If malware remotely activated a webcam -- without turning on the light -- or silently logged keystrokes and infected a PC, would it be detected?
Don't be so sure. Marcus Thomas, a former assistant director with the FBI, recently told The Washington Post that, for the past several years, the bureau has been able to infect targeted systems with malware that lets it activate webcams remotely, record the video feeds, and log keystrokes. The capabilities reportedly have mostly been used for investigating terrorism and other serious crimes.
But if the FBI can launch camjacking attacks, so can others, including peeping Toms and sextortion practitioners. Furthermore, such attacks aren't rare. A Finnish hacker told the BBC in June that webcam access on the underground market went for $1 per target for a woman's webcam -- and just $0.01 per target for a man's webcam.
Keystroke recording has long been a feature of crimeware toolkits. Hackers seek any information they might turn to their financial gain. Take the stash of 2 million stolen passwords -- from Facebook, Google, Twitter, Yahoo, and other services -- recovered last week by Trustwave researchers. Neal O'Farrell, executive director of the Identity Theft Council, said the stolen access credentials were most likely harvested with keylogging malware.
How can camjacking and keylogging software be stopped? Here are six tips.
1. Antivirus tools alone won't save you
You should always use antivirus and antimalware products, but their success rate at spotting keylogging and webcam-hijacking software (whether developed by the FBI or criminals) isn't great. The security vendor OPSWAT recently took a sample of malware designed to log keystrokes, known as winpe/KeyLogger.SYK (a.k.a. PhrozenKeyloggerLite1-0R3_setup.zip), installed it on a test system, and scanned it using 40 different antivirus engines. As of last Thursday, only Norman's antivirus engine had detected the keylogger, OPSWAT's Alec Stokes wrote in a blog post. On Saturday, VirusTotal reported that Comodo's antivirus engine had added a detection signature for the keylogger, but 46 other engines still weren't detecting it.
The results were even worse when it came to testing whether 16 different antivirus engines could spot signs of the malware running on a test system. "After a quick scan of running processes, none of the engines flagged the keylogger's process," Stokes wrote. In addition, one behavioral analysis engine also failed to sound alarms.
2. Employ anti-keylogging software
Instead of simply attempting to detect keyloggers, O'Farrell recommends trying to disrupt them. KeyScrambler (which is free) and Guarded ID (which costs $30 annually for two computers) are among the many good options available, he told us via email. "Some work by instantly encrypting or scrambling all your keystrokes so that they're unusable to hackers. They won't protect you against every type of keylogging, but are a good defense against the more common software."
3. Beware phishing attacks
How does camjacking or keylogging software get on to PCs? One typical infection vector is phishing, which is designed to trick an email recipient into opening a malicious executable. In fact, according to The Washington Post, that's the FBI's favored technique for infecting a system. However, the bureau uses it sparingly -- in part to keep references to the capability out of news stories -- and only after obtaining permission from a judge (which has not always been granted).
One defense against phishing is to ensure that systems remain fully updated and patched against all known vulnerabilities. A number of crimeware toolkits continue to exploit large numbers of systems that run outdated browser plugins (especially Java) with known vulnerabilities. Every successful exploit, of course, enables an attacker to install malware on the targeted PC.
4. Watch where you use passwords
Avoid typing sensitive information in public locations, especially if you're using a wireless keyboard. "More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard," said O'Farrell.
Of course, sensitive data can also be intercepted by anyone with the right technology and tools to sniff nearby WiFi traffic -- for example, when users are logged into a public hotspot or a rogue hotspot disguised as one. Accordingly, think twice before sending sensitive information via the Internet when connected to a public hotspot.
5. Cover your webcam
Worried about someone hacking into your webcam? Cover it up with a piece of tape. That's long been the advice of leading information security professionals, including the cryptographer Whitfield Diffie. Mikko Hypponen, chief research officer at F-Secure, recommends using a Band-Aid instead, since it won't gunk up the webcam lens.
6. Keep reviewing your countermeasures
The above aside, someone -- say, an intelligence agency with deep pockets -- who really wants to capture your passwords will do so. "More than 25 years ago, a couple of former spooks showed me how they could capture a user's ATM PIN, from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke," O'Farrell said. "They could even capture keystrokes from computers in nearby offices, but the technology wasn't sophisticated enough to focus in on any specific computer."
Of course, the technological state of the art has continued to advance since then. But when it comes to keylogging, your most likely foe will still be incidental attacks -- of the malware variety -- that attempt to harvest information from as many PCs as possible. Putting the above tools and practices in place will help block or disrupt these automated attacks.
Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.