Serious Security Breach Windows 7 Account! Need help!

DarkAngelSent

New member
Local time
11:53 PM
Messages
8
Location
Toronto, Canada
A classmate in my program at university has been able to log into my account after I locked my laptop to go to the bathroom. While I do not know any specifics or details, I can give the following information.

1) ALL my account passwords have been reset to blank.
2) The laptop was restarted to do this.
3) I'm using Windows 7 Professional, with an Ubuntu 9.1 installation on secondary boot.
4) My Ubuntu has a password that he does not know. I do not think he could have used it.
5) He does not know my password; he only wiped it somehow from the account.

He was able to log into my desktop, and I caught him just as he logged in. He was not able to tamper with or access Windows functions like Control Panel etc., as he did not have the time to.

How can I prevent this from happening again, and what did he do?

I googled "Windows 7 Password Reset" but I was not able to find any solutions that meet the above criteria. I'm stumped, and I do not like the idea of him being able to access my laptop if I'm not there.

***Solved***
 

Change your passwords. There are a few different ways this could have been done on your machine... none of which I feel is appropriate to share on this forum, for security reasons.

Disabling auto run will probably do the trick...
 

My CD tray and USBs were not used.

I want to prevent this from happening again. Either way I need to know what he did to prevent it. Can you please tell me what he did?
 

Hello DarkAngelSent, and welcome to Windows Seven Forums!

Some basic security steps to take that will help here would be to secure the computer BIOS with a password. Also, for convenience during install, we sometimes set the CD-ROM as first in boot order. This would allow someone to use a CD to circumvent passwords. Set the hard drive as first in boot order to prevent this.

Use the password feature when your computer comes out of sleep or hibernation, or after the screen saver.

Enable the Default Administrator account and give the account a password. Then disable the account again.

Please let us know if you need help with these suggestions.

Cheers!
Robert
 
Hello DarkAngelSent, welcome to Seven Forums!

Here's an option in case you ever get "locked out" of your machine; see the snip below and follow the wizard prompts.

reset.JPG
 


Are you in a domain environment there? But like I said earlier, allowing you to "recreate" the breach would be unethical. Thus the reason the explanation of what this person may or may not have done is not really up for discussion.
 

I am not in a domain environment, as it is my own laptop.

He did not have access to any Windows controls, as he had circumvented it without the ability to log onto Windows.

He did not utilize the CD drive or USB ports, therefore he did not use the Windows password recovery CD or other peripherals etc.

I have already put a BIOS password in as a precautionary step (as I know he had to reboot), and I have, as recommended by the user above, placed my hard drive as my primary boot device.

I also do not find the discussion of how he did this unethical. This is, after all, my own machine, and as a network security student, one of the key points we are taught is that if we are not able to perform the security breaches or recreate them, we cannot learn from them or take steps and measures to prevent them. This being a Windows 7 forum, I find that out of all the other places over the internet, THIS is the place one should/would discuss an issue like this, as it pertains and has relevance to the operating system and configuring and securing the environment.
 

Check User Accounts and see if the Guest Account is enabled. If so, it probably isn't password protected.
 

My Computer My Computer

Computer Manufacturer/Model Number
DIY
OS
W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
CPU
Phenom II 1090T w/Noctua NH-D14 /**4400+ X2 w/CM Hyper TX 3
Motherboard
ASRock 890FX Deluxe 4/**A8N-SLI
Memory
2 x 2GB Patriot PGS34g1600LLKA/**4x1GB Corsair VS
Graphics Card(s)
EVGA GTX460 SC/**EVGA 8800GTS
Sound Card
Asus Xonar D2X/**Xonar D1
Monitor(s) Displays
Acer X233H, Dell E152FPc /**LG M237-WD
Screen Resolution
1920x1080 & 1024x768/**1980x1080
Hard Drives
WDC 2TB, 1.5TB, 1TB, 500GB,Seagate 500GB , Maxtor 80GB /**500GB Seagate & WDC 1TB Black
PSU
CM RS600 w/ APC BX1000G/**Antec 500 TP w/ APC BX1000
Case
HAF922/**Antec 1040IIB
Cooling
3x200mm, 1x140 and 1x120mm/**5x80mm fans
Keyboard
Logitech Media USB/**Saitek Eclipse
Mouse
Cordless Trackman Wheel/**Ditto
Internet Speed
3.3Mbps
Other Info
SB 560 5.1 w/ Sennheiser RS140/**Creative T20 speakers, Dvico FusionHDTV7 Gold RT, Cisco E3000, HP 5510V AIO, Linksys E3000, Belkin F5U237 hub and **F5D8055 adapter
(** = 2nd rig)
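As an added example (not code from the thread or from any of its posters), here is a PowerShell audit of the in-Windows settings recommended above: the Guest account check just made, plus the built-in Administrator account and the password-on-resume items from Robert's earlier reply. It assumes Windows 7 with PowerShell 2.0 (so it uses the ADSI WinNT provider rather than Get-LocalUser, which does not exist there) and that the powercfg CONSOLELOCK alias names the "require a password on wakeup" setting.

```powershell
# Added audit example (not from the thread). Assumes Windows 7 / PowerShell 2.0.
# Run from an elevated prompt; it only reports, it changes nothing.

$ADS_UF_ACCOUNTDISABLE = 0x0002   # UserFlags bit: account is disabled
$ADS_UF_PASSWD_NOTREQD = 0x0020   # UserFlags bit: a blank password is accepted

function Get-LocalAccountAudit {
    # Enumerate local accounts through the WinNT ADSI provider.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $findings = @()
    foreach ($u in @($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
        $name     = $u.Name.Value
        $flags    = [int]$u.UserFlags.Value
        $disabled = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        $noPwReq  = (($flags -band $ADS_UF_PASSWD_NOTREQD) -ne 0)

        if ($name -eq 'Guest' -and -not $disabled) {
            $findings += 'Guest account is enabled; disable it (net user Guest /active:no)'
        }
        if ($name -eq 'Administrator' -and -not $disabled) {
            $findings += 'Built-in Administrator is enabled; give it a password, then disable it'
        }
        if (-not $disabled -and $noPwReq) {
            # This flag is what lets an account log on with a blank password,
            # the state the original poster found his accounts in.
            $findings += "$name allows a blank password; set one (net user $name *)"
        }
    }
    return $findings
}

function Get-LockOnResumeAudit {
    $findings = @()
    # Screen saver must be on and must require a password when it ends (HKCU).
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screen saver is off or does not require a password on resume'
    }
    # Password on wake from sleep/hibernation, read from the active power scheme.
    # Assumption: CONSOLELOCK is the alias for that setting; powercfg prints lines
    # such as "Current AC Power Setting Index: 0x00000001" (1 = password required).
    $out = powercfg -query SCHEME_CURRENT SUB_NONE CONSOLELOCK 2>$null
    foreach ($line in @($out)) {
        if ($line -match 'Current (AC|DC) Power Setting Index:\s*0x0*(\d+)\s*$') {
            if ($matches[2] -ne '1') {
                $findings += "Password on wake is off for $($matches[1]) power"
            }
        }
    }
    return $findings
}

$all = @(Get-LocalAccountAudit) + @(Get-LockOnResumeAudit)
if ($all.Count -eq 0) { 'No findings: in-Windows settings match the thread recommendations' }
else { $all | ForEach-Object { "FINDING: $_" } }
```

The BIOS password and boot-order items cannot be checked from inside Windows, so this covers only the settings an attacker who reboots the machine would still face once Windows itself is running.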
I am not in a domain environment as it is my own laptop.

He did not have access to any windows controls, as he had circumvented it without the ability to log onto windows.

He did not utilize the CD Drive or USB Ports
Therefore he did not use the windows password recovery CD or other peripherals etc.

I have already put a bios password in as a precautionary step (as i know he had to reboot) And i have as recommended by the user above, placed my Hard drive as my primary boot device.

I also do not find the discussion of how he did this as unethical. This is after all my own machine, and as a Network Securities Student, one of the key points we are taught is that if we are not able to perform the security breaches or recreate it, we cannot learn from it or take steps and measures to prevent it. This being a Windows 7 Forum, I find that out of all the other places over the internet, THIS is the place one should/would discuss an issue like this as it pertains and has relevance to the operating system and configuring and securing the environment.
DAS:

Your point is well taken. Please consider it from our point of view: breaking into someone else's computer IS unethical. We are not the place to educate people on HOW to break into a computer, but we are willing to make suggestions on how to secure your computer.

If your assessment of the means of intrusion into your computer is correct, I can only think of two means of access. First: the Default Administrator account can be enabled without a password, so it needs to have a password so that even if it is enabled, it cannot be accessed.

Second: a key logger might have been used to capture your password without your knowledge. It could be software or hardware.
 

The Administrator account has a password and was disabled during initial configuration.

There are no key loggers on my machine.

What really is stumping me is that he had to restart the machine to do this. This is leading me to believe that he tampered with a Windows file. Perhaps he deleted a file containing the user account passwords in particular. (I don't know what Windows calls it, as I only know it for Linux.) Again, he had no access to the Windows environment itself, so I don't think a software keylogger would be something I'd account for. Nor did he have peripherals such as hardware keyloggers.
 

Well ... if I may be allowed to joke with you (in a totally friendly way), unless he had a "magic wand", there is no way he could log in to your computer, either Linux or Windows, without your password or some external operating system.

BTW, this tutorial is a legit way to enable the Default Administrator account when one has damaged his computer and no longer has any administrator rights with any user accounts. That is why I recommend giving the special account a password. http://www.sevenforums.com/tutorials/56864-user-account-password-change-winre.html#post517551

Cheers!
Robert
 

Your mention of Linux makes me wonder if you are dual booting with a Linux distro? If so, and he could access that, he could read Windows files with it. I'm not certain, but I think that could be done with a Linux Live CD.
 

I think this thread has gone far enough with information relating to certain access points.
 

If you think he could get into the boot menu or BIOS, you can disable the keys on startup, like... You will not be able to use them either if you need to, though.

Edit, apologies: Sorry Brady, I didn't read your post. I was trying to offer a way to protect, not bring up security flaws and whatnot.
 

There are also programs like Eraser to get rid of sensitive data so it can't be dug up from your computer if it is compromised, or get a program to create an encrypted vault for your files. If you think he might have a program to hack your password, remember the longer the password the better. Even if he could decrypt your password, if it's 20 chars long, it will take him months(?) to crack it as opposed to days(?) for 6 alphanumerics.
 

A reboot with a Hiren's bootable CD and use of tools would make any of the problems possible. Also, a live Ubuntu CD would give full access as well, and it is easy to reset the Ubuntu password from a command line on boot.

I would report this person to the proper authority if it is relevant.
 

Did you ask him what he did? Did you bring it to a higher authority?
Is this your own personal computer? If it is ... well then ...... :mad:
 

Yea, I had a gut feeling he used my Ubuntu to access my Windows files. But I have a secure alphanumeric password for both the root and my account on my Ubuntu as well as my W7. I have already set a BIOS password as well and set my HDD as my primary boot device.

As for reporting him: while I am a bit pissed that he tampered with a configuration without telling me first (i.e. deleted my account passwords), it's just something he does. He's a classmate and we both study in the network security field, i.e. he does it to try to motivate me to keep updated on security flaws and weaknesses. This is why he won't tell me exactly what he did. Unfortunately, I cannot seem to figure out what he did, and it's unnerving that he can break into my account when he pleases (though I have the BIOS password set now). The methods for "resetting" the Windows password do not meet the criteria of events and procedures he used.

If this issue really is a "flaw" or weakness in the operating system, I would think that this knowledge should be public knowledge so that the community and people around the world can work to protect themselves. While I understand why some users are compelled to keep this under wraps, if you hide these weaknesses, you're basically just saying, "Yea ok, there's a problem, but we're not gonna tell you what the problem is." One of the first things they teach us is that obscurity is the worst form of network security. If these people know about this weakness, they must have learned it somewhere, and if that flow of information and education stops, the new generation of security admins will not have the proper education to protect the systems they are hired to protect. I cannot help but feel that this is more than just an attempt at obscurity, as the logic behind the argument to me is flawed based on the security through obscurity principle. Instead (whether intentional or unintentional), the feeling of oppressing the learning and education of emerging students in regards to that information can only serve to increase the gap between amateurs and professionals.

As I see it, security breaches like this are like a festering wound. If you leave it unattended for too long, it'll become worse and worse. Ignoring it and withholding treatment does nothing to serve the community. With that in mind, I think it's unethical to withhold this kind of information that the community of users has a right to know about to protect themselves with.

Thank you Iseeuu. The method you described seems to fit the criteria. I'll explore this in greater detail and get back to you with my results. :)
 
