How do I find out if a keystroke logger has been installed on my Mac?
December 9, 2010 7:48 AM

My nephew believes his gmail and facebook accounts have been hacked by a coworker. Hacker may have had physical access to nephew's Mac laptop. Is there a (simple) way to detect if a keystroke logger has been installed? And/or is there any anti-spyware software you can recommend? Is there something other than a keystroke logger that we should be looking for?

Please keep answers as dumbed-down as possible - while I'm pretty PC literate, I've never used any Apple products other than an iPod/iPhone, plus I'm halfway across the country from Nephew. He's also new to Macs, and he doesn't know what operating system he's running on it. We can find that out, though, if it's needed. The computer was new this past spring, if that's helpful.

I've seen some of the previous questions here, but most of them are old enough that they're probably outdated. This one is helpful, but mostly is suggestions of how to retrieve your gmail account, which is not an issue here. He has not been shut out of his account, he's just having his privacy invaded.

Thank you in advance...
posted by MexicanYenta to Computers & Internet (18 answers total) 11 users marked this as a favorite
If he really believes that the system has been compromised to that degree, only a complete OS clean reinstall (back up his data, make sure you have software reinstall disks for anything you can't download, reformat the disk, reinstall everything) will provide complete assurance.

Followed by changing passwords on all his accounts, which of course can be done on another computer during the reinstall (DO NOT log into those accounts from the suspect computer until the reinstall, of course).
posted by IAmBroom at 8:10 AM on December 9, 2010

We received a warning from our IT department about public wifi and the new Firesheep extension for Firefox. (This is an add-on for Firefox that allows anyone to easily see anything on a local network, like Facebook logins.) We were told specifically not to log in to the company's Facebook account via public wifi due to this. Has the computer been used on an open network?

Also, it's not a good idea to stay logged in on Facebook or Gmail when you leave the site. For one, this leaves you wide open if someone gets physical access to the machine. It also leaves you open to a cross-site scripting attack (where a script tries to access other websites via your computer, such as Facebook, common financial sites, etc. These attacks can succeed when a user has not logged out.) Always log out of important websites when you aren't using them.
posted by azpenguin at 8:51 AM on December 9, 2010

MexicanYenta: My nephew believes his gmail and facebook accounts have been hacked by a coworker.

He has not been shut out of his account, he's just having his privacy invaded.

What is the actual basis for him thinking this? Keyloggers are, for the most part, a technological Boogeyman. Sure, they exist, but they're very rare and hard to use, so what you're after has to really be worth your while. They're also hard to find, which makes it easy for people to blame vaguely suspicious activity on them.

I'm betting that your nephew's security has not, in fact, been compromised, and that he's misinterpreting something that happened in an unfamiliar computer environment.
posted by mkultra at 9:07 AM on December 9, 2010 [2 favorites]

Yikes - do not apply the nuclear option (reinstalling everything).

I'm with mkultra: a keylogger (or other malware) is exceedingly unlikely. However, if he doesn't password-protect his computer then it's possible someone gained access to his machine without his knowledge.

I'm still unclear on what happened to make him think his accounts were broken into. It all sounds pretty far-fetched - why does this coworker have it in for him, exactly?
posted by O9scar at 9:47 AM on December 9, 2010

If his account was hacked, any information in the account has already been accessed. Keylogger on a Mac is unlikely. Now what he should do is google "mac desktop security" and learn about making his Mac more secure. He should promptly change his Mac, Facebook and all other passwords.
posted by Mom at 9:56 AM on December 9, 2010

Writing this as if you, the poster, are doing these things. Here's my recommendation:

Top left corner of the screen: Click on the apple, then click "About This Mac" to find the version info.

Mac systems are theoretically more secure out of the box than Windows computers are. But this isn't foolproof and you shouldn't rely on it being true.

Start with the System Preferences. Click on Accounts, choose the account in question, then click Login Items. This will show a list of programs that run when the computer starts up. Anything suspicious can be removed by selecting it and clicking the little minus (-) at the bottom. Pay attention to things that are checked - these programs start out hidden and are not visible to the user when logging in.

Go back to the main Preferences window and go to Security. Under General, check the boxes to ensure that (1) passwords are required to wake the computer from sleep or screen saver, (2) automatic login is disabled, and (3) secure memory is used. (You can enable "Log off after X minutes of inactivity" but this will shut down any open programs. If a screen saver is set to turn on after a few minutes of inactivity, you don't need to have the computer log you off automatically - the screen saver will lock the system until the password is entered if the first option above is set.)

Now (still in Security) under Firewall, make sure the firewall is enabled.

Back to the Preferences pane. Next check Sharing. No sharing options should be active.

OK. Go back to Accounts, and check the password. Make sure there is one. If there is one, change it if you think the current one was compromised.

Now go to the apple in the top left corner again. Click it, choose "Software Update..." and let that run, installing any updates that appear. Then (if it doesn't do it on its own) restart. The computer should stop at the login screen, should require a password to continue loading, and should require a password when it wakes up from sleep or screensaver. Check to make sure this happens.

Next check your web browser security. If you are using Safari you ought to be fairly well OK, but if you run Firefox you can be even more so by installing the HTTPS Everywhere extension. This forces secure, encrypted connections for sites that have the capability to do so but don't always actually do it, like Facebook. Check extensions/add-ons/plug-ins for updates if possible. (Firefox has a test page that will tell you when plug-ins are out of date. It works in Safari too.)

The last two things to check are (1) the sites themselves, and (2) the user.

Sites: Check the passwords. Change them if you suspect anything. Don't re-use passwords across different sites. (Lots of people, myself included, do this WAY more often than we ought to!). Log out when you are leaving, and if you're concerned about the password security don't use browser features that remember login info. Yes, that makes things less convenient, but it also makes them more secure.

User: Start trying to learn about computer security. Figure out habits you have that might make you vulnerable and work to address them. Learn enough about things to understand what is and what may be a risk, and to recognize things that look innocuous but could actually compromise your security (phishing attacks, for example).
posted by caution live frogs at 10:01 AM on December 9, 2010 [3 favorites]

What is the actual basis for him thinking this?

Because private information that has only been discussed with one other person, in gmail, is now being discussed amongst his coworkers. This has been going on for several months, and involves separate, individual conversations with different people that took place in gmail. He keeps to himself at work and doesn't socialize with co-workers, so it's not that someone he trusts is talking about it. Honestly, there's no question in my mind at this point that his account has been hacked. He has changed all his passwords, now we just want to make sure they can't get the new passwords.

Sorry I can't be more specific, but this has become a very serious issue for him. And yes, there is a definite possibility that they accessed his computer, which unfortunately was not password protected.
posted by MexicanYenta at 10:02 AM on December 9, 2010

FWIW, I was of the "oh, you're just being paranoid" school of thought for several months, but at this point, even I'm convinced.
posted by MexicanYenta at 10:08 AM on December 9, 2010

I think you are looking for complicated explanations rather than simple ones. Instead of assuming his account was hacked I think it's more likely that a co-worker walked by his computer, jiggled the mouse, and saw the gmail account open on the browser.

Solution - close gmail when you aren't using it, put a password on the computer, and always lock the machine when you step away.
posted by It's Never Lurgi at 10:11 AM on December 9, 2010 [2 favorites]

There is a free keylogger called logKext. It is stupid easy to install and will make a file in the home folder (I think) that is simply a log of everything that is typed. However, since no one looks for this stuff, it will probably go unnoticed.

If I was at home I could reinstall it on my comp and tell you what the name of the file is that you should look for (although the location could probably be changed).

I would have your friend search his computer for "logKext" and "kext," if anything comes up, he's been keylogged. It's easy to get rid of though (I'm pretty sure).
posted by darkgroove at 11:14 AM on December 9, 2010

I'm confused. Is he accessing gmail on a work computer? His IT staff has access to do pretty much anything on a work computer.
posted by empath at 11:22 AM on December 9, 2010

It's Never Lurgi: I think you are looking for complicated explanations rather than simple ones. Instead of assuming his account was hacked I think it's more likely that a co-worker walked by his computer, jiggled the mouse, and saw the gmail account open on the browser.

This is a much more likely scenario than someone installing a keylogger. Alternately, it's totally possible that someone obtained his password, either because he wrote it down somewhere or someone just guessed it. If he's changed his password he should be fine.
posted by mkultra at 11:24 AM on December 9, 2010

Yikes - do not apply the nuclear option (reinstalling everything).

I'm with mkultra: a keylogger (or other malware) is exceedingly unlikely.

O9scar is right. I missed the part about this being a Mac (and recently had to clean-install my WinXP system, after a virus attack). FAAARRRRR more likely is that they simply read his email while he was away (with his email loaded).
posted by IAmBroom at 12:30 PM on December 9, 2010

There are a few ways they could have gotten his passwords, but I can't explain them because to do so might compromise his anonymity. The fact is that his emails *are* being read on an ongoing basis. Please just accept that as fact, without asking how we know, because I simply can't tell you without putting his anonymity, and therefore his job, at risk.

His passwords have all been changed. We are simply trying to cover all bases and ensure there isn't a keystroke logger on there, so that they can't access the new passwords. Unfortunately, "change passwords, he should be fine" won't do, because at this point, his career is at stake. Yes, it *is* that bad.
posted by MexicanYenta at 12:56 PM on December 9, 2010

1. Shut down all the applications and then check all the processes that are running. I am not sure if Activity Monitor does a thorough job, so it may be better to do this in a terminal (ps -ax is the command, I think).

2. Check every process (Google is your friend) to understand what it does.

3. If you find a keylogger, use Google to see how to get rid of it.
posted by vidur at 5:23 PM on December 9, 2010
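The process review vidur describes, the search for logKext and other kernel extensions darkgroove suggests, and the "what starts at login" check in caution live frogs' answer all come down to the same defender's routine: take a listing while the machine is trusted, take another later, and look only at what is new. The script below is an added example written for this thread, not code from any of the posters or from any tool they name. It assumes macOS with the classic `kextstat` tool and BSD `ps`; the comparison functions are plain POSIX text processing, and the demo data in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare triage for a Mac.
# Live collectors need macOS; new_entries/find_in_listing run on any POSIX sh.
export LC_ALL=C

# Sorted list of command names for every running process (BSD ps syntax,
# as on macOS; -o comm= prints the command column with no header).
snapshot_processes() {
    ps -axo comm= | sort -u
}

# Loaded kernel extensions whose bundle id is not Apple's. Searching for the
# word "kext" on its own matches every legitimate driver, so filter on the
# identifier instead. kextstat columns: Index Refs Address Size Wired Name ...
# Assumes the classic kextstat tool (macOS through 10.15).
snapshot_third_party_kexts() {
    kextstat 2>/dev/null | awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }' | sort -u
}

# launchd property lists under the Library folders beneath $1
# ("" for the system-wide folders, "$HOME" for the current user).
# These are where things start at login without showing up as applications.
list_launch_plists() {
    for d in "$1/Library/LaunchAgents" "$1/Library/LaunchDaemons"; do
        if [ -d "$d" ]; then
            find "$d" -name '*.plist' | sort
        fi
    done
}

# new_entries BASELINE CURRENT: lines present in CURRENT but absent from
# BASELINE. Both files must be sorted, which the snapshot functions ensure.
new_entries() {
    comm -13 "$1" "$2"
}

# Case-insensitive search of a listing for a known name such as "logKext".
# Exit status is grep's: 0 when something matched, 1 when nothing did.
find_in_listing() {
    grep -i -- "$1" "$2"
}

# Offline demonstration on constructed data standing in for two snapshots.
# The process names are made up for the example, not findings from any Mac.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' Finder Safari loginwindow > "$tmp/procs.base"
    printf '%s\n' Finder Safari logKextDaemon loginwindow | sort > "$tmp/procs.now"
    echo "New processes since baseline:"
    new_entries "$tmp/procs.base" "$tmp/procs.now"
    echo "Listing entries matching logkext:"
    find_in_listing logkext "$tmp/procs.now"
    rm -rf "$tmp"
}

# On a real Mac the workflow is:
#   snapshot_processes > procs.base          (taken while the machine is trusted)
#   ... later ...
#   snapshot_processes > procs.now && new_entries procs.base procs.now
#   snapshot_third_party_kexts               (expect nothing on a stock Mac)
#   list_launch_plists "$HOME"; list_launch_plists ""
demo
```

Anything new_entries prints is a candidate to look up, not proof of anything; the point of the baseline is to shrink the list of process names you have to research from everything on the system to the handful that changed.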

Well, there are a couple of other things you can do. Check if/when his gmail account has been accessed from any unknown computers by clicking detail at the bottom of inbox. Install and run an application called Little Snitch which will show if any application is trying to access the internet.

If you do a clean install, remember to add a firmware password to the machine; this will make it *much* harder to fiddle with the computer.
posted by brorfred at 5:52 PM on December 9, 2010

I'd make sure that the secondary questions attached to each email account - mother's maiden name and all that - are changed to something else, with hard to guess, possibly nonsensical answers. Also many services like gmail and facebook request secondary email addresses to use for sending password recovery requests. That should be checked too.

Finally, has he checked his facebook privacy settings? Is it possible that one coworker simply found him online (or just found his identity), and started reading his facebook posts?
posted by ZeusHumms at 9:49 PM on December 11, 2010
