The Computer Corner

July 2017
What to Do if You've Been Hacked

For the second time in two months, Windows users have been subjected to a global malware attack. To protect yourself against this new one, called “Petya,” I recommend staying current with your Windows Updates and running Malwarebytes Premium.

Signs You've Been Hacked

It's either easy or hard to determine if you've been hacked. In the case of ransomware, it's extremely easy to know when you've been hacked: You get a request for money.

However, the goal of most of the best hackers is to leave you blissfully ignorant of any wrongdoing. This way, your machine and your network access remain a resource for them to exploit. For example, the NSA tools that were recently released to the public were designed to allow for silent access to a system. The exploits released back in April have been patched by Microsoft, but they show that the goal of these nation-state attackers is to be stealthy and covert.

So, if the goal of these tools is to be silent, how can you know when you have been attacked? This is often the hardest part: often you only know if you have firewall software that is set to alert you to something unusual connecting to your system. One that I've been testing lately is GlassWire, which gives a visual view into the connections my computer is making and identifies what country the connections are coming from. While "chatty" (it initially alerts you to traffic as it learns the normal connections your system makes), GlassWire does show a lot of detail about what is going on in your computer system, which can expose whether something or someone nefarious is accessing your system.

Forensic examiners also use log files and examine code newly introduced into a system. Attackers will often use file names and service names that resemble actual Windows files and services to try to hide their tracks. It then becomes a case of understanding which files and logs are normal and which are not, and then determining what the malicious code was intended to do. It's not an easy process to examine a system.
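The name-matching part of that examination, as an added example that is not part of the original column: it flags executables that borrow a Windows system name but run from the wrong folder, and names that are near-miss spellings of one. The baseline table, the sample paths and the function names `classify` and `triage` are assumptions made for illustration.

```python
import ntpath
from difflib import SequenceMatcher

# Assumed baseline (illustrative, not exhaustive): core Windows binaries and
# the lower-cased directories each one normally runs from.
SYS32, WOW64 = r"c:\windows\system32", r"c:\windows\syswow64"
EXPECTED = {
    "svchost.exe": {SYS32, WOW64},
    "lsass.exe": {SYS32},
    "services.exe": {SYS32},
    "csrss.exe": {SYS32},
    "explorer.exe": {r"c:\windows", WOW64},
}

# Digits often swapped in for letters so a name looks right at a glance.
LOOKALIKES = str.maketrans("0135", "oles")

def classify(image_path):
    """Return 'ok', 'wrong-path', 'lookalike' or 'unknown' for one executable path."""
    folder, name = ntpath.split(image_path.lower())
    if name in EXPECTED:
        return "ok" if folder in EXPECTED[name] else "wrong-path"
    for known in EXPECTED:
        # Near-miss spelling: digit substitution, or transposed/extra letters.
        if (name.translate(LOOKALIKES) == known
                or SequenceMatcher(None, name, known).ratio() >= 0.85):
            return "lookalike"
    return "unknown"

def triage(paths):
    """Keep only the entries an examiner should look at first."""
    return [(p, v) for p in paths if (v := classify(p)) in ("wrong-path", "lookalike")]

# Constructed sample of running-process image paths (not from a real system).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\pat\AppData\Roaming\svchost.exe",
    r"C:\Windows\System32\svch0st.exe",
    r"C:\ProgramData\scvhost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{verdict:11} {path}")
```

A flagged entry is a lead to investigate, not proof of compromise; "unknown" only means the name is not in this small baseline.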

If attackers are sloppy, blue screens of death, slowness, and programs erroring out at random are often a sign that an attacker has entered code into your system and is now spying on you. Unfortunately, the same symptoms may also be a sign of bad drivers and poorly coded software. The key is to think back to when these strange events began, and whether you remember installing any software around the time the odd events started to occur. Whenever you receive a blue screen of death, be sure to run the BSOD viewing tool to see if it points to a driver.

The First Steps to Take After You Suspect You've Been Hacked

I'm often asked what steps you should take if you suspect your computer has been hacked, or if some person, business, or foreign country is spying on you or using your computer for their own (usually nefarious) purposes. My short answer: Stop using your computer immediately and, depending on what or who has attacked you, take immediate action.

If you've been hit by ransomware, backdoors, or any number of malware attacks whereby you were merely roadkill on the information superhighway, it's painful to realize that you don't have much recourse beyond a clean reinstall of Windows or a system rollback to your last clean backup. The Federal Bureau of Investigation or any local authority won't care about your attack because the financial impact is not high enough for them to care about it.

It may be difficult to ascertain exactly when you were infiltrated, so the best way to recover from an attack is to rebuild your system from scratch. If that sounds like something you don't want to do, try this three-step alternative:

  1. Hope you made a full image backup of your system when you set up a new system.
  2. Restore your current system back to the good image backup.
  3. Add whatever programs you need back by re-installing them.

Since Windows 10 is delivered digitally and tied to the motherboard and other key elements of your computer, don’t worry, you haven't lost your Windows 10 key. If you have the click-to-run version of Office, you often will have it tied to a Microsoft account and thus can download the Office install again. Windows will automagically activate itself and so will Office.

If you don't have either Windows 10 or the click-to-run version of Office, then you must have your product keys written down and in a safe spot so that, should you need to reinstall from scratch, you can do so. You can extract your product keys from your current system using a free utility with the cute name: Magical Jelly Bean Key Finder.

If you suspect that your system has been specifically targeted, especially if you are possibly being used to target another company, the best action you can take is to preserve evidence so that an investigator can review any log files on your system looking for traces of what the intruder may have done and when they came into your system.

The best way to preserve evidence is to remove the existing hard drive, then purchase a new hard drive and completely rebuild your computer. If that isn't feasible, you can use a forensic tool to take a backup of the entire drive that includes slack space. AccessData's FTK Imager can be used to take a backup of the computer system, which an investigator can then use to unearth any trails left by the attacker. You can use the tool to save a copy of the hard drive to an external USB drive.

Ways to Prevent Attacks

One of the best ways to prevent attacks is to install patches in a timely manner.

Many of the recent ransomware attacks came from targeted emails and Word files that launched macros to gain access to the system. Petya infects a computer via a malicious RTF (Rich Text Format) document opened in Microsoft Office or WordPad. RTF files have been used to attack computers before and probably will be again. Within a network, the virus spreads using a Microsoft file sharing system.

Remember, the best thing you can do is always be a little bit paranoid and question the source of the links or files you receive. I've never seen malware jump from a Windows desktop to an Apple iPhone and back again, so if you are ever in a situation where you are unsure of the source of an email, open the email on your phone, not on your desktop.

As a Department of Homeland Security guidance says: Stop, Think, Connect. Always hover over links. Don't blindly open files or attachments. Consider uploading links and files to whenever you have any question or concern about a file or link.

These steps may slow you down just a little bit, but they may save your system from attacks.

Please share your tips or experiences with your own tech with the Sangat. Email me and tell me your story, and keep sending me your suggestions for column topics, along with your own favorite smartphone app recommendations and reviews so I can share them here. Just email them to me at