Tilted Forum Project Discussion Community  

Old 09-19-2006, 08:00 AM   #1 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
HIV+ Relative turns out to be a Hacker

It seems the guest that I let into my house has hacked into my Windows XP Home laptop.

I had a windows login set up (buttons) with an administrator and password (me) and Guest access enabled for him to have internet access.

He has somehow bypassed the original administration/password login and created a new administrator and password. When I asked him about it, he took quite some pride in his accomplishment.

I took a look around the laptop and there are a few things of note. Control Panels now has a file named Borland Administrator something or other that he put there. He has registry backup files (around 8 or 9 files) in a separate folder. I haven't had a chance to check for any hidden files yet. I have a Mac G4, and he mentioned in passing the other day how Macs don't have registries. I believe he has done something through the XP registry, but I don't know what or how.

Does anyone have any idea how he has managed to bypass the former administrator and password and create his own? I have a desktop pc that I'm sure he would be eager to "inspect" as well. Anyone have any ideas as to how to further secure my computer? I know next to nothing about Windows XP security. He seems to have bypassed my first line of defense though.

Thanks...
powerclown is offline  
Old 09-19-2006, 08:02 AM   #2 (permalink)
Tone.
 
shakran's Avatar
 
you have an advantage over this hacker that most people don't. You know who and where he is. Use that to your advantage, and explain that you WILL prosecute him if he doesn't put everything back the way he found it.
shakran is offline  
Old 09-19-2006, 08:11 AM   #3 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
It's a little more complicated than that shakran. He is a close relative. I let him move in because he was on the streets of San Francisco without a home. I can't just have him thrown in jail - at least not at this point.

He has created a major, MAJOR lack of trust situation here.

I need to know how to secure my computers in the meantime.
powerclown is offline  
Old 09-19-2006, 08:27 AM   #4 (permalink)
Junkie
 
filtherton's Avatar
 
Location: In the land of ice and snow.
Bypassing the original administrator password and installing a program or two doesn't make him a hacker. A googler perhaps. If you typed "bypassing login password" into Google you probably could too.
filtherton is offline  
Old 09-19-2006, 08:51 AM   #5 (permalink)
Psycho
 
Location: North America
Quote:
Originally Posted by filtherton
Bypassing the original administrator password and installing a program or two doesn't make him a hacker. A googler perhaps. If you typed "bypassing login password" into Google you probably could too.
Technically it does make him a hacker as he has penetrated a level of security, doesn't matter how easy it was or how easy it is to learn. Another way of looking at it is a lock picker: easy to learn about and/or get lucky with, but if you do it you are a lock picker.
catback is offline  
Old 09-19-2006, 08:55 AM   #6 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
Thanks filtherton.
powerclown is offline  
Old 09-19-2006, 09:02 AM   #7 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
Really it's about trust like you've stated in this thread and another. He's breached that and was being pompous about it.

I'd be inclined to show him the door, complicated or not. How much more trust are you willing to allow him to breach?

One extends their hand of generosity, someone takes advantage of it. That's just disrespectful.

I'd ask him to change it back the way he found it. Does he move the furniture around to his liking as well? I'd think not.

Explain to him simply, you breach my computer again, and you're out of this house. My house, my rules, don't like it, you've overstayed your welcome.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 09-19-2006, 09:24 AM   #8 (permalink)
Lover - Protector - Teacher
 
Jinn's Avatar
 
Location: Seattle, WA
What an asshole!

That aside, WHICH Administrator password? Many people don't realize that XP, in its almighty-fucked idea of security, has two administrators (at least!).

There is a Computer Administrator, and there is an OS Administrator.

The Computer Administrator has the control to change all user accounts in safe mode, including the OS Administrator.

The OS Administrator has the control to change all user accounts in normal operation, including themselves (the OS Administrator).

I've saved many a hapless XP user by simply booting into Safe Mode. Because the Safe Mode (Computer) Administrator password is blank by default (especially with SLP installations from Dell and HP), you can simply log in and change the OS Administrator's password.

It's the biggest security leak in WinXP Home. I can't count the number of laptops that were "secure" only until I rebooted and hit F8. Voila, I delete your "secure" account and your computer is completely exposed - documents, pictures, etc.

I didn't even hesitate to post this, as it isn't "hacking." It's a well-documented 'feature' of WIN XP.

To fix: Reboot in Safe Mode, reset your OS Administrator password. While you're at it, create a password for your Computer Administrator too.

If he did anything more in-depth than this, it's fair to say that he's not someone you want in your household. If you want to offer him supervised computer access, set a BIOS password. He's either got to flash the BIOS memory by using a jumper on the motherboard, or pull the CMOS battery, also on the motherboard. Not impossible, but another level of security. He won't be able to boot without it.
__________________
"I'm typing on a computer of science, which is being sent by science wires to a little science server where you can access it. I'm not typing on a computer of philosophy or religion or whatever other thing you think can be used to understand the universe because they're a poor substitute in the role of understanding the universe which exists independent from ourselves." - Willravel

Last edited by Jinn; 09-19-2006 at 09:26 AM..
Jinn is offline  
Old 09-19-2006, 11:20 AM   #9 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
Jinnkai...you are Golden. Fantastic info...THANK YOU.
Like I said, I know next to nothing about XP security, because I never had a need to know about it...So I appreciate you sharing your knowledge. I'll give those things a try.

Cynthetiq: words of wisdom you speak. We had a talk this afternoon, and I expressed to him my dissatisfaction with his treachery, and generally making me feel like a refugee in my own home. He was quiet and apologetic, a curious contrast from his earlier boasting. Now I have to babysit him until he finds a place and gets a job. Someone smack me upside the head please...
powerclown is offline  
Old 09-19-2006, 12:49 PM   #10 (permalink)
Evil Priest: The Devil Made Me Do It!
 
Daniel_'s Avatar
 
Location: Southern England
//smack//

There you go, friend.

I'd still set a BIOS password for power on - all the methods that allow him to override that involve opening the case and are one way (I think) - I used the technique at work when I was confident that my IT manager was hacking my PC for non professional reasons (i.e. downloading porn on other people's workstations after hours so his net use log would be clean).

Once I got suspicious of him I set a power up BIOS password - he used the jumpers to bypass it but because that wiped the setting, I was able to prove that he had done it (other than myself he was the only person that knew how to do it) and as I'd briefed the MD up front about setting it and why, when I came in the next day and found no login password I knew he'd done it.

Called the boss and got a large cardboard box ready - guy was cleaning out his office by morning coffee-break.

I have nothing against porn but when a workmate makes my HR file look like I've been staying late to d/l gay porn I am far from amused.

Set the password - don't tell the guest - if it's there when you come back then he's been out of it, otherwise confront him and chuck him out, or at least put your PC into a locked drawer when you go out.
__________________
╔═════════════════════════════════════════╗
Overhead, the Albatross hangs motionless upon the air,
And deep beneath the rolling waves,
In labyrinths of Coral Caves,
The Echo of a distant time
Comes willowing across the sand;
And everything is Green and Submarine

╚═════════════════════════════════════════╝
Daniel_ is offline  
Old 09-19-2006, 07:02 PM   #11 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
Good story Daniel...and thanks for the info, man.
powerclown is offline  
Old 09-19-2006, 08:02 PM   #12 (permalink)
Addict
 
I think he is a turd. You tried to help him and look what he did to you.
newtx is offline  
Old 09-20-2006, 06:41 AM   #13 (permalink)
Extreme moderation
 
Toaster126's Avatar
 
Location: Kansas City, yo.
If it was a close relative of mine I'd still give them the ass kicking they would deserve for that.

I'm not sure whose way is better.
__________________
"The question isn't who is going to let me, it's who is going to stop me." (Ayn Rand)
"The truth is that our finest moments are most likely to occur when we are feeling deeply uncomfortable, unhappy, or unfulfilled. For it is only in such moments, propelled by our discomfort, that we are likely to step out of our ruts and start searching for different ways or truer answers." (M. Scott Peck)
Toaster126 is offline  
Old 09-20-2006, 09:00 AM   #14 (permalink)
I want a Plaid crayon
 
Plaid13's Avatar
 
If he's going to act childish, treat him like a child. Put a padlock on your breaker box and shut the power off when you're not home; let him sit in the dark. Just leave the power on for important stuff like the bathroom or whatever. Nothing like the satisfaction of treating an adult like a child that's been grounded. Personally I would have thrown him out. I don't care who he is. If someone you're helping out by letting them into your home does something like that to make you not trust them, you have no reason to help them. You gave them a chance. For what you did taking him off the streets, he should have spent his spare time washing dishes and scrubbing the floor, mowing the lawn or something, not messing with your stuff.
Plaid13 is offline  
Old 09-20-2006, 04:39 PM   #15 (permalink)
Insane
 
Location: Sage's bed
XP passwords are simple to break... all it takes is a Linux environment bootable CD with a particular program and anyone can completely remove all XP account passwords with a minimal amount of effort. I have to do this at work all the time when people forget what they've set their administrator password to.
__________________
Anamnesis
Martel is offline  
Old 09-20-2006, 06:02 PM   #16 (permalink)
immoral minority
 
ASU2003's Avatar
 
Location: Back in Ohio
Like Daniel said above, boot-up passwords are much harder to get around. You can set that up in the BIOS. But that means you will have to log in for them to use the computer each time.

It isn't a perfect method, but it is a lot harder to get around that password than a Windows one.
ASU2003 is offline  
Old 09-20-2006, 06:39 PM   #17 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
Quote:
Originally Posted by ASU2003
But that means you will have to log in for them to use the computer each time.
I'm trying to go for a stealth approach to secure this laptop because he has basically taken the thing over...created resumes on it, set up email accounts, IM'ng for new 'friends' in the area, and posting to job sites...so he needs the laptop to check his email for jobs...etc. And I'm not going to need it for at least another 2 weeks.

Stage 1: I'm going to lock the bios for now, and disable any other bootup device except the HD.

Stage 2: I'm trying to figure out how to establish an XP administrator without a password or a login screen, but also an administrator that he can't change and therefore establish his own passwords. I don't want a login screen at this point because I don't want him to get suspicious. He'll need to use the laptop for his job search, but I don't want him to be able to set up his own passwords and lock ME out.

It looks like he hasn't touched the bios settings as far as I can tell. Dell (e1505) has a HD lock in the bios settings as well. I need to read up on this more as I don't know how this relates exactly to a system-level (bootup) password. I don't know whether he knows how to bypass setup and system bios passwords, but I want to wait until he is on the verge of moving out before I spring that on him, or preferably just storing the laptop in a secure location. It is frustrating that all these security bypasses are just a google away...it really seems like a semi-intelligent 10 year old can hack their way into Microsoft's almighty XP.

In a holding pattern for now...any thoughts/ideas welcome.
Thanks.
powerclown is offline  
Old 09-20-2006, 11:37 PM   #18 (permalink)
Tilted
 
I would also add a padlock on the back of the case, if it allows one, to stop him getting inside the case and tampering/changing jumpers?

Chris
__________________
Intel Celeron 2.4ghz
512mb ram 333mhz
NVIDIA GEforce fx5200 128mb
40GB Maxtor HDD
Chris H is offline  
Old 09-21-2006, 08:01 AM   #19 (permalink)
Junkie
 
MontanaXVI's Avatar
 
Location: Go A's!!!!
I might just be reading too much into this, but in the topic you had to type that this person was HIV positive, when this has NOTHING at all to do with the "problem" you are having, could it just be something you found out about, and it is just making you all the more mad at what they did to the laptop.

Either way, back on track just boot em out of the house and reclaim your stuff.
__________________
Spank you very much
MontanaXVI is offline  
Old 09-21-2006, 08:13 AM   #20 (permalink)
Submit to me, you know you want to
 
ShaniFaye's Avatar
 
Location: Lilburn, Ga
Montana, it's in reference to another thread where we were discussing this same person
__________________
I want the diabetic plan that comes with rollover carbs. I dont like the unused one expiring at midnite!!
ShaniFaye is offline  
Old 09-21-2006, 09:04 AM   #21 (permalink)
Darth Papa
 
ratbastid's Avatar
 
Location: Yonder
The computer really isn't the issue here, nor his HIV status. The issue is about trust. Rather than (or in addition to) taking technological steps in reaction to this, you should talk to him about the consequences of his actions--something, from what you've said about him earlier, he would do well to learn about.
ratbastid is offline  
Old 09-22-2006, 04:13 PM   #22 (permalink)
Tilted
 
Location: Auckland, New Zealand
ERD Commander can nuke windows admin passwords just like that and set new ones, it's a piece of piss.

If you can get your hands on it (not sure if you can get it for free these days...wink wink nudge nudge) you boot to it and then go to the locksmith utility - you can reset your admin account there.
NotAnAlias is offline  
Old 09-22-2006, 07:29 PM   #23 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
I'll look into that NotAnAlias, thanks.

The problem is every time I set an administrator login account/password, he either changes my current admin password, or creates an entirely new admin account w/ his own password. He even somehow has been able to install programs and change settings while in a restricted account. This one has me particularly baffled. XP is so full of security holes it's ridiculous. Farcical.

Stage 3: Disable regedit. I've already locked the bios and disabled CD/diskette bootup. I've checked msconfig, and he is using a modified .ini setting, has most of the startup programs disabled, changed at least 6 or 7 registry settings...I'm pretty sure most of the hacks are being done in the registry, I haven't had time to identify exactly where yet.
powerclown is offline  
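As an added example (not part of any post in this thread), one way to notice the changes described in post #23 is to record the Administrators group membership and each admin's "Password last set" value after a clean setup, then compare later output of `net localgroup Administrators` and `net user <name>` against it. The account name `newadmin`, the dates and the baseline are constructed, and the output layout is assumed to match what those commands print on XP.

```python
import re

# Constructed sample output (not from the thread), in the layout printed by
# `net localgroup Administrators`.
GROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
newadmin
powerclown
The command completed successfully.
"""

# Constructed `net user <name>` output, trimmed to the fields used here.
USER_OUTPUTS = {
    "powerclown": """\
User name                    powerclown
Account active               Yes
Password last set            9/21/2006 2:44 PM
Password required            Yes
Local Group Memberships      *Administrators
The command completed successfully.
""",
}

# Hypothetical baseline recorded right after a clean restore:
# admin account name -> its "Password last set" value at that time.
BASELINE = {"powerclown": "9/10/2006 7:15 PM",
            "Administrator": "9/10/2006 7:10 PM"}


def parse_admin_members(text):
    """Return the member names listed after the dashed rule."""
    members, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"-"}:      # rule that precedes the members
            in_list = True
            continue
        if in_list:
            if not line or line.startswith("The command completed"):
                break
            members.append(line)
    return members


def parse_net_user(text):
    """Split 'Label      value' lines (two or more spaces) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def audit(baseline, group_output, user_outputs):
    """Compare current state with the baseline; return sorted findings."""
    # Windows account names are case-insensitive, so compare lowercased.
    base = {name.lower(): stamp for name, stamp in baseline.items()}
    members = [m.lower() for m in parse_admin_members(group_output)]
    findings = []
    for name in members:
        if name not in base:
            findings.append(("unexpected_admin", name))
    for name in base:
        if name not in members:
            findings.append(("missing_admin", name))
    for name, text in user_outputs.items():
        last_set = parse_net_user(text).get("Password last set")
        if name.lower() in base and last_set != base[name.lower()]:
            findings.append(("password_changed", name.lower()))
    return sorted(findings)


if __name__ == "__main__":
    for kind, account in audit(BASELINE, GROUP_OUTPUT, USER_OUTPUTS):
        print(kind, account)
```

Keep the baseline somewhere other than the audited machine, since anyone with administrator rights on it can edit a locally stored copy.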
Old 09-22-2006, 07:39 PM   #24 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
Quote:
Originally Posted by powerclown
I'll look into that NotAnAlias, thanks.

The problem is every time I set an administrator login account/password, he either changes my current admin password, or creates an entirely new admin account w/ his own password. He even somehow has been able to install programs and change settings while in a restricted account. This one has me particularly baffled. XP is so full of security holes it's ridiculous. Farcical.

Stage 3: Disable regedit. I've already locked the bios and disabled CD/diskette bootup. I've checked msconfig, and he is using a modified .ini setting, has most of the startup programs disabled, changed at least 6 or 7 registry settings...I'm pretty sure most of the hacks are being done in the registry, I haven't had time to identify exactly where yet.
So it seems like he does not appreciate the roof over his head and the generosity and patience you have shown him. I'm of the opinion that he has overstayed his welcome.

You've set the rules and expectations, and he's continued to ignore them.

I'd say you give him ONE last chance. He's given all the opportunity to do what he needs to do which is check email and apply for jobs. Everything else is being disrespectful to what you've requested.

Next time it's discovered, kick him to the streets. While you may look like the asshole on its face, he's not someone you want living in your house.

I'm wondering is he going through your papers and documents? Casing your valuables? Knowing where weaknesses are in getting back into your house?

Because that's what hackers do, at least from my experience of being one and my friends that are also hackers. I hack systems, not just computers, but whole systems of operations.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
Old 09-23-2006, 02:07 AM   #25 (permalink)
Evil Priest: The Devil Made Me Do It!
 
Daniel_'s Avatar
 
Location: Southern England
Remove computer access from him totally (by location controls or shutting off the power, or whatever) and make him walk his ass to town to use the library to look at the internet.

Not only will it keep your PC safe, it'll give him some exercise.

Job done.
__________________
╔═════════════════════════════════════════╗
Overhead, the Albatross hangs motionless upon the air,
And deep beneath the rolling waves,
In labyrinths of Coral Caves,
The Echo of a distant time
Comes willowing across the sand;
And everything is Green and Submarine

╚═════════════════════════════════════════╝
Daniel_ is offline  
Old 09-24-2006, 12:18 AM   #26 (permalink)
Mistress of Mayhem
 
Lady Sage's Avatar
 
Location: Canton, Ohio
I sincerely hope this remains with only the computer issue. However, I strongly suggest locking up any key personal information, checks, bills and anything with account numbers on it. Better safe than sorry. You may or may not know how quickly a piece of that information can screw up the rest of your life.
__________________
If only closed minds came with closed mouths.
Minds are like parachutes, they function best when open
.
It`s Easier to Change a Condom Than a Diaper
Yes, the rumors are true... I actually AM a Witch.
Lady Sage is offline  
Old 10-06-2006, 11:59 PM   #27 (permalink)
Irresponsible
 
yotta's Avatar
 
If the attacker has physical access to your computer, it's not your computer any more. With physical access, the login accounts can be altered with a boot disk. In a laptop, you can password lock the hard drive, which is impossible to bypass without swapping the logic board, but most desktops can't do this. There are some hard drive controllers that encrypt with a keyfob, but you'd have to buy that.
__________________
I am Jack's signature.
yotta is offline  
Old 10-07-2006, 12:46 AM   #28 (permalink)
Evil Priest: The Devil Made Me Do It!
 
Daniel_'s Avatar
 
Location: Southern England
Quote:
Originally Posted by yotta
If the attacker has physical access to your computer, it's not your computer any more. With physical access, the login accounts can be altered with a boot disk. In a laptop, you can password lock the hard drive, which is impossible to bypass without swapping the logic board, but most desktops can't do this. There are some hard drive controllers that encrypt with a keyfob, but you'd have to buy that.
Which is exactly why several people suggested setting a BIOS power on password.
__________________
╔═════════════════════════════════════════╗
Overhead, the Albatross hangs motionless upon the air,
And deep beneath the rolling waves,
In labyrinths of Coral Caves,
The Echo of a distant time
Comes willowing across the sand;
And everything is Green and Submarine

╚═════════════════════════════════════════╝
Daniel_ is offline  
Old 10-07-2006, 06:34 AM   #29 (permalink)
Junkie
 
powerclown's Avatar
 
Location: Detroit, MI
I went and bought a refurb Dell B120 for him instead. Then I restored my other laptop to its original, from-the-factory settings via the Dell Restore (a Norton Ghost image file). I locked the HD with a password (nice feature), set bios/system passwords, and put a lock on my room door. You are right, if others have access to one's laptop, especially an XP laptop, it's fair game to all sorts of mischief.
powerclown is offline  
Old 10-07-2006, 11:22 PM   #30 (permalink)
Irresponsible
 
yotta's Avatar
 
Quote:
Originally Posted by Daniel_
Which is exactly why several people suggested setting a BIOS power on password.
BIOS passwords can be bypassed with physical access.
__________________
I am Jack's signature.
yotta is offline  
Old 10-08-2006, 03:04 AM   #31 (permalink)
Tilted Cat Head
 
Cynthetiq's Avatar
 
Administrator
Location: Manhattan, NY
Quote:
Originally Posted by powerclown
I went and bought a refurb Dell B120 for him instead. Then I restored my other laptop to its original, from-the-factory settings via the Dell Restore (a Norton Ghost image file). I locked the HD with a password (nice feature), set bios/system passwords, and put a lock on my room door. You are right, if others have access to one's laptop, especially an XP laptop, it's fair game to all sorts of mischief.
That's very nice and generous of you.

Any more breaches of trust on your machine is now a violation of terms of service for staying in your home.

Does it again, toss him to the curb.

He's not got any business on your computer anymore.
__________________
I don't care if you are black, white, purple, green, Chinese, Japanese, Korean, hippie, cop, bum, admin, user, English, Irish, French, Catholic, Protestant, Jewish, Buddhist, Muslim, indian, cowboy, tall, short, fat, skinny, emo, punk, mod, rocker, straight, gay, lesbian, jock, nerd, geek, Democrat, Republican, Libertarian, Independent, driver, pedestrian, or bicyclist, either you're an asshole or you're not.
Cynthetiq is offline  
 

All times are GMT -8.