Domestic/Divorce "Hacking" - Specific things you check . . .

britechguy

Just got a call from a gentleman who is separating from his wife.

He has strong reason to suspect that she has been reading his e-mail (at least before she left) and is uncertain about other "stuff." I asked him specifically about email and he has been using webmail. I then asked if he used browser password management/memory and he confirmed that he had been. That always leads me directly to, "This wasn't a hack in any meaningful sense, someone who can walk up to your computer can just log in because you made it possible," even though I don't phrase it that way.

He has already changed his email password, and on a newly purchased tablet. I told him to cease and desist using any browser-based password management, as were she to return to the house it's a simple matter to extract what's saved there.

There is no indication that the wife is a "super IT/computer genius," just someone who can apply common snooping techniques when the need presented itself.

I'm just curious if those here have things they typically do on a home/office visit in a situation like this?

Things on my short list:
1. Advise client to change all passwords, and to use either my Portmanteau Method to come up with something long and that only he would know, or allow a password manager to generate them.

2. Use a stand-alone password manager to store his changed passwords.

3. Reset the modem router and reconfigure his home network. I may use the same SSID but the password would change. I'd also want to configure the whole thing from scratch.

Other ideas?
 
Well, I'd prefer not to, but this guy appears to want to have someone check that he hasn't done something (or forgotten to do something) obviously stupid.

I'll certainly not be making any guarantees. No matter what I do, he's going to have to monitor carefully.
 
Resetting passwords of accounts considered "sensitive" would be first

Stopping the habit of using browser based internet user profiles, and allowing browsers to store passwords would be second

On any machines that are his directly, I'd simply put a user account password. Reset all network equipment, and change any default credentials.
 
Resetting passwords of accounts considered "sensitive" would be first

And that will be the client's job. He'll be explicitly told to do that, but it's definitely not my job to actually do it.

I appreciate all of the input, even warning me away, but I've already committed, so this may turn out to be a "once burned, twice shy" thing afterward, but I'm not backing out of an appointment I've already made.
 
For the most part I avoid these kinds of calls. You have covered most of the issues. But you didn't mention Windows login passwords or MFA. The PC needs to be password protected so that you can't just sit down in front of it and access it. Key accounts like his email need MFA enabled so that you can't log in to the account without access to your phone for a code.

Of course no device is safe if you have physical access to it but any such attack will require hacking into the machine. A good login password will prevent casual access.
 
Years ago we did a few of these, even became a reseller for SpectorSoft, which made secret "big brother watching/spouse spying software". (now it's called Veriato)

So thinking about changing passwords for everything....that's the easy part. Have him make a list of everything..and, change the passwords. For whatever services he has that support MFA...add that too. BUT...be careful of what he locks her out of, some things may need to be shared. One of the things where you'd want him to consult his lawyer first.

Change the logon password for his computer. Chrome's password manager can only open up and reveal passwords if you authenticate it via the computer's password....or another approval method you choose (like Windows Hello...fingerprint for example).

PIN on his phone(s)

I'd turn him to a password manager such as BitWarden (free)....and disable all browsers' password manglement.

I also won't do these anymore, can turn into a huge...."yuge"...time sink that drags you down a rabbit hole you'll never see the daylight out of.
 
@nlinecomputers & @YeOldeStonecat

Thanks for your inputs. I have definitely added needing 2FA where supported.

I will NOT be changing his passwords on accounts, period. That is a service I do not provide. I can assist him through several while I'm there, but it is up to the account owner to handle this part, not me, ever. I also don't get into anything regarding the legalities of what a given client may or may not be allowed to lock. I don't know what those are, and it's not my area of expertise, which is another reason I don't do the password resetting myself.

I will be advising simply not to use any browser's built-in password manager. There are lots of free, well-known password managers and that's what I install and suggest using, exclusively. Good tip, though, about tweaking the browsers to never offer to save passwords going forward!

And as far as time sink, I bill by the hour. It takes however long it takes and the client wishes to pay me. Since I don't and won't do the actual password changing and 2FA setup, that's the client's job, I really can't see this being much different than many of my service calls.
 
No one is asking you to literally change their passwords, but even you understand that many users need handholding through the process. You can do that and turn your head as they input what they have selected, and get paid doing it.
 
@nlinecomputers

The impression I'm getting is that some expect me (or any tech) to hand hold throughout the process for all accounts. I can, and will, do this if necessary, but it seldom is.

I generally "get the ball rolling" and tell the client to finish for all the rest of their accounts ASAP. If they want me there, though, as a hand-holder for all of them then I will be there in that capacity. But even then, it's literally the client in the driver's seat at the computer, not me.

Most of my clients don't want to pay me for my mere presence for things they can do themselves once they know what it is they need to do.
 
Most of my clients don't want to pay me for my mere presence for things they can do themselves once they know what it is they need to do.

As are many of mine but I have just as many who are too gun shy to do it themselves simply fearing that they will somehow screw up and cause a nuclear holocaust or something. Or they need to be walked through each and every account or they will simply not do so. Half a personal trainer's job is just being a drill sergeant and yelling at you to get off your fat ass and do the work. It's much the same for our line of work.
 
For something like this I wouldn't rush to it but since the job is "I think someone is watching me" and not "How can I watch someone" I wouldn't have much issue with the job. I would do what I could to check for any installed tools to the device(s) that could be used and then guide them on what they need to change and avoid in the future to keep their security.
 
It's much the same for our line of work.

When it's necessary. I have already stated, clearly, that when it is I'll do it.

In a case like this, the end user is already *very* motivated to do what's necessary. If he wants me to be a hand-holder/walk-througher then I will be. If he doesn't, I won't.

I am also a big believer in, "Teach a man/woman to fish . . ." One of the reasons that so many are so afraid is that they've had someone "doing for" almost always. That's not good, and I don't want to leave my clients in that state. They can gain confidence with doing password changes after just a couple, in most cases. The process is similar enough across the web these days.
 
As a believer in full reporting (without any breach of confidentiality), this just in:

While out and about today I got a call from the new client saying that he wanted to make sure that, "if I find anything," it could be preserved such that it was admissible in court. Long story short, I called him back a short while later saying, in essence, "I don't do that, you need a forensic computer specialist if that's actually what you want and need. Talk to your lawyer, as they generally know the local practitioners of this specific area of computer expertise. I'm not one of them, and I don't do anything that involves testimony in court." I also told him my goal was improving his security going forward, but there is nothing I can do retroactively about what may have come before.

He has since called his lawyer and called me back and the appointment is still on, so I gather forensic analysis and evidence is not being sought.

He still has not given even the slightest hint that he has any desire to "spy on his wife" for lack of a better way of putting it. He really seems to be far more concerned about preventing her from spying on him, which I have no problem with. Setting up decent security practices is the same deal no matter what the reason for doing so.
 
Changing account passwords may not be enough to secure accounts that also have the typical "security question" route to account recovery. There's a very good chance that your client's soon-to-be-ex will know their mother's maiden name, where they went to school, the name of their first pet and all the other oh-so-secret things that are still used in many places to allow passwords to be reset.

This doesn't affect me personally as my mother's maiden name was Hrvo6tg#i2&. It's the main reason she got married.
 
But, since most things can be set up with 2FA, the password will not "be enough" on its own, and I'd have to believe that 2FA would be part of the password recovery/reset process for those accounts where it is in place.

Essentially, I am not worried about "the remotely possible." "The highly probable" is what I'm seeking to defend against.

By the way, I've had to supply *all* answers to those "secret questions" during recent password reset attempts (for clients). In the case of myself, personally, there are probably four people, myself included, who know the name of my first pet. My childhood nickname is known by very, very few people as well.

When it comes to creating portmanteau passwords, I emphasize that the "fixed parts" should not be things that are easily guessed by others, even those you know very well. Very few people tell their current significant other the name of "the first person I kissed" as but one instance. There really are a lot of things known only to an individual, or by so few that when a couple of them are combined the probability of anyone being able to guess these things, let alone how you arrange them in a portmanteau, is so close to zero as to be effectively zero. If I were to use the number of the address of my first apartment coupled with the street name of the 4th place I lived as part of a portmanteau it would require someone to be targeting me, knowing how to find those two things, and know what else I use. It's just not going to happen if one is even a tad bit careful. [I just thought if I had used the name of the first book I ever recall having been read to me that would be really, really next to impossible for anyone to know or guess.]
 
I'm not asking you to change your beliefs but I can't count* the number of accounts I've recovered for clients armed with just a handful of background information, basic social engineering skills and a bit of low cunning.


*I'm quite good at counting so this means that it's a big number not, like, four or something.
 