02/27/2019 at 11:43 • Filed to: None
Last night I posted about some hacking concerns on my home network, and I thank everybody for their replies. I have two more questions that I’m hoping the hive can answer for me.
I spent a fair bit of time on the phone this morning with a representative from Spectrum security. Laughably, the only way to find out that there has been nefarious activity on an account is when a customer calls them after Spectrum locks the account. They have no active way to alert customers. Anyway, he told me that if somebody got a hold of the public IP address that I get from Spectrum at the modem, they have access to my whole network and computers. Is this true?
He also told me that I should get a new public IP address for the modem, which makes sense. He told me that the only way to do this is to unplug the modem for 24 hours. I asked specifically if there is something that they could do on their end to renew it and he said no. The only way to do it is to unplug the modem for 24 hours. I asked him what to do if it doesn’t work (I noted the IP address before I shut off the router so I can compare) and he basically said don’t be so negative, it will work. Does anybody know if he is correct?
The more time I spend on this issue, the more I have come to believe that the hack only extends to email, and that my computers have not been compromised. Nevertheless, I’m going to take action to scan and protect the machines while trying to avoid nuking them from orbit, even though that’s the only way to be sure. Or so I’ve heard. I’m also going to work on ditching Spectrum email forever.
Thanks.
02/27/2019 at 11:46
what kind of crappy ISP can’t refresh your ip?
02/27/2019 at 11:48
Well, first, #1 is bullshit for the most part, knowing doesn’t expose you in some special way (every website you visit knows your IP address) but knowing is typically a requirement for any nefarious activity.
#2 is probably true because he can’t force the DHCP lease (your modem says to their system “give me an address, yo!” and the system says “This is yours unless you disappear for 24 hours!”) to expire (above his pay grade), and that is the simplest method of doing so. It will likely work.
02/27/2019 at 11:50
My question. Wouldn’t it be a shocker if it turned out they could and the guy Ttyymmnn talked to didn’t know what he was talking about?
02/27/2019 at 11:52
very likely. I worked in tech support for a few years and it was a little shocking to me how clueless many of my colleagues were. I was too at first but I figured stuff out quick, some people just didn’t and figured they could get the same pay doing a much lazier job. Smart buggers.
02/27/2019 at 11:52
That sounds a lot like “the only way for first level support to do it is to unplug the modem for an indeterminate amount of time, so we tell you 24 hours just to be sure. Second level, of course, could do it in five minutes, but I want to get credit for closing this case so I don’t want to pass it to them. And this particular issue isn’t on the script I’m supposed to follow, so this is how I’ll handle it.”
02/27/2019 at 11:54
the rep’s main goal was to get him off of the phone so that hopefully he would call back tomorrow and get somebody else.
02/27/2019 at 11:55
I work as an ethical hacker. With just your public IP I can scan and find out what kind of router you have and any services you’ve left available externally, but unless you have really old software, a really shitty router, or IoT devices, there isn’t anything to worry about. If you want me to take a look, contact me at msayani21@gmail.com
Another possibility is that you all used a service that was compromised and recently had the emails/passwords dumped. Password reuse is extremely common, so attackers can try those password combinations on many other accounts and services. Use something like LastPass to generate secure passwords per site. If you have questions, check out my blog at sciencemoez.com! I try to write about cybersecurity in a way that everyone can understand.
02/27/2019 at 11:55
sounds about right.
02/27/2019 at 12:01
Well, the modem is unplugged right now. Otherwise, I might consider your offer. OR YOU MIGHT BE TRYING TO STEAL ALL MY LOL CATZ1!!1
Thanks for the reply, and I will definitely hit your site. If you don’t mind a reply or two, I might have some more questions going forward. While this has been a huge PITA, it has also been a huge learning experience.
02/27/2019 at 12:02
Anyway, he told me that if somebody got a hold of the public IP address that I get from Spectrum at the modem, they have access to my whole network and computers. Is this true?
Not unless they are doing something very wrong. Your router should have a firewall which will protect you. As Chris Uthe notes, your IP is seen by every site visited, every game server connected to, etc. There used to be issues where routers didn’t properly implement firewalls for IPv6, but no modern hardware should have that problem. The only other way you’d be exposed is if your router was configured to place a machine in the DMZ (essentially treating it as being in front of the firewall), but again, that would not be a normal setting.
02/27/2019 at 12:02
Also, I did until very recently have a very old router, though I don’t know if it was necessarily shitty. I upgraded the router about a week ago. But this hack (or whatever) likely took place before the upgrade.
02/27/2019 at 12:05
Up until a week ago, I was using a very old router. This may have happened before I upgraded. But still, it certainly had SOME security built in.
02/27/2019 at 12:06
It should not take 24 hours. It might be that waiting 24 hours will work, but they should be able to do it faster than that. It might also happen faster than that on its own. I’d unplug your modem and router for like 10-20 minutes (if you haven’t already) and see if you get the same thing when they come back up. If that doesn’t work, I’d call them back and ask politely but firmly to have the call escalated if they tell you you need to just have no internet for 24 hours.
02/27/2019 at 12:07
A very old router is probably still safe from the first issue, as it likely wouldn’t support IPv6, or at least not have it enabled out of the box.
02/27/2019 at 12:29
On the other hand, I can always tether my laptop to my phone if I need to, and my boys won’t spend the afternoon staring at YouTube. So it’s actually kind of a win.
02/27/2019 at 12:34
Just throwing in some backup for the other professionals here. Your public IP isn’t secret, should gain a hacker access to very little (no personal data), and changing it won’t solve your problem if you’ve been hacked. A password leak or virus/malware scenario is a lot more likely to cause this kind of actual damage. Switch to gmail, use two-factor when possible, and check
http://www.haveibeenpwned.com/
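The "check haveibeenpwned" advice above has a password-checking counterpart worth seeing in code: the Pwned Passwords range API lets you test a password against the breach corpus without ever sending the password, or even its full hash, off your machine. Only the first five characters of the SHA-1 digest leave the client; the server returns every suffix sharing that prefix and the match is done locally. The block below is an added example, not code from the post or from the Have I Been Pwned project; the live endpoint URL is real, but the range response used here is constructed inline so the demo runs offline (the breach counts and the two unrelated suffixes are made up, only the suffix for "password" is derived from its actual SHA-1).

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint, not called by the demo


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix is sent; the 35-character suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the API's 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Live lookup against the real service (unused below so the example runs offline)."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in breaches; 0 means its suffix was not in the range."""
    prefix, suffix = split_for_range_query(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed offline stand-in for the API ------------------------------------
# Counts and the two unrelated suffixes are made up for this demo; the "password"
# suffix is computed from its real SHA-1 so that the local match actually fires.
_PW_PREFIX, _PW_SUFFIX = split_for_range_query(sha1_hex("password"))
_CONSTRUCTED_RESPONSES = {
    _PW_PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_PW_SUFFIX}:3730471",
        "01330C689E5D64F660D6947A93AD634EF8F:2",
    ]) + "\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    """Any prefix we have no constructed data for behaves like an empty range."""
    return _CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} times in the constructed range data")
```

Swapping `fetch_range_offline` for `fetch_range_online` turns this into a real check; the privacy property is unchanged because `breach_count` never passes anything but the 5-character prefix to whichever fetcher it is given.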
02/27/2019 at 12:56
This is all complete ass-covering bullshit from Spectrum and fuck them and their employee for spreading bullshit.
Hi. I’m RootWyrm. I know more about security than you. All of you. Combined.
See, security is a big part of what I actually do for a living . I am very, very good at what I do for a living. And let me tell you a fact that you can and should pass on to Spectrum.
That was 100% fear-mongering bullshit with absolutely no basis in fact unless they are criminally incompetent and not utilizing DOCSIS devIpFilters correctly. Furthermore, if they are going to make their allegations, it is their moral and legal obligation to expire the lease on the DHCP server immediately.
What is FAR more likely going on is that Spectrum’s email server is COMPLETELY insecure and someone got your email password. Once they have your email password, it is game over, and you can’t detect it. Spectrum on the other hand, can, because they in-house their mail system. They SHOULD have detected foreign IPs logging onto your email.
But like all MSOs, they are both incompetent and indifferent. They do not care in the least about security beyond theft of service and ways to profit off either refusing to implement it or where it cuts into their profit.
And believe me, I would fucking know. I worked for a larger MSO for a time. Which is why I refuse to work for them now. If you put me on Spectrum’s network with a standard CPE, I guarantee you I could map their headend and own the CMTS in a matter of minutes.
Change ALL your passwords and GTFO Spectrum’s email service. Literally anything would be better. And demand to know why Spectrum hasn’t implemented BASIC FUCKING SECURITY MEASURES to detect unusual activity on their mail servers.
02/27/2019 at 14:53
I have nothing useful to add, but hope you get it figured out quick!
I had someone try to wire $8,000 out of my checking account about 18 months ago - never did figure out exactly what happened, but getting new accounts, new online access, and stopping the use of 1 email address took care of it. Fun times.
02/27/2019 at 14:54
Check your router’s firewall settings and make sure UPnP is disabled. sometimes smart devices like Echos or smart tv’s will use that protocol to poke holes in your firewall and allow external services to access your network. Set a strict NAT policy, and if your router allows it, set your “untrusted devices” like smart devices, on their own VLAN to segment them from the rest of your personal devices.
02/27/2019 at 14:57
Yeah, but you can look at yourself in the mirror. I had a job once where I went from 8 am Monday until 5 PM Friday and did. Not. Do. One. Thing. Sat in my cubicle and surfed the Web until I got bored with it. The manager was about having a big group. I made an okay salary, too. Couldn’t live like that.
02/27/2019 at 14:59
Thanks. And, to top off this week of fun, I just got a text from one of my sons that his brother lost his phone at school today. Let the good times roll.
02/27/2019 at 15:00
That sounds like great advice, but all of that makes little to no sense to me. I understand firewalls, but how to do the other things will take some research.
02/27/2019 at 15:20
Even an old router still firewalls. You should be able to log into it at some level and see a list of devices on the network.
Do you have any “IoT” things? Like a camera, thermostat, Ring doorbell, smart oven, etc.? Those things phone home and have been noted as being hackable if they still have default passwords, etc.
Usually a home modem/ router can be browsed to by opening http://192.168.1.1 and the password is often on a sticker/label on the router itself.
02/27/2019 at 16:00
I have a Ring Doorbell, and that’s it. I don’t think it still has default passwords, but I can check.
02/27/2019 at 16:19
I called back and talked to a supervisor. He said that they could push out a new IP address, but that it would require a factory reset of both the modem and router. Not sure why. And then there was no guarantee that the IP address would be different. Whatever. I’m done thinking about it. My brain hurts. I’m just going to tether my laptop if necessary, and tell the boys to read a book. I’ll plug it back in tomorrow and see what happens.
02/27/2019 at 16:22
Never quite as smooth as we might wish...
02/27/2019 at 16:30
When I called this afternoon I asked a question that the agent needed to bounce off his supervisor. I heard him furiously typing typing typing and said, “Maybe it would be faster if I just spoke to your supervisor.”
He replied, “Well, you didn’t ask to speak to a supervisor.”
“Okay,” I said. “Can I speak to your supervisor?”
“Sure. Hold on a second.”
The supervisor was actually quite helpful.
SMH
02/28/2019 at 01:55
Get a new ISP.
A: If they don’t provide you with a residential gateway router with a firewall and Network Address Translation, they are GARBAGE.
If your LAN devices have private IPs, while your Modem’s WAN port has a public IP, then you have a residential gateway with NAT, and if the firewall is even halfway decent, and configured correctly, then your public IP address is like your license plate number. Available to the public, and not a security threat.
If your ISP gives you a router with the firewall turned off, or with so many open ports that it is ineffective at keeping intruders OUT of your LAN, then they are committing FRAUD, and you should again, get a new ISP.
Any router you get at Walmart is a basic residential-grade router, and if the default administrator password is changed, should provide adequate security for most people... and of course there are stronger options from there.
B: if they tell you you need a new public IP, and it takes 24 hours... they have their DHCP lease settings screwed up. Again, a properly secured network means that having your IP is like having your car’s license plate number. And getting a different one will make little difference, and it shouldn’t take a DAY to get a new IP lease.
Logging in to your Modem, and telling it to release and renew its DHCP lease should get a new IP, but may just get the same one... but if the lease half-life is 24 hours, they have their settings screwed up.
A public IP pool should have a lease period of hours, and a half-life of minutes, not days. Public IPv4 addresses are a finite commodity, and need to be re-allocated quickly as internet-facing equipment gets changed. IPv6 exists because the IPv4 address pool on the internet has long since been allocated, and why MOST internet connected devices are behind NAT, with many private classless IP addresses behind just one IANA-registered public IP address.
Hacking into your email account on an internet hosted email server is another matter, and can be done by intercepting or reading your email credentials from your computer or device, but ultimately is a security threat of unauthorized access to an email server. Spammers or others who try to hijack email accounts can get email addressed black listed or locked down by sending out thousands of automated messages or other behavior, but calling tech support should be enough for them to change your email login credentials, and discuss abuse investigations into hacking activity, and if severe enough, they should be able to allocate you a different email address, as well as new, clean credentials to use.
If you suspect people have infiltrated your information through your computer or other devices, running anti-virus and anti-malware scans is important. If they find results, clearing caches, and changing passwords to the computer itself and any online resources that that computer accesses becomes important.
Those scans should include searching for key loggers that track keystrokes for discovering passwords, and root-kits that continually re-install viruses or malware after they get scanned and cleaned, to re-infect the system. Reputable tech support providers will either do that directly, or have recommendations for solid cyber-security solutions beyond standard anti-virus scanners like Windows Defender, Avast, AVG, TrendMicro, and others... and anti-malware scanners like Malwarebytes.
Trend Micro Housecall and McAfee Stinger are free downloadable on-demand scanners that are a bit different than also-important installed background-scan anti-virus... and are geared toward search and destroy on a system that is suspected of being infected.
With the number of online logins anymore... a password manager, such as Keeper or LastPass becomes more and more important, to track your passwords, generate secure or even random passwords, change them, and encrypt them behind a master password locked vault. Some have features that will help change passwords for all the sites and items that are tracked, if you suspect infiltration and compromised security. Two-factor authentication also becomes another level of safeguard in terms of needing more than just a password to gain access to resources.
02/28/2019 at 10:45
Thank you for such a lengthy reply.
I can’t really get a new ISP since Spectrum is the best deal in town considering bandwidth and price. I will, however, ditch their email and move entirely over to gmail and their 2FA.
If your LAN devices have private IPs, while your Modem’s WAN port has a public IP, then you have a residential gateway with NAT, and if the firewall is even halfway decent, and configured correctly, then your public IP address is like your license plate number. Available to the public, and not a security threat.
Unfortunately, I understand very little of this. I recently upgraded the router, and it has whatever level of security it has out of the box. I changed nothing aside from the default password. It’s possible, however, that any snooping might have taken place when I was still on the older Linksys router.
If your ISP gives you a router with the firewall turned off....
I am using my own modem and router.
B: if they tell you you need a new public IP, and it takes 24 hours... they have their DHCP lease settings screwed up.
I had another chat with a Spectrum supervisor yesterday afternoon. He said that the only other way to get a new IP was to do a factory reset of the modem and router. He also said that doing that would not guarantee a new IP. I still don’t understand enough about all of it to know why the resets are necessary.
At the end of the day, I figured I could just tether my phone to my laptop if necessary, and the kids would deal with life without YouTube for a day. I probably didn’t really need a new IP, but it wouldn’t hurt. And it was actually kind of nice having it all turned off, and I may do more internet blackout days on my own.
At the end of the day, and the more I think about it, I’m not entirely convinced that anybody got into my network. I think it was more a case of stolen email credentials from the boys’ game servers, and game passwords that matched their email passwords. Needless to say, all that has been changed. The games now have gmail addresses associated with them that I monitor, set up with 2FA. The old ISP email addresses have been shut down and deleted.
I ran MSE and Malwarebytes on the three kid PCs, and no malware was detected save one adware thing. What I didn’t recognize I quarantined or deleted. I also scanned my iMac and found nothing at all.
Going forward, is there some way to create a line through the router that goes to the boys’ PCs for gaming that is somehow separate or walled off from the rest of the house? I know nothing about ports and all that, but if anything, this has been an exercise in education for me.
Thanks again.
02/28/2019 at 23:04
A consumer-grade router should be OK on default settings, aside from a customized admin password. Logging in and looking at its settings can be educational.
I don’t know your ISP’s DHCP settings or environment, but I am a Network Operations technician for an ISP... and there is very little reason that a factory reset to your router or your modem would be required, or actually be effective at getting a different public IP address.
A modem translates between two different network types, like DOCSIS over coax, or ADSL over copper pairs, or ISDN... to TCP/IP ethernet that your router understands. It is a digital language translator.
Your router bridges between two TCP/IP networks, from the public IP address on a Wide Area Network to a private pool of addresses on a Local Area Network, behind a security firewall.
The modem should be passing data packets through between the ISP’s network transport routers and your residential gateway router, including the DHCP that assigns your residential gateway router that public IP address. There aren’t likely two public IP addresses, as public IPs are too scarce to require doubles per subscriber.
If your modem has a public IP, and your router gets a single private IP from the modem, and then re-translates to a pool of LAN IPs for your devices, that is called Double NAT, and while it works, it is usually just a waste of milliseconds to translate a second time.
The only thing that any IP needs is a MAC hardware interface address to associate with, that uniquely identifies that network port from every other network port. (16 hexadecimal digits).
DHCP is a handshake between devices. A device like your Gateway Router gets a lease from a DHCP server, and a lease lasts for a designated period of time. At half that time, a check is performed to make sure both parties are still available, and the lease is renewed. If the check is not verified due to the device not being online, the DHCP server waits for the device to come back online, and resumes the same lease for a new lease term.
If the lease expires, the IP address is put back in the available pool, and re-assigned to a different MAC address device in sequence, and if the original MAC address comes back online, it begins the negotiation from scratch, and gets a new lease with whatever IP address is next in the pool to be assigned, very likely a different one than it had.
Your Gateway Router gets an IP address from your ISP... but it turns around and acts as a private DHCP server to your connected devices. NAT is how it joins that ISP network to your local private network.
If your ISP doesn’t use DHCP, if it uses longer term reservations to keep IPs and MAC addresses associated together, or if it actually uses strictly assigned IPs and routes, then it becomes a different matter, but it still has to somehow associate a virtual-domain IP address with a physical-domain MAC address.
Network ports are a virtual concept a step more specific than IP addressing, identified by numbers (0 through 65,535) that operate like a socket connection between two data devices. A firewall either blocks that socket from connecting, or allows it... and in most cases, allows outgoing socket connections that your devices initiate, but blocks incoming socket connections that are uninvited. A socket connection allows 2-way communication, but is classified by which end device initiated the socket connection.
Port Forwarding, such as what game systems, remote access cameras, and other devices use, allow known incoming connections on specific ports through the firewall. Some more recent systems will auto-negotiate this arrangement between the device wanting incoming connections, with the router to configure the port forwarding rules, this is called UPnP, or Universal Plug-n-Play.
Port forwards basically associate incoming socket connections on specific ports to a specific LAN IP address and port number. Sometimes the port number on the outside of the firewall and the device inside the network are the same, but they aren’t necessarily required to be. Incoming connections to the firewall can also be restricted to come from a specific internet IP address or range, or unrestricted to come from any device.
Of course this depends on the device inside your LAN, receiving the forwarded port connection, being secure on the specified ports, such as having login credentials, or an encryption key to access the service being provided by that device on that port, and that service only performing a specific task, not allowing unrestricted access to the device’s software. Most modern tech is fairly secure, but that isn’t a given, so port forwarding is only recommended when you are familiar with what device is receiving, and what services are being allowed through the firewall.
DMZ is an option, but I don’t think you’ll want to employ that, it is basically equivalent to port forwarding every and all ports to the DMZ-specified LAN device, unless a specific port is forwarded to some other LAN device. It is like putting one of your LAN devices OUTSIDE the firewall, even though it has a private IP address.
What you may want, in terms of sequestering the game systems, is a guest network on an isolated subnet. Some routers do this, others don’t have that feature... but a new one is fairly likely to.
Basically this option sets up a secondary WiFi network, or a separate from your main one, and then uses a different private DHCP pool than your home’s LAN, and isolates those guest IP addresses to only access the internet. They can’t see the other devices on your network, like your computers, home automation devices, cameras, or mobile devices that are on your primary LAN.
Wired ethernet LAN ports on your router, or any down-stream ethernet switches, are usually assumed to be on the main LAN, not on the guest network, but there may be ways of configuring the router’s LAN ethernet port, or the specific device connected via ethernet, to use the guest subnet, instead of the primary subnet. Devices on the guest subnet are intended to be isolated from your trusted main LAN subnet, where your computers, printers, cameras, etc... are, and are available to communicate with each other freely.
The guest subnet should still be firewall protected by your gateway router, but if ports are forwarded to a guest-network device, and outside influences get through the firewall to a device on the guest network that isn’t fully secure, they would not be able to “see” the rest of your LAN devices.
Obviously, the guest network is also intended to serve when you have visitors, so that you can allow them to connect their data devices to the internet via your ISP connection through the guest WiFi credentials, but sequestered away from your LAN devices. That is also usually the case with businesses that offer guest WiFi access, obviously sequestered from their corporate business LAN... although sometimes the guest network and the corporate LAN don’t even occupy the same network appliances, to effectively “air-gap” the two networks from each other physically, not just virtually.
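The firewall, port-forward, DMZ and guest-network behaviour the post above describes in prose fits in one small policy model. The block below is an added example written for this thread, not code from the poster or from any router vendor: it simulates a residential gateway that allows outbound sockets and remembers them so replies get back in, forwards specific WAN ports to a LAN host (optionally restricted to a source range), sends everything else to a DMZ host if one is configured, drops uninvited traffic otherwise, and refuses LAN-to-LAN traffic that crosses the guest subnet boundary. All addresses are constructed TEST-NET values; the class and method names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Forward:
    """A port-forward rule: this WAN port goes to lan_ip:lan_port, optionally only from allowed_src."""
    lan_ip: str
    lan_port: int
    allowed_src: Optional[str] = None   # CIDR such as "192.0.2.0/24"; None = any source


@dataclass
class HomeRouter:
    wan_ip: str
    guest_net: Optional[str] = None     # e.g. "192.168.2.0/24"; None = no guest network
    forwards: Dict[int, Forward] = field(default_factory=dict)   # keyed by WAN port
    dmz_host: Optional[str] = None
    # Stateful-firewall table: NAT port -> (remote_ip, remote_port, lan_ip, lan_port)
    _nat: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    _next_nat_port: int = 40000

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str, remote_port: int) -> int:
        """A LAN device initiates a socket: always allowed, and remembered so the answer is let back in."""
        nat_port = self._next_nat_port
        self._next_nat_port += 1
        self._nat[nat_port] = (remote_ip, remote_port, lan_ip, lan_port)
        return nat_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Tuple[str, Optional[str], Optional[int]]:
        """A packet arriving on the WAN side. Returns (verdict, lan_ip, lan_port)."""
        state = self._nat.get(dst_port)
        if state and state[0] == src_ip and state[1] == src_port:
            return "reply", state[2], state[3]              # invited: reply to our own connection
        rule = self.forwards.get(dst_port)
        if rule is not None:
            if rule.allowed_src is None or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.allowed_src):
                return "forwarded", rule.lan_ip, rule.lan_port
            return "dropped", None, None                    # rule exists but source not permitted
        if self.dmz_host is not None:
            return "dmz", self.dmz_host, dst_port           # every unmatched port lands on the DMZ host
        return "dropped", None, None                        # uninvited and no rule: default deny

    def lan_to_lan(self, src_ip: str, dst_ip: str) -> str:
        """Guest isolation: traffic may not cross between the guest subnet and the trusted LAN."""
        if self.guest_net is not None:
            guest = ipaddress.ip_network(self.guest_net)
            if (ipaddress.ip_address(src_ip) in guest) != (ipaddress.ip_address(dst_ip) in guest):
                return "isolated"
        return "allowed"


def build_example_router() -> HomeRouter:
    """Constructed setup: a game server on the LAN reachable on one forwarded port, plus a guest subnet."""
    return HomeRouter(
        wan_ip="203.0.113.7",
        guest_net="192.168.2.0/24",
        forwards={25565: Forward("192.168.1.20", 25565)},
    )


if __name__ == "__main__":
    r = build_example_router()
    nat_port = r.outbound("192.168.1.10", 51000, "198.51.100.5", 443)
    print("reply to our HTTPS request:", r.inbound("198.51.100.5", 443, nat_port))
    print("stranger hitting the same NAT port:", r.inbound("198.51.100.9", 443, nat_port))
    print("game client on forwarded port:", r.inbound("192.0.2.1", 5555, 25565))
    print("uninvited SSH attempt:", r.inbound("192.0.2.1", 5555, 22))
    print("guest -> trusted LAN:", r.lan_to_lan("192.168.2.15", "192.168.1.10"))
    dmz = HomeRouter(wan_ip="203.0.113.7", dmz_host="192.168.1.50")
    print("same SSH attempt with a DMZ host set:", dmz.inbound("192.0.2.1", 5555, 22))
```

Running it makes the post's two warnings concrete: a DMZ host turns "dropped" into "dmz" for every port at once, and a forward is only as safe as the LAN service behind it, since the firewall's job ends the moment the packet is handed to `lan_ip:lan_port`.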
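The lease mechanics described in the post above (and in the earlier "A:/B:" reply about lease half-lives and release/renew) decide whether unplugging the modem actually changes the public IP. The block below is an added simulation written for this thread, not the poster's or any ISP's code: a toy DHCP server hands addresses out in sequence, renews at half the lease only for devices that are still reachable, returns an expired address to the back of the pool, and honours an explicit release. The MAC addresses, the three TEST-NET pool addresses and the "neighbour" subscriber are all constructed. One simplification to keep in mind: this server never honours a client's request for its previous address, whereas many real ones do, which is why the earlier reply says release/renew "may just get the same one".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOUR = 3600.0


@dataclass
class Lease:
    mac: str
    ip: str
    expires_at: float      # simulation-clock seconds
    online: bool = True


class DhcpPool:
    """Toy DHCP server: addresses go out in order and return to the back of the pool on expiry."""

    def __init__(self, addresses: List[str], lease_seconds: float):
        self.free = list(addresses)
        self.lease_seconds = lease_seconds
        self.leases: Dict[str, Lease] = {}     # MAC -> lease
        self.now = 0.0

    def tick(self, seconds: float) -> None:
        """Advance the clock and expire any lease that ran out."""
        self.now += seconds
        for mac, lease in list(self.leases.items()):
            if lease.expires_at <= self.now:
                del self.leases[mac]
                self.free.append(lease.ip)     # address goes back to the pool

    def request(self, mac: str) -> str:
        """DISCOVER/REQUEST from a device. An unexpired lease for this MAC is simply resumed."""
        lease = self.leases.get(mac)
        if lease is None:
            if not self.free:
                raise RuntimeError("pool exhausted")
            lease = Lease(mac, self.free.pop(0), self.now + self.lease_seconds)
            self.leases[mac] = lease
        lease.online = True
        return lease.ip

    def renew(self, mac: str) -> None:
        """T1 renewal at half the lease: extended only if the device is still reachable."""
        lease = self.leases.get(mac)
        if lease is not None and lease.online:
            lease.expires_at = self.now + self.lease_seconds

    def go_offline(self, mac: str) -> None:
        if mac in self.leases:
            self.leases[mac].online = False

    def release(self, mac: str) -> None:
        """Explicit DHCPRELEASE (the router's 'release' button): address returns to the pool at once."""
        lease = self.leases.pop(mac, None)
        if lease is not None:
            self.free.append(lease.ip)


MY_MAC = "aa:bb:cc:00:00:01"          # constructed: my modem/router
NEIGHBOUR_MAC = "aa:bb:cc:00:00:02"   # constructed: another subscriber on the same pool
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed TEST-NET addresses


def unplug_experiment(unplug_hours: float, lease_hours: float = 24.0) -> Tuple[str, str]:
    """Return (IP before unplugging, IP after plugging back in) for the given ISP lease length."""
    pool = DhcpPool(POOL, lease_hours * HOUR)
    before = pool.request(MY_MAC)
    pool.request(NEIGHBOUR_MAC)
    pool.go_offline(MY_MAC)
    # Advance in half-lease steps: the neighbour keeps renewing at T1, my unplugged router cannot.
    remaining = unplug_hours * HOUR
    while remaining > 0:
        step = min(lease_hours * HOUR / 2, remaining)
        pool.tick(step)
        pool.renew(NEIGHBOUR_MAC)
        remaining -= step
    after = pool.request(MY_MAC)
    return before, after


def release_renew_experiment(lease_hours: float = 24.0) -> Tuple[str, str]:
    """Release and renew with no waiting: this toy server hands out the next free address."""
    pool = DhcpPool(POOL, lease_hours * HOUR)
    before = pool.request(MY_MAC)
    pool.request(NEIGHBOUR_MAC)
    pool.release(MY_MAC)
    return before, pool.request(MY_MAC)


if __name__ == "__main__":
    print("20 minutes off, 24h lease:", unplug_experiment(20 / 60))
    print("25 hours off, 24h lease:  ", unplug_experiment(25))
    print("25 hours off, 48h lease:  ", unplug_experiment(25, lease_hours=48))
    print("release/renew:            ", release_renew_experiment())
```

The three `unplug_experiment` runs show why the 24-hour advice is really a statement about the ISP's lease setting and nothing else: with a 24-hour lease, 20 minutes off resumes the same address and 25 hours off yields a new one, while with a 48-hour lease even 25 hours off changes nothing.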
02/28/2019 at 23:21
Wow, this is an awful lot to chew on. I’ll need a little time to work through it. Thanks. I’ll be in touch.
03/01/2019 at 10:33
If you have a consumer grade router like Linksys or Netgear, they’ll have point and click options to turn those settings on and off. If you have any questions feel free to send me an email!