What if...

[Macced]

If at some point in the past my MBP's (early 2015 model) had been hacked and the MAC address of the network card and WIFI had been compromised, then how much protection does a VPN, or the OSX firewall actually provide? Most relevantly: does the fact that an attacker has access to those base level addresses of the hardware etc. mean that so long as I'm connected to the internet I'm accessible when they use Terminal commands remotely to try and access my mac? Would changing the user account password become the one critical way to prevent this kind of attack? (I note that when using terminal I'm always prompted for the user account pw)..

Regards

Macced

[harryb2448]

Maybe just don't go on the 'net.

Make sure you are using WPA2 or stronger and a new 18 digit password including number/s, capital/s etc.

[Raz0rEdge]

Knowing the MAC address means nothing. Your router already has a firewall on it, so you are all set. If you've disabled all of the sharing on your Mac then no one can get in. The VPN is useful when on public WiFi, but less necessary on your own home network. You should only be prompted for your password on the Terminal when you run privileged commands, not all the time.

Change any and all of your passwords if it comforts you.

[Macced]

Maybe just don't go on the 'net.

Make sure you are using WPA2 or stronger and a new 18 digit password including number/s, capital/s etc.

Thanks Harry. I'm using a 14 digit 'securely generated' pword via LastPass for all logins. It includes wildcards but may look at extending it to 18 digits pending further advice.

[Macced]

Knowing the MAC address means nothing. Your router already has a firewall on it, so you are all set. If you've disabled all of the sharing on your Mac then no one can get in. The VPN is useful when on public WiFi, but less necessary on your own home network. You should only be prompted for your password on the Terminal when you run privileged commands, not all the time.

Change any and all of your passwords if it comforts you.

Thanks for the reply. I'm actually not using a broadband router. My sole two means of internet access are mostly cellular, via the personal hotspot of my tethered iPhone 5s running iOS 12.1 and the iOS version of the same VPN service my MBP runs. Occasionally I use my campus WPAII network, but even then I just connect and then immediately turn on my VPN before doing anything online. So, in light of the now clarified internet access (no router firewall) and just OS-x inbuilt firewall, where do I stand in terms of vulnerability to remote access. If a person had my user account password, whats preventing them commanding my system via terminal or other methods?

[MacInWin]

Change your user account password.

[ferrarr]

Hands on access to your device?

[Macced]

Change your user account password.

Thanks MacInWin. It seems a bit pointless given the fact they can see everything I type in real time at present..... Perhaps change it after another clean install from the USB drive??
Also: Am I to assume from your reply that it is possible to command another mac remotely via terminal commands if the address is known??

- - - Updated - - -

Hands on access to your device?

Hi Ferrarr - No, they don't have physical access.

[MacInWin]

Thanks MacInWin. It seems a bit pointless given the fact they can see everything I type in real time at present..... Perhaps change it after another clean install from the USB drive??
Also: Am I to assume from your reply that it is possible to command another mac remotely via terminal commands if the address is known??

- - - Updated - - -


Hi Ferrarr - No, they don't have physical access.

You said,

If a person had my user account password, whats preventing them commanding my system via terminal or other methods?

which is why I said to change the password. And you have already been told that just because someone has the MAC address does not mean you are hacked or can be. (See Post #3) So at this point there is no way they can "see everything" you type, unless you know they have installed a key logger on your system. And if that is the case, you can get something like Malwarebytes (malwarebytes.com) and run it to see if there is any malware on the system. If you are that concerned about illicit installations, you could completely wipe out the entire hard drive and reinstall the operating system from scratch, but then you would lose all your own files. You could also transfer your files to an external drive, do the wipe and install and then reinstall any software you had and finally restore your files. There are no known ways to use a virus to install anything to a Mac, so if you disconnect from the net, move your files, wipe the drive and reinstall the OS, then copy back your files, change your login password to the machine and then get back on line, there should be NO way for anyone to track you in any way.

[Macced]

You said, which is why I said to change the password. And you have already been told that just because someone has the MAC address does not mean you are hacked or can be. (See Post #3) So at this point there is no way they can "see everything" you type, unless you know they have installed a key logger on your system. And if that is the case, you can get something like Malwarebytes (malwarebytes.com) and run it to see if there is any malware on the system. If you are that concerned about illicit installations, you could completely wipe out the entire hard drive and reinstall the operating system from scratch, but then you would lose all your own files. You could also transfer your files to an external drive, do the wipe and install and then reinstall any software you had and finally restore your files. There are no known ways to use a virus to install anything to a Mac, so if you disconnect from the net, move your files, wipe the drive and reinstall the OS, then copy back your files, change your login password to the machine and then get back on line, there should be NO way for anyone to track you in any way.

I've actually got MalwareBytes running as we speak, and like this and all previous scans in/around the last clean install it always finds nothing. Though now I'm on the Free version as my 'pro' trial period expired. This just means I don't have the real time protection, but it still checks for the same full db of viruses/malware right?

Per post #1 you'll also see I did do a complete wipe / reinstall (Disk erase after using CMD-Option and booting from a USB High Sierra installer). On that point, is it possible that a rogue app could have survived the restart by residing in the recovery partition which seems to be impossible to get rid of with the disk erase function?? If so would re-partitioning the drive be my best option? (I read that this gets ride of everything including the recovery partition). Is it even possible to write to the recovery partition (assuming they have access to any/all tools?)

Thanks again for your advice... its good to get the input of those more experienced here.

[Rocky97]

MAC addresses aren't accessible externally. This means websites cannot see your MAC address, this also means that a MAC address contains no meaningful info to outsiders.

Yes, if someone was to gain access to your WiFi network, it is possible your personal details yu enter on websites could be sniffed most importantly, but also, your computer could possibly have data accessed through means of finding vulnerabilities through port scanning etc. Therefore just ensure your wifi network is secure by using WPA2 level authorisation. Also it is best if you do not use a default password, these can easily be discovered through online databases, etc. Be careful about your choice of WiFi password, do not useca real word, dictionary brute force attacks are not difficult these days.

[Macced]

MAC addresses aren't accessible externally. This means websites cannot see your MAC address, this also means that a MAC address contains no meaningful info to outsiders.

Yes, if someone was to gain access to your WiFi network, it is possible your personal details yu enter on websites could be sniffed most importantly, but also, your computer could possibly have data accessed through means of finding vulnerabilities through port scanning etc. Therefore just ensure your wifi network is secure by using WPA2 level authorisation. Also it is best if you do not use a default password, these can easily be discovered through online databases, etc. Be careful about your choice of WiFi password, do not useca real word, dictionary brute force attacks are not difficult these days.

Thanks Rocky. I'm actually just using the 'USB only' 4G tethering to my iphone for internet and rarely the campus WIFI which is WPAII.. Good point though regarding the length of the password. I was reading on hacker forums that 8 characters gets cracked in 4 hours whereas 18 is up to 16 years....
What I really need here is someone whose pretty 3L33t with the whole hacking thing and who knows what the Mac's vulnerabilities are... Nobody yet has been able to reply and confirm whether rogue software can be put on the recovery partition, or whether partitioning is the one sure fire way to clear it out.... I'm all ears

[ferrarr]

The sure way to clear it out, is to have your own bootable USB drive, and not relying on the Recovery partition.

[MacInWin]

I've actually got MalwareBytes running as we speak, and like this and all previous scans in/around the last clean install it always finds nothing. Though now I'm on the Free version as my 'pro' trial period expired. This just means I don't have the real time protection, but it still checks for the same full db of viruses/malware right?

Yes, that is correct. Except that there are no viruses for macOS at this time, so it's not checking for something that doesn't exist. And because no known vectors for a virus to attack are known, it can't even check for potential activity on those non-existent vectors. But don't worry about ti, if a weakness is discovered or a virus created, it will be headline news and you can worry about viruses then.

Per post #1 you'll also see I did do a complete wipe / reinstall (Disk erase after using CMD-Option and booting from a USB High Sierra installer). On that point, is it possible that a rogue app could have survived the restart by residing in the recovery partition which seems to be impossible to get rid of with the disk erase function?? If so would re-partitioning the drive be my best option? (I read that this gets ride of everything including the recovery partition). Is it even possible to write to the recovery partition (assuming they have access to any/all tools?)

Thanks again for your advice... its good to get the input of those more experienced here.

First, anything is POSSIBLE, but the probability of a rougue actor getting to the recovery partition and doing harm is virtually nil. The recover partition is very small, under a GB, and holds a minimal boot system and the utilities to execute a re-install of the OS, if that is needed. And the partition is normally hidden except to system activity, so a nefarious actor would have to find some way to force your system to boot into that partition, gain control over it, install the malware of choice, then reboot the system to your regular partition and somehow find a way to get to the application in that hidden partition to run it. All of that requires full access to your machine, not some remote access. OK, can it be done? Yes, potentially. Is it reasonable to think you are a victim or potential victim of such an attack. Absolutely not. Don't sweat that avenue as it has so many obstacles to make it work that if the bad guy could do that, he could just walk off with your machine in toto.

No need to be paranoid about this, and no need to do anything beyond what has already been suggested...change passwords.

[Macced]

Yes, that is correct. Except that there are no viruses for macOS at this time, so it's not checking for something that doesn't exist. And because no known vectors for a virus to attack are known, it can't even check for potential activity on those non-existent vectors. But don't worry about ti, if a weakness is discovered or a virus created, it will be headline news and you can worry about viruses then.

Are you trying to say theres no viruses affecting the mac OS at present? Or do you mean no viruses that use WIFI access that the real time protection is presumably there to protect against?

First, anything is POSSIBLE, but the probability of a rougue actor getting to the recovery partition and doing harm is virtually nil. The recover partition is very small, under a GB, and holds a minimal boot system and the utilities to execute a re-install of the OS, if that is needed. And the partition is normally hidden except to system activity, so a nefarious actor would have to find some way to force your system to boot into that partition, gain control over it, install the malware of choice, then reboot the system to your regular partition and somehow find a way to get to the application in that hidden partition to run it. All of that requires full access to your machine, not some remote access. OK, can it be done? Yes, potentially. Is it reasonable to think you are a victim or potential victim of such an attack. Absolutely not. Don't sweat that avenue as it has so many obstacles to make it work that if the bad guy could do that, he could just walk off with your machine in toto.

No need to be paranoid about this, and no need to do anything beyond what has already been suggested...change passwords.

I appreciate your advice, but I'm asking for objective information here. Not your assurances that everything will be alright and that I'm being paranoid. You have no idea what I've been dealing with (interstate stalking) and the only reason I'm not burning you right now is because I too recall being in that state of true freedom where you can sit back and do what you like online without a worry in the world...

So, on that point, and if you are not feeling like an emotive retort: If they had the user account pass and could thus potentially command the mac remotely via terminal, is there not any command that can be used to reboot and load from a specified volume (such as the recovery partition)? Is that why you say 'OK, can it be done? YES potentially" ??

Regards,