
I Hate Linux

Monday, March 12, 2018

Laptop power states can lead to paranoia

A few weeks ago I had a spooky event, from which there were important learnings, and since nothing bad happened, it is the sort of thing I can happily share rather than hang my head in shame.

Background

For ages I've made my main home desktop machine (whichever that happens to be) accessible via Remote Desktop. Even when sitting on the couch on a laptop, I am most likely controlling the desktop as it has all of my tools, apps, etc... as well as plenty of storage and RAM.

This also comes in handy when at work so I can maintain separate browser environments in case I want to search/view something I don't want showing up in official logs (i.e., I don't want to worry the security/HR people if I happen to look up the specs of a particular firearm at work, nor do I want to be accused of being a shill for this or that on a web forum based on an ownership lookup of the IP range I am on at the office).

WTF?

A few weeks ago I was working on some things physically at my desktop when I got logged out, with a message that *someone else* was connecting remotely.

Was my Microsoft Account password compromised? How? It's rather complex and very carefully used. It has never even been written down on paper or in an instance of Notepad.

I was quickly able to log back in locally, yanked the network cable and started the fun process of changing all critical passwords and taking a backup image of the hard drive, then went to bed... it was late.

Some cursory examination of my router and Windows logs told me a disturbing story: I was seeing connection attempts to the default Remote Desktop port every 3-5 seconds, for as far back as the logs went, and from places all over the world.

The day after

Upon getting to work, I mentioned the event to my lead and the head of the networking team, as the day before they had wondered whether I had uploaded an unusual amount of data from my work machine (which I didn't believe I had). Fearing the incidents might be related, I asked them to look into the network logs on their end.

It turns out their firewall views inbound and outbound traffic oddly, so someone in our subnet downloading a fair number of large MacOS updates tripped some data-exfiltration warnings.

Breathing a bit of a sigh of relief, back at home I installed a new hard drive with a fresh install of Windows in case something on the old one had been compromised.

Feeling confident that I had contained whatever damage could have been done, I enabled Remote Desktop again, but on a non-obvious port and got back to my life...

Until...

A week and a half later while sitting at my desktop... it happened again!

You could argue that without 2FA on my Microsoft Account, it was bound to happen eventually (previously not enabled due to issues with Xbox)... but to have it happen again, so soon, with a completely new password, 2FA enabled (not that it matters for desktop RDP) and on a random port? Who the hell did I piss off to get popped like this so quickly?

Again, I yanked the network cable, turned off the PC and went to bed... not having the energy to deal with the issue at the time.

What if...?

The next morning, I had a theory... what if some other device of mine was legitimately logging in? I went looking first at my personal laptop and found it had in fact been awake at the same time as the previous night's event... exactly 3 hours after my last use.

Hmmmm.

That night I tested the theory: I opened up my laptop, connected to the desktop via RDP, closed the lid, and made my way down to my desktop a couple of hours later, making sure I was sitting there when, sure enough, I got logged out.

As it turns out, after 3 hours of being asleep, my laptop briefly boots to a full power state in order to go into full hibernation. During this window, the RDP app re-asserts itself and kicks a local user off whatever session it is logged into... even though waking the laptop during this window shows the RDP application asking for a password to connect to the remote session.
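Two checks that would have shortened the investigation above, written here as an added example rather than anything from the original post. The first, run on the laptop, reads the "Hibernate after" timer that decides when a sleeping machine wakes to hibernate; the second, run on the desktop, lists Remote Desktop session logons and reconnections with the client address that triggered them, so a reconnect can be tied to your own laptop's address instead of an unknown host. Both assume an elevated PowerShell prompt and English-language Windows output (the regexes match the English text of `powercfg` and of the TerminalServices event messages); the function names are my own.

```powershell
# Added example, not from the post. Assumes an elevated PowerShell session
# and English-language Windows output for the text being matched.

# On the laptop: how long after sleep does Windows wake to hibernate?
# powercfg reports the "Hibernate after" setting as hex seconds for AC and DC.
function Get-HibernateAfterSeconds {
    $out = powercfg /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE
    $ac = ($out | Select-String 'Current AC Power Setting Index: 0x([0-9a-f]+)').Matches[0].Groups[1].Value
    $dc = ($out | Select-String 'Current DC Power Setting Index: 0x([0-9a-f]+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        OnAC      = [Convert]::ToInt32($ac, 16)   # 0 means never; 10800 = 3 hours
        OnBattery = [Convert]::ToInt32($dc, 16)
    }
}

# On the desktop: which client address logged on to or reconnected to an RDP
# session, and when? Event 21 = session logon, 25 = session reconnection; the
# event message carries "User:" and "Source Network Address:" lines.
function Get-RdpSessionConnections {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $addr = if ($_.Message -match 'Source Network Address:\s*(\S+)') { $Matches[1] } else { '?' }
        $user = if ($_.Message -match 'User:\s*(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = $_.Id        # 21 = logon, 25 = reconnection
            User   = $user
            Source = $addr
        }
    }
}

Get-HibernateAfterSeconds
Get-RdpSessionConnections -Hours 48 | Format-Table -AutoSize
```

A reconnection (event 25) whose `Source` is the laptop's own LAN address, timestamped just after the laptop's `OnBattery` timer would have expired, is the benign pattern this post describes; the same event from an address you don't recognise is the one worth treating as an incident.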

Benefits & learnings

On the plus side... the event gave me an excuse to upgrade the size of the SSD in my desktop and to buy a few fresh sets of underwear, and it left me with some major takeaways:

1. I never should have had the default port exposed,
2. Two-factor authentication should be supported out of the box on the client (though Duo can be used for free to do so), alas Microsoft has abandoned the home desktop user,
3. I need to be more diligent about watching failed logons, no matter how confident I am that a good password isn't going to get compromised.
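For the third takeaway, a way to actually watch failed logons rather than intend to, added here as an example and not part of the original post. It summarises Security event 4625 (failed logon) on the exposed desktop by source address and target account, restricted to the logon types that Remote Desktop produces. One caveat a practitioner should know: with Network Level Authentication enabled, a failed RDP attempt is logged with logon type 3 (Network) rather than 10 (RemoteInteractive), so both are included by default. The function name and the default time window are my own choices; it assumes an elevated PowerShell prompt on a machine whose Security log retains enough history.

```powershell
# Added example, not from the post. Assumes an elevated PowerShell session.
# Summarise failed logons (Security event 4625) by source address and account.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,
        # 10 = RemoteInteractive (RDP). With Network Level Authentication on, a
        # failed RDP pre-authentication is logged as type 3 (Network) instead,
        # so both are kept by default.
        [int[]]$LogonTypes = @(3, 10)
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = [int]$data['LogonType']
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            SubStatus = $data['SubStatus']   # 0xC0000064 = unknown user, 0xC000006A = bad password
        }
    } |
        Where-Object { $LogonTypes -contains $_.LogonType } |
        Group-Object Source, Account |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Group[0].Source } },
            @{ n = 'Account'; e = { $_.Group[0].Account } },
            @{ n = 'First';   e = { ($_.Group | Sort-Object Time)[0].Time } },
            @{ n = 'Last';    e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

Get-FailedLogonSummary -Hours 72 | Format-Table -AutoSize
```

Run against the log described in "WTF?" above, this is what turns "attempts every 3-5 seconds from all over the world" into a ranked list of source addresses and the account names being tried; a steady stream of `0xC0000064` against accounts that don't exist is password guessing, while a burst of `0xC000006A` against your real account is the one that should prompt a password change.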