We don't like to think about it, but it can happen. Whether by hacking or by theft, someone can gain access to your computer and everything on it. When the unthinkable happens, here's how to pick up the pieces.
Last week, I inadvertently posted a screenshot online that gave someone remote access to my entire computer — one of the worst things that can happen with your personal machine. Thankfully, they didn't appear to do much — besides post silly pictures of Jack Nicholson on Lifehacker — but it could have very easily been disastrous, and it got me thinking about what would have happened if someone with more nefarious intentions were able to get in. So, I talked with Zachary Blake, a cybersecurity analyst for a company that works for the Department of Defense, about how to recover from this kind of disaster — along with a few lessons I learned from my own experience.
Figure Out the Point of Entry and Clean Up the Mess
Stopping the intrusion in progress is your number one priority. You can't clean the house until you've got the entire party out and locked the door. For me, this part was easy: someone had accessed my computer with TeamViewer. If you're not familiar with the application, TeamViewer gives someone complete remote access to a machine. A talented hacker could have logged into my machine, downloaded an executable, run it, covered their tracks by deleting the installer and logged off, leaving a backdoor on my machine to use later. I needed to do more than just turn off the application. I couldn't trust my computer at all.
For less obvious intrusions you'll need to do a little detective work to find the gateway. First things first: disconnect the machine from the internet while you work on it. You don't want it infecting other systems on your network, and you want to ensure you're the only one on your machine now. Then open Task Manager (Windows) or Activity Monitor (Mac) and look for suspicious activity. Attackers try to be as discreet as possible, so Blake emphasises the importance of knowing your machine: be familiar with the processes that run when you're using certain applications, and know what CPU and memory usage look like when you're doing normal work. When you see CPU or memory usage spike, you then have a better chance of identifying that something is wrong.
Additionally, look at your network traffic. Programs like Wireshark can capture all of the network traffic coming to and from your machine so you can look for abnormalities. Blake suggests monitoring your system right after booting up. There shouldn't be much activity, but if there is, you should know which applications are causing it. Email, chat, or other internet-connected apps that run on startup may appear, but be on the lookout for programs you're not familiar with, too. Every connection should map to a program you expect to be talking to the network; if one doesn't, something could be wrong. If you can't get your machine to boot up, we've got you covered.
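"Knowing your machine" is easier with a written-down baseline you can diff against. The script below is an added example, not part of the original article or Blake's advice: it parses output in the format of Windows `netstat -ano` (which lists the owning PID of every socket; `tasklist` maps PIDs to image names, and on a Mac `lsof -i -nP` shows the command name directly), drops the half-closed and loopback-only noise, and flags any process listening or connected that is not on your confirmed-good list. The netstat lines, the PID-to-name map and the baseline set are all constructed for illustration; the foreign addresses use documentation IP ranges.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Data lines of Windows `netstat -ano`: proto, local address, foreign address,
# state (absent for UDP), owning PID. Header and blank lines simply fail to match.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Constructed sample output (not a real capture); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4120
  TCP    192.168.1.20:51402     198.51.100.7:443       ESTABLISHED     4120
  TCP    192.168.1.20:51490     203.0.113.5:4444       ESTABLISHED     6644
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING       3012
  TCP    192.168.1.20:51211     198.51.100.9:443       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    4120
"""

# Assumed PID -> image name map, as you would get from `tasklist` on the same machine.
PID_NAMES = {920: "svchost.exe", 4120: "chrome.exe", 6644: "updater.exe",
             3012: "TeamViewer_Service.exe"}

# Assumed baseline: processes you have previously confirmed should use the network.
BASELINE = {"svchost.exe", "chrome.exe", "outlook.exe"}


def parse_netstat(text):
    """Turn `netstat -ano` output into Conn records."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def _is_loopback(addr):
    host = addr.rsplit(":", 1)[0]
    return host.startswith("127.") or host in ("[::1]", "::1")


def unexpected_connections(conns, pid_names, baseline):
    """Return (process name, Conn) pairs that the baseline does not explain.

    TCP leftovers such as TIME_WAIT/CLOSE_WAIT and loopback-to-loopback sessions
    are skipped so the list stays short enough to actually read. A PID that is
    not in the name map is reported as unknown rather than silently trusted.
    """
    live = {"LISTENING", "ESTABLISHED", "SYN_SENT"}
    flagged = []
    for c in conns:
        if c.proto == "TCP" and c.state not in live:
            continue
        if c.state == "ESTABLISHED" and _is_loopback(c.remote):
            continue
        name = pid_names.get(c.pid, f"<unknown pid {c.pid}>")
        if name not in baseline:
            flagged.append((name, c))
    return flagged


def report(text=SAMPLE_NETSTAT, pid_names=PID_NAMES, baseline=BASELINE):
    return unexpected_connections(parse_netstat(text), pid_names, baseline)


if __name__ == "__main__":
    for name, c in report():
        print(f"{name:24s} {c.proto} {c.local:22s} -> {c.remote:22s} {c.state}")
```

On the constructed sample this reports two things to investigate: an unknown `updater.exe` talking to an outside host on port 4444, and a TeamViewer service listening on 0.0.0.0:5938, exactly the kind of "I never installed that" entry the baseline is meant to surface. Build the baseline on a machine you trust, right after a clean boot, and keep it somewhere other than the machine itself.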
Once you've cut off access to the intruders, you need to see what kind of damage they did. If they had complete access — like they did with mine — the sky's the limit, so there's a lot of ground to cover. Here are the steps you should take:
- Make sure your antivirus and anti-malware are up to date, and disconnect from the internet if you haven't already. (Since the compromised machine should stay offline, fetch any definition updates on another computer and carry them over on a USB stick, or boot from an offline rescue scanner.) Enable your virus protection software if it's disabled, and run a full system scan. You should have separate antivirus and anti-malware applications on your machine, and you should run full system scans with both. Sometimes one can catch something that the other won't, and you want to be as thorough as possible.
- Remove whatever bad stuff your scans find, but keep this in mind: just because you found one piece, it doesn't mean you found the whole puzzle. A malware scanner like Malwarebytes can find the executables and scripts, but there could be a browser plugin or extension that will keep downloading it. Everything is a suspect. Take a close look at all of the little things you've downloaded and installed, and remove anything that looks suspicious.
- Change your passwords after an incident like this. Before you change them, though, make sure you've removed all malware from your machine. No point in changing your password when a keylogger is watching your every keystroke. Change the passwords for your email accounts, your bank account, and your social accounts first, then follow up with anything you've ever accessed with the compromised machine. Again, you want to be as thorough as possible. If you're not 100 per cent confident that the compromised machine is clean, it may be wise to do this from a different machine and log back in once you're sure the compromised system is safe.
- With your passwords changed, log out of every instance of your accounts. Sign out of every email session, social media session, and whatever else you were logged into. Doing this, along with the password change, will boot anybody who accessed your accounts from elsewhere and force them to use your new password, which they won't have. Make Tech Easier has a handy guide to logging out of Gmail, Facebook and Dropbox remotely. It might be a good time for you to sign up for two-factor authentication too, if you haven't already. You should also clear your browser's cookies, cache and history, since a stolen session cookie can let someone back in without a password.
- With the entry point gone, the malware removed, and your passwords changed, you can breathe a little easier. You should still keep a watchful eye on everything, though, because you might not be out of the woods just yet. Go through your email and look for suspicious activity: strange emails sent or received, recovery addresses or forwarding rules added to your account, and other changes you know you didn't make. Check and double check everything on your machine for a while to make sure the threat really is neutralised.
- In the event you can't figure out what's downloading the malware or allowing the unwanted access, you still have a last resort: going nuclear. One sure way to take care of any nasty activity is to wipe your hard drive and reinstall your operating system. Completely blowing it all away is the only sure method to get your machine back to being 100 per cent safe. This does mean, however, that everything on the drive will be lost. Blake suggests backing up your system regularly for when these types of things occur. There's no excuse for not backing up your computer. Just make sure you restore from a backup taken before the intrusion.
If you're not backed up and you absolutely need some documents off of your machine, you can scan individual documents or folders with your antivirus and anti-malware applications. Most malware does not attach itself to personal document folders, but Blake cautions that reintroducing any file from the old system could possibly reintroduce the malware.
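If you do have to salvage documents from the old system, scanning them is the first check; a second, cheap check is to refuse anything that is not what its name claims to be. The script below is an added example, not the article's or Blake's: it flags files whose content does not match their extension (a Windows executable renamed to `.jpg`, say), anything with an executable signature regardless of name, and Office documents that carry a VBA macro project (OOXML files are zip archives, and macros live in a `vbaProject.bin` entry). The allow-list of extensions and the sample files are constructed for illustration, and the signatures checked are a deliberately small subset of what a real scanner knows.

```python
import io
import zipfile
from pathlib import Path

# Magic bytes for the file types we are willing to restore, by extension.
# None means "no signature to check" (plain text). Assumed allow-list.
MAGIC = {
    ".pdf":  [b"%PDF"],
    ".docx": [b"PK\x03\x04"],   # OOXML documents are zip archives
    ".xlsx": [b"PK\x03\x04"],
    ".pptx": [b"PK\x03\x04"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".txt":  None,
}
# Windows PE, ELF and script shebang signatures: never restore these as "documents".
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF", b"#!"]
OFFICE_EXTS = (".docx", ".xlsx", ".pptx")


def triage_bytes(name, data):
    """Return the reasons this file should not be restored as-is (empty list = no finding)."""
    findings = []
    ext = Path(name).suffix.lower()
    if any(data.startswith(m) for m in EXECUTABLE_MAGIC):
        findings.append("content is an executable (PE/ELF/script), whatever the extension says")
    if ext not in MAGIC:
        findings.append(f"extension {ext or '(none)'} is not on the allow-list")
    elif MAGIC[ext] is not None and not any(data.startswith(m) for m in MAGIC[ext]):
        findings.append(f"content does not match a {ext} file")
    if ext in OFFICE_EXTS and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("OOXML container is corrupt or fake")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("Office document contains VBA macros")
    return findings


def triage_directory(root):
    """Triage every file under root; returns {relative path: findings}."""
    root = Path(root)
    return {str(p.relative_to(root)): triage_bytes(p.name, p.read_bytes())
            for p in root.rglob("*") if p.is_file()}


def _make_docx(with_macro):
    """Build a minimal constructed OOXML container in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


# Constructed sample "restore set": one clean document, one macro document,
# one real-looking PDF, one executable disguised as a photo, one text file.
SAMPLE_FILES = {
    "report.docx": _make_docx(with_macro=False),
    "invoice.docx": _make_docx(with_macro=True),
    "scan.pdf": b"%PDF-1.4\n%constructed\n",
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"meeting notes, nothing special\n",
}


def triage_samples():
    return {name: triage_bytes(name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Point `triage_directory()` at the folder you copied off the old drive and only move across what comes back clean; anything flagged still needs a proper scan or a decision to let it go. A passing result here is not proof of safety, only the removal of the obvious cases before the antivirus gets its turn.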
Prevention Is Your Best Defence
It should come as no surprise that preventing access to your system is the best way to keep it safe. So let's start there: here are some of the best things you can do to build up your castle wall:
- Make sure you have your firewall configured properly. Blake points out that this is the easiest way to make yourself vulnerable. A misconfigured firewall leaves dangerous ports open and can make your computer visible to anyone on the internet. Once it's running, check that it's doing its job. The How-To Geek recommends port scanning your router at ShieldsUP!, a website that probes your public address from the outside and reports any ports that answer. If there are open or exploitable ports, the site will notify you; otherwise you're clear on that front.
- Email is a powerful tool for the bad guys. Phishing scams can allow attackers to get information on you, or at least get their foot in the door. Blake suggests taking extreme caution with attachments, and being wary of all types of documents. Some malicious documents appear to do nothing when you open them, or the window simply closes again, but by then the attacker has got you to install a backdoor on your machine. Email addresses can be spoofed, so just because an email appears to come from your friend or co-worker doesn't make it safe. For some more tips, check out our guide on detecting phishing scams.
- Make sure you have a good antivirus application. On-demand scanners are helpful, but make sure you also have real-time protection that proactively scans your system and is always alert. Blake also suggests you have both an antivirus and an anti-malware application on your machine. Sometimes one application can catch something that the other won't. If you need a good antivirus app for Windows, we recommend Avast! Free Antivirus.
- Make sure you know your security holes. There are some weak points that almost everyone is vulnerable to, so get familiar with them. Having Universal Plug and Play (UPnP) enabled on your router can leave it vulnerable to certain types of attack, and be sure to turn off Wi-Fi Protected Setup (WPS) on your router as well. Using weak passwords and browsing insecure websites also make gaining access to your machine easy. Keep everything up to date: browsers, antivirus applications and your OS. If you're not sure you have the basics covered well enough, check out our online security checklist.
- Be wary of public Wi-Fi. Once you connect to a network that has other people on it, there's no guarantee of safety. The chances of an attack are low, but it only takes once for someone snooping to get something useful. If you must use a public Wi-Fi service, Blake recommends using a VPN to ensure that no one can snoop on your traffic. We've covered the many reasons to start using a VPN. Remember, just because a Wi-Fi network has a password doesn't mean it's secure: if there are other people on it, you still need to protect yourself. We've talked about the safety of public Wi-Fi networks before.
- You also want to protect your machine from unwanted physical access. You might think you can leave your laptop open for a few minutes while you run to the bathroom, but it only takes a few seconds to drop a malware payload and even less to grab your machine and run. Always keep your computer physically secure and in your sight line. Lock your OS with a strong password if you must leave your machine unattended, and only do so in an environment where someone can't steal your computer. Back up your machine regularly so you don't lose all of your data if it is stolen. Encrypt your hard drive if you're able; without encryption, a thief can read the disk without ever knowing your login password. You should also enable a remote wipe option for your computer. If someone manages to make off with your machine, they won't be able to do anything with your information and data.
- Remember, the user is always the weakest link in the security chain (especially in my case). I can have the best security applications in the world on my machine, but if I let someone in with a simple information-filled screenshot, it doesn't matter. Always be careful of what you share online and always be on the lookout for social engineering attacks. You can be a target just as much as the next person, and social engineering is most likely how they will try to get to you. Don't share information with someone unless you are 100 per cent positive you know who it is.
These precautions aren't foolproof, of course, but they can help lower the chances of unwanted access.
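The firewall check in the list above relies on a third-party site doing the probing. As an added example (not from the article or from ShieldsUP!), here is the same test done by hand: a TCP connect probe that reports each port as open, closed (the host answered with a reset) or filtered (no answer at all, which is the "stealth" result you want from a firewall). Run it from outside your network, for instance from a phone on mobile data against your home's public address, because probing your own machine from inside tells you nothing about the router. The port list and the loopback self-check are assumptions for illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host.

    open     - the handshake completed: something is listening and reachable
    closed   - the host answered with a reset: reachable, nothing listening
    filtered - no answer before the timeout (or no route): a firewall dropped
               the probe, which is what a firewall test should show for every port
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    finally:
        s.close()


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Probe many ports concurrently; returns {port: verdict}."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        verdicts = list(ex.map(lambda p: probe_port(host, p, timeout), ports))
    return dict(zip(ports, verdicts))


# Assumed list of services that should never answer from the internet side of
# a home router: FTP, SSH, telnet, HTTP(S) admin pages, RPC/SMB file sharing,
# RDP, VNC and TeamViewer's 5938.
COMMON_PORTS = [21, 22, 23, 80, 135, 139, 443, 445, 3389, 5900, 5938]


def demo_loopback():
    """Self-check of the probe logic: open a throwaway listener on loopback,
    probe it (expect 'open'), close it, probe again (expect 'closed')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    srv.close()
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in sorted(scan_ports(target, COMMON_PORTS).items()):
        print(f"{port:5d}  {verdict}")
```

Anything that comes back "open" on your public address is a service the whole internet can reach, and "closed" still tells an attacker there is a live host there; a correctly configured firewall returns "filtered" for every port you did not deliberately forward.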
It can feel violating when someone accesses something you've deemed private. You might feel a little helpless, but it's important to bounce back and take control of your security. Make sure you have all the proper barriers in place, be prepared to clean up the mess when someone gets in, and — for heaven's sake — don't post screenshots online that could give ne'er-do-wells direct access to your machine.