What if...

Macced (OP) · Joined Nov 29, 2018
If at some point in the past my MBP (early 2015 model) had been hacked and the MAC address of the network card and WiFi had been compromised, then how much protection does a VPN, or the OS X firewall, actually provide? Most relevantly: does the fact that an attacker has access to those base-level addresses of the hardware mean that, so long as I'm connected to the internet, I'm accessible when they use Terminal commands remotely to try and access my Mac? Would changing the user account password become the one critical way to prevent this kind of attack? (I note that when using Terminal I'm always prompted for the user account pw.)

Regards

Macced
 
Harry · Joined Nov 28, 2007 · Blue Mountains NSW Australia · Specs: Silver M1 iMac 512/16/8/8 macOS 11.6
Maybe just don't go on the 'net.

Make sure you are using WPA2 or stronger and a new 18-digit password including number/s, capital/s etc.
 

Raz0rEdge (Well-known member, Staff member, Moderator) · Joined Jul 17, 2009 · MA · Specs: 2022 Mac Studio M1 Max, 2023 M2 MBA
Knowing the MAC address means nothing. Your router already has a firewall on it, so you are all set. If you've disabled all of the sharing on your Mac then no one can get in. The VPN is useful when on public WiFi, but less necessary on your own home network. You should only be prompted for your password on the Terminal when you run privileged commands, not all the time.

Change any and all of your passwords if it comforts you.
 
Macced (OP) · Joined Nov 29, 2018
Thanks Harry. I'm using a 14-digit 'securely generated' pword via LastPass for all logins. It includes wildcards, but I may look at extending it to 18 digits pending further advice.
 
Macced (OP) · Joined Nov 29, 2018
Thanks for the reply. I'm actually not using a broadband router. My sole two means of internet access are mostly cellular, via the personal hotspot of my tethered iPhone 5s running iOS 12.1 and the iOS version of the same VPN service my MBP runs. Occasionally I use my campus WPA2 network, but even then I just connect and then immediately turn on my VPN before doing anything online. So, in light of the now clarified internet access (no router firewall) and just the OS X inbuilt firewall, where do I stand in terms of vulnerability to remote access? If a person had my user account password, what's preventing them commanding my system via Terminal or other methods?
 
MacInWin · Joined Jan 1, 2009 · Winchester, VA · Specs: MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
Change your user account password.
 
Ferrarr · Joined May 21, 2012 · Rhode Island · Specs: M1 Mac Studio, 11" iPad Pro 3rdGen, iPhone 13 ProMax, Watch S7, 2018 15" MBP, AirPods Pro
Hands on access to your device?
 
Macced (OP) · Joined Nov 29, 2018
Thanks MacInWin. It seems a bit pointless given the fact they can see everything I type in real time at present... Perhaps change it after another clean install from the USB drive?
Also: am I to assume from your reply that it is possible to command another Mac remotely via Terminal commands if the address is known?

Hi Ferrarr - No, they don't have physical access.
 
MacInWin · Joined Jan 1, 2009 · Winchester, VA · Specs: MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
You said,
If a person had my user account password, what's preventing them commanding my system via Terminal or other methods?
which is why I said to change the password. And you have already been told that just because someone has the MAC address does not mean you are hacked or can be. (See Post #3) So at this point there is no way they can "see everything" you type, unless you know they have installed a key logger on your system. And if that is the case, you can get something like Malwarebytes (malwarebytes.com) and run it to see if there is any malware on the system. If you are that concerned about illicit installations, you could completely wipe out the entire hard drive and reinstall the operating system from scratch, but then you would lose all your own files. You could also transfer your files to an external drive, do the wipe and install and then reinstall any software you had and finally restore your files. There are no known ways to use a virus to install anything to a Mac, so if you disconnect from the net, move your files, wipe the drive and reinstall the OS, then copy back your files, change your login password to the machine and then get back on line, there should be NO way for anyone to track you in any way.
 
Macced (OP) · Joined Nov 29, 2018
I've actually got Malwarebytes running as we speak, and like this and all previous scans in/around the last clean install, it always finds nothing. Though now I'm on the Free version, as my 'pro' trial period expired. This just means I don't have the real-time protection, but it still checks for the same full DB of viruses/malware, right?

Per post #1 you'll also see I did do a complete wipe/reinstall (disk erase after using Cmd-Option and booting from a USB High Sierra installer). On that point, is it possible that a rogue app could have survived the restart by residing in the recovery partition, which seems to be impossible to get rid of with the disk erase function? If so, would re-partitioning the drive be my best option? (I read that this gets rid of everything, including the recovery partition.) Is it even possible to write to the recovery partition (assuming they have access to any/all tools)?

Thanks again for your advice... it's good to get the input of those more experienced here.
 
Rocky97 (Guest)
MAC addresses aren't accessible externally. This means websites cannot see your MAC address; it also means that a MAC address contains no meaningful info to outsiders.

Yes, if someone was to gain access to your WiFi network, it is possible your personal details you enter on websites could be sniffed, most importantly, but also your computer could possibly have data accessed through means of finding vulnerabilities through port scanning etc. Therefore just ensure your WiFi network is secure by using WPA2-level authorisation. Also it is best if you do not use a default password; these can easily be discovered through online databases, etc. Be careful about your choice of WiFi password: do not use a real word, as dictionary brute-force attacks are not difficult these days.
 
Macced (OP) · Joined Nov 29, 2018
Thanks Rocky. I'm actually just using the 'USB only' 4G tethering to my iPhone for internet, and rarely the campus WiFi, which is WPA2. Good point though regarding the length of the password. I was reading on hacker forums that 8 characters gets cracked in 4 hours whereas 18 is up to 16 years...
What I really need here is someone who's pretty 3L33t with the whole hacking thing and who knows what the Mac's vulnerabilities are... Nobody yet has been able to reply and confirm whether rogue software can be put on the recovery partition, or whether partitioning is the one sure-fire way to clear it out... I'm all ears :)
 
Ferrarr · Joined May 21, 2012 · Rhode Island · Specs: M1 Mac Studio, 11" iPad Pro 3rdGen, iPhone 13 ProMax, Watch S7, 2018 15" MBP, AirPods Pro
The sure way to clear it out is to have your own bootable USB drive and not rely on the Recovery partition.
 
MacInWin · Joined Jan 1, 2009 · Winchester, VA · Specs: MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
I've actually got Malwarebytes running as we speak, and like this and all previous scans in/around the last clean install, it always finds nothing. Though now I'm on the Free version, as my 'pro' trial period expired. This just means I don't have the real-time protection, but it still checks for the same full DB of viruses/malware, right?
Yes, that is correct. Except that there are no viruses for macOS at this time, so it's not checking for something that doesn't exist. And because no vectors for a virus to attack are known, it can't even check for potential activity on those non-existent vectors. But don't worry about it; if a weakness is discovered or a virus created, it will be headline news and you can worry about viruses then.

Per post #1 you'll also see I did do a complete wipe/reinstall (disk erase after using Cmd-Option and booting from a USB High Sierra installer). On that point, is it possible that a rogue app could have survived the restart by residing in the recovery partition, which seems to be impossible to get rid of with the disk erase function? If so, would re-partitioning the drive be my best option? (I read that this gets rid of everything, including the recovery partition.) Is it even possible to write to the recovery partition (assuming they have access to any/all tools)?

Thanks again for your advice... it's good to get the input of those more experienced here.
First, anything is POSSIBLE, but the probability of a rogue actor getting to the recovery partition and doing harm is virtually nil. The recovery partition is very small, under a GB, and holds a minimal boot system and the utilities to execute a re-install of the OS, if that is needed. And the partition is normally hidden except to system activity, so a nefarious actor would have to find some way to force your system to boot into that partition, gain control over it, install the malware of choice, then reboot the system to your regular partition and somehow find a way to get to the application in that hidden partition to run it. All of that requires full access to your machine, not some remote access. OK, can it be done? Yes, potentially. Is it reasonable to think you are a victim or potential victim of such an attack? Absolutely not. Don't sweat that avenue, as it has so many obstacles to make it work that if the bad guy could do that, he could just walk off with your machine in toto.

No need to be paranoid about this, and no need to do anything beyond what has already been suggested...change passwords.
 
Macced (OP) · Joined Nov 29, 2018
Are you trying to say there's no viruses affecting macOS at present? Or do you mean no viruses that use WiFi access, which the real-time protection is presumably there to protect against?

I appreciate your advice, but I'm asking for objective information here. Not your assurances that everything will be alright and that I'm being paranoid. You have no idea what I've been dealing with (interstate stalking) and the only reason I'm not burning you right now is because I too recall being in that state of true freedom where you can sit back and do what you like online without a worry in the world...

So, on that point, and if you are not feeling like an emotive retort: if they had the user account pass and could thus potentially command the Mac remotely via Terminal, is there not any command that can be used to reboot and load from a specified volume (such as the recovery partition)? Is that why you say "OK, can it be done? Yes, potentially"?

Regards,
 
Macced (OP) · Joined Nov 29, 2018
Yeh, thanks Ferrarr. I already have High Sierra on a bootable USB courtesy of DiskMaker X. It turns out that booting using Internet Recovery causes the Mac to load from firmware, obviating the need for the bootable USB and allowing the user to completely partition the drive (including the recovery partition).
https://discussions.apple.com/thread/7160939
 
MacInWin · Joined Jan 1, 2009 · Winchester, VA · Specs: MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
There are NO viruses for Mac at this time. Not through any vector. Nor is any vector for any future virus known at this time. Basically, macOS is pretty secure. Anything that installs to your machine has to have YOUR permission to install.

They COULD potentially, if they had your password, try to come in remotely and have your system reboot, but on that reboot, they would have to have direct access to your keyboard to enter the password or select the recovery partition to boot because in the boot process you have to have a keyboard entry before the network connects. But I told you to change your password. I said that because even if they have your current password, they won't have the new and therefore won't be able to do even that reboot. The reason I said "potentially" is that if you ask a question about "Can something be done?" I have to say "yes, anything is possible." Pigs could fly, all the air in the room could decide to exit through the window and leave a vacuum, you could flip a coin and have it land on the edge, you could be hit by a meteorite tomorrow, etc. But the probabilities of all of those is really, really small and not worth worrying about. But NOTHING is guaranteed in this world, ever. Anything can happen.

And that's as objective as it's going to get. At this point you sound like you are never going to trust anything, ever again, which is kind of sad. If you are that afraid of this "internet stalker" then don't go online. Seriously, there is a life without the internet, and it sounds like in your case it would be a better life.

You have a very secure computer in the Mac, you say you use VPN, you have reinstalled the OS and you can (and should) change your passwords. That's about all any person can do to keep a bad actor out of your system. Don't let the stalker win by creating such paranoia.

I used to work in the highly classified computer industry where our data was super-classified and sensitive beyond belief. Our assumption in that industry was that there was NEVER a truly secure system. Two people cannot keep a secret. And computers are always going to be able to be cracked. The closest to a secure system I ever heard about was a CIA system that had double filtered power supply to a computer in a vault with total electronic shielding, no printer, one terminal in a locked vault with two guards on it 24/7. And nothing went in or out of the room except cleared agents. Basically the operator went into the room, took nothing in, did the query on the terminal, got the answer, memorized it, and walked out, taking nothing out. Even their pockets were emptied and checked by the guards. We thought it COULD be secure, but we could not guarantee it. Because as I said, NOTHING is guaranteed. So you can see why my mind runs to could/should/ought to instead of will/does. Don't let my paranoia and hair-splitting about "can something be done" get to you. I already drive my wife crazy, but after 40 years of being in that industry, it's just how my mind works.

If you want to go one more step, you could encrypt your hard drive. The risk in doing that is that if you ever forget that password, there is NO way to recover it, or the data on the encrypted drive. Given your paranoia, what I would suggest if you decide to do this is to take the Mac offline totally (no network, no WiFi, no BT), make a backup, test the backup, and then open System Preferences, Security & Privacy, click on the FileVault button and turn on FileVault. It will ask for you to create a password and then will create a recovery key for you. Then let it run to encrypt your hard drive. It will take a long time to complete, so let it run until it is done. If you interrupt it, you will end up with a totally unstable drive that probably won't boot any more. You will have to recover from the backup or from the internet and format the drive to recover it and repeat the process. So DON'T INTERRUPT IT. (Yes, I am shouting.) Of course, if you are still convinced that this bad actor can see every keystroke (which I seriously doubt, given what you are doing), then you may worry that on the entry of that FV password this stalker will have it, too. But probably not.

I say that because with FV turned on, when your system boots you will have to provide the encryption password before it even starts to boot, and then you will have to enter your account password after it boots. But any "intruder" to your system will be totally stymied by the FileVault encryption because the FV password comes well before any network connection is even opened, so even if a bad actor could somehow force a reboot from outside, the FV password will keep it from booting. Once you know it's done encrypting, you can turn on the network (WiFi and BT) again. Oh, and if you make backups of this encrypted system, make sure to encrypt them, too. You can do that in most backup software, including Time Machine.

You can read more about FileVault here: https://support.apple.com/en-us/HT204837
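The defences the thread keeps returning to (FileVault, the built-in application firewall, Remote Login, and whether anything is actually listening for inbound connections) can be verified from Terminal in one read-only pass; the script below is an added example, not code from any poster. The parser functions and the SAMPLE_LSOF lines are constructed for this example, while fdesetup, socketfilterfw, systemsetup and lsof are the macOS commands they wrap.

```shell
#!/bin/sh
# Added example: read-only macOS posture check for the points raised in the thread.
# The *_from_output parsers and SAMPLE_LSOF are constructed for this example; the
# commands they parse are Apple's own CLIs (fdesetup, socketfilterfw, systemsetup, lsof).

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
fv_state_from_output() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# `socketfilterfw --getglobalstate` prints e.g. "Firewall is enabled. (State = 1)".
# State 1 = on, State 2 = block all incoming connections, State 0 = off.
fw_state_from_output() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo on ;;
    *"State = 0"*)               echo off ;;
    *)                           echo unknown ;;
  esac
}

# `systemsetup -getremotelogin` prints "Remote Login: On" or "Remote Login: Off".
# It needs root; run without it the output is an error message and we report unknown.
remote_login_from_output() {
  case "$1" in
    *"Remote Login: On"*)  echo on ;;
    *"Remote Login: Off"*) echo off ;;
    *)                     echo unknown ;;
  esac
}

# Count listening TCP sockets in `lsof -nP -iTCP -sTCP:LISTEN` output.
# The first line is the column header and is skipped; blank input counts as 0.
listen_count_from_output() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF { n++ } END { print n + 0 }'
}

# Constructed sample of lsof output, so the parser can be exercised offline.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      123 root    3u  IPv4 0x1234      0t0  TCP *:22 (LISTEN)
rapportd  456 alice   4u  IPv4 0x5678      0t0  TCP *:49152 (LISTEN)'

# Live checks. The expected picture for the setup described in the thread is
# FileVault on, firewall on, Remote Login off and a short, recognisable listener list;
# an unexpected listener is an inbound path worth explaining.
run_checks() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "Not macOS; live checks skipped."
    return 0
  fi
  echo "FileVault:             $(fv_state_from_output "$(fdesetup status 2>/dev/null)")"
  echo "Application firewall:  $(fw_state_from_output "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")"
  echo "Remote Login (SSH):    $(remote_login_from_output "$(systemsetup -getremotelogin 2>/dev/null)")"
  echo "Listening TCP sockets: $(listen_count_from_output "$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)")"
  lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | awk 'NR > 1 { print "  " $1 " " $9 }'
}

run_checks
```

Run it as `sudo sh check.sh` if you want the Remote Login line populated; everything else works as a normal user.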
 
Macced (OP) · Joined Nov 29, 2018
Hi Jake,

I want to extend my full gratitude for the detailed clarification you've now provided. I think you can appreciate what I'm experiencing. I'd like to know more about a couple of points you raised. Before I ask, though, I will reply to your query re: FileVault. I actually turned it on straight away after the last clean install and endured the full 4-5 hours (High Sierra is notorious for this, but it seems wiser to use the most patched OS that's still reasonably current than risk this: https://www.servercentral.com/blog/os-x-high-sierra-zero-day/ )

I also want to thank you for clarifying the actual mechanics of why a remote reboot of my system is effectively impossible given the need for keyboard access at the startup prompt. These kinds of key facts are vital as I try to understand how I've been compromised.

I'd like to get your input on the following possibility, and I think it's of great interest not just to me but to many others who use FileVault here. When a drive is encrypted using FileVault AFTER the installation of OS X (not during), it syncs the password used to decrypt the drive each time at startup with your user account password. So, if I had been exposed to a keylogger, isn't it possible that they would quickly have obtained my user account pass given the frequency with which I use it for my daily computing, such as unlocking the Mac after a screen break or installing new apps, and therefore be able to decrypt the drive at will using Terminal commands? Or would a keylogger be impossible to install by virtue of developer protections that operate by default in OS X?

A side point: I installed Wireshark for the first time about a week ago and ran it for a few hours, not really having a clue what it was doing. I soon found that I had exhausted 6 GB of my monthly data allowance, which doesn't sound much but is 20% of what's available on my sole means of internet access (remember: tethered iPhone). It was in promiscuous mode, if that's of any relevance, but is this reasonable given my own data use during the 3 hours would have been no more than 30 MB of HTTP browsing?

I've also been running Little Snitch for a couple of weeks now. Only a few 'incoming requests', but they were all using OpenVPN (my VPN service), so I'm guessing this bodes well? The only peculiarity is that when I go through the tiring process of authorising the connections the VPN app makes to connect in the first place, sometimes the user is listed as root and sometimes as the name of my MacBook. Is this normal? (I am guessing so.)

Thanks again for your advice. I really appreciate it so that I can get this sorted sooner rather than later. I think we are all entitled to privacy at this basic level.
 
MacInWin · Joined Jan 1, 2009 · Winchester, VA · Specs: MBP 16" 2023 (M3 Pro), iPhone 15 Pro, plus ATVs, AWatch, MacMinis (multiple)
FV can only be invoked after the OS is installed. It's part of the OS, so you have to have the OS to have FV. When FV encrypts the drive, it gives you three options to gain access if you lose your password. In the document I linked for you, it says:
Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*
If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*
If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.
So, you get to pick what you want. Given your level of concern, I would opt for the last option, a local recovery key that you can print out and store somewhere only YOU can get to. And as it says, once it's done, you use your password (remember, I said to change it) to unlock the encryption. But that unlock happens BEFORE the boot, and before any network connections, so even if someone has the password, they won't have access to your keyboard.

You said
So, if I had been exposed to a keylogger, isn't it possible that they would quickly have obtained my user account pass given the frequency with which I use it for my daily computing, such as unlocking the Mac after a screen break or installing new apps, and therefore be able to decrypt the drive at will using Terminal commands? Or would a keylogger be impossible to install by virtue of developer protections that operate by default in OS X?
I'm not sure what you mean by "exposed to a key logger" in that quote, because you have reinstalled the OS from scratch, which eliminated any key logger that may have been installed. So just because you HAD been exposed does not mean you ARE now exposed. Do you have hard evidence of being key logged now? I am unaware of terminal commands that might decrypt the drive, if someone could gain access to it, but I suppose one could somehow do that (again, I never say nothing is possible, but some things are pretty much only remotely possible (pigs, air, meteorites)). Again, the way macOS works is that you must provide YOUR password to install software, as you said, so any malware that gets installed gets installed because you provided the password. There is no "magic fairy dust" to install anything. The macOS is one of the more secure systems available to consumers, there are no viruses and no known vectors for viruses in the current version.

I cannot speak to Wireshark or Little Snitch. If you want to see what is working your network, open Activity Monitor (In the Utilities folder) and click on the Network tab. Then you can see in the Sent Bytes and Sent Packets what processes are using the network. 6GB seems high to me, but again, I don't have any feel for what your connection involves (WiFi, VPN, cellular, wireshark, little snitch, etc) so there may be some interaction in all of that that is triggering usage. But maybe Activity Monitor will show that. You can click on the column headers to sort the entries to have the highest hitters at the top where you can compare.

I've had my personal data stolen now six times; each time it triggered me to change my passwords and in one case to change email providers. Now I'm getting the scammer email that says "here is your password just to prove I have access" with one of the stolen passwords from 4-5 iterations back. But it's a scam because NONE of my accounts now use that password, so I just ignore it. I'm not letting uncertainty set in.

So, unless you have evidence that you are NOW being key logged, I think given what you say you have done it's unlikely. And if you have no key logger now, then change your password and the bad guys don't have a chance.
 
OP
Macced
Joined
Nov 29, 2018
Messages
29
Reaction score
0
Points
1
FV can only be invoked after the OS is installed. It's part of the OS, so you have to have the OS to have FV. When FV encrypts the drive, it gives you three options to gain access if you lose your password. In the document I linked for you, it says
So, you get to pick what you want. Given your level of concern, I would opt for the last option, a local recovery key that you can print out and store somewhere only YOU can get to. And as it says, once it's done, you use your password (remember, I said to change it) to unlock the encryption. But that unlock happens BEFORE the boot, and before any network connections, so even if someone has the password, they won't have access to your keyboard.

You said
So, if I had been exposed to a keylogger, isn't it possible that they would quickly have obtained my user account pass given the frequency with which I use it for my daily computing, such as unlocking the Mac after a screen break or installing new apps, and therefore be able to unencrypt the drive at will using terminal commands? Or would a keylogger be impossible to install by virtue of developer protections that operate by default in OS X?
I'm not sure what you mean by "exposed to a key logger" in that quote, because you have reinstalled the OS from scratch, which eliminated any key logger that may have been installed. So just because you HAD been exposed does not mean you ARE now exposed. Do you have hard evidence of being key logged now? I am unaware of terminal commands that might decrypt the drive, if someone could gain access to it, but I suppose one could somehow do that (again, I never say nothing is possible, but some things are pretty much only remotely possible (pigs, air, meteorites)). Again, the way macOS works is that you must provide YOUR password to install software, as you said, so any malware that gets installed gets installed because you provided the password. There is no "magic fairy dust" to install anything. The macOS is one of the more secure systems available to consumers, there are no viruses and no known vectors for viruses in the current version.

I cannot speak to Wireshark or Little Snitch. If you want to see what is working your network, open Activity Monitor (In the Utilities folder) and click on the Network tab. Then you can see in the Sent Bytes and Sent Packets what processes are using the network. 6GB seems high to me, but again, I don't have any feel for what your connection involves (WiFi, VPN, cellular, wireshark, little snitch, etc) so there may be some interaction in all of that that is triggering usage. But maybe Activity Monitor will show that. You can click on the column headers to sort the entries to have the highest hitters at the top where you can compare.

I've had my personal data stolen now six times; each time it triggered me to change my passwords and in one case to change email providers. Now I'm getting the scammer email that says "here is your password just to prove I have access" with one of the stolen passwords from 4-5 iterations back. But it's a scam because NONE of my accounts now use that password, so I just ignore it. I'm not letting uncertainty set in.

So, unless you have evidence that you are NOW being key logged, I think given what you say you have done it's unlikely. And if you have no key logger now, then change your password and the bad guys don't have a chance.

As it turns out that's exactly the option I chose when I activated FVault2, both on this occasion and back at the end of 2015 when I got the MBP (the recovery key option). I've just checked out a few sites that purport to explain how FileVault actually works and it appears that it encrypts and decrypts on the fly. However I think we all know that we're not being prompted for our decryption password at every keystroke or mouse movement, which must mean it's effectively decrypted from the moment you unlock your user account until you log out or your screensaver comes back on. So again, what's to stop someone who has your IP address from doing a remote terminal command and simply entering the user account password when prompted? If entry of the user account password makes the drive fully accessible locally, what's preventing it being accessible to someone remotely who has a good knowledge of all the terminal commands AND the user account pw? What would also then stop them from uploading some form of malware or trojan to that same drive? I'll google this pixie dust you speak of in the meantime :-)
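The point made earlier in the thread, that with sharing switched off nothing can get in, can be checked directly: a remote "terminal command" needs a service listening for inbound connections (Remote Login's sshd, Screen Sharing and so on), and knowing an IP address or a password does nothing without one. The script below is an added example, not code from anyone in this thread; it parses `lsof -nP -iTCP -sTCP:LISTEN` output and reports the listeners reachable from the network, and on a Mac it also prints the Remote Login and FileVault state. The embedded lsof sample is constructed, and its process names, PIDs and ports are made up.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: list the processes on
# a Mac that accept inbound TCP connections. A remote "terminal command" needs
# a listening service (sshd from Remote Login, Screen Sharing, etc.) to talk
# to; with all sharing off, an attacker who knows your IP address and even
# your password has no inbound path to the machine.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output so the parser
# runs offline; process names, PIDs and ports here are made up.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   20u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd     312 root    7u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:631 (LISTEN)
rapportd  455 jane   10u  IPv4 0x5e6f      0t0  TCP *:49152 (LISTEN)
node      901 jane   23u  IPv4 0x7a8b      0t0  TCP 127.0.0.1:3000 (LISTEN)'

# Print "command port address" for each listener reachable from the network,
# i.e. bound to * (all interfaces) or a non-loopback address. Loopback-only
# listeners are skipped: remote hosts cannot connect to them.
exposed_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $(NF-1) ~ /:/ {
        addr = $(NF-1);
        n = split(addr, a, ":");
        port = a[n];
        host = substr(addr, 1, length(addr) - length(port) - 1);
        if (host != "127.0.0.1" && host != "[::1]") print $1, port, host;
    }'
}

# Number of network-reachable listeners; 0 means no inbound path for a shell.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

main() {
    if [ "$(uname)" = "Darwin" ]; then
        # Live data on macOS; lsof needs sudo to see other users' sockets.
        current="$(sudo lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)"
        sudo systemsetup -getremotelogin
        fdesetup status
    else
        current="$SAMPLE_LSOF"
    fi
    echo "Network-reachable listeners (command port address):"
    exposed_listeners "$current"
    echo "Exposed count: $(exposed_count "$current")"
}

main
```

On the sample data only sshd on port 22 and the rapportd listener on 49152 are reported; the CUPS and node listeners bound to 127.0.0.1 are not reachable from another host.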