Long story short, the jealous ex of a woman I’m seeing has suggested that he may have hacked my employer-provided email. I don’t really believe it, but I want to check. I’m not sure if he might have hacked my computer itself, or our mail server. What can I do to try and find out?
My computer is a Mac running OS 10.2. I’m assuming I can call our provider and find out if they can check their servers, but what can I do about my own computer? Any help is greatly appreciated.
Well, I hate to give useless advice, but if you’re not relatively experienced, it’s tough to do, and I don’t know anything about Macs. I’ll say a bit about the process though:
The most likely type of “hack” is if he discovers your password. Is this possible? It doesn’t require any computer knowledge on his part to exploit, but it doesn’t take much on your end to fix it: change your password.
For him to do anything more sophisticated requires some knowledge; is he pretty computer savvy?
As I say, I know nothing about Macs and their email clients, but I suspect the issue isn’t there; it’s more likely at the server side. To do forensics and try to detect if the server had been hacked and by who requires digging into lots of log files and looking for traces of things that don’t belong. As I say it’s more sophisticated than space allows here, and it’s very different for different platforms and email software.
If in fact your employer's email system is hackable (which is not good), they should tighten it up by updating to the latest versions of everything applicable and applying all important patches first, then running a vulnerability scan and working with the results as necessary. If it's infected with anything, that must be dealt with first, of course.
It’s very unlikely you’ll be able to determine whether you’ve been cracked from a technical standpoint unless you turn it over to your provider. Even in that case, it depends on your admins being smarter than the cracker, so there’s no guarantee you can get conclusive evidence even if you have been cracked.
From a social engineering standpoint, it may be a lot easier to verify the claims using basic misinformation. You can send yourself mail with something false but inflammatory and see if the contents get distributed. If you have access to a web server with logs, you could send yourself an email with a message like "here are the pics of your new girlfriend we took" and link to something unique and unlinked on the server. If that URL is ever hit, you have fairly conclusive evidence of a crack, and you have IP info to use to pursue the cracker.
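The canary-link check described in the post above, as an added example that is not from the thread: it generates an unguessable path to put in the bait message and scans a web server's combined-format access log for any request touching that path. The log lines, IP addresses and the token in them are constructed, and the function names are assumptions of this example.

```python
import re
import secrets
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2003:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Mar/2003:21:47:55 -0500] "GET /pics/canary-k3Qx9Zp1/photo1.jpg HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.7 - - [13/Mar/2003:08:02:11 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
198.51.100.23 - - [13/Mar/2003:21:50:03 -0500] "GET /pics/canary-k3Qx9Zp1/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 5.1)"
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def make_canary_path(prefix="/pics/canary-"):
    """Return a fresh, unguessable path to embed in the bait message (new token each call)."""
    return prefix + secrets.token_urlsafe(9) + "/"

def find_canary_hits(log_text, canary_path):
    """Return (ip, timestamp, status, user_agent) for every request under canary_path.

    Any hit counts, including 404s: the path was never published, so the only
    way to know it is to have read the bait message.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than crash
        if not m.group("path").startswith(canary_path):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts, int(m.group("status")), m.group("ua")))
    return hits

def summarize(hits):
    """Group hits by source IP: {ip: (count, first_seen, last_seen)}."""
    by_ip = {}
    for ip, ts, _status, _ua in hits:
        by_ip.setdefault(ip, []).append(ts)
    return {ip: (len(v), min(v), max(v)) for ip, v in by_ip.items()}
```

Run it against the real access log with the path you actually mailed yourself; a single hit from any address you do not recognise is the evidence the post talks about, and the timestamp tells you when the message was read.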
micco, thank you for using the word hack correctly, and for also using the word cracker.
Such intelligence makes me think there’s hope for humans after all.
And, yes, it can be very hard to uncover a crack if the cracker is more intelligent than you. There are ways to detect intrusions (tripwire comes to mind), but it may be too late for that by now: If the cracker got root access, he could have compromised arbitrary programs, both for malicious purposes (leaving backdoors in login, turning init into a fork bomb, any number of awful things) and to cover his tracks (changed ps and top so they can't see his 'special' processes, for example).
The only semi-sure way is a full reinstall and disk reformat. Other than that, you can tighten up ipchains (your firewall) and maybe install tripwire anyway (to see if anyone but you is altering files on your computer).
Just to cover the low end, if someone has “cracked” your email, it’s most likely they just guessed your password and read your mail rather than compromising the server. That is, from the server’s standpoint they were just another legitimate access and your account is the only one compromised. Someone who guesses your password can use an email client set to leave a copy on the server (rather than the typical email client config that deletes from the server after download) so you’d never notice that the mail had been downloaded and read before. If this is the case, you can fix the problem by changing your password, but you may want to use the misinformation I mentioned earlier to gather evidence before locking them out. In this case, the system admins are unlikely to be able to help much and they’ll just recommend you change your password. They might be able to give you a log of your access times which you could correlate with times you knew you’d checked mail in order to determine if there were other hits on the account.
FWIW Derleth, I refuse to get into that debate again. I have always used the words the way I used them above and I’ll continue to do so, but there are perfectly good arguments for the opposite use (using hack where you and I use crack). There is no “correct” usage and there is significant history to justify either position. There’s just no point in starting that fight up yet again.
Man, Derleth why do you have to throw in your personal little hijack into each one of these?