Statement on exposing the guy behind Insecam.com

Veröffentlicht: 22. November 2014 in IT-Security, Netzwerke
Schlagwörter:, , , ,

◾ „Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.  Marlon Brando

[25.11.2014/22:00 UTC+1 – UPDATE]

Insecam.com now says: „The coordinates of the cameras are approximate„. But that is simply not true.
Despite insecam now only seems to show obvious uncontroversial cams, you are now able to get to the cameras IP-address. I found cameras which I am not sure, if they were intentionally open to take control over (zoom, rotate etc.).

This might lead in some cases to circumstances under which you could manage the camera to look into areas that are not supposed to be streamed. Insecam continues with its explanation: „They point to the ISP (IP) address and not the physical address of the camera. This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not it’s exact position or address.

Uhm, not sure how much more accurate you could be with having the IP-address which does forward to the cam?!?
Or do I misinterpret this point somehow? Even if you are changing the coordinates generously on insecams geo-map, the IP-address does not lie.

E.g. I found this camera in Liechtenstein: http://www.insecam.cc/cam/view/511xx/
with coordinates (47.141510 | 9.521540) on insecam:

Liechtenstein-Studio

If you click to open the stream, you are directed to the IP which provides the camera and its interface:

http://80.72.XXX.XXX:82/CgiStart?page=Single&Language=0

Now I decided to look who this might be via his IP-address. I did use iplocation.net to select the best result and opened
the associated Google-Maps-Link:

Altenbach_1

 

Looking at the streamed Image I noticed the text „Studio_Decke“ (in the lower left corner), so I did look on Google if
I could find a „Studio“ in the area „Altenbach“.

After a few minutes I got two perfect results. One company has a very similar logo as shown on the streamed front door.
I did sent the company owner an email, and now I am waiting for a response, if it is his cam and if he wanted to stream
his visitors to the world.

Remember what insecam told us? This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not it’s exact position or address.


I don’t only want to criticize his work with insecam.com constantly and I am happy he decided to
take the private streams offline, but the more you look into details, the more questions arise.


I decided not to dig deeper on that insecam thing. It is up to competent authorities to decide what actions are necessary, or not…


 

Mail-Insecam

Answered questions by admin(at)insecam.com (1 of 2)

The original blogpost (12.11.2014) about identifying the insecam owner is currently protected via password for special access only. Competent authorities were informed to investigate the issue on insecam.com. The site insecam.com and insecam.cc do currently not stream private Webcams anymore, and so my „work“ for the moment seems to be done.

Cat out of the bag

I am sorry for the guy behind insecam.com, that I had to make him public known, but there was no other way
to force his ugly site to be off the web! I can not accept someone does stream kids and private cameras all over the world!

It is NOT a collateral damage to stream private cameras. And it is not right or justifiable to login to cameras which are protected with simple or standard passwords! They ARE protected! No matter if with weak password or not. You do not have the right to log in to this systems and it IS a crime!


If you are a serious IT-Security Researcher you would never try to inform the masses about such kind of problem
by exposing them public! You would rather setup a site which detects only the visitors IP-Address and offer to scan
for weak passwords and a possible open stream (right that is more work than just grab the data from Shodan-API and stream cams & draw the IP-Geolocation!).

The guy behind insecam knows that I got him. And I can only ask him to stand behind his „project“ with his real Name! Because what we are seeing now on the News is a lot of crap about „Russia“ is attacking us, and panic that suggests false things about „evil l33t haxors“ (maybe let us call him the „moldovan programmer looking for a job“)…

He is only making things worse by trying to hide and keep an illusory and mysterious veil of fog on insecams intentions.


The lesson he might have learned: „cover your tracks, before trying to come around the next corner with your pseudo operation you don’t want to be traced back to…“

 

If you are a journalist or from a law enforcement authority and want to get in contact with
me for details, please do so via Twitter first (@Tactic4l).

Important:
The intention behind this article is NOT to start a smear campaign against someone.
I might be totally wrong and I would then apologize. But so far I am trying to find the
bigger context of all of this. Maybe the one person (yes it is a single person as he did let me know) behind insecam had really good intentions. And this assumed I urge you all to not stalk or harass this guy. But we need to find another solution to throw light on such kind of issue as with open cameras (or poor secured ones). I have a lot of respect for the one that started this campaign, but he should have put his name on the site, and explain open to the media what his intention is. He should have created a site which lets you detect if your private camera is streaming to the world….using the front door was not the best option in this case, although it did lead to more excitement! All all at the expense of privacy….

Trying to stay anonymous, with this kind of site he created, is like to challenge the devil…always a bad idea!

You all stay safe & remember to regularly change your (hopefully strong) passwords ;-)

Challenge accepted:


Here some related articles worth to read:

Webcam snooper now looking for a Job (pcworld.com by @Jeremy_Kirk )
Dem Webcam-Spion auf der Spur (NZZ.ch)
Russian webcam hacker uses Insecam site to look for Job (Independent UK)
Programmer behind webcam-snooping Website replaces site with a job ad (Fox News)
Piraten erstatten Anzeige (Tageblatt.lu)
Security Cams in Luxemburg geknackt (Tageblatt.lu)


Office of the Privacy Commissioner of Canada (Letter to operators of webcam website)
Information Commissioner’s Office blog
Office of the Information & Privacy Commissioner of British Columbia

UK moves to shut down Russian hackers streaming live British webcam footage (the Guardian)
This Terrifying Website Lets You Spy on People Through 73,000 Private Security Cameras (Mic.com)
This Website Streams Camera Footage from Users Who Didn’t Change Their Password (Moterhboard)
Thousands Of People Worldwide With Home Security Cameras Are Being Spied On By A Russian Website (Business Insider)

 

Advertisements
Kommentare
  1. […] German researcher said during a weekend that he had tracked IDs compared with a site to a webcam snooper, that he had given upheld on to […]

  2. […] researcher, who preferred to be identified by his Twitter handle @Tactic4l, published a blog post on his findings naming the man, but then decided to password-protect the post in case his […]

  3. […] T' persen behin a website at pullt togeth'r lif' streems frum thousan's o'webcams inside homes roun t'worl has replacet t'site’s questyunabull content wit a job ad. “Programm'r is a'lookin fer a good remote job,” t' ad reeds, befor listyun' variyus programmyun' skills an' un email address. No doubt t'rekwest fer wurk will receif' a desent numb'r o'vioos, tho mos will be frum folk hittyun' t'site wit t'intenshun o'peeryun' into folk’s homes rath'r thun employers seerchyun' fer a skillet programm'r fer thar bizness. T' Russiun-hostid site lan'et n' t'noose las week wen autheritees n' t'U.K. threw t'spotliite un it by callin fer its immediate closure. Up until t'start o'thishere week it feeturet webcam feeds frum mer thun 100 countries, wit roun 4,000 locatid n' t'U.S. Relatid: Website streems thousan's o'private webcam feeds Minny a o't' cameras air uset fer securty purposes, ta keep un eye un a trayler wile t'own'r is away, tho sum wuz uset as youngn moniters an' showd infants asleep n' thar crib. T' persen behin t'site sed thay hadn’t hacket t'camera feeds but had simplee accesset 'um as owners had failt ta change t'default passwerd at ships wit each deevice. T' individual addet at t'purrpus o't' website wuz ta shoe hoe easy it is ta gane access ta t'online feeds o'such cameras. T' site nairy onlee allowd users ta select streems by kuntry, but also by deevice manufactur'r, wit Panasonic an' Linksys amungst thems listid. N' a futher development, a Germun reseerch'r claims ta have idantifiet t'individual behin t'webcam site. Ritin un his'n blog ov'r t'weekend, t'reseerch'r sed he’d passet un his'n findings ta t'relevant autheritees, tho t'post reveeleeun' t'name o't' mun has since bee passwerd protectid. “[T'] autheritees wuz infermet ta investigate t'issue….[t' site duz nairy] currantlee streem private webcams innymore, an' so my ‘wurk’ fer t'moment seems ta be done,” t'reseerch'r sed n' a faller-up post. […]

  4. […] “[The] authorities were informed to investigate the issue….[the site does not] currently stream private webcams anymore, and so my ‘work’ for the moment seems to be done,” the researcher said in a follow-up post. […]

  5. Basil B. sagt:

    Hi I was just wondering if you knew that insecam.org is around?
    it’s doing the same thing that insecam.com and insecam.cc were doing, and it’s currently on the Internet.
    Thanks

Eigenen Senf dazu geben

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:

WordPress.com-Logo

Du kommentierst mit Deinem WordPress.com-Konto. Abmelden / Ändern )

Twitter-Bild

Du kommentierst mit Deinem Twitter-Konto. Abmelden / Ändern )

Facebook-Foto

Du kommentierst mit Deinem Facebook-Konto. Abmelden / Ändern )

Google+ Foto

Du kommentierst mit Deinem Google+-Konto. Abmelden / Ändern )

Verbinde mit %s