Miss Teen USA, Cassidy Wolf, says that she is the latest victim of sextortion – after a blackmailing hacker allegedly broke into her computer, took over her webcam and threatened to release candid secretly-taken photos of the teenager in her bedroom.
Miss Wolf, from Temecula, California, says that she hopes to raise awareness of cybercrime and internet risks during her one year reign.
The teenage beauty queen says that she was not aware that she was being secretly watched, as her webcam light never switched on. I don’t know what type of computer she was using, but in my experience the webcam light on most PCs and Macs is controlled by hardware, and cannot be subverted by a hacker.
Maybe her hardware was wonky, or she just didn’t notice the webcam lighting up. The jury is out on that one.
Anyway, I have more reason to trust her than the expert CNN used to describe the issue:
If you watch the above video, you’ll see the most confused description of webcam hacking ever from CNN legal expert Jean Casarez:
“But here’s how it works…” (deep breath)
“They hack into your computer and they get on websites, or your webcam, but it can be websites, where they then can… forgot your password. And they act like they’re you that they forgot your password. And then they get some personal information of you just via the internet they put that in. Then they correspond with your friends they search for your pictures and all of a sudden you are in the middle of a sextortion scheme.”
Hmm.
Well, I think that’s cleared up everything pretty nicely for those of us who were confused.
If you’re still uncertain, if malicious hackers manage to infect your computer they can exploit it in all kinds of ways. They can see what’s on your screen, read your emails, scoop up passwords as you type them on the keyboard, secretly send spam from your computer to other internet users, and – yes – they can take over your webcam and take photos and movies of you without you necessarily realising.
There’s an unfair stereotype that beauty queens are dumb. But compare how well Cassidy Wolf described the problem of protecting yourself against cybercrime when she was interviewed on TV:
If you’re worried that hackers might be able to see you through your webcam, take care over the links you click on and the software you install on your computer, keep your security patches and anti-virus software up-to-date and consider sticking a band-aid over the webcam when you don’t want to use it.
If you don’t have a band-aid, a beauty queen sash will do just as well.
All my ports are in stealth mode; how much would that help in avoiding malware?
That will help you 22.23%
No, no, no… Don't even get me started on Steve Gibson – he is a very good example of one thing and that one thing is something he won't admit: he is an excellent charlatan. "Stealth" as he likes to call it does not mean that you cannot be seen or cannot be attacked or that your chance of avoiding an attack increases. Nor does it mean you can't be infected with malware. It does nothing there. But besides that I'll give you some more information on how his idea of better security is not really so.
Not only is there passive fingerprinting (look up the utility p0f – I run it on my server and that means when someone connects to my server, p0f passively fingerprints their system and logs it; they won't have a clue that I possibly – often the case – now know the OS along with their IP and other information of their system. I didn't have to do anything at all and now I have that info) not all attacks require an active (established) TCP connection (the three-way handshake, SYN, SYN-ACK, ACK) or even the UDP version of a connection (read: you can use connect() networking call on UDP sockets but its not the same as TCP and not a "true" connection). Much like I already mentioned, you can be probed just by connecting to a machine (website, for instance) and that also means you can be attacked just by connecting to a site. Sorry but stealth ports don't do anything of real use because of two very critical reasons:
1. If you are actively being attacked then they already know about you so the fact your ports are "stealthy" means little. See the explanation of TCP below and how it is supposed to behave, in order to see the difference.
2. If you are not being actively attacked then either you (example) ran a file that is in fact a trojan horse, a worm, whatever else…. or you went to a website that attacks on the spot (which by the very fact HTTP is TCP based means that a. you connected via TCP. b. which means you just gave the server your IP _and_ it also is connected by way of a port that is more dynamic in nature but the connection is there and any harm the site may do is either in the process or already done).
*TCP: Let's say you try to connect to some website (or it is now a different host or maybe you typed the URL wrong or you were redirected via one server or any other number of ways). Your browser (or indeed whatever you are using to connect to the server – even the telnet client and other text oriented utils can perform http transactions) sends a SYN request to the destination. What happens if the host does not have a service running on the port specified (or default – 80)? It sends an RST (reset). But guess what the host just revealed to you? It is up. While a firewall can send that even when there is no service running on that port (eg. it works as it should: only allow certain ports and otherwise deny everything else), if it answered it does not matter if it sent a SYN-ACK or if it sent an RST: the host is still known to be up. The host could also ignore you completely (so no response) but that doesn't mean that nothing is there; it simply means it didn't respond (whatever the reason may be; it might some times respond but other times not even). It still doesn't mean the machine isn't up or alive though and there's many different ways to get a machine to reveal itself (even waiting it out until the owner uses it to connect to a server or otherwise shows itself).
Perhaps most critically, relying on "stealth" is relying on security through and that is a rather dangerous trap to fall in to. That you aren't showing yourself right now does not mean you cannot be found or that you aren't up and most importantly you still run the same risks as you do otherwise: an attacker that knows enough needs one thing and one thing only in order to succeed: persistence. Look at it this way: in the old days a floppy disk infected with a boot infecter doesn't care if you respond online or not. Similarly, a USB drive doesn't care either. In fact, the malware might even open you up to more vulnerabilities.
Just noticed one missing word and I'm not sure how it happened but no matter: security through should be security through obscurity. Either way, relying on it is indeed very bad for your network (or single devices AND even your own personal security). Bottom line is this: NEVER, ever underestimate the power of seemingly useless information. There is no such thing as useless information when it comes to security and in fact you could argue this at any time; what one person values (doesn't have to be physical objects) may be worthless in the eyes of someone else BUT it goes the other way around, too.
*sigh* ignoring the "legal expert", not all webcams have an LED light, for example, my laptop doesn't.
But then there are some missing details. She might just have been performing some saucy acts on webcam for somebody who is now trying to extort her, and she is trying to pre-empt this by saying they have taken candid shots.
The best mitigation technique is a post-it (sticky) note over the webcam.
I am the recent victim of this exact type of horrible crime. I am calling the local FBI IC3 division in my state. I have no clue if it will be of any use. Luckily I have a fairly good idea of who the perpetrators are and where the authorities can track them down. They are the worst kind of scum and are honestly internet rapists.
How to turn off the webcam light.
http://blog.erratasec.com/2013/12/how-to-disable-webcam-light-on-windows.html#.Vhe1vflVhBc