources, switch your browser and email client to something more secure (like Opera), concider upgrading your antivirus or getting an antitrojan too and so on. If you used to let other people use your computer, limit who can use your computer (good settings and Guest account in WindowsXP works like a dream…IF you have a good password onto them!) and to what and make sure they understand to follow your security guidelines (the most important being: dont run programs you cant trust). If they dont get it, dont let them use your computer. Plain and simple.
Want to revenge? Usually, dont bother. What you can do is, if you are SURE about it…I mean SURE, not guessing but are absolutely sure that you have been hacked or under hacking attempt…is to report about it. Make detailed descriptions about what has happened, when and how. If you get IP address of the S.O.B. who attacked you, good. If not, you can ask it from your ISP and tell them you where under attack. Figure out who is on the other end of the line, use services like Whois or Traceroute to figure it out. There are good (non-free) programs like net.demon to help you out. Then, after you have figured it out, send email to firstname.lastname@example.org (where the xxx is the domain of the S.O.B. who attacked you) and explain them about it. Remember to attach (not as an attachment but in text) the data you have collected, like the IP, time and date, type of attack, ports used and what do you know so far. If you are not sure about it, ask your ISP about it and tell them you want to file a complain against the S.O.B. he can help you out or even do it for you!
The kind of message you might want to send:”Hi! Someone in your domain at IP XXX.XXX.XXX.XXX has scanned my ports 666 and 999 which are used for trojan XXX. I scanned my system and found trojan XXX so I have good reason to believe that the same person attempting to connect to me planted it somehow. This all happened at time XXXX at XX.XX.XXXX and lasted until XXXX at XX.XX.XXXX. Here are my firewall logs so you can check it out………..<snip>……. Please check your logfiles. I want to know that you also have this logged on your system incase I will press charges against this villan…..<snip>…. Yours XXXXXX”
If you have suffered severe damage, like lost your files and/or much time, I suggest haunting the S.O.B. down and pressing charges against him after you have collected some data. Your data will not hold up in court, but it can be used to assist the police investigations a lot. If the villan is in other country, then again concider how much you can actually gain and loose if you do so. In any situation, if you have suffered from the attack, you should also contact your ISP, he might be able to tell you something about connections to your computer and assist you further, more importantly, he can tell you how to press charges because he is more used to handling situations like this than you are.
Remember: Shit happens. Sometimes someone sends you email that has a worm inside. Or you download and execute a trojan. Or misconfigure your system as an invitation to hackers. Its not the end of the world, nor something to worry about that much. It might have been an accident too. Usually just fix it and be smarter next time you use your computer. Life goes on…
How to spot a hardware based keylogger? How to spot TEMPEST attack? Cameras watching you as you type your passphrases? Someone tampering you phonelines etc? How about just lurking over your shoulder when you use your laptop computer? Its hard but not impossible. Again, prevention is the key issue here. Prevent anyone from entering the space where the computer is located and you have fixed this issue. Or if you are using a laptop computer, make sure you carry it with you all times even when you dont need it. Make sure tought that its not stolen…and if it is, you have nothing to worry about since all your sensitive data is protected by strong cryptography and passphrases and plaintext copies are wiped…right? RIGHT?!?
Hardware keyloggers can be very dangerous. But you can check your keyboard and especially the line in it. Anything special about? What about in the mainboard? Any strange, removable box between your keyboard and computer or inside your keyboard? Even a tiny one? If there is, bingo! You might have found an advanced keylogger! These babys are pretty cheap actually. They can store a huge amount of data of your keypressings and there is absolutely no way you can discover then unless you know what you are looking at and where to look at. No software can find them. Sometimes they send to data as wireless to 10-50 meters away to main station that sends them forward. One way to prevent hardware keyloggers is to continously monitor the surrounding of the computer and especially all wires onto it. Best way is to use a laptop computer and always carry it with you, even when you are not using it, then you can be sure nobody is installing hardware keylogger onto it. Here are some examples of hardware keyloggers.
Under TEMPEST attack? Maybe you are just a paranoid but again, you can never be to carefull. but how to spot it? Directly, you cant spot it, since its totally passive attack. However, equipment used for TEMPEST attack has to be stored somewhere, in the flat near to you or in the van parked outside your house etc. If you want to protect against TEMPEST, you need to implement so serious security precautions that they are beyond the scope of these pages. In general, if nothing in EM can get out of the room you are in, TEMPEST is pretty much useless. That means, if you cant operate a radio or GSM phone in the room you are in, then you are propably safe from TEMPEST. A metal cage around the room should be enought to produce Faraday’s cage, but its very hard to properly shield the room because EM signals can easily leak from corners, doors, air ventilation systems, etc. Its also good idea to use UPS or similiar power systems to “level” the power consumption and prevent EM signals from emitting to the power lines. One way to prevent TEMPEST is to use more than one physically similiar computers nearby, running all the time with random event happening (like seti@home calculations, graphics, etc. etc.). That way they will mess up each other EM signals and make TEMPEST much, much harder, or even impossible. Also, lowering your monitors contrast will make it much more difficult to spot ie. individual letters from its screen using Van Eck radiation. The easiest source for TEMPEST is your monitor and its contents (what you see in it, to be more exact), by default it can be monitored even more than 50 meters away using relatively simple and cheap equipment. Doing TEMPEST attack against your computers CPU, memory, keyboard (unless its wireless keyboard!), etc. is much harder, but not at all impossible if advanced attacker is in the game. You can read a bit more about tempest and how to protect against it from this page of mine. At this page you can read about low-cost tempest countermeasures.
Cameras and microphones and such can be tricky. Its easy to put a GSM phone in the room online so that it can be used as microphone! There are cases where Bluetooth capable GSMs have been hijacked from over mile away, using security vulnerabilities, making it possible for attacker to easily eavesdrop the GSM and the room that it is in by simply making the GSM silenty call the hackers anonym phone. Very easy and cheap. You can buy devices that check for online GSM phones and they arent that expensive either. Some schools use them to make sure that students arent cheating at exams using their GSM phones (in here Finland atleast). Anyway, back to computers…the point is, that if you can hear the keyboard pressings, you can easily reconstruct what was typed. Dont underestimate microphones! Old CIA trick for microphones was to drill a hole in the wall and put the microphone inside and then paint the wall on that spot to look exactly like the rest of the wall…or then someone might be using laser-microphones to your windows and collecting the sounds with that. Cameras are troublesome too. They can be hidden onto…well..anything. Finding them might be easy or it might be very hard. Just look around for anything strange in your room, especially somewhere up or in some holes. Firealarm systems are classical places to hide cameras. Remember, that today you can buy cameras freely that are just couple centimeters in size, so they are very hard to spot. If you find it, rip it off and take it to someone who knows more about it…and search for more, if “they” could have planted one, they could have planted a dozen of them. If you discover that you have been spyed upon like this, concider EVERYTHING compromised. Everything! Here are some examples about how to prevent/detect this type of attacks.
Are you phonelines wiretapped? You cant know for sure has someone tampered your phonelines (unless you ask phonecompany guys to check it out which will cost you…). Doing it is actually very easy, just open up the box in the street and rewire the phone connection. If you have reason to believe someone might be doing it, concider all your communications compromised. Never use unencrypted connections, use services like www.anonymizer.com to encrypt all traffic in you www-surfing and be cautious about man-in-the-middle attacks! Also remember, that not only your internet connection might be eavesdropped, but also all your regular phone conversations as well.
GSM does, by default, provide some level of encryption, a level that just might be enought to fool a hacker next door, but not enought to prevent someone who knows he’s job to wiretap and listen all your communications. It is not only possible to listen to your conversations, but to also clone your cellular phone over the air. The COMP-128-1 that is usually used (you can ask your provider do they still use it) for security, is totally broken and does not offer any real protection against someone who know’s their business. COMP-128-2 is advanced version and gives much better protection, however, it still only gives about 54bit workload to hacker, so its not that good. COMP-128-3 is best option, since it has full 64bit workload to hacker, which is enought to give atleast medium security to you. Also, the A5/1 used for encryption can be broken in less than a second using a laptop computer, so you better hope that your provider uses A5/3 (Kasumi) which is much more secure. In UMTS they use better security features (like Kasumi!) and it is concidered much, much safer than GSM, so in security perspective, you should move to UMTS as soon as it is available to you. Also, I must point out that with GSM, its always possible to use “false base station” trick to eavesdrop your conversations. False base station trick means, that hacker is using he’s own GSM base station near you and your GSM connects to that base station (without your knowledge) and that station simply tells your GSM phone to not use any encryption at all, so the hacker can listen and re-route your conversations easily. Its a classical man-in-the-middle-attack and most GSM phones do not alert their user when encryption is turned off or reverted to insecure level (like COMP-128-1 and A5/1)! Some GSM:s can tell the user if the network changes or encryption is turned off, but which ones do and do they always is unknown so count on it. If you have reason to believe you could be under this kind of attack, you must contact your cellurar phone network provider. One good way to counter “false base station” attack is to move around. Drive a car for example, its very difficult for hacker to keep your moving GSM phone attached to hes station instead of real base stations. Luckily, there are GSM:s available that allow end-to-end encryption (with similiar GSM:s ofcourse) with protection against man-in-the-middle-attack aswell, you can try Google to find suitable ones for your needs. If you want more information about mobile security in general, here is one good link. And here are some examples of good end-to-end-crypto-GSM:s.
What about WLAN then? How can it be hacked? Oh boy, this is big subject. To put is simple, yes, WLAN can be hacked, usually pretty easily and without users knowledge. Snooping the information that goes airborne is passive, so there is really now way to detect it. If attacker is doing something else than just snooping, then you can spot them as hard as any normal network connection hijacking/attacks. By default, WLAN is always very insecure and open to anyone to (ab)use, so you better do your homework on securing it up, if you are about to use it. The most common 802.11b is totally insecure regardless of how you set it up, but 802.11g and later 802.11i are secure if you adjust the settings properly. To put it simple, select either WPA-PSK or WPA2-PSK and put a good passphrase=key onto it, lets say 63 marks long. Thats all you need to do to secure your WLAN from eavesdropping and abuse! Everything else is useless (like WEP, MAC-filtering, disabling SSID broadcast, etc.) in terms of security! If you are using WLAN, make sure you secure it up for good, otherwise you not only expose your data and connection to crackers, but also allow other people to use your bandwitch for criminal activities. Here are few links related to WLAN security, I suggest you read and implement what they say if you are concidering or using WLAN in any situation. Wireless attacks explained is good document for general information about different kinds of attacks. Secure your Wi-Fi is short guide for securing WLAN.
Devices that have Bluetooth (like PDA:s, cellurar phones, etc.) are under risk too. The security of Bluetooth is very minimal and there has been several vulnerabilities that allow such devices to be taken under control without users doing anything. Please consult this page for more detailed information about recent cases.
One thing is to concider when using a laptop computer: A screen mask. It is hard to explain, but you can put a mask on the screen of your computer, that changes the polarization of the light so that human eye cant see anything except pure white in it. When you wear a pair or specially tailored sunglasses, you can, however, look at the screen as normal since they “cut out” the polarity. This means, that people around you that dont have similiar sunglasses (regular ones wont help), wont be able to see what is in your screen, but only you can! Ofcourse, they can still look what you type with your laptop computer, but not whats in the screen! Ask more about this kinda system from computer suppliers or security experts in your local area.
If that message is appearing, definitely there is someone out there trying to penetrate your computer system and possibly steal important information. The best thing you have to do is to don’t try to connect to the Internet. Scan the entire system using a good and effective antivirus software in an offline mode.