UKC

A friend got a call today saying a problem with her router and they could fix it.  Long story short, they created a PayPal for her with her credit card details and they had access to the computer for 2 hours, 1 hour unattended.

We have contacted the bank and police.

My question is, what should I do to make her computer safe to use before I let her go back into the internet?

She is very worried.

Had the same problem with my 87 y.o. mum. Thank God she had a GP appointment to keep and had to cut the conversation. The fraudsters had managed to get her to download a couple of things but didn't have time to drain her bank account. This was despite us having given her all the usual warnings.

The problem is that older folk don't want to cause offence, are generally still respecting of "authority"whatever form that takes and as you age the part of the brain that governs judgement and discrimination begins to lose effect. Couple that with IT naivety and you've got a recipe for fraud.

Back up everything important from its hard drive to an external drive or usb stick straight away. Then remove the storage device and don't plug it back in again.

If they've installed ransomeware it gives you the option of formatting the entire system without losing anything.

As a first simple step I would look to see whether they have installed an application on her PC. If she is using Windows then go into Apps & features and search by installation date to see if anything comes up with todays date. Does she have a firewall and anti-virus software installed that may pick up any unusual activity?  

In reply to Rigid Raider:

At the time that I first read his post about his stalker, there were two "dislikes" on his OP. They have gone now (at the time of writing this - I am not coming back to edit this post yet again if things change)

The Lemming is convinced that at least one person automatically hits "dislike" on nearly all his posts, following him around the forum to do this.  Sometimes I think he thinks it's me so I'll declare here and now that I have not  hit dislike" on a single The Lemming post during 2018, and also salute The Lemming for helping such people as described in the OP.

The only way to be completely sure is to reinstall it, having (obviously) backed up all personal data first.

I assume we're talking Windows ? Create a bootable anti virus disk/USB drive on another machine and boot hers up with to scan for any malware etc.

Make sure her user account only has standard user credentials and not administrator credentials, keep the admin password secret so that the user has to ask you for it if they want to install software. It can be a pain sometimes to do this but without admin rights you limit the damage scammers can do. It's saved me from a world of pain at times with end users...

Destroy the machine. Attempt no data recovery.

Hi everybody, thanks for the advice.  Its much appreciated. 

The funny thing is that my friend's late husband was responsible for all the home IT duties.  This was understandable seeing as he wrote the software for the original Premium-bonds ERNIE.  Fun trivia fact.

As it is, I'm the go-to guy when any IT problems crop up, and this one has given her the most stress.  Normally my friend is switched on to such things but, this morning she got sucked in and almost lost a sizeable amount of cash.  They all sound so plausible.

As for backing up.  Well for years I have been banging on to all my friends about the importance of backing up and my friend was reminded many times.  But you know how it is, backing up isn't really important and just a pain in the proverbial.  Well I pointed out to my friend that backing up only comes into its own when the sh1t hits the fan.

I'm not 100% confident that ransomware has been installed, but I ensured that the internet was disconnected before I turned the computer back on.  Some small command line boxes popped up for split seconds while booting up, which got my spider senses tingling.  I can't back-up till tomorrow but while I'm at it, I will hit the Nuclear Option and wipe the hard drive clean and do a fresh install.

After a clean install, what useful security apps/software would people suggest I install?

Why destroy the machine ? A secure erase and reformat of the hard drive would clear everything off or buy a new hard drive/SSD if you're paranoid..

As you probably know it's going to take a while to re-install the OS and all the associated programs etc that the user has collected, not to mention a probable large amount of software updates. However, once you've got the system as you want it I would strongly advocate using a system imaging tool such as Macrium Reflect which is free for home users. I've used this at a couple of schools I support for a number of years and it is a brilliant tool, especially on the Servers where it can save you days of work restoring the system as it was. You should save the system image to an external drive and also create a bootable restore DVD with the tool so that if this ever happened again or the hard disk crashed you can restore the whole system image from that time. On average it takes about 20 mins or so to restore the C drive and it just works.

Re-programmable firmware in the hard drive controller, webcam controller, bios and god knows what else can act as reservoirs for malware.

A secure erase from a compromised machine is not a secure erase.

As a serious question: would you advocate reflashing the BIOS with a clean copy from the Computer manufacturer's website before the OS reinstall and would you expect that to remove any malware that might be resident in the BIOS ?

An OS reinstall won’t touch a compromised BIOS - with the possible exception of MacOS where the boot firmware is from the same manufacturer as the OS, which can sometimes - rarely - update the firmware.

I can’t advocate reflashing the bios as I don’t trust the computer that will be used to do it, and I doubt you can physically pull the chip out and flash it in a 3rd party device these days.

Best option if you want to keep the computer would be to remove all USB devices, disconnect all disk and flash drives, boot from a “live cd” and reflash the bios from that.   

In reply to Rigid Raider:

There is no 'ignore' function here, but at the time of Lemming's post about his "stalker" which subsequently slightly derailed his own thread there were no off-topic or unhelpful posts to ignore. 

For those who find the likes/dislikes distracting there are browser extensions available for Chrome and for Firefox that will strip them out and display UKC as if likes & dislikes did not exist.  Lemming is well aware of those, they were actually created by a kind and technically-minded soul in response to one of his own threads, but he prefers to continue see likes/dislikes (and whinge about the latter).

Edit to add:
If it's of interest to anybody, the thread in question is this one: https://www.ukclimbing.com/forums/off_belay/open_request_to_site_ownersplea...
and the browser extensions to ignore likes/dislikes can be found here: https://github.com/alansaul/UKC-Extensions

I have forgotten how to do this.  And I've word my own computer a few times.

If this has happened to my grandparents I would do the following:

1. Contact the police
2. Contact the bank
3. Contact PayPal
4. Back up all personal data
5. Reinstall windows

 While it is possible that the bios be compromised I wouldn't be overly concerned. Sounds more like a grab and run sort of operation. 

I shall indeed create a clone and keep it on my NAS box.

Will a fresh Windows 10 install fit onto a DVD?

Much appreciated.

Edit

Unfortunately I have been told that the addon is not compatible with Firefox Quantum 50.0.2.

No bother - I actually didn't see your reply until after my edit to add Reaver2k's link, I was guessing you were still not interested. 

If you are going to give it a try though, that does seem like a good idea to me.  The like/dislike buttons obviously still annoy you greatly, there's really no good reason to continue to see them if you can get your browser to strip them out.

Edit: Oh, bugger. 

A few times I’ve noticed I’ve previously disliked a post at the top of a thread by mistake and undone it.  It seems to be a mobile interface clumsy thumbs thing.  Once the OP (not lemming) ranted and raved about it being their dislike stalker.  Which it wasn’t.  People need to stop being paranoid about these things.

No worries.

On the plus side, I have had some excellent advice on fixing my friend's computer however I'm not going to the trouble of farting around with any BIOS setting or flashing.  Its all about evaluating risk.  The call taker on the Action Fraud Cyber Crime suggested I contact an IT shop or try and use System Restore to a few days back.

I shall not do Option One as its expensive and option Two does not instil me with the confidence that the operating system is disinfected.  I'm going with Option Three, and wiping the hard drive and re-installing a clean OS.

Cheers everybody.

Wipe it and clean install.

But more importantly, she probably had all her passwords stolen since most people save them in the browser.
Make sure she is changing her passwords on all the online services she is using, and uses new, never used, strong password. She must start this update process with her main email account.

I ran her email address through "Have I been pawned".  That will most definitely be changed tomorrow.

Tell the bank, police etc..

DO NOT TURN THE COMPUTER ON until you have disconnect turned off the Wi-Fi, router etc..  then take it to some geeks, who will try and recover what they can. There is a chance it can never be cleaned.

Log them on elsewhere and change all passwords. On everything and anything, not just on what was involved here. 

In a word no, you could consider a USB flash drive though. 7dayshop to take one example do 32GB flash drives from around £10 though I would still put a copy on an external hard drive just in case....

I'm creating a USB bootable tool right now.  I'm hoping that I don't need the key and that Microsoft will do its magic and find this for me when reactivating.  I'm not sure if my friend has a 32bit or 64bit OS.  I'm guessing I will need two USB's to cover both options, or will Microsoft show pity and activate irrespective of 32/64bit architecture?

The ease of reactivating the OS licence will depend upon whether or not the digital device (ie laptop) is linked to the users Microsoft account. If it is then it should be fairly straightforward to reactivate the licence as this link explains. https://support.microsoft.com/en-us/help/20530/windows-10-reactivating-afte...

If not then you'll need to contact Microsoft. If you haven't yet overwritten the corrupted device you could find your existing licence key by using something like JellyBean Keyfinder which might help if you need to contact Microsoft.

I would have thought you'd be on a 64 bit version of the OS, the 32 bit version is more restrictive in terms of what drivers are available etc and the only reason you'd really want to use it is to support specific  old applications

Nuke it from orbit. Its the only way to be sure.

I'm sorry ... i work in IT.

First instance - unplug it from the internet and keep it that way until you've decided what your next move is.  Justification - you need to assume that they've installed something that gives them remote access.

Next move - You need to assume that they have access to all your accounts email etc.  Reset everything.  Every single website that you have a login to - reset the password.  Those services that offer multifactor authentication (gmail for example) - enable it and use it from now on.  Never Ever Ever .. use the same password twice.  If they have access to your accounts they will have guessed (rightly in vast majority of cases) that you probably use the same email and password for most sites.

Specifically to your question "make her computer safe to use"

ANS:  Wipe it (with a tool that writes 1's or 0's onto the hard drive to remove all trace of everything)  , clean install ... start over again.  Its exactly what would be done in IT world.

Some are suggesting back up stuff now.  Backups are a strategy for before this happens - not after.  The risk you run here is that you backup something bad.  That being said ... many will do it anyway.

Going forward, you can get a 1Tb hard drive off amazon for about £35-£40.  Take it out the box, encrypt the hard drive, backup everything important every, say, 3 monthly, put it back in the box to keep is safe and clean ... and give it to mate/family to keep at their house for you.  Repeat.  Its the safest and cheapest long term solution for offsite backup.  You do the same for your mate.

I am sorry this has happened to you.

Remove the keyboard and mouse to prevent it happening again.

Bung in a new HD, they are cheap as chips. Reinstall onto that.

Reinstall all the progs from scratch.

Take the old HD and mount it in your linux box.

Recover what documents and pics you can onto a USB. Be aware that some office docs or pdf can contain hostile embedded macros or links.

Virus scan the docs before you import onto the new box. (Or open them in linux and convert the format to plain text or another office format without macros.)

Use a password manager, such as Last Pass, to secure all passwords. Last Pass can do an auto password change, that will magically update all the passwords without further user interaction.

One you're recovered all data from the old drive, you can nuke it from linux. Buy an external USB caddy and use the disk for backups. Keep the backup drive unplugged from the host machine when not actually backing up.

I wish this was an option.

I'm sure this sort of advice is well meant but it's utterly impractical. The idea I could remember 40+ different passwords is absurd.  It has to be a few special ones (e.g. bank) and repeat passwords for low value stuff.

In fairness ... I agree 100% with you - it is entirely unpractical.  Couldn't agree more. 

However - its also true.  It is the holy grail of security rules online.  Certainly with your money moving accounts/services (bank etc) - unique & strong passwords and multi/dual factor authentication is an absolute must.

The first thing they do when the break into one account (typically email), is try to leap frog into the next account/service as they ladder up until they're into something useful i.e. your bank/paypal etc.  That laddering is all based on same email address being used with many services and, typically, the same password as well.  (See below - password not actually all that important if you use a single email address for everything anyway.  They'll just request password resets and get email sent through to the account they are already into.)

Their typical trick after getting into an account is to immediately reset the password locking you out of it.  Many applications these days contain a dedicated field for "password reset email address" somewhere deep in your account profile settings.  By default this will be set the same as your login email i.e. login email = password reset email.  An easily layer of security is to create yourself a new email account, pw_reset@gmail.com for example, and set it for every important service/application you use.  Use it for absolutely NOTHING but password resets.  If someone hijacks your account you'll be able to get it back even if they're still in your main email account by virtue of the fact the password reset email will sent to this other email address that only you know about it (You never ever put this email address into any site ever ... it must remain secure.  If using GMAIL ... make sure you are using their Authenticator app for 2 factor authentication as well.)

That being said ... cough up for LastPass and you will only ever have to remember 1x password for the rest of your life.  The passwords you do use for everything else can be unique and very very strong.

https://haveibeenpwned.com/ ... check your email addresses here.  If website you used years ago (with same email and password you use now) has since been hacked ... you're details might be up for sale.

Cheers.

Thanks - really helpful post.

An alternative to last pass, which costs money, is Keepass.  It is completely free and can be used on loads of devices at the same time.
I have 50 to 60 passwords and they are all unique.  You could put a gun to my head and I genuinely could not remember any of them. They are all computer generated and gobildygook.

I just have to remember one simple phrase and this allows me to see and use any password.  I just cut and paste most of the time.

It took a while to trust this idea of not remembering passwords for banks, Amazon or PayPal but it was worth it for complete safety of never repeating a password.

I even use a Keepass add-on for Firefox and it puts in all user names and passwords for me, without me having to remember anything.

Learning how to use a password manager was a revelation.

Don't know if I am being paranoid but a small command prompt window popped up for a split second when I turned my own computer on this evening.

I did use the same USB pen in both computers to back stuff up. Kaspersky did not pick anything up.

Am I just being paranoid?

Either way, I'm going back to an old clone to be safe.

My concern with these is the single point of failure. If someone hacks them they have all your passwords and details. Then what??

Good luck trying to crack my phrase.

I did some research about the fastest supercomputers and how long it would take to crack the phrase.

I'm happy that this would not happen in my lifetime. In fact it would take billions of years. Who's going to spend that much time and resources to hack me?

The phrase uses dictionary words only. No numbers or special characters used.

Find a friend who knows their IT and get them to take a look. You could make it worse with your fumbling.  Firstly turn off the router whilst you wait for friend who knows what they are doing.

I think I am capable of formatting a hard drive and reinstalling an OS.

It's not rocket science.

Exactly you are capable of completely f***ing up their computer, wiping out their data and applications at your first attempt. Formatting should be a very last resort. It is more complicated than rocket science.

Nobody.  They’d just drop a £50 USB keylogger onto your computer and get the phrase that way, or temporarily stick a spy camera on you, or one of a dozen other approaches.

Personally I’m highly suspicious of random 3rd party free password managers.  At best they are an unknown, unvetted security hole.  At worst...   I have about 15 keys for various doors, gates and padlocks.  I don’t let some random geezer look after them for me for free...

I’d not give my keys to a random geezer.  I’d be 100 times less likely to give them to Kaspersky.

Jolly good - far safer than recovering potentially compromised applications or document files.  Ideally, Lemming would Mr Bean the computer into oblivion.  

Mission accomplished.  USB pen inserted, booted into USB and wiped all data on first attempt. This included wiping everything the fraudsters installed on the computer yesterday.

I prefer to nuke from orbit than waste time trying to disinfect.

Actually it's very easy. I have a different password for hundreds of sites and I can remember them all.

Pick a secure password, and then a method to combine it with the website name. Then you get a unique password for each site.

Pick a more secure one for your email and bank. 

Required xkcd:
https://xkcd.com/538/

Although now assuming you were being truthful about dictionary words only, it would take considerably less time to break it, as you can run a dictionary attack.

How long would it take a super computer to crack a phrase with  around 25 characters, maybe less maybe more?

You don't know how many words are used and how long each word is.

25 characters totally unknown would take a long long time, but knowing it is words reduces it loads. The number of characters are irrelevant (well sort if, we we know how many characters you could make a rainbow table of words that make that length). Now it is down to the number of words that define how long it would take.

178000 words in the dictionary, working on about 1 trillion a second (not unbelievable either).

1 word < 1s

2 words < 1s

3 words ~ 6000s (just over 1 and a half hourish)

4 words ~ 31 years (16 Lemming lifespans)

5 words ~ 5,681,786 years (2840893 lemmings lifespans)

I don't know how old you are, but I would hope 1 - 4 words would be cracked in your life time. What is more likely is someone will just dump a key logger on your computer, or as with the XKCD hit you with a wrench until you tell them. What is more likely again is no one will ever try to crack your passwords.

On a side note, quicktothepub would be more secure than pneumonoultramicroscopicsilicovolcanoconiosis if doing a dictionary attack

I've recently switched to using routines expressed in machine code for some passwords as it is easy to remember and is likely to be proof against many kinds of attack plus it's easy to end up with a reasonable length of "phrase".

I'm quite safe to use dictionary words if there are enough of them and nobody knows how long the words are.  No need for fancy rules from sites asking for capital letters, numbers or characters either.

unfortunately there are still some idiots responsible for setting password rules - I'm not assuming it is the programmers necessarily, as it could be stupid managers who still think an attack is going to be somebody taking alphabetical guesses.

And who think a valid response is to publish these silly rules when an account is set up so that potential attackers can research before attack.

You still find sites and systems that restrict you to 12 characters or fewer

Joe Public = You're good.  Unless you are trading Crypto, 99% of the population is good.

However... worth a chit chat on it anyway . 

The main point of failure with LastPass is you.  Even though it syncs passwords across all your devices - LastPass has no idea what your master password is or any of your passwords held within your vault.  Yes, there have been vulnerabilities in the past (google it).  It is infinitely more likely that you'll break the golden rule and divulge your master password (or forget it as many do) than it is that LastPass will divulge your password details to someone else.  

Note some of the other benefits of LastPass and others:

1. You'll probably not know the passwords it sets for the sites you use.  i.e. (from above) Put a gun to your head - you wouldn't know the password if someone asked you for it.  If you don't know it ... you can't give it away. 
2. The passwords they set are bomb proof.
3. They can periodically cycle your passwords which further reduces the probability of someone stealing your passwords.

It has faults.  But for 99.99% of the population it would increasing your online security 100x fold.

Cheers.

Great idea ... I do that too!

Only if you take an embarrassing alphabetical approach rather than using some basic word-frequency statistics to determine the ordering...  

FYI ... I use multiple email addresses.  I think it's recommended practice.

1. Most important - Burner Email.
2. Friends and family email. 
3. Trusted (money moving) email.
4. Password reset email.

Burner email is the most important.  Anytime some random website asks you for an email - give them this.  If you/they get hacked, who cares ... just close it down and move on.  Suggest something like <name>_burner_1@gmail.com and then just increment the number as you.  I'm on #5 now.

Friends and family.  Only give it out to friends and family    Never put it into a site EVER.

Trusted.  Banks, ISA's, PayPal etc ... money moving.  Nothing else.  Never put it into a site you don't trust.

Password reset.  Usually partners up with Trusted i.e. used together in the same services that support different passwords for login and password reset.

One rule ... the email accounts never email one another.  That defeats the purpose. 

I like your strategy for differing addresses, especially for banking stuff.  I do have different mail addresses but I think I will incorporate your method for added security.

Even with helping my friend, I have learnt an awful lot of new safety advice for my new digital life.

But I am lazy doing lazy man's maths! 

Don't forget that dual/multifactor authentication on your email either.  Along with the multiple segregated email addresses, strong passwords etc ... this is the stuff that makes your email properly secure.

If you using gmail (I don't know about other services) you can get an app for your phone called Authenticator (https://en.wikipedia.org/wiki/Google_Authenticator) that works a bit like an RSA hardware token i.e. 6 digit random number that counts down every 15 seconds and generates a new random number again at the end.  When you sign in from a different device for first time ... its going to ask you for that number.  

The reason why it's secure is because someone now needs to be in possession of email address, your password, your mobile phone, and be able to unlock it to get that cycling number ... before they can get into your email address. 

The probability of that all coming together (and someone actually going to the great lengths to put it together) is exceptionally low i.e. It will never happen to Joe Public.

Sounds like you're all kitted out now! 

1 word in a dictionary attack = 1 letter in a normal attack.  By restricting yourself to dictionary words you instantly limit the possibilities for a hacker. It doesn't matter how long the words are, a word is a word. OK, so there are more words than letters in the alphabet, but you're still making things too easy _unless_ you're using lots of words.

3 word dictionary attack assuming 17,000 words in dictionary = 1/17,000th*1/17,000th*1/17,000th = 8 to-39 ish.

5 letter alphabet attack assuming 26 letters in alphabet (single case) = 1/26th*1/26th*1/26th*1/26th*1/26th* =2 to-23

6 letter = 5to-46

...so a 6 letter normal password only using 1 case is already more secure than a 3 word passphrase.

6 letter password using both cases, digits and 8 special characters = 9 to -60

How many words in your passphrase? (Don't answer, just work out it's comparison with a 'normal' password and see if you still think it's secure enough.)

Personally, I use a 8-14 character passwords made up from a passphrase (a lyric from an obscure song) - I take the first letter of each word in the phrase and pad with some digits / special characters. It's immune to a dictionary attack because no words are used, and it's long enough to foil a brute force attack.

For example, you could take the Dirty Harry phrase 'well, do ya feel lucky punk' and use the first and last letters of each word to give wldoyafllypk - use 'hacker speak' to use numbers and characters to give

w!d0y4f!!ypk

at 1to-3779.........or 110thousand years.

Hackers rely on users being lazy with passwords, so don't be lazy!

I am happy with using a passphrase comprising of bog standard dictionary words, and am confident that it will take several millennium to crack.

Passwords are a different thing, and I use a Keepass password generator to create these. 

As I said I am more than happy to let a State owned Supercomputer to 'have at it' while trying to crack my passphrase.

how many languages in the dictionary and how many names/name variations/nicknames?

To go through all of those and get all the words in the right order with or without spaces is a monkey with a wordprocessor job.   Dictionary attacks as I understand it are only really effective when a small (underlined) number of common(underlined) words are used in a shortish password/phrase

ps the beauty of using machine code is that it's easy to remember quite a long string and to alter it in a non intuitive way by altering the operands.  Your method I'd have to write down my password!  I prefer more than 14 characters generally.

In reality I use a variety of strategies with least care for throwaway single purpose accounts that matter least

Plenty of languages, but you target properly if you're a hacker - use an english dictionary attack on english websites. Plenty of nicknames and names as you say, but plenty of people use common words and spellings - certainly enough to target.

I suggest others read through the UK Government's guidance on passwords - the current best pragmatic recommendation is 3 random words. https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

Yes completely random digits have more complexity and are harder to crack - but words are easier for humans to remember and for fingers to type. A secure password is only good if you can use it.

Another blog some of the more pracitcal and human sides of security: https://www.ncsc.gov.uk/blog-post/not-perfect-better-improving-security-one...

Better than all of these though is to use a password manager. That way you don't have to worry about remembering any of these passwords, and you can make them as long and random as you like.