Imagine waking up one morning to find that someone has emailed you a sex tape. Not just any sex tape, but a sex tape starring you. In your bedroom. Where there are no cameras.
That’s what happened to the victims of a hacker arrested last week by the FBI who, among other things, is charged with remotely accessing peoples’ webcams and using the videos he obtained to blackmail his victims.
According to the Department of Justice Press Release from June 22, 2010, Luis Mijangos of Santa Ana, California would hack into a victim’s computer and turn on the computer’s webcam once in awhile, hoping to film his female victims in compromising situations. If he did so, he blackmailed her with the footage, basically an involuntarily made sex tape, threatening to make it public if she did not send him more explicit videos.
He also blackmailed his victims with photos or videos he found on their hardrives. According to the FBI report, he looked specifically for images of “young women and girls in various states of undress or engaged in sexual acts with their partners.” He “threaten[ed] to distribute those stolen images and videos to every addressee in the victims’ contact lists unless they made additional videos for him.” He tried to keep his victims from reporting him to the police by telling them that because he controlled their computer, he would know if they went to the authorities.
Creepy doesn’t even begin to cover it.
The Department of Justice Press Release explains that Mijangos was able to hack into computers using malware, which he got his victims to download by disguising the files as popular songs. Once these files were installed, Mijangos was able to control the computer.
If that last part went over your head, Kevin Haley, Director of Product Management for Symantec, provided a crash course in hackers for the layman.
‘Malware’ is short for ‘malicious software,’ a general term that encompasses all sorts of things that can harm your computer: viruses, worms, Trojans, and so on. Hackers commonly get people to download malware by putting it in an mp3 file or on a bit torrent or a peer-to-peer network. In layman’s terms: when you download music illegally, you probably go to a peer-to-peer network, at which point you may potentially download an mp3 file in which a hacker has hidden malware.
Haley calls this method “training wheels for bad guys.” It’s a very simple process to hide malware in an mp3: you can find an instruction book on the internet and download a program to install the malware.
Another method is known as ‘social engineering,’ in which a hacker infects one victim, and then poses as that person to infect their friends. The hacker sends an mp3 file or a link to a video that contains malware. The friend opens the file assuming it is from his or her friend, and inadvertently downloads the malware.
Sometimes, a hacker will simply send an email with an attachment that is infected with malware. A slightly scarier method is what is called ‘drive by downloads,’ where a computer user will go to a website, and while there, a piece of malware is downloaded, unbeknownst to the user.
An alternative strategy is for the hacker to create malware that will automatically copy itself onto any thumb drive inserted into the computer. When the thumb drive is inserted into another computer, the malware jumps onto that new hardrive. Haley says this is a method typically used at corporations, where there is more sharing of thumb drives.
It’s easy to imagine this as the work of some super genius using his superior technological intelligence for diabolical ends. But as it turns out, making malware is simple: like every other kind of DIY project, you just have to buy a toolkit. A variety of toolkits are available in the underground economy, and with the click of a few buttons, anyone can build their own malware and target it for specific purposes.
“It’s just like any other service industry,” says David Marcus, Director of Security Research at McAfee Labs. If you know where to look, or even just with a well-worded google search, you can find people who will build malware for you, or get the instructions to do it yourself. Like the latest security software, these toolkits get updated on a regular basis, so at this point, Haley says, it’s possible to create a piece of malware that can do pretty much anything. For instance, remotely activate someone’s webcam.
Freaky.
Of course, being blackmailed by a hacker who has remotely activated your webcam at the exact same time that you happened to be getting down and dirty seems like the kind of thing that only happens in splashy articles like this one. We read them, shudder, and then go back to doing things exactly as we did before.
But what if the person using your webcam to spy on you isn’t a bad guy? What if it’s, say, your school?
That’s allegedly what happened to Blake Robbins, a student at Harriton High School. Lower Merion School district, to which Harriton High belongs, loans each student a laptop for school use. Unbeknownst to the students, security software called LANRev TheftTrack was installed on the laptops. The purpose of the software was to track lost or stolen computers, and one of the methods employed allowed the network tech to remotely activate the webcam and take a still photo. Robbins is suing the school district, after a picture taken of him using the computer in the privacy of his own home was used by the school as grounds for disciplinary action against him.
There are legitimate uses for this kind of software, but this doesn’t seem to be one of them. Stryde Hax blog reports that students were not only required to have and use a school loaned laptop, they were punished for using personal laptops for school assignments. Students were not informed that this software was installed on the computers. Stryde Hax posted comments from students at Harriton High, many of which say that they noted the green light next to the camera turning on, but assumed that it was a computer malfunction. One student said he or she even reported it to the school and was told that it was a just a “malfunction,” though that was obviously not the case.
The software lent itself to a being abused, as it gave school administrators the power to activate the webcam. Other software only allows the software company to activate these features. For instance, Absolute Software, which bought LANRev in December, has an anti-theft software called Lojack for Laptops, in which the tracking features can only be activated by the company when the owner reports it stolen. The company’s FAQ section on Lojack explains that the Absolute works closely with law enforcement to recover the computers, making the process a whole lot less invasive than a software that let’s school administrators snap pictures of students in their bedrooms.
At other schools, administrators openly admit to having this type of surveillance on their students. In a New York Times article on cyberbullying, the principle of a Massachusetts school where students are loaned computers with similar security software installed is quoted as saying
“I regularly scan every computer in the building. They know I’m watching. They’re using the cameras on their laptops to check their hair and I send them a message and say: ‘You look great! Now go back to work.’ It’s a powerful way to teach kids: ‘I’m paying attention, you need to do what’s right.’ ”
But unlike students at Harriton, these students are aware that administrators are watching, and they can adjust their behavior accordingly.
Students at schools that monitor computers may just have to stick it out, but when it comes to hackers, there are ways to protect yourself. Both Marcus and Haley stress the importance of having security software on your computer, and running it often. Marcus is adamant that users should be updating their software and scanning their computers every single day because the threats change on a daily basis. Moreover, he notes, “the bad guys are all over the internet, and they use the same tools and read the same news as the good guys.” Which means that websites like Google News and Twitter, things people use on a daily basis, can also be abused by hackers. Haley notes that users should be suspicious of any attachment or video or song link that they receive, as those are the most common ways that hackers install malware.
The first thing to do if you think your computer has been hacked, Haley says, is install security software and run it. A hacker who notices this may try to stop you from installing it, but good security software should be able to counteract that.
If you are as technologically challenged as this writer, never fear, security software is designed to save us from ourselves. If it finds a piece of malware, it destroys it without asking, an important feature for anyone who has ever gotten a pop-up window saying that your computer may be at risk, and then simply ignored it, having no idea what that might means or how to stop it.
As Haley points out, a good indicator that someone is spying on you through your webcam is if the green light next to the camera goes on when you aren’t using it. But a good hacker, Marcus says, can activate the camera without turning on the light. In fact, he says, “if the person knows what they’re doing…you’ll have absolutely no idea” that they’re there.
He suggests, however, that you can turn off the functionality of the camera by unplugging it, if it’s an external camera, or by setting up your own controls or security software that disables remote access of a webcam. Again though, if the bad guy is sophisticated enough, odds are that he can get in and change all those settings.
Using a Mac may lower your odds of downloading malware, but the idea that Mac’s don’t get viruses is a myth. There is plenty of malware available that targets Macs, and everyone is going to the same internet sites, so it’s just as possible for a Mac to pick up malware online as it is that a PC will. That said, Marcus calls the amount of Malware available for Macs just “a drop in the bucket” compared to the amount of malware that exploits Windows operating systems.
New malware comes out every single day, and it’s possible that your security software will come across something that it can’t fix. In the worst case scenario, the only solution may be to wipe the hardrive.
Also, security software messes up sometimes. McAfee got in trouble in April when an update to its security software caused it to attack a critical Windows file, preventing computers from booting up.
This, Marcus tells me, is called a false positive, and it happens every once in awhile. The bad news is, your computer may not be able to start up for a few hours. The good news, he says, it’s not something hackers are able to foresee or exploit.
As for whether or not there’s a hacker using your webcam to spy on you while you read this article, both Marcus and Haley agree that it’s not too likely. Haley tells me that more often, a hacker will remotely activate a webcam to see if there’s anyone in front of the computer who might notice that it’s being tampered with.
Most hackers are in it for profit, which means they’ll look for bank account numbers or credit card information, sources of profit that are less labor intensive than blackmail. The problem is, if a hacker has installed something that enables him or her to do that, then he or she can just as easily turn on your webcam and take a look around.
Take away lesson: if you’re about to do something you’d never want your mother to see, much less millions of people on the internet, close your laptop. If it seems unrealistic to be expected to remember to do that in the heat of the moment, your best bet might be the low tech solution employed by some students at Harriton: just put a piece of tape over the video camera.
James Brown did not allow computers in the James Brown Enterprises offices because, Maria Moon, a staffer, explained in a 2002 New Yorker profile, “He’s got this strange notion that they can see back at you.” Chalk it up to PSP induced paranoia, but the godfather of soul may have had a point.