30 January 2012

Is your webcam light glowing ?

Excerpts from an unsettling story at GQ:
Amy, a 20-year-old brunette at the University of California at Irvine, was on her laptop when she got an IM from a random guy nicknamed mistahxxxrightme, asking her for webcam sex. Out of the blue, like that. Amy told the guy off, but he IM'd again, saying he knew all about her, and to prove it he started describing her dorm room, the color of her walls, the pattern on her sheets, the pictures on her walls. "You have a pink vibrator," he said. It was like Amy'd slipped into a stalker movie. Then he sent her an image file. Amy watched in horror as the picture materialized on the screen: a shot of her in that very room, naked on the bed, having webcam sex with James...

Amy decided to call the cops herself. But the instant she phoned the dispatcher, a message chimed on her screen. It was from the hacker. "I know you just called the police," he wrote. She panicked. How could he possibly know?..

The campus police were in no position to handle a case like this. Whoever devised the malware—a sophisticated program capable of dodging antivirus software—clearly had a leg up on university cops. The task of hunting him down fell to agents Tanith Rogers and Jeff Kirkpatrick of the FBI's cyber program in Los Angeles...

Hackers had been accessing cameras here and there for a while. But Mijangos started thinking big: He decided to weaponize them on an unprecedented scale... As soon as she opened the file, Mijangos was in—he had access to her every file, every photo, and could even keep a log of every keystroke, which meant every password. But that wasn't all. Mijangos hit a few buttons, then watched in awe as his screen filled with an image taken by her webcam...

He says it didn't take long for word to get out that he was the go-to guy for anyone looking to spy on a girlfriend or wife. For $150, he'd infect the target's computer, then send his clients links so they could snoop themselves. Mijangos knew a few of his clients were "just perverts" spying on some unsuspecting stranger, but their money was just as good...
You can read the rest of the story at GQ.  BTW, your webcam light is off?  Good.  Now read this:
It's a good thing the FBI discovered the scam when they did, too. Mijangos told me that he'd figured out how to turn off a camera's LED, cloaking himself completely.
Consider covering the lens with a Post-It note...

18 comments:

  1. Use black duck tape or similar; Post-It notes are opaque and fall off easily.

    ReplyDelete
  2. Or don't have a webcam. I think he'll have trouble trying to see into my room..

    ReplyDelete
  3. My cam came with a lens cap that stays on all the time when not in use.

    ReplyDelete
  4. I'm less concerned about anyone watching me through the webcam than I am about this bit: "[H]e had access to her every file, every photo, and could even keep a log of every keystroke, which meant every password."

    ReplyDelete
    Replies
    1. I have been told (not sure if it's true) that one way to bypass a keylogger is to copy/paste your passwords, rather than typing them in. They can even be copied from an incorrect version (if you'd rather store that) and then after pasting change the 3s to 9s or whatever.

      But don't take my word on that.

      Delete
    2. Plus, if someone has access to all my files, that means the file with the passwords, too.

      I personally put a bandaid over the webcam lens on my laptop after I watched a Discovery Channel show about evading surveillance.

      Delete
    3. Right, but if you're going to store them on your computer, you can store incorrect versions, with the conversion kept only in your mind (or in your bank safe deposit box for your heirs).

      For example, if your real password to the National Butterfly Association is NBA3yrs#3dh, then store it as NBA9yrs#9dh, with the understanding that any password of yours containing a 9 actually uses a 3.

      Delete
    4. If the attacker had access to a keylogger on your machine - and nothing more - then copy/pasting passwords might be effective. In reality, if an attacker has enough access to your computer to install a keylogger, they have enough access to do everything else, which includes reading your password file and watching you edit them. It's roughly the equivalent of having a fake front door on your warehouse and counting on that to protect you when the thief is already inside the building.

      Generally speaking, security by obscurity is a bad idea. It's much more effective just to keep your machine patched and use a good antivirus to avoid being hacked in the first place. Tape over the camera isn't a bad idea either. If you want more security than that, learn to use linux. :-D

      Delete
    5. having just discovered that some website security systems do not allow cut and paste passwords, I think it would be minimally effective.

      These days, it's probably safer just to write your passwords in cursive with a pen and paper and leave them on your desk.

      Delete
  5. This is why the webcams on the notebooks at school are locked off in the BIOS.

    ReplyDelete
  6. No pity from me mate.What the hell are you doing banging with the camera there? Too much dilapetated morals going on in the world. Have some COMMON decency.

    ReplyDelete
  7. And that is why the webcam light should be done in hardware, not in software. (And for what it is worth, I deliberately choose a laptop without a camera.)

    ReplyDelete
  8. I keep a piece of tape over mine

    ReplyDelete
  9. Easy solution: CLOSE THE LAPTOP.

    The hacking...? My guess is the government does this all the time. Nothing on a computer is truly private.

    ReplyDelete
    Replies
    1. It's ever-so-slightly hyperbolic to state that the government (of the U.S.A. anyway) is actively snooping on every laptop user, but there is a grain of truth in your statement - I recall reading something a procedural doc at cryptome.org (or similar) detailing the requirement that machines with built-in webcams have the webcams physically removed.

      Delete
  10. I keep a post it flag over my camera lens. It'll let a tiny bit of light through, but you can see anything. I checked. :) I should really install a better firewall, though.

    ReplyDelete