1 Login Failed When Back from Supermarket

I got back from the Supermarket.

I saw a “1 login failed” message when I logged in. I don’t remember trying to log in earlier in the day.

I am subletting a place. It’s possible someone could have access to it. When I left to go to the supermarket there was a homeless person outside with a bag containing multiple candy bars and sodas, which I could see because they were sitting down. When I got back there was a candy wrapper on the ground and no signs of entry.

My system doesn’t look tampered with. I was gone about 50 minutes. Although I was gone 50 minutes, sometimes I leave and am gone for just a few minutes. The message saying there was one failed login attempt was from 50 minutes ago. If someone tried to log in and failed, they did it almost immediately after I left, or it was me and I forgot I did this. I don’t think I forgot because I remember how surprised I was when seeing the message.

There was one time prior to that when I left and came back and something was turned on and I thought “I thought I turned that off.”

Qubes was locked but not off when I left and when I got back.

Could someone have accessed my system and have done a RAM dump? I have TPM 2.0 but it’s not supported in Qubes.

I had attached a hard drive several days before and used a complex password to decrypt some files. I had not done a reboot. Could someone who did a RAM dump have that password from RAM multiple days later if the VMs were closed?

Is there a way to check the last opened time for VMs? There were some VMs that were closed.

There isn’t a reason a nation state would want to spend a lot of resources on me. I am not an extremist. I have views on software and networking that are a bit unusual. I sometimes have done unusual programming stuff for learning purposes but not anything that would increase a threat model that much.

It seems most likely that I tried to log in that morning and just forgot doing it but I really don’t think I did.

Sometimes you read about people who get feelings or something strange happens and they just ignore everything. What should I do? What logs should I look at? Is there anything in dom0 I should inspect?

I don’t think there are cameras or microphones placed in the apartment, but I can’t be sure. I used a detector but they don’t always work. It would be hard but not impossible to hide something like that. I did not change the locks temporarily when I got here but would know if someone got in through a window.

Should I format the hard drive multiple times, destroy my computer, and start again? I never thought my threat model was high enough for an evil maid attack and I am probably just being stupid.
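As an added example (my own, not from the original post or the Qubes project): a small POSIX shell script that pulls PAM authentication failures out of the dom0 journal, which is where the events behind a “N failed login attempts” banner end up, and lists when each one happened and which PAM service (the greeter or the screen locker) rejected it. The sample journal lines inside the script are constructed for the demonstration; the pam_unix message format is the real one, but the locker’s PAM service name (xscreensaver here) varies by Qubes release, and the HH:MM:SS window function assumes all lines come from the same day.

```sh
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# Lists PAM authentication failures from dom0 journal output so a
# "1 login failed" banner can be tied to a time and a service.
# Assumption: the pam_unix log line format below; the locker's service
# name (xscreensaver) differs between Qubes releases.

# Constructed sample of `journalctl` output, not real logs.
SAMPLE_JOURNAL='Mar 12 09:40:05 dom0 lightdm[1201]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=user
Mar 12 09:40:19 dom0 lightdm[1201]: pam_unix(lightdm:session): session opened for user user by (uid=0)
Mar 12 10:03:17 dom0 xscreensaver[2345]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=user
Mar 12 10:03:25 dom0 xscreensaver[2345]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=user
Mar 12 10:51:02 dom0 xscreensaver[2345]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=user
Mar 12 10:51:40 dom0 xscreensaver[2345]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=user'

# pam_auth_failures: stdin = journal lines, stdout = one tab-separated line
# "<Mon DD HH:MM:SS>\t<pam service>\t<user>" per authentication failure.
# Only pam_unix(<service>:auth) failures count; session/account lines do not.
pam_auth_failures() {
  awk '/pam_unix\([^)]*:auth\): authentication failure/ {
    ts  = $1 " " $2 " " $3
    svc = $6
    sub(/^pam_unix\(/, "", svc)       # "pam_unix(lightdm:auth):" -> "lightdm:auth):"
    sub(/:auth\):$/, "", svc)         # -> "lightdm"
    user = ""
    for (i = 7; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
    printf "%s\t%s\t%s\n", ts, svc, user
  }'
}

# count_auth_failures: stdin = journal lines, stdout = number of failures.
count_auth_failures() {
  pam_auth_failures | awk 'END { print NR + 0 }'
}

# auth_failures_between LO HI: stdin = journal lines; prints the failures
# whose HH:MM:SS falls inside [LO, HI]. Same-day lines assumed, so a plain
# string comparison of the zero-padded times is enough.
auth_failures_between() {
  pam_auth_failures | awk -F '\t' -v lo="$1" -v hi="$2" '{
    split($1, t, " ")
    if (t[3] >= lo && t[3] <= hi) print
  }'
}

# report: stdin = journal lines; prints every failure and a total.
report() {
  data=$(cat)
  echo "PAM authentication failures (time, service, user):"
  printf '%s\n' "$data" | pam_auth_failures
  printf 'total: %s\n' "$(printf '%s\n' "$data" | count_auth_failures)"
}

if [ "${1:-}" = "--live" ]; then
  # In dom0: current boot only, which is the window that matters when the
  # machine has not been rebooted since the banner appeared.
  journalctl -b --no-pager | report
else
  printf '%s\n' "$SAMPLE_JOURNAL" | report
fi
```

Run with no arguments to see the constructed sample; in dom0 run it with `--live`. A failure logged under the locker’s service (xscreensaver in the sample) means someone typed a wrong password at the lock screen, while one under lightdm means the greeter, so the service column tells you which screen the attempt hit. The timestamps are what let you compare against when you left; `journalctl --since '-2h'` in place of `-b` narrows the window further.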

If you have a pet freely wandering in your home, I’d suspect them to have hit random keys. (I’m serious)


Something like that. I would treat it as compromised for sure though.

Are you suggesting that a homeless person entered your property, tried to log into your Qubes OS machine once, failed, and then ate a candy, left the wrapper on the ground, and left?

I have encountered this in the testing of Qubes 4.2. It has been fixed with updates.

Sounds like you need this:

Unlikely, unless you had software continuously keeping that in your RAM.

So, the homeless guy wasn’t an international spy? Damn…the story was just getting good…


Look, in all seriousness, you’re probably fine. It’s highly likely that your logs will show something innocent, or possibly the bug I was referring to.

But if you’re truly worried, by all means, rebuild your system.


Are you suggesting if a state is investigating someone and doesn’t have enough evidence to arrest them, but they have a court order to go inside and try to get access to devices in secret or put in microphones or cameras, they wait outside in uniforms that say “state agent” on the front?

The candy was outside not inside.

I am suggesting I probably have a bad memory, am somewhat paranoid, thought about logging into Qubes and didn’t, and don’t remember. I use a lot of very new technology but I am not someone that anyone would normally consider to have an extremely high threat model.

So I probably have a bad memory, but if I’m wrong, then there is probably a whole bunch of things I should be doing right now.

The probability of my memory being faulty is 98 percent.

The probability of something else is 2 percent.

But if it’s not my faulty memory, the risks are large enough that it would be stupid to not do anything. I would not expect there to be a reason for me to be investigated.

No pet or pets.


Don’t get me wrong, I think it’s fantastic that you’re erring on the side of caution, but there comes a point…


Did any of your logs reveal anything useful?

I want to help you put your mind at ease (or rule out the innocent scenarios and then guide you through what to do to fix it).


No VMs I would be most concerned about were accessed. Nothing seemed abnormal in logs.

Nothing was done recently enough that they could get anything from a RAM dump.

The thing that was so strange about that day is I really wanted to start working on a project. And I remember thinking “No I shouldn’t start that now, I should do other things first and work on it later.” And I remember choosing not to work on it at all, not going near my laptop at all. I remember making a choice and choosing not to even go near it.

And I get the “1 Failed Login”. Right around the time I left, or possibly a few minutes after I left, is when there is a failed login. I don’t think I was imagining this.

It’s also possible it was someone who has access to the place who is just trying to steal electronically. It could be someone who couldn’t do an evil maid attack but who would walk in and try to log in to see if there were any bookmarked bank accounts with cookies and saved passwords and make transfers, but who was not able to get in; someone who figured I would be gone for at least a certain amount of time and went in and out quickly.

I know Qubes has good evil maid protection and I am stupid and don’t use it. I should back up what I need and reinstall everything. I don’t have time to do it right away. It’s pathetic I didn’t have evil maid protection before. It’s one of the things the creator of Qubes is most known for.

I am probably paranoid and crazy but better paranoid and crazy than compromised and oblivious.

What evil maid protection does Qubes have? Are there posts on it? I’m sure it’s in the documentation and I probably just need to read it.


The computer was still ON so nothing could have been done to its firmware IMO.


It helps to know that. Thank you.


I am only speaking to this and generally. Not specifically to the circumstances of this forum thread as this is very hardware specific. Just talking information security theoretically and about what I quoted only.

Some BIOS or EFI firmware can be updated while running Windows. Scary, but it is what it is. I don’t know how widespread this functionality is. The updater software is most likely proprietary. In theory, this functionality could be re-implemented by the Linux community.

This is unlikely to happen as reverse engineering this is very difficult, any bugs might result in bricking the motherboard and there are presumably more generic, standardized, secure solutions (fwupd).

That however shows that an adversary with sufficient motivation and funds could develop software to reflash the firmware from Linux (in the case of Qubes: from dom0). They would probably also have to find an exploit to bypass the presumably existing digital signature verification of the firmware updating API.

Also, once malicious code has been executed in dom0, all protections are gone. Even if it is not possible to directly reflash any firmware (USB, keyboard, BIOS) from Linux or dom0, a rootkit / bootkit could be installed: malware that runs earlier during boot or replaces the bootloader to gain higher privileges. Then anything could happen, including firmware compromise.

This is why it is of crucial importance that dom0 stays secure.

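As an added example for the bootkit scenario in the post above (my own script, not from the thread or from Qubes OS, and not a substitute for measured boot): a POSIX shell script that records a SHA-256 baseline of the files a bootkit would replace (bootloader, hypervisor, kernel, initramfs) while the machine is in a state you trust, and re-checks that baseline later. It is a detection check, not a protection: a dom0 that is already compromised can feed it false data, so the baseline has to live on media you keep with you. It assumes GNU coreutils (sha256sum, mktemp) and paths without whitespace; the directory tree built by demo_boot_tamper is constructed for the demonstration and is not a real Qubes layout.

```sh
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# Baseline-and-verify check for boot-path files: take hashes from a trusted
# state, store them offline, compare later. A compromised dom0 can lie to this
# script, which is exactly the point the post above makes.
# Assumptions: GNU sha256sum/mktemp, file paths without whitespace.

# make_baseline DIR OUT: write "<sha256>  <relative path>" for every regular
# file under DIR to OUT, sorted by path so two baselines diff cleanly.
make_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_baseline DIR BASELINE: print one line per difference
# (CHANGED / MISSING / NEW followed by the path) and return 1 if there is
# any, 0 if every file still matches. Returns 2 on an empty baseline.
verify_baseline() {
  [ -s "$2" ] || { echo "verify_baseline: empty baseline $2" >&2; return 2; }
  cur=$(mktemp)
  make_baseline "$1" "$cur"
  diffs=$(awk 'NR == FNR { base[$2] = $1; next }   # first file: baseline
               { cur[$2] = $1 }                    # second file: current state
               END {
                 for (p in base) {
                   if (!(p in cur))             print "MISSING", p
                   else if (cur[p] != base[p])  print "CHANGED", p
                 }
                 for (p in cur) if (!(p in base)) print "NEW", p
               }' "$2" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  if [ -n "$diffs" ]; then
    printf '%s\n' "$diffs"
    return 1
  fi
  return 0
}

# demo_boot_tamper: build a constructed boot tree, take a baseline, then
# simulate a bootkit install (modified bootloader, removed kernel, added
# file) and print what verify_baseline reports.
demo_boot_tamper() {
  tree=$(mktemp -d); base=$(mktemp)
  mkdir -p "$tree/EFI/qubes" "$tree/boot"
  printf 'grub image v1'  > "$tree/EFI/qubes/grubx64.efi"
  printf 'xen hypervisor' > "$tree/EFI/qubes/xen.efi"
  printf 'kernel image'   > "$tree/boot/vmlinuz-6.1"
  make_baseline "$tree" "$base"
  printf 'grub image v1 + implant' > "$tree/EFI/qubes/grubx64.efi"  # CHANGED
  rm "$tree/boot/vmlinuz-6.1"                                     # MISSING
  printf 'dropper' > "$tree/boot/initrd-extra.img"                 # NEW
  result=$(verify_baseline "$tree" "$base") || true
  rm -rf "$tree" "$base"
  printf '%s\n' "$result"
}

case "${1:-demo}" in
  baseline) make_baseline   "$2" "$3" ;;   # baseline DIR OUT
  verify)   verify_baseline "$2" "$3" ;;   # verify   DIR BASELINE
  *)        demo_boot_tamper ;;
esac
```

Run with no arguments to see the simulated tampering reported as three lines (CHANGED, MISSING, NEW). For real use the sequence is `baseline /boot /media/usb/boot.sha256` right after a clean install or update, with the media removed afterwards, and `verify /boot /media/usb/boot.sha256` whenever something feels off; a non-zero exit means the boot path no longer matches the state you trusted. The hash of /boot tells you nothing about the firmware underneath it, which is why the post treats dom0 compromise as the point of no return.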