06 April 2013

Taping over prying eyes of web spies

IT experts are resorting to some simple techniques to secure their webcams.


Many Australian and international IT security experts are using Post-it notes, electrical tape, Band-Aids and even cigarette papers to secure their computer web cameras from hackers.

The phenomenon was discovered after security experts were asked a simple question that arose after publishing a story about unsuspecting victims who become "RATted" by hackers who use Remote Administration Tools, or "RATs", to spy on them.

In many cases hackers who use RATs can switch on a victim's web camera or microphone after infecting them.

The question asked was whether the experts concealed their webcam when it was not in use.
Advertisement

Although many web cameras offer a telltale LED light which indicates whether it is active, Fairfax found many security experts didn't trust that it would operate correctly if a hacker compromised their machine. After all, hackers have found ways to disable some webcam lights.

A number of manufacturers, like Apple in their MacBooks and iMacs, ensure that the web camera is hard-wired in such a way that the green LED will always turn on regardless of any software changes. But some manufacturers don't make use of a light at all, or when they do they are very lax with how it is implemented, allowing for it to be easily turned off by software.

Matt Tett, managing director of Enex TestLab, which is hired by governments and businesses to test their IT systems, told Fairfax he used a Post-it note to secure his web camera.

“It's just a logical thing that paranoid people do, right?” Mr Tett said.

“I've seen a few people do it,” he added.

Information security analyst and Risky.biz podcaster Patrick Gray also admitted to covering up his laptop's camera. When he smoked, he used the glued part of a cigarette paper to protect it.

“If I need my camera I'd rip it off [and] then just stick a new one over the top when I'm done, although I'll probably have to think of something else now I've quit smoking,” Mr Gray said.

Mikko Hypponen, chief research officer at anti-virus firm F-Secure, uses a Band-Aid. In an email response explaining why, he said: “I'm paid to [be] paranoid. So what do you expect?”

Mr Hypponen also noted that the man behind spying software FinFisher and FinSpy, which is sold to governments, was recently snapped with tape over his MacBook's web camera. Another prominent security expert, also publicly outed for using tape over his MacBook camera, was public-key cryptography expert Whitfield Diffie, at the AusCERT security conference in 2010.

"I trust the tape more than I trust any program. I figure if there's a piece of tape over it, it isn't taking pictures of things," he told ZDNet Australia at the security conference on the Gold Coast.

Australian security researcher Troy Hunt doesn't cover his web camera. Instead he prefers to turn it away from him when it's not in use. “I am partially paranoid about it,” he said.

“I would hope that the light would come on and save me, but at the end of the day that's [usually] a software decision and we all know what can happen with software,” Mr Hunt added.

Mr Hunt was referring to how it is sometimes better, at least when it comes to something like an LED indicator on a web camera, to make the LED hard-wired so that no matter what is done on the software side of things the LED cannot be turned off even when the camera is active.

Carlo Minassian, CEO of IT security firm Earthwave, said all web cameras and microphones at his company were “disconnected” after use each and every time, as per company policy. If web cameras or microphones were inbuilt, they were disconnected by uninstalling their drivers.

“When testing our customer's networks this is a common threat vector we are able to exploit regularly,” Mr Minassian said. “Furthermore, the building management system including the building security cameras are generally easy to tap into directly or via the admin's PC.”

Asked if others should do the same as the security experts and conceal their camera when it is not in use, Mr Minassian said: “Doing something is better than doing nothing knowing well the potential ramifications.”

David Campbell, director of operations at the federal government's national computer emergency response team, CERT Australia, declined to comment in his personal capacity as an IT security expert via the Attorney-General's Department.

Chris Gatford, of security firm HackLabs, was one of the few that declared they didn't cover their web camera, but said he understood why many people did. “I'm not quite that paranoid,” he said.

“It doesn't stop [hackers] from accessing other information. If they've got access to turn your webcam on they've certainly got access to do other things on your machine,” Mr Gatford said.

“So unfortunately putting sticky tape over [a web camera] is not a control to prevent access [to a computer] in the first place, which is something you'd be most concerned about [protecting].”

Mr Gatford's point is that when a hacker compromises a user using the method outlined in Tuesday's article, they often have full control over a PC, which is likely to have stored data on it that will be much more useful than a live web camera feed to a hacker, depending on their intent.

He said he practised “safe computing practices” – as opposed to covering his web camera – as one of his measures to prevent being compromised, which meant clicking only on trusted links.

For those wanting to implement the tape method, Mr Gatford advised that users should only cover the lens of the web camera and not any LED which could indicate a hacker's presence.

“If your web camera is on you kind of want to know whether or not [the hackers] are getting a picture. [Because if they're in your web camera], presumably they're getting sound,” he said.

The head of the Queensland police fraud squad, Brian Hay, said he didn't conceal his laptop web camera, but labelled the sticky tape security solution as “good safety advice”.

“It's about protecting your privacy,” Mr Hay said. “We all know that computers are not 100 per cent secure devices and this is just another vulnerability that needs to be taken care of. Remove the cover [on your web camera] when you need to use it, cover it when you don't need it.”

One business trying to take advantage of the paranoia offers $US4.99 "iPatches" for devices that have inbuilt cameras which conceals the lens neatly using a slider when it is not in use.

The security experts' comments come after a number of stories about webcam spying have surfaced. Fairfax reported last year that Melbourne-based Rentasaur leased laptops with software on them that tracked a user's location and had the capability to capture imagery.

Further, schools using government-supplied laptops in Queensland were in May last year found by the Courier Mail newspaper to have software on them that took time-stamped screenshots, monitored printing, visits to websites and keystrokes of students. A more severe case of spying occurred in the US in 2010 when a school, apparently accidentally, stored 30,000 laptop webcam images and 27,000 screenshot images while students were either at school or at home.

smh.com.au 3 Apr 2013

No comments: