What am I supposed to do when I am targeted?

Krooluticon

Level 1
Thread author
Jul 16, 2017
8
I've reinstalled Windows multiple times, followed numerous manual ways to lock down Windows, and also tried a bunch of Secure Host Baselines. They got past the crappy free router from my ISP... I bought myself an expensive Ubiquiti security gateway router/switch/AP set with deep packet inspection and reinstalled hardened Windows. I found logs in my router the very next day and wrote them down on paper, but the real logs are now gone from both my PC and the router... but I've got the paper, and I've taken some courses to better understand the Event Viewer, and it's evident there as well... WTF can I do? My Ubiquiti setup had a price point of 1025 USD. Well, I can think of one last thing: a next-gen Unified Security Gateway, which costs upwards of 769 USD a year. Last hope, I guess. Oh, and something like Linux... but I like Windows. :confused:
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,351
I assume you mean home computers, so I don't see the chance of you actually being targeted. Why exactly do you think you are getting hacked? What is the evidence that led you to believe that?
Btw, Event Viewer is not going to show you anything useful in your case.
 

ForgottenSeer 58943

Krooluticon said:
I've reinstalled Windows multiple times, followed numerous manual ways to lock down Windows, and also tried a bunch of Secure Host Baselines. They got past the crappy free router from my ISP... I bought myself an expensive Ubiquiti security gateway router/switch/AP set with deep packet inspection and reinstalled hardened Windows. I found logs in my router the very next day and wrote them down on paper, but the real logs are now gone from both my PC and the router... but I've got the paper, and I've taken some courses to better understand the Event Viewer, and it's evident there as well... WTF can I do? My Ubiquiti setup had a price point of 1025 USD. Well, I can think of one last thing: a next-gen Unified Security Gateway, which costs upwards of 769 USD a year. Last hope, I guess. Oh, and something like Linux... but I like Windows. :confused:

First, I believe you. I've been targeted and know many dozens of people who have; it's not as rare as people think these days, sadly. Fortunately, I can help you with these matters, and you appear to have the money to do what is necessary to stop the nonsense. One thing you need to realize is that these people/govt/corporations, whoever is doing it, are very patient. They'll carefully monitor what they can and then develop an attack strategy tailored to your setup. By altering your setup and being unpredictable you can often throw a wrench into it by causing their TAO to have to refocus mid-stream, which is incredibly frustrating to them.

First things first. They'll walk right through Ubiquiti gear... UniFi stuff isn't security hardened, not by a long shot. For example, SSH is left open; you need to PuTTY into each AP and turn SSH off from the CLI. Second, the product uses things like WebRTC and Java. If you are really serious about stopping someone, then you won't use Ubiquiti stuff, at least until Chris B. from pfSense is done totally revamping the UniFi series in a couple of years. In the short term, a dead-man switch on your PCs may help until you get your network fully locked down. Or you could use Rollback Rx and roll back your systems every single day until everything is secured properly.

IF you are really being targeted, you can find this out pretty easily via multiple methods. But one thing I will tell you: they've successfully reverse engineered many AV products, and they can also intercept the update process for some AV products. I don't want to name names, but we've seen this happen on several leading AVs. A crucial thing here, IMO, is to utilize an AV product that uses signed, encrypted update channels. The very second your AV is stuck in a loop or won't update, it's time to uninstall it, we've found. If your AVs become compromised, then you know you are being targeted and it isn't some script kiddie. Security through obscurity should be examined. Sure, they can develop backdoors for major AVs, but will they invest the time/resources in developing one for some random AV from some smaller but reputable firm? Probably not. If Comodo can reverse engineer ESET with Chinese contractors, you know our govt or its proxies can do the same thing. Careful.

Get a real UTM on your network; maybe try a FortiGate 60E w/ sandboxing. SoC3 chip on it, extremely hardened; nothing happens with it unless you allow it (default-deny policy by default). Once deployed, you need to harden it even more: turning off SSH, Telnet and remote admin, closing 541, 123 and other ports it does leave closed but visible (via a quick CLI command). Run a port scan and CLI anything else to stealth/disable/no-response. Turn on extreme IPS, blah blah blah. If not Fortinet, try one of the higher-end ZyXEL boxes; they use Kaspersky Gateway and are pretty decent. I'd avoid the common TAO devices like Cisco, Check Point, Juniper, etc. Sorry, but UniFi stuff is crap in comparison.

Once your front door is closed, work backward, securing each part as you go: switches, APs, etc. The key here is testing everything for holes yourself. Limiting logging/telemetry, etc. Wireless should be your next focus. Make your SSIDs complex and use _optout_nomap, something like: 6;^~K(v87dXp_optout_nomap. If you can, install a WIDS and a rogue-AP suppression mode AP; it depends on what wireless controller your UTM has and whether you can do this, so research it. This will suppress all rogue APs with a local DDoS. It will suppress all attempts to spoof, clone and Pineapple your SSID. Look into advanced WiFi security like digital fences and other stuff. Learn about wireless security; apply that knowledge. On your wireless computers use a device that disables the NIC when the device shuts down so they never have standby NICs, ever.

Keep all firmware updated throughout your network. If a firmware won't apply, factory reset whatever the device is. If it still won't apply, return the device or throw it out. It's been compromised.

Lock down your network. No traversal unless a device must. If it must, examine the 'windows' in which it can. For example, TiVos update in a small window and only really need to talk out to the WAN during that window. Schedule them to be off the WAN until that window is needed, to reduce the threat surface. Turn off all external port forwards unless needed, and if needed, try to put them into windows of use (schedules).

Once you reach the endpoints, everything else on your network should be locked down. Other guys on this forum can help you with locking down endpoints: default-deny programs/policies, reducing the threat surface by keeping crap like Java and, if possible, .NET off your systems, installing what is needed and only what is needed. Don't leave crap like Origin or Steam running unless needed. Lock down Windows settings. Limit/eliminate logging/telemetry. Password managers. Changing passwords, not using popular insecure email services. Chrome lockdowns; the list goes on and on and on.

If you really are targeted and become a total jerk to them with your security, then they'll take it to level 1: fake door repair vans while you are on vacation, utility guys asking to inspect your internal electrical panel, fake rebates for home inspections or whatever. If that happens, you'd better be prepared with cameras, locks they can't walk through in 7 seconds, an alarm system, etc.

PM me if you have any questions. I was purposely vague in this response, believe it or not. I avoid detailed public disclosures these days.
 
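The post above recommends running a port scan against your own gateway and APs and then disabling every management service the scan still shows. The script below is an added example written for this thread, not code from the post's author or from any vendor: it TCP-connects from a LAN host to a short list of ports that consumer and SMB gateways/APs commonly leave reachable and rates what it finds. The port list, the service labels, the severity ratings and the default gateway address 192.168.1.1 are this example's own assumptions; SNMP and NTP are UDP and would need a different probe.

```python
"""Management-plane exposure check for home network gear (added example).

Run from a host on the LAN: python3 mgmt_check.py 192.168.1.1
Only TCP services are probed; nothing is sent beyond the connect.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed list of management services worth looking for, with a rough
# severity: "high" = plaintext or interactive admin that should not be
# reachable from client devices at all, "medium" = acceptable only if
# restricted to a management VLAN/host and hardened (keys, MFA, etc.).
MGMT_PORTS = {
    21: ("ftp", "high"),
    22: ("ssh", "medium"),
    23: ("telnet", "high"),
    80: ("http admin", "high"),
    443: ("https admin", "medium"),
    541: ("fortinet mgmt (FGFM)", "medium"),  # port named in the post above
    3389: ("rdp", "high"),
    5900: ("vnc", "high"),
    8080: ("alt http admin", "high"),
    8443: ("alt https admin", "medium"),
}
_ORDER = {"high": 0, "medium": 1, "info": 2}


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host: str, ports=None, timeout: float = 0.5) -> set:
    """Probe the given ports (default: MGMT_PORTS) in parallel; return the open ones."""
    ports = list(ports if ports is not None else MGMT_PORTS)
    if not ports:
        return set()
    with ThreadPoolExecutor(max_workers=min(32, len(ports))) as pool:
        results = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return {p for p, is_open in zip(ports, results) if is_open}


def assess(host: str, open_ports) -> list:
    """Turn open ports into (severity, message) findings, worst first."""
    findings = []
    for port in sorted(open_ports):
        name, sev = MGMT_PORTS.get(port, (f"tcp/{port}", "info"))
        findings.append((sev, f"{host}:{port} {name} reachable from the LAN"))
    findings.sort(key=lambda f: _ORDER[f[0]])
    return findings


def listen_on_loopback():
    """Open a throwaway listener on 127.0.0.1 so the scanner can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_loopback_port() -> int:
    """Pick a loopback port that nothing is currently listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed gateway address
    found = scan_host(target)
    for sev, msg in assess(target, found):
        print(f"[{sev.upper():6}] {msg}")
    if not found:
        print(f"none of the listed management ports are reachable on {target}")
```

Run it from a normal client VLAN, not from the management host: the point is to see what an ordinary LAN device can reach. Anything rated "high" should be disabled outright; anything rated "medium" should only answer from a management network, which you confirm by running the same scan again from both sides.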

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
ForgottenSeer 58943 said:
Fake door repair vans while you are on vacation, utility guys asking to inspect your internal electrical panel, fake rebates for home inspections or whatever. If that happens, you'd better be prepared with cameras, locks they can't walk through in 7 seconds, an alarm system, etc.

Thanks for the tip!
 

Krooluticon

Level 1
Thread author
Jul 16, 2017
8
Might as well mention that I RECENTLY found Imonitor under system processes on my 1-year-old Android phone, just messing around with it one day. I had my suspicion, but it's still good to find it; guess I wasn't crazy :D. I never used it for much and certainly never rooted it, because I never had the need or the know-how. Check this out: Android phone spy software | Spy mobile android | Android spy app | Spy for android. That spyware anyone can buy; the question is where did they get the time to root it? Did someone intercept the package and install it before I retrieved it?! Pretty sure this room is bugged as well. I got myself an RF scanner, a pricey one, but the room is a mess; going through all of it will take a while.
... this is becoming ridiculous, if I must say so myself.
 

ForgottenSeer 58943

AlanOstaszewski said:
Thanks for the tip!

I sort of died inside when Glenn Greenwald posted that when 'they' were looking for Snowden and his data they got through 6 of his 7 alarm systems. If you feel you are a target, then you should get locks that they can't get through. Watch videos, talk to pros, research. Utilize ones with a master keying system so you control the ability to have keys made. I won't name specific locks, but it won't be long before you find the real ones, not the fake security sold at Home Depot and Lowe's.

Sometimes their offers are tempting. I recall (years ago) getting an unsolicited, professional letter from an automotive testing center that claimed to be sponsored by the manufacturer, offering $1000.00 to take my vehicle for 24 hours for some undisclosed testing, including a free rental car. Research at the time indicated a potential honeypot; can you imagine the surveillance tech that can be integrated into a vehicle over a 24-hour period? :D
 

ForgottenSeer 58943

Krooluticon said:
Might as well mention that I recently found Imonitor under system processes on my 1-year-old Android phone, just messing around with it one day. I had my suspicion, but it's still good to find it; guess I wasn't crazy :D. I never used it for much and certainly never rooted it, because I never had the need or the know-how. Check this out: Android phone spy software | Spy mobile android | Android spy app | Spy for android. Pretty sure this room is bugged as well. I got myself an RF scanner, a pricey one, but the room is a mess; going through all of it will take a while.
... this is becoming ridiculous, if I must say so myself.

It's only paranoia if you can't prove it. The stories I could tell you... Who did you tee off? The sad part about all of this is that you don't even have to do anything illegal to draw unwanted attention to yourself... Ugh. If you had even brought this up 10 years ago you'd have been bombarded with photos of tinfoil hats and foil-lined rooms. In the day and age of Snowden, Vault 7 and other things, unfortunately all of this is the reality we exist in.

Anyway, another tip: watch your power use. Often self-powered devices can be placed at locations and will slightly alter your draw. We used to use oscilloscopes and other crap to watch for this. Now there are devices for homeowners that can scan and identify individual things taking power from your lines: the Sense Home Energy Monitor.

They can draw intelligence from 60 Hz home power lines, essentially filtering out irregularities and filtering in anomalies and using systems to parse that data out. MxDNA was developed to dissipate anything other than 60 Hz in the form of heat. It's actually a counter-intel tool. Another method is to use Stetzer filters or KVAR on your home line to filter many anomalies, rendering 60 Hz intelligence gathering almost impossible. They can harvest ambient EMF for intel gathering. An easy way to defeat that (and damage their gear in some cases) is to use negative ion injectors. These drop enough EMF chaff into the air to really disrupt the sensitive tech. Ultrasonics is another method; in that case you need ultrasonic scramblers that sweep through a wide frequency range. Believe it or not, some ultrasonic pest protection devices actually hit some of those ranges. Pink noise is your friend. White noise is predictable; pink is much more effective. A true pink noise generator in a room will offer impressive levels of privacy from a variety of intelligence technologies. Virtually everything they have also has a countermeasure. However, keep in mind that depending on who is messing with you, they could have virtually unlimited resources. In that case all you can do is reduce the impact or go back to using smoke signals. :p

IMO, I think you need to shore up physical (L1) security. If you are honestly targeted, nothing you do will work very well if you can't keep them out of your home and off of your property.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Question:
"What am I supposed to do when I am targeted?"
Pray; pray that the villain on the other end is not experienced or very motivated, lol :)
Honestly, call the proper authorities, seeing as your call could save the next victim on the list, and who's next could be a loved one or a friend.
I would like to think that after my anger and need for retribution cooled to a slow boil I would be capable of making the decision to help get the fella or gal put out of commission "the right way".
 

ForgottenSeer 58943

_CyberGhosT_ said:
help get the fella or gal put out of commission "the right way"

What if it is the govt? Or a foreign government?

One good thing: most of their tech at some point requires maintenance. If you've closed off physical security, everything will eventually break or run out of steam. Then they can't fix it, replace it, or tune it up, and you are good to go, provided you've shored up the physical security.

Also, you could practice counterintelligence. Switch out any suspicious activity for a huge amount of normal activity over X amount of time. You know, start becoming interested in the Kardashians or Dancing with the Stars. Maybe keep sitting through all seasons of Game of Thrones. Eventually they'll lose interest or realize whatever triggered the closer look was a false positive. Of course, if you are savvy, whatever drew their attention (and these days it can be almost anything) would still take place while you do the Kardashian thing, but you've moved that other junk to dark channels to do it. We're not always dealing with the sharpest sticks; they get bored like anyone else.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Krooluticon said:
I've reinstalled Windows multiple times, followed numerous manual ways to lock down Windows, and also tried a bunch of Secure Host Baselines. They got past the crappy free router from my ISP... I bought myself an expensive Ubiquiti security gateway router/switch/AP set with deep packet inspection and reinstalled hardened Windows. I found logs in my router the very next day and wrote them down on paper, but the real logs are now gone from both my PC and the router... but I've got the paper, and I've taken some courses to better understand the Event Viewer, and it's evident there as well... WTF can I do? My Ubiquiti setup had a price point of 1025 USD. Well, I can think of one last thing: a next-gen Unified Security Gateway, which costs upwards of 769 USD a year. Last hope, I guess. Oh, and something like Linux... but I like Windows. :confused:

@Krooluticon

I am not sure if someone already addressed this, but if I understand your topic correctly, then you have found evidence of potential hacking attempts within your router, correct? And you also stated that the logs in both your router and local system are gone?
Just making sure that I understand what you are saying. With that in mind, let me ask you a few questions:

  1. Did you install your local system from a legit Windows copy? (Not some downloaded ISO or torrent with a loader/pirated fake validation.)
  2. Did you install your system FRESH (partition/format) or did you just install OVER an already existing installation?
  3. Did you install your service packs from an offline source or an online source?
  4. Did you install ANY pirated software?
  5. Did you hook up your PC to the net right away?
  6. Did you change/tweak any Windows/local system or router settings? And do you run your Windows under admin or guest mode?
  7. Did you install any Internet security program?
The reasons I ask these questions are simple, and I will list them here:
  1. Why did I ask if you installed Windows from a legit source? Often pirated ISOs and torrents are infested with malicious programs which MIGHT generate security problems and fill your logs with errors and events, since there is NO telling if your Windows copy from source X is clean and original.
  2. Why did I ask if you did a fresh install? Well, there are enough security issues and malware-related problems that might survive a new Windows installation and, as such, carry over previous problems to your new installation. Something that would virtually never happen with a properly repartitioned HDD and a good old-fashioned format.
  3. Why did I ask if you installed your OS SPs from an online or offline source? The rule of thumb is that it's better to install from, say, a locked-down USB stick + service packs + basic protection programs without being connected to the net. You want to increase your minimal security PRIOR to going on the net to avoid early infections and problems that might cause your PC to crash over time, and you also want to make 100% sure that your PC is in a clean state in order to allow your security to work properly. Most people install their computer while being online, and more tech-savvy people know that your PC is at its weakest, security-wise, during installation, first Internet contact and the initial configuration. Amongst many other reasons... This applies to the rest of my questions as well.
Another thing I would like to point out: your router will constantly talk to your ISP and send and receive hundreds of packets every hour. This is done to make sure that, across the whole spectrum of your Internet connection, your ISP has all the data required to provide you with Internet services, TV, phone, fax and VoIP, but also updates and that kind of stuff. Some of these connections might look like someone is trying to be funny, but poorly written router firmware might also class totally legit events as potential security issues. That being said, there is a whole range of other issues that might cause your logs to fill up with event alerts and errors without actually being an error.

One option that is always good and very telling is to factory reset your router (don't change a single thing) and unhook your PC and any other device that might be connected to your router, either by wire or wirelessly. Then monitor the logs for, say, an hour or two. (Connect with a properly configured PC (updates/SPs, security software and all the basic ABCs) and log in to your router. Please note that playing around in a router and its settings is a BAD idea unless you know what you are doing, as each setting might have far-reaching consequences.) See if the logs fill up again. If this is not the case, then hook up your devices one by one and give each, say, an hour or two to be active on the net, and then check the logs again, because devices like phones and TV/media/game-related devices often trigger security events. My point is that you NEED to be 100% sure that whatever is causing the logs to fill up with seemingly malicious alerts and events is NOT happening for legit reasons. For a person who might not understand technical logs, logs in general might appear scary. So using basic elimination allows you to backtrack your own steps and validate whether you are compromised from the inside or the outside. Each scenario has its own remedies, so reply to my questions and we will see, based upon your replies, what's going on.

PS: Let's assume for one second that you are being monitored, and let's say that the government is doing that. Then you will NOT be able to know about this, as even your router logs will NOT show it, since they probably intercept your online activities at ISP level. So you can pretty much rule this out.
Finally, if it's a person trying to be funny, then this can be fixed very easily, because if you are not technically savvy enough, just one phone call to your ISP (who has real-time access to the same logs and in most cases also server-side logs to see if this is really the case) and, if it is confirmed that someone is trying to be funny, they punch a few buttons, hit a few switches, and you are "liberated" and the "funny" dude has a problem.
If it's malware that causes these weird connections and alerts, then we can help you too.

As you can see, there are hundreds of reasons why things happen, so let us know.

Kind Regards,
Nico
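The elimination procedure in the post above (factory reset, watch the log with nothing attached, then reconnect devices one at a time) produces two things: the router's alert log and your own notes of when each device went online. The script below is an added example for this thread, not code from the poster or from any router vendor: it joins the two so that each alert is attributed either to Internet background noise (source address outside the LAN, which fires no matter what you have attached), to the router-only baseline, or to whichever device was connected at that moment. The syslog-style lines, the device names, the windows and the LAN range 192.168.1.0/24 are all constructed for the example; adapt the source-address regex and the timestamp slice to whatever your router actually writes.

```python
"""Attribute router alerts to elimination-test windows (added example).

Input 1: the router's alert log (syslog-style lines, no year in the stamp).
Input 2: the windows you wrote down while reconnecting devices one by one.
Output : each alert tagged with who was on the wire when it fired, plus a count.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range
_TS = "%b %d %H:%M:%S"                          # syslog stamp; parses as year 1900, fine for ordering
_SRC = re.compile(r"(?:SRC=|from )(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample log: WAN-side drops plus a few IDS hits from LAN hosts.
SAMPLE_LOG = """\
Jul 17 09:05:12 gw kernel: [DROP-WAN] SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Jul 17 09:07:40 gw kernel: [DROP-WAN] SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=445
Jul 17 09:30:00 gw ids: SID 2000 unusual outbound TLS SNI from 192.168.1.1
Jul 17 10:15:03 gw ids: SID 2001 possible SSDP scan from 192.168.1.20
Jul 17 10:16:30 gw ids: SID 2002 DNS query for unusual TLD from 192.168.1.20
Jul 17 12:32:11 gw kernel: [DROP-WAN] SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Jul 17 12:40:00 gw ids: SID 2003 outbound TCP/6667 from 192.168.1.31
"""

# Constructed notes from the elimination run: (who was attached, start, end).
WINDOWS = [
    ("router only", "Jul 17 09:00:00", "Jul 17 10:00:00"),
    ("smart TV",    "Jul 17 10:00:00", "Jul 17 12:00:00"),
    ("laptop",      "Jul 17 12:00:00", "Jul 17 14:00:00"),
]


def parse_line(line):
    """Split a syslog line into (timestamp, source address or None, message)."""
    ts = datetime.strptime(line[:15], _TS)
    m = _SRC.search(line)
    src = ipaddress.ip_address(m.group(1)) if m else None
    return ts, src, line[16:].strip()


def window_for(ts, windows):
    """Name of the elimination window that contains ts, or None."""
    for name, start, end in windows:
        if datetime.strptime(start, _TS) <= ts < datetime.strptime(end, _TS):
            return name
    return None


def attribute(log_text, windows, lan=LAN):
    """Tag every alert with the party most likely responsible for it."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, msg = parse_line(line)
        win = window_for(ts, windows)
        if src is not None and src not in lan:
            who = "wan-inbound"      # Internet background noise; fires with nothing attached
        elif win is None:
            who = "unattributed"     # LAN event outside any noted window: check your notes
        else:
            who = win                # baseline (router only) or the device attached then
        records.append({"time": ts.strftime("%H:%M:%S"),
                        "src": str(src) if src else "-", "who": who, "msg": msg})
    return records


def summarize(records):
    """Alert count per attributed party."""
    return Counter(r["who"] for r in records)


if __name__ == "__main__":
    recs = attribute(SAMPLE_LOG, WINDOWS)
    for r in recs:
        print(f"{r['time']}  {r['who']:12}  {r['src']:15}  {r['msg']}")
    print(dict(summarize(recs)))
```

On the constructed sample the WAN-side drops land in "wan-inbound" whatever the window, which is exactly the kind of entry the post warns looks alarming but means nothing about your LAN; the two IDS hits during the smart TV's window are the ones worth investigating on that device. Counts in the "router only" bucket are your baseline: anything the router produces with nothing attached is either firmware noise or ISP traffic, and only LAN-attributed alerts that appear once a device is connected tell you something about that device.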
 

ForgottenSeer 58943

Nico has some nice methods there to help diagnose, for sure.

However, I don't believe it is relevant 'who' is doing it. Simply put into place proper technologies and behaviors to eliminate or reduce the impact of ALL of them. That way, going forward, you have better overall security and privacy and cultivate the awareness of it within yourself.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
ForgottenSeer 58943 said:
Nico has some nice methods there to help diagnose, for sure.

However, I don't believe it is relevant 'who' is doing it. Simply put into place proper technologies and behaviors to eliminate or reduce the impact of ALL of them. That way, going forward, you have better overall security and privacy and cultivate the awareness of it within yourself.

Even though I do agree with you that it's usually not important to know who is doing it, what is important is where it does come from.
I mean, you can add all the software in the world to combat a problem like this, but if you do not know how you got there in the first place, then:

  1. You don't learn anything.
  2. You bloat your PC with a jungle of exotic programs and eventually lose track of what's important.
  3. You run the risk of assuming the problem is fixed, yet the problem might very much persist regardless of what security you have running. One needs to remember there are zillions of programs out there, both good and bad, yet out of all the established security programs there are only a few which can handle an infected installation process properly. It would not be the first time that a highly rated security program is installed on an already infected system and utterly fails in securing your data.
  4. Keep in mind that reducing the impact might all be nice and dandy, but you are really not fixing anything. After all, avoiding problems is MUCH better than trying to solve them. And this is especially important on a Windows PC or device, since Windows is generally horrible when it comes to pre-infections and the problems that result directly from an event like that. It gets slow, it generates lots of errors, and eventually you are forced to either redo the PC from scratch or face the prospect of operating an OS that increasingly has a mind of its own. When you have determined what the source and reason for your problems is, you can come up with a solution that might not require getting all kinds of programs and security apps. One of the most common mistakes is that people encounter a problem and then run a whole series of security-related apps, which is basically trying to shoot down a fly with a shotgun. They hit all kinds of things with that shotgun but usually miss their mark, yet the system is classed as clean, and it's exactly those users who end up with data loss and other problems.
  5. Finally, MalwareTips as a community has the aim to enrich users with proper info in order for everyone to understand, learn and eventually become tech savvy, as not every member here knows what they should or should not do, and neither does everyone know what to do when they have a security program running. It's easy to install, let's say, KAV (or any flavor), hit scan and, when the scan is done, quarantine or remove and consider it all done, but that's sadly not the case, especially with infections and problems that have a deeper origin. That being said, it all starts with the basics and understanding basic things; otherwise the topic starter might as well take his PC to a repair shop and pay $250 for cleaning it up. And since the TS has asked what he should do, one might as well start with the basics, don't you think?
Kind Regards,
Nico
 
