Laptops, desktop computers, tablets and mobile phones are all at risk of being hacked. But did you know that intruders might use the built-in camera to take surreptitious pictures and videos of you and your surroundings or hijack your microphone to eavesdrop on conversations?
The latest story from the Edward Snowden leaks yesterday drives home that the NSA and its spy partners possess specialized tools for doing exactly that. NSA uses a plug-in called GUMFISH to take over cameras on infected machines and snap photos.
Another NSA plug-in called CAPTIVATEDAUDIENCE hijacks the microphone on targeted computers to record conversations.
Intelligence agencies have been turning computers into listening devices for at least a decade, as evidenced by the Flame spy tool uncovered by Kaspersky Lab in 2012, which had the ability to surreptitiously turn on webcams and microphones and perform a host of other espionage operations. Researchers believe Flame has been around since 2007.
Spy tools, whether designed by intelligence agencies, cyber crooks or internet creeps, can turn your camera on without illuminating the indicator light. Naturally, there are even online tutorials available to instruct neophyte hackers on how to hijack your webcam.
Cover your camera lens with a sticker.
A sticker is better than a Post-It, which can lose its adhesion and fall off. Gaffer tape works nicely, too, but can leave a residue.
The Electronic Frontier Foundation has created webcam stickers that you can order for just five bucks. The black vinyl emblems are designed with a special adhesive that won’t leave a residue on the camera lens when you remove it. With EFF’s logo on them, they also make a civil liberties statement.
If you use your laptop camera often for Skyping and video conferencing, you might prefer the C-slide, which uses a sliding door to cover and uncover your camera’s eye.
Sadly, covering your camera still won’t prevent spies, intruders and even web sites and phone apps from surreptitiously turning on the internal microphone on your computer or mobile phone, computer, or VoIP phone and listening in on conversations.
Muting the mic won’t work, since it’s possible for an intruder to unmute it. Your best defense is probably to insert a dummy plug into the microphone jack to prevent sound from being picked up by the internal mic. You can create a dummy plug by simply cutting off the unneeded portion of an old microphone plug. This won’t prevent someone from listening to your conversations when you need the mic, such as when using Skype, but it will at least thwart them from using the microphone on their own without you knowing.
Put your phone into airplane mode while playing games.
Most games don’t need an Internet connection to run, but their ad networks do. Killing the connection will block ads from displaying and stop the transmission of your personal data, both by the game and by third-party ads. Airplane mode may also help your game run a little more smoothly as the processor stops trying to load ads.
Use a virtual private network (VPN) while connecting to the Internet.
A VPN encrypts all data traffic to and from your phone, tablet or computer by routing it through a VPN provider’s server. Using a VPN won’t stop apps and ads from collecting and transmitting your personal data, but it will make it much more difficult for spies or hackers to eavesdrop on those transmissions. VPN apps such as Hotspot Shield or VPN Express can be downloaded from the Apple App Store and Google Play store.
Don’t post on social media accounts while connected to cellular data networks.
Instead, wait until you’re connected to your secure, password-protected home or workplace Wi-Fi network. Better yet, don’t post to social media accounts from your smartphone at all. Wait until you’re seated at a desktop or laptop PC and connected to the social-media service via a secure HTTPS connection (see next item).
Install HTTPS Everywhere.
HTTPS Everywhere is a browser plugin for Firefox, Chrome and Opera desktop browsers provided free by the Electronic Frontier Foundation. There’s no smartphone equivalent yet, but if a website, such as Facebook or Twitter, is capable of securely connecting to your computer, HTTPS Everywhere will make sure it does.
Turn off Wi-Fi, GPS and geolocation on your phone.
Wi-Fi, GPS and geolocation can all be used to quickly pinpoint your location. Don’t use them until you absolutely need them. You may have to go into each app’s settings to turn off geolocation, but start with apps capable of taking photos. If you do all that, spies and hackers won’t be able to use app data to tell where you are, or where you’ve been.
Turn off cellular data connections.
If you don’t need to receive constant email updates when on the go, turn off cellular data and go online only when connected to a secure, password-protected Wi-Fi network. You’ll still be able to get text messages and voice calls, and your battery life will probably improve.
Get rid of the smartphone.
If you want to go to extremes, downgrade to a 2007-era “dumb” phone. All cellphones are tracking devices, but it’s a lot more work for spies to get location data and personal information out of something that can’t run Facebook or play “Angry Birds.”
Browse anonymously with Tor
NSA whistleblower Edward Snowden has been photographed with a Tor sticker on his laptop. Tor lets you use the Internet without revealing your IP address or other identifying information. The distributed network works by bouncing your traffic among several randomly selected proxy computers before sending it on to its real destination. Web sites will think you’re coming from whichever node your traffic happens to bounce off of last, which might be on the other side of the world.
Tor is easy to use. You can download the Tor Browser Bundle, a version of the Firefox browser that automatically connects to the Tor network for anonymous web browsing.
Keep your chats private with OTR
If you use a conventional instant messaging service like those offered by Google, AOL, Yahoo or Microsoft, logs of your chats may be accessible to the NSA through the PRISM program. But a chat extension called OTR (for “off the record”) offers “end-to-end” encryption. The server only sees the encrypted version of your conversations, thwarting eavesdropping.
To use OTR, both you and the person you’re chatting with need to use instant messaging software that supports it. I use a Mac OS X client called Adium, which works with Google, AOL, Microsoft and Yahoo’s chat networks, among others. Windows and Linux users can use Pidgin. OTR works as an extension to conventional instant messaging networks, seamlessly adding privacy to the IM networks you already use. You can configure Adium or Pidgin so that if a person you’re chatting with is also running an OTR-capable client, it will automatically encrypt the conversation.
Make secure calls with Silent Circle
The conventional telephone network is vulnerable to government wiretapping. And many Internet-based telephony applications, including Skype, are thought to be vulnerable to interception as well.
But an Internet telephony application called Silent Circle is believed to be impervious to wiretapping, even by the NSA. Like OTR, it offers “end-to-end” encryption, meaning that the company running the service never has access to your unencrypted calls and can’t turn them over to the feds. The client software is open source, and Chris Soghoian, the chief technologist of the American Civil Liberties Union, says it has been independently audited to ensure that it doesn’t contain any “back doors.”
Make secure calls with Redphone
Redphone is another application that makes phone calls with end-to-end encryption. Interestingly, it was developed with financial support from U.S. taxpayers courtesy of the Open Technology Fund.
The government hopes to support dissidents in repressive regimes overseas. But the only way to build a communications application that people will trust is to make it impervious to snooping by any government, including ours. So like Silent Circle, the Redphone client software is open source and has been independently audited to make sure there are no back doors.
Remove your cellphone battery to thwart tracking
The NSA phone records program revealed by the Guardian last week not only collects information about what phone numbers we call, it also collects data about the location of the nearest cellphone tower when we make calls. That gives the NSA the ability to determine your location every time you make a phone call — and maybe in between calls too.
Unfortunately, Soghoian says there’s no technical fix for this kind of surveillance. “The laws of physics will not let you hide your location from the phone company,” he says. The phone company needs to know where you are in order to reach you when you receive a phone call.
So if you don’t want the NSA to know where you’ve been, you only have one option: You need to turn off your cell phone. Or if you’re feeling extra paranoid, take out the battery or leave your phone at home.
You probably can’t hide metadata
Soghoian says that a similar point applies to your phone calling records. Encryption technology can prevent the government from intercepting the contents of voice communications. But it’s much harder to hide information about your calling patterns. And information about who you’ve called can be as revealing as the contents of the calls themselves.
“If you’re calling an abortion clinic or a phone sex hotline or a suicide counselor, what you say is basically the same as who you’re saying it to,” Soghoian argues.
Unfortunately, there’s no easy technological fix for this problem. Even obtaining a phone not specifically tied to your identity may not help, as it may be possible to identify you from your calling patterns.
This problem tripped up Paula Broadwell, who was outed last year as having an extra-marital relationship with Gen. David Petraeus. She had been sending e-mails from an anonymous Gmail account, and she had even been smart enough to avoid logging in from home.
But the FBI identified her anyway. Broadwell logged into the account from several different hotels. The FBI obtained lists of who had checked into those hotels on the relevant dates and looked for common names. Broadwell was the only one who had checked into all of the hotels.
So it’s fairly easy to protect the contents of your communications from government spying. But there’s no easy technological fix to prevent the government from finding out who you’re communicating with.
The aging NSA brainiacs seem to be missing all the cool and happening communications apps like Vine, LINE, Viber, Kik and KakaoTalk. This means that as middle-aged spies sift through AOL and Skype text messages, entire venues of communication could still be secure, even for American citizens.
- Six-second second Vine clips can be packed with information, especially if some of it is mimed while the soundtrack is used as a parallel channel.
- LINE is a Japanese messaging service that is so hip it hasn’t even hit the top-200 iPhone app chart in the U.S. yet, which is just as well if you want to avoid the lizard gaze of the NSA squares. The advantage of this texting service it that you can amplify your comments with Hello Kitty stickers evoking various emotional states… such as intense paranoia.
- Kik is a Canadian texting service that may be able to resist NSA demands for collaboration longer than U.S. messaging rivals like Apple, Google and Facebook.
- KakaoTalk is a Korean service that offers particularly nifty group texting and group calling features — in case you want to review your last few years of possibly incriminating Facebook and Apple iMessage chats with your friends and family.
There you go. Freedom lies in Canadian, Japanese and Korean modes of communication now that all the leading American tech companies have been compromised.
App developers have come up with new devices and/or applications to help put a stop to all the spying. One such new app that aims to better inform users about the data their smartphone sends while they use apps or surf the web, and to better educate them on how to protect their privacy is viaProtect, PhoneArena reports.
“Leaky and insecure apps pose substantial risks to personal data on mobile devices,” the app description says. “These apps may transmit information without encryption or to overseas servers which allows data to be intercepted by unwanted parties. The harsh consequences can include identity theft, financial theft and loss of privacy.”
viaProtect will gather “mobile forensic, system, network, security and sensor data from devices,” and use “statistical analysis and risk indicators to detect suspicious events or behavior” and monitor app data in real time.
The app will provide a rating for the smartphone or tablet to show users how safe their data is and tell them “where their data is being sent.” While the app will likely not stop the NSA’s sophisticated attempts to collect data in bulk, it should at least help users better protect their personal data
viaProtect can be downloaded free of charge from the Google Play Store, and requires 2.9MB of storage and Android 4.0 Ice Cream Sandwich or later to run. The app has a 3.7-star average out of over 200 reviews.
It appears than what we need is a more secure operating system that locks devices or does not allow devices to be mounted with permission from any outside source. I envision a control panel that lists all of your computer devices on one screen. This control panel will show the permissions allowed to the devices and gives only the user the ability to change them. Attempts to change permissions to devices would pop up on screen showing the address of the hacking attempt.
But tape and a mic plug is the most secure and can be done physically and cannot be hacked by software. Plus you do not need a programmer.
Create a safe route
If you use a mail client for email, you’ll want to make sure that you enable SSL (Secure Sockets Layer) encryption within the settings or preferences of your individual email account (you may need to check with your ISP or IT to make sure it is supported). SSL encrypts traffic between you and your mail server, and so prevents breaches referred to as “man in the middle” attacks (where someone grabs your email while it’s in transit).
Similarly, many individuals – and increasingly many companies – use programs like Google’s Gmail for the majority of their emailing. Most such web-based programs support secure connections using a Hypertext Transfer Protocol Secure (HTTPS) connection. The little S on the end shows that your traffic is encrypted, and so is virtually impossible for the connection between you and the mail server to be compromised. You can always confirm you are connected securely by finding the padlock icon or the “https://” in the browser address bar of whatever browser-based mail program you use(e.g. https://mail.google.com/).
Without such a secure connection, using web-based email is like sitting at a Starbucks doing a private call on your speakerphone – you’re broadcasting your communication for anyone to hear. (And just in case you actually are sitting at a Starbucks or anywhere else accessing a third party’s Wi-Fi, remember that you are potentially using an unsecured network every single time.)
Step 2: Give email some armor
A secure connection to the server is critical, but it doesn’t encrypt the message itself. That means that all those emails you send via Gmail, iCloud, Yahoo, and Outlook among others are sitting free and clear on servers that, as we’ve learned, the NSA has free and easy access to. That’s where adding encryption software like OpenPGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) or third-party OpenPGP-based add-ons such as Mailvelope come in. These encrypt your email message itself, not just the route along the way.
However, encrypting email messages does not come without some (hefty) inconvenience. Before a message is sent, senders and receivers first have to exchange public key certificates and install each others’ in their respective browsers or email clients. As you can imagine, setting up all your contacts with corresponding public keys is cumbersome. So you need to set some rules.
For business use, companies should set policies that define which type of emails must be encrypted. For individuals, you’ll essentially need to do the same – decide who and what is important enough that you are willing to endure some up-front efforts in exchange for your peace of mind.
And it’s worth noting that since most encryption programs don’t cover the metadata of your messages – everything from the subject line and above – you might want to think about how much sensitive information you’re typing into that header field.
Step 3: Lock all the doors
Going through the above steps is important, however forgetting about what happens to all those sent and received messages afterwards is like locking your house but leaving the windows open. Emails residing on desktops, laptops and mobile devices may still be at risk without a proactive “data at rest” encryption plan (unless you implement something like OpenPGP and S/MIME for all of your emails). If you understandably find solutions like PGP too weighty, though, there is a middle-ground.
Windows Encrypted File System (EFS) feature allows users to encrypt email storage files (such as .PST and .OST) on desktops and laptops; similarly, Mac users can use built-in FileVault which encrypts the entire hard drive on the fly. And some mobile operating systems like iOS provide out-of-the-box device level encryption.
Alternative, specialized webmail applications like hushmail.com that use encryption for all email, and can work with custom domain names as well.
A new standard for communication known as WebRTC (Web Real-Time Communication) could enable users to make calls over the internet without leaving any traces at all. That’s because it doesn’t rely on centralised servers but rather sends traffic directly between individual computers.
Combined with an encrypted connection using the anonymising Tor network, which sends data via volunteer networks of computers, WebRTC could keep your internet communications invisible.
An organisation called Tor Servers is aiming to bolster traffic speeds across Tor exit nodes – the points at which traffic from Tor enters the real internet. Its mission statement is to “make the Tor network more stable, faster and more anonymous for everyone”.
There are even efforts afoot to build an entirely new internet, one free from control by large corporations and, by extension, governments. Project Meshnet aims to have its own router hardware, and for this to communicate without using the infrastructure of large telecoms companies. That is still some way off, but for now you can use the software version, called cjdns, which runs on existing infrastructure. Physical Meshnets are already up and running in Maryland, Seattle and New York.
“…How to Keep the NSA From Spying Through Your Webcam..”
Network of traitors : Governments and corporations who are giving these agencies boundless freedom to do whatever they please having no regard to privacy or fear or prosecution.
Amend the Patriot Act? Nullify the NSA.
Inserting a 1/8″ jack into the av port on most laptops will not disable the microphone. Most modern laptops allow multiple audio source input – check your sound control panel. If you can pull down the input menu and select built-in mic – watch the SPL meter and speak. If it moves, your laptop can hear you.
Know More Ways? ADD Them in the Comments Below:
See Also: Latest Snowden Details, Turbine,
Sources: http://www.washingtonpost.com/blogs/wonkblog/wp/2013/06/10/five-ways-to-stop-the-nsa-from-spying-on-you/ , http://www.tomsguide.com/us/nsa-angry-birds-how-to,news-18255.html , http://news.yahoo.com/spy-nsa-spies-android-app-150526434.html , http://www.wired.com/threatlevel/2014/03/webcams-mics/ , http://www.newscientist.com/article/mg21829215.400-how-to-stop-the-nsa-spying-on-your-data.html?cmpid=RSS|NSNS|2012-GLOBAL|online-news , http://bgr.com/2013/06/06/prism-nsa-spying-how-to-avoid/ , http://gigaom.com/2013/06/15/how-to-prevent-the-nsa-from-reading-your-email/