[deleted]

⁨24⁩ ⁨likes⁩

Submitted ⁨⁨8⁩ ⁨hours⁩ ago⁩ by ⁨ChidiAnagonye@infosec.pub⁩ to ⁨[deleted]⁩

[deleted]

source

Comments

Sort:hotnew top

neidu3@sh.itjust.works ⁨8⁩ ⁨hours⁩ ago
Skill: probably

Interest: Probably not

Source: Around the turn of the millennium, I enjoyed remote snooping on other people’s PCs for a short while. It was short because the contents of the PC of the average person turned out to be mindnumbingly boring.

source
CrazyLikeGollum@lemmy.world ⁨7⁩ ⁨hours⁩ ago
One rule of thumb for cybersecurity is that if an attacker has physical control over your device for any period of time you should treat that device as if it is already compromised, because that is how generally easy it is to compromise something you have physical access to.

However, do you actually have reason to suspect your roommate of being an attacker? Just because they have a degree, a job, and maybe some level of skill doesn’t mean they have the motivation, lack of integrity, and criminal intent to actually carry out such an attack.

If you’re concerned about something like that, there are things you can do to mitigate risk, like setting start up passwords, using disk encryption, powering off devices you’re not actively using, and physically securing unattended devices. However, basically nothing you can reasonably do will stop a determined attacker if they live with you and thus have or can easily gain physical access to your devices.

source
6nk06@sh.itjust.works ⁨6⁩ ⁨hours⁩ ago
Unlikely because computer science is not about cracking or security. It’s mostly maths and some programming.

source
Empricorn@feddit.nl ⁨6⁩ ⁨hours⁩ ago
You shouldn’t live with someone you don’t trust.

source
viking@infosec.pub ⁨8⁩ ⁨hours⁩ ago
You can buy a hardware keystroke recorder for a few bucks. Just plug it between keyboard and computer and it logs all inputs. Once they have the boot password (and maybe a bunch of others), installing malware and exfiltrating data is pretty straightforward. Doesn’t require a lick of IT knowledge either.

Bit more challenging on a laptop without external keyboard, but there are hardware solutions as well, though they’d require tinkering with your device.

Phones are harder to gain access to. Honestly if I wanted to get into your phone, I’d probably try to set up hidden cameras in spots where you are likely to enter your PIN (bed, toilet) somewhere under the ceiling and angled straight down. I’d probably try to switch the phone off as well any chance I got (long press the start button) so that you’d be forced to boot up and enter the PIN at any given opportunity to max my chances.

Actually hacking secure boot / accessing data from encrypted drives is beyond casual hackers, unless you don’t regularly update your devices and there are some active exploits published.

But seriously, low effort password sniffing is still the biggest vulnerability out there.

source
- adespoton@lemmy.ca ⁨7⁩ ⁨hours⁩ ago
  On the other side of this, I once had a co-worker who bought a keystroke recorder and attached it to his own computer.
  
  The person who had been messing with his computer saw the mini camera he had set up but missed the keylogger. He was able to figure out who it was and what they were up to from that.
  
  source
evujumenuk@lemmy.world ⁨6⁩ ⁨hours⁩ ago
It’s a gross approximation, but…

Your desktop or laptop computer is probably toast, your phone probably isn’t.

source
- ChidiAnagonye@infosec.pub ⁨6⁩ ⁨hours⁩ ago
  [deleted]
  source
  - Venus_Ziegenfalle@feddit.org ⁨5⁩ ⁨hours⁩ ago
    More secure is kinda too broad of a term but locked-down devices are naturally protected against tampering.
    
    source
Brkdncr@lemmy.world ⁨4⁩ ⁨hours⁩ ago
[deleted]
source
- ChidiAnagonye@infosec.pub ⁨4⁩ ⁨hours⁩ ago
  [deleted]
  source
  - Brkdncr@lemmy.world ⁨4⁩ ⁨hours⁩ ago
    That is not what I was saying at all.
    
    source
Deestan@lemmy.world ⁨4⁩ ⁨hours⁩ ago
Desktop computer: Installing a keylogger, for example, is cheap and require skills like “can purchase a cheap and simple technical part” and “can plug in a USB”, which are skills you can assume a CS student will possess.

Laptop: Same, but have to open the laptop and install a less standard straightforward loggrr on the internal cable. This require more effort and patience.

Phone: I have no idea, and I am a computer scientist who spends time thinking about this. I mean, all phones can be opened with corresponding equipment, and the touch screen is connected to the internal computer with a cable, but they differ in details per model and the space to work with is tiny. The research investment is significant and model dependent. Meaning, the effort cost is quite high and they’d need extremely strong motivation.

source
CTDummy@lemm.ee ⁨8⁩ ⁨hours⁩ ago
Given it’s illegal, it’s very unlikely. Why go through all the effort of getting a degree (and presumably a job in the relevant field) to risk losing it all and a criminal conviction to snoop on your roommate? If you’re that paranoid put BIOS passwords on your device and get a smart plug that’ll log whenever the device draws power.

source
NutinButNet@hilariouschaos.com ⁨8⁩ ⁨hours⁩ ago
I place little value on someone’s educational experience anymore since a lot of this can and is usually learned from nearly any place on the web or dark web.

It seems that for an evil maid attack to occur, someone would need to leave the device unattended, specifically with their admin/sudo account logged in so they can create the access they want later. That is, unless they discovered an exploit in the system that enabled them to gain that access by some other means.

The three best ways someone would be proactive against this attack are:

never leave your device logged in and unattended without some sort of passcode system being necessary to get in and execute commands/programs.

never leave “guest” accounts active on your device, even if they don’t have admin permissions. This can make it easier for someone to find other exploits to gain admin access.

always separate your accounts. Have a dedicated account for admin level escalations and use it only for that purpose and nothing else. If an attacker is to somehow get your attention away and leave your device unattended, at least this leaves them with no admin access on your main account

If you suspect your device has been compromised, the best thing to do is to shut down and disconnect from the network (unplug Ethernet cable and consider removing the WiFi card; even with the device powered off) and have a professional inspect it. I say that because even if you reinstall the OS or even get another OS, there’s no way to tell if something hardware was added to allow intrusion if we’re worried about physical access being compromised to the device.
source
Flax_vert@feddit.uk ⁨5⁩ ⁨hours⁩ ago
Depends how well encrypted your computer is. Your phone is probably fine, those are usually encrypted to hell by default.

source
Zwuzelmaus@feddit.org ⁨5⁩ ⁨hours⁩ ago
Everybody has had some ideas for “Evil maid” attacks during their youth… so yes, it it super likely.

source
couch1potato@lemmy.dbzer0.com ⁨5⁩ ⁨hours⁩ ago
I installed ophcrack to a usb flash drive and cracked my ex-gf’s windows password. No special knowledge except I googled how to crack a windows password. This was about 13 years ago though, no idea if that’s still a thing.

source
- viking@infosec.pub ⁨4⁩ ⁨hours⁩ ago
  Nah that was Windows XP, where the hard drive was not encrypted by default, and the password was stored in a hashed file on the computer itself, freely accessible via any boot stick. Actually cracking it still took some time (below 7 characters a few minutes, 7 about 1h, 8 chars up to 24h, longer… LONG). But if it was a common word, then a dictionary attack with a long enough word list (most word lists have like 400k words or so) would get it in seconds either.
  
  The funny thing with Windows XP was that since none of the data was encrypted, you could simply delete the password hash and set a flag in the registry and you would boot right into Windows with no password at all, and were then prompted to set a new password. That didn’t work since Windows 7 anymore.
  
  source
bamboo@lemmy.blahaj.zone ⁨6⁩ ⁨hours⁩ ago
Honestly, regardless of their education and experience, if you have this concern about a person, you should get a new roommate, assuming there’s more to your question than just a hypothetical.

All the time, there are shitty significant others who install a keylogger or screen recorder to monitor their spouse, because they’re fucked up. A lot of the time, they don’t have any technical background, and are the equivalent of script kiddies. They do this because they’re shitty people, not because they have a degree in computer science.

source
JeeBaiChow@lemmy.world ⁨7⁩ ⁨hours⁩ ago
I’d be more worried about phishing the lab PCs

source