Hello and welcome back to Looking Out! We’re starting on the next topic, our second most popular theme: “How can I tell that someone is in my system?” Just as you would want to know if someone had been in your home without your knowledge, you want to know if someone has been in your computer. After all, we keep some pretty personal data on there, from family photos to bank passwords and other private corners of our lives we don’t want others to see. To catch people who try to break into our homes, we use security systems like cameras, alarms, and flood lights to deter would-be criminals. There are similar systems for computers (log-in notifications, acceptable hours, biometric log-in, etc.), but for those who don’t have that security already in place, how do we know someone has gotten in or has tried?
We’ll start with some quick tips today before diving in a little deeper this month. These are quick checks you can run on your computer to set your mind at ease. First, I’d like to get some of the benign signs out of the way. These symptoms aren’t evidence of someone hacking in, but they are annoying nonetheless. For example, a slow PC doesn’t mean you have a virus. The more reasonable explanation could be aging hardware, a program that needs an update, or just the computer having a bad day (it happens!). Files going missing are the same story: not necessarily direct evidence of a hack; it could be that they were highlighted when the delete button was pressed accidentally and no “are you sure you want to delete this?” prompt ever appeared. However, if your master password Excel sheet goes missing (and please, for the love of all that is good in this world, do not keep all your passwords in an Excel sheet labeled ‘Passwords’), that would be cause for alarm beyond losing the keys to your online portals.
Now on to the real signs that someone is in or trying to get in. First up is a password change notification that you didn’t ask for. That’s a dead giveaway that somebody, somewhere has gotten into your email and reset an account’s password. If that’s the case, act immediately: change the password on the compromised email account and on any other accounts tied to it. This can get bad quickly, because someone now has the ability to impersonate you using the account whose password just changed. However, seeing one of those emails is no reason for immediate panic. Check to make sure it’s legitimate. Some phishing scams work by sending fake password change notification emails, directing you to a fake website to “reset” your password, and then capturing your real one there.
The second sign is a user account on your computer that you don’t recognize. Through one means or another, an attacker can create a user on your computer and, through that user, deploy any software they want. On Windows machines, go to Control Panel, then User Accounts. From there, look at which accounts are on the machine. If there are any you don’t recognize, remove them. However, if you have an IT department, ask them about the accounts first. Some backup systems use local accounts to do their job, so you don’t want to disable your backups accidentally.
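The same account review can be done from PowerShell, which also lets you see when each account last logged on and who sits in the local Administrators group. The script below is an added example, not part of the Looking Out post; it assumes Windows 10/11 or Server 2016+ with the built-in LocalAccounts cmdlets, an elevated prompt, and a `$knownAccounts` list that you fill in with the names you expect to see. The last step goes one step beyond the post by reading account-creation events (ID 4720) from the Security log, which tells you when an account appeared and which account created it.

```powershell
# Added example (not from the Looking Out post): list local accounts so that
# an unfamiliar one stands out. Run in an elevated PowerShell on Windows 10/11
# or Server 2016+, where the LocalAccounts cmdlets ship with PowerShell.

# Every local account, with the fields that matter for a "do I recognize this?" review.
Get-LocalUser |
    Sort-Object LastLogon -Descending |
    Format-Table Name, Enabled, LastLogon, PasswordLastSet, Description -AutoSize

# Local administrators deserve a second look: an attacker-created account is
# most useful to them when it has rights, and this group is where those rights live.
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# $knownAccounts is an assumed list: the built-in names plus whatever you and
# your IT department created on purpose (backup agents included).
$knownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
Get-LocalUser |
    Where-Object { $_.Name -notin $knownAccounts } |
    ForEach-Object {
        "Review: {0} (enabled: {1}, last logon: {2})" -f $_.Name, $_.Enabled, $_.LastLogon
    }

# Going one step beyond the post: the Security log records account creation as
# event 4720, including who created it and when, if account-management auditing
# is enabled. The fields are read by name from the event XML.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } |
    Format-Table -AutoSize
```

If the 4720 query returns nothing, that means either no account has been created since the log rolled over or auditing for account management is off; it is not proof that no account was added, so the `Get-LocalUser` listing remains the authoritative check.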
Third, we can check for any strange programs that may be running. Start Task Manager, open the Processes tab, and take a look at the apps that are running and the background processes. Don’t go by name alone; a number of background processes have wonderfully generic names like servicehost or agentcore. What you are looking for is a strangely named process coupled with far too much memory, CPU, or disk use. If you’re uncomfortable ending the process, ask your IT provider to help you take a closer look at it.
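Because names are unreliable, it helps to look at the evidence Task Manager hides: where the executable lives, whether it is signed and by whom, and which process started it. The script below is an added example, not code from the post; it assumes an elevated Windows PowerShell session (without elevation, the path of other users’ processes comes back empty) and uses a constructed 500 MB working-set threshold that you should tune for your machine.

```powershell
# Added example (not from the Looking Out post): review running processes by
# evidence (path, signature, parent, memory) rather than by name. Run elevated.

$systemRoot = $env:SystemRoot   # normally C:\Windows

# Win32_Process gives the executable path and parent PID; Get-Process gives memory.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    if (-not $p.ExecutablePath) { continue }   # protected/system processes expose no path
    $sig    = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
    $parent = $byPid[[int]$p.ParentProcessId]
    $perf   = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name         = $p.Name
        PID          = $p.ProcessId
        Parent       = if ($parent) { $parent.Name } else { '?' }
        Path         = $p.ExecutablePath
        Signature    = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        WorkingSetMB = if ($perf) { [math]::Round($perf.WorkingSet64 / 1MB) } else { 0 }
        # A Windows-sounding name running from outside the Windows folder is
        # exactly the "don't go by name" case the post warns about.
        OutsideWindows = ($p.Name -match '^(svchost|services|lsass|csrss|winlogon|explorer)\.exe$') -and
                         -not $p.ExecutablePath.StartsWith($systemRoot, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Surface the interesting rows first: unsigned, oddly located, or memory-hungry.
# 500 MB is a constructed threshold; adjust it for the machine you are reviewing.
$report |
    Where-Object { $_.Signature -ne 'Valid' -or $_.OutsideWindows -or $_.WorkingSetMB -gt 500 } |
    Sort-Object WorkingSetMB -Descending |
    Format-Table Name, PID, Parent, Signature, WorkingSetMB, Path -AutoSize
```

A row that is unsigned, lives under a user profile or temp folder, and was started by something other than the usual Windows parents is worth a closer look; a signed Microsoft binary in `System32` using a lot of memory usually is not, even if its name looks generic.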
Fourth, we have odd emails and a check of your email rules. When an email account is hacked and starts spewing out more infected messages, your contacts will usually respond with something along the lines of “Hey friend, I got your email but I can’t open the attachment, what is it?” or “Hey friend! Your email has been hacked!” Luckily, if we get those emails, we can change our password and hope to stop the bleeding. However, some more insidious attackers will set up an email rule within your account to hide any further messages related to the spam. Every email system can set up rules, so make sure there isn’t one in there hiding a specific kind of email from you. (On the flip side, email rules are awesome for organizing your email. Check them out when you can!)
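Rule lists can be long, so it helps to have the machine flag the rules that fit the “hide the replies” pattern: ones that delete, move, mark as read, or forward mail, especially when triggered by words like “hacked” or “attachment”. The script below is an added example, not part of the post, and shows one email system among the many the post refers to: it assumes a mailbox hosted in Exchange Online, the ExchangeOnlineManagement module, and a placeholder `$mailbox` address. It also checks mailbox-level forwarding, which is a second way mail can be diverted without a rule.

```powershell
# Added example (not from the Looking Out post): audit one Exchange Online
# mailbox for inbox rules that would hide or divert warning replies.
# Assumes: Install-Module ExchangeOnlineManagement; $mailbox is a placeholder.
$mailbox = 'user@example.com'
Connect-ExchangeOnline -ShowBanner:$false

# Words that would match the "your email has been hacked" replies from the post.
$hideWords   = 'hack', 'virus', 'attachment', 'did you send', 'spam', 'phish'
$hidePattern = ($hideWords | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-InboxRule -Mailbox $mailbox | ForEach-Object {
    $rule    = $_
    $reasons = @()
    if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
    if ($rule.MoveToFolder)  { $reasons += "moves to $($rule.MoveToFolder)" }
    if ($rule.MarkAsRead)    { $reasons += 'marks as read' }
    if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
        $reasons += 'forwards or redirects'
    }
    # Conditions that look for the warning words are the tell-tale trigger.
    $triggers = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords) |
        Where-Object { $_ }
    $hit = $triggers | Where-Object { $_ -match $hidePattern }
    if ($hit) { $reasons += "triggers on: $($hit -join ', ')" }

    [pscustomobject]@{
        Rule    = if ($rule.Name) { $rule.Name } else { '(unnamed)' }
        Enabled = $rule.Enabled
        Flags   = $reasons -join '; '
        Detail  = $rule.Description
    }
} | Where-Object Flags | Format-List

# Rules are not the only way to divert mail: mailbox-level forwarding does it too.
Get-Mailbox -Identity $mailbox |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Most legitimate rules will show up here too (moving newsletters to a folder is a normal thing to do), so read the `Detail` field rather than deleting everything flagged; the ones to act on are those you did not create, or that move mail you would want to see into folders you never open.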
Our last, and most advanced, tip is to check for any attempted Remote Desktop Protocol connections. Open Event Viewer and go to Windows Logs, then click on System. Don’t worry if you see entries that say Error or Warning; those are completely normal. What we are looking for is an error with the Source “TermDD”. Event Viewer has a lot of entries; when I opened mine up recently it had 35,335 events going back a few months. The easiest way to check is to click the Source column to sort alphabetically, then scroll around until you find the T’s. If you don’t see any TermDD events, that’s just fine; it means nobody was trying to remote in! But if you do see some TermDD events, click on them and the details should appear at the bottom of your screen. You can see what IP address someone tried to connect from and whether it was successful. If it’s too confusing to understand, don’t worry, ask your IT provider!
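Scrolling through tens of thousands of events is exactly what a filter is for. The script below is an added example, not code from the post; it assumes an elevated Windows PowerShell session (the Security log requires it) and a constructed 30-day window. It pulls the TermDD entries the post has you scroll to, then goes one step further than the post by pairing them with the Security log’s remote-interactive logon events (4624 for success, 4625 for failure, both with LogonType 10 meaning Remote Desktop), summarized by source IP.

```powershell
# Added example (not from the Looking Out post): list TermDD events from the
# System log, then summarize Remote Desktop logon attempts from the Security log.
# Run in an elevated PowerShell; the Security log is not readable otherwise.

# 1. TermDD entries, most recent first. Some TermDD messages include the
#    remote address in their text; pull it out when present.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'TermDD' } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = if ($_.Message -match 'Client IP:\s*([0-9a-fA-F:.]+)') { $Matches[1] } else { '' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            ClientIP = $ip
            Message  = ($_.Message -split "`n")[0]
        }
    } |
    Format-Table -AutoSize

# 2. Security log: 4624 = successful logon, 4625 = failed logon.
#    LogonType 10 (RemoteInteractive) is a Remote Desktop session.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-30)   # constructed window; widen it if needed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 4624) { 'SUCCESS' } else { 'failed' }
            User   = "$(Get-EventField $_ 'TargetDomainName')\$(Get-EventField $_ 'TargetUserName')"
            FromIP = Get-EventField $_ 'IpAddress'
        }
    } |
    Group-Object FromIP |
    Sort-Object Count -Descending |
    ForEach-Object {
        $ok = ($_.Group | Where-Object Result -eq 'SUCCESS').Count
        "{0,-40} attempts: {1,5}  successes: {2}" -f $_.Name, $_.Count, $ok
    }
```

One caveat when reading the second table: with Network Level Authentication turned on, a failed Remote Desktop attempt is often recorded as a 4625 with LogonType 3 (network) rather than 10, because the logon fails before a desktop session is created. An empty LogonType 10 list therefore does not by itself mean nobody tried; a successful 4624 with LogonType 10 from an address you do not recognize, on the other hand, is the line to take to your IT provider.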
It is scary to think someone’s been in your PC, either pretending to be you to take your identity or to steal information. But with a vigilant eye and the right protection, we can keep the bad guys out and your information safe. These quick tips are a start, but the best defense is more than seeing if someone has been there, it’s keeping them out in the first place. Next time we’ll talk about the different avenues an attacker can use to get into a system or start to see how data is getting passed back and forth. Till next time!