12/10/2013
02:55 PM

6 Tips To Secure Webcams, Stop Keyloggers

If the FBI can activate webcams silently and record keystrokes, so can attackers. Here's how to defend yourself.

If malware remotely activated a webcam -- without turning on the light -- or silently logged keystrokes and infected a PC, would it be detected?

Don't be so sure. Marcus Thomas, a former assistant director with the FBI, recently told The Washington Post that, for the past several years, the bureau has been able to infect targeted systems with malware that lets it activate webcams remotely, record the video feeds, and log keystrokes. The capabilities reportedly have mostly been used for investigating terrorism and other serious crimes.

But if the FBI can launch camjacking attacks, so can others, including peeping Toms and sextortion practitioners. Furthermore, such attacks aren't rare. A Finnish hacker told the BBC in June that webcam access on the underground market went for $1 per target for a woman's webcam -- and just $0.01 per target for a man's webcam.

Keystroke recording has long been a feature of crimeware toolkits. Hackers seek any information they might turn to their financial gain. Take the stash of 2 million stolen passwords -- from Facebook, Google, Twitter, Yahoo, and other services -- recovered last week by Trustwave researchers. Neal O'Farrell, executive director of the Identity Theft Council, said the stolen access credentials were most likely harvested with keylogging malware.

How can camjacking and keylogging software be stopped? Here are six tips.

1. Antivirus tools alone won't save you
You should always use antivirus and antimalware products, but their success rate at spotting keylogging and webcam-hijacking software (whether developed by the FBI or criminals) isn't great. The security vendor OPSWAT recently took a sample of malware designed to log keystrokes, known as winpe/KeyLogger.SYK (a.k.a. PhrozenKeyloggerLite1-0R3_setup.zip), installed it on a test system, and scanned it using 40 different antivirus engines. As of last Thursday, only Norman's antivirus engine had detected the keylogger, OPSWAT's Alec Stokes wrote in a blog post. On Saturday, VirusTotal reported that Comodo's antivirus engine had added a detection signature for the keylogger, but 46 other engines still weren't detecting it.

The results were even worse when it came to testing whether 16 different antivirus engines could spot signs related to the malware running on a test system. "After a quick scan of running processes, none of the engines flagged the keylogger's process," Stokes wrote. In addition, one behavioral analysis engine also failed to sound alarms.

2. Employ anti-keylogging software
Instead of simply attempting to detect keyloggers, O'Farrell recommends trying to disrupt them. KeyScrambler (which is free) and Guarded ID (which costs $30 annually for two computers) are among the many good options available, he told us via email. "Some work by instantly encrypting or scrambling all your keystrokes so that they're unusable to hackers. They won't protect you against every type of keylogging, but are a good defense against the more common software."

3. Beware phishing attacks
How does camjacking or keylogging software get on to PCs? One typical infection vector is phishing, which is designed to trick an email recipient into opening a malicious executable. In fact, according to The Washington Post, that's the FBI's favored technique for infecting a system. However, the bureau uses it sparingly -- in part to keep references to the capability out of news stories -- and only after obtaining permission from a judge (which has not always been granted).

One defense against phishing is to ensure that systems remain fully updated and patched against all known vulnerabilities. A number of crimeware toolkits continue to exploit large numbers of systems that run outdated browser plugins (especially Java) with known vulnerabilities. Every successful exploit, of course, enables an attacker to install malware on the targeted PC.

4. Watch where you use passwords
Avoid typing sensitive information in public locations, especially if you're using a wireless keyboard. "More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard," said O'Farrell.

Of course, sensitive data can also be intercepted by anyone with the right technology and tools to sniff nearby WiFi data -- for example when users are logged into a public hotspot or a rogue hotspot disguised as one. Accordingly, think twice before sending sensitive information via the Internet when connected to a public hotspot.

5. Cover your webcam
Worried about someone hacking into your webcam? Cover it up with a piece of tape. That's long been the advice of leading information security professionals, including the cryptographer Whitfield Diffie. Mikko Hypponen, chief research officer at F-Secure, recommends using a Band-Aid, since it won't gunk up the webcam lens.

6. Keep reviewing your countermeasures
The above aside, someone -- say, an intelligence agency with deep pockets -- who really wants to capture your passwords will do so. "More than 25 years ago, a couple of former spooks showed me how they could capture a user's ATM PIN, from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke," O'Farrell said. "They could even capture keystrokes from computers in nearby offices, but the technology wasn't sophisticated enough to focus in on any specific computer."

Of course, the technological state of the art has continued to advance since then. But when it comes to keylogging, your most likely foe will still be incidental attacks -- of the malware variety -- that attempt to harvest information from as many PCs as possible. Putting the above tools and practices in place will help block or disrupt these automated attacks.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
WKash
User Rank: Apprentice
1/3/2014 | 4:18:06 PM
Re: Stop data from leaving PC
I certainly agree, tools that stop data from leaving your PC are preferable. But how many individuals have the time or technical know-how to run the kind of scans you're referring to? Is there really no product that can sit on your desktop (and not be hacked) that tells you someone's messing with your PC/laptop? And that makes it simple to lock them out?
MaxB491
User Rank: Apprentice
1/3/2014 | 2:52:21 PM
Re: Spying
Band Aid and Post its are sub optimal products for this purpose.

 

What we need is something that looks professional, or invisible, leaves no residue (I'm looking at you, Bandages) and will stay on. Something cheaper than a roll of tape or a pack of Post its. Something that can be cleaned and reused basically forever.

I think that webcamera blocker, www.webcamerablocker.com is the best product out there right now.
sedson
User Rank: Apprentice
12/16/2013 | 7:22:59 AM
Stop data from leaving PC
As an alternative to disrupting keyloggers, how about stopping data from leaving the PC?  I recently detected the Win64/Alureon trojan on a client machine by installing Malwarebytes and detecting the flow of data the trojan was trying to send out of the PC.  It took 3 days of running several scanners before detecting and identifying Win64/Alureon, but after running the removal tool the messages were stopped.  Blocking unauthorized traffic from leaving the PC could work for keyloggers, trojans, and other forms of malware by stopping delivery of the data.
WKash
User Rank: Apprentice
12/12/2013 | 3:39:17 PM
Re: Spying
OK... now what do we do to muffle those microphones on our laptops? 
David D.
User Rank: Apprentice
12/12/2013 | 12:32:00 PM
Re: Spying
Have you tried 3M Post-it Flags?  Variable width, re-usable, cheap, and no adhesive on the opaque section.

http://bit.ly/IRB2y1

 
JoshLuft
User Rank: Apprentice
12/11/2013 | 11:45:31 AM
Re: Spying
There already is a product out there that is designed exactly for this reason.

Look up camJAMR Webcam Covers ( www.camjamr.com ), or watch this video.

http://www.youtube.com/watch?v=h8utQ5eXa5c

Cheers!
ChrisMurphy
User Rank: Apprentice
12/10/2013 | 7:04:59 PM
Re: Spying
Agree, Wyatt, though we need something subtle that covers the camera but blends in -- so we can be paranoid without broadcasting to everyone around us that we're paranoid.
WKash
User Rank: Apprentice
12/10/2013 | 4:33:57 PM
Re: Spying
I'm surprised the makers of 3M Post-Its or even Band-Aids haven't come out with a Web Cam CoverAll product by now.

 
anon4453030347
User Rank: Apprentice
12/10/2013 | 3:12:37 PM
Spying
Great tips. Now we have the ability to stop keyloggers or spammers. But I have a question: how can we stop the government from spying on us? :)

 

Blog: Tech Lives 

Youtube: News Headlines