Posts tagged ‘IT-Security’

◾ „Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.“ – Marlon Brando

[25.11.2014/22:00 UTC+1 – UPDATE]

Insecam.com now says: „The coordinates of the cameras are approximate.“ But that is simply not true.
Although insecam now only seems to show obviously uncontroversial cams, you are still able to get to the camera’s IP address. I found cameras where I am not sure whether they were intentionally left open to be controlled (zoom, rotate, etc.).

This might in some cases lead to circumstances under which you could steer the camera to look into areas that are not supposed to be streamed. Insecam continues with its explanation: „They point to the ISP (IP) address and not the physical address of the camera. This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not its exact position or address.“

Hmm, not sure how much more accurate you could get than having the IP address that forwards to the cam?!?
Or am I misinterpreting this point somehow? Even if you shift the coordinates generously on insecam’s geo-map, the IP address does not lie.

E.g. I found this camera in Liechtenstein: http://www.insecam.cc/cam/view/511xx/
with coordinates (47.141510 | 9.521540) on insecam:

[Image: Liechtenstein-Studio]

If you click to open the stream, you are directed to the IP that serves the camera and its interface:

http://80.72.XXX.XXX:82/CgiStart?page=Single&Language=0

Now I decided to look up who this might be via the IP address. I used iplocation.net to select the best result and opened
the associated Google Maps link:

[Image: Altenbach_1]

Looking at the streamed image I noticed the text „Studio_Decke“ (in the lower left corner), so I looked on Google to see if
I could find a „Studio“ in the „Altenbach“ area.

After a few minutes I got two perfect results. One company has a logo very similar to the one shown on the streamed front door.
I sent the company owner an email, and now I am waiting for a response on whether it is his cam and whether he wanted to stream
his visitors to the world.

Remember what insecam told us? „This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not its exact position or address.“


I don’t want to constantly criticize his work on insecam.com, and I am happy he decided to
take the private streams offline, but the more you look into the details, the more questions arise.


I decided not to dig deeper into that insecam thing. It is up to the competent authorities to decide what actions are necessary, or not…



[Image: Mail-Insecam]

Answered questions by admin(at)insecam.com (1 of 2)

The original blog post (12.11.2014) about identifying the insecam owner is currently password-protected for special access only. The competent authorities have been informed so they can investigate the issue with insecam.com. The sites insecam.com and insecam.cc currently no longer stream private webcams, so my „work“ seems to be done for the moment.

Cat out of the bag

I am sorry for the guy behind insecam.com that I had to make him publicly known, but there was no other way
to force his ugly site off the web! I cannot accept someone streaming kids and private cameras all over the world!

It is NOT collateral damage to stream private cameras. And it is not right or justifiable to log in to cameras that are protected with simple or default passwords! They ARE protected! No matter whether the password is weak or not. You do not have the right to log in to these systems, and it IS a crime!


If you were a serious IT security researcher, you would never try to inform the masses about this kind of problem
by exposing them publicly! You would rather set up a site that only detects the visitor’s IP address and offers to scan it
for weak passwords and a possible open stream (right, that is more work than just grabbing the data from the Shodan API, streaming the cams and drawing the IP geolocation!).

The guy behind insecam knows that I got him. And I can only ask him to stand behind his „project“ with his real name! Because what we are seeing now in the news is a lot of crap about „Russia“ attacking us, and panic that suggests false things about „evil l33t haxors“ (maybe let us call him the „Moldovan programmer looking for a job“)…

He is only making things worse by trying to hide and keeping an illusory and mysterious veil of fog over insecam’s intentions.


The lesson he might have learned: „cover your tracks before trying to come around the next corner with a pseudo operation you don’t want to be traced back to…“


If you are a journalist or from a law enforcement authority and want to get in contact with
me for details, please do so via Twitter first (@Tactic4l).

Important:
The intention behind this article is NOT to start a smear campaign against someone.
I might be totally wrong, and I would then apologize. But so far I am trying to find the
bigger context of all of this. Maybe the one person (yes, it is a single person, as he let me know) behind insecam really had good intentions. Assuming this, I urge you all not to stalk or harass this guy. But we need to find another solution to throw light on this kind of issue with open cameras (or poorly secured ones). I have a lot of respect for the one who started this campaign, but he should have put his name on the site and explained openly to the media what his intention is. He should have created a site that lets you detect whether your private camera is streaming to the world….using the front door was not the best option in this case, although it did lead to more excitement! All at the expense of privacy….

Trying to stay anonymous with this kind of site he created is like challenging the devil…always a bad idea!

You all stay safe & remember to regularly change your (hopefully strong) passwords ;-)

Challenge accepted:


Here are some related articles worth reading:

Webcam snooper now looking for a Job (pcworld.com by @Jeremy_Kirk )
Dem Webcam-Spion auf der Spur (NZZ.ch)
Russian webcam hacker uses Insecam site to look for Job (Independent UK)
Programmer behind webcam-snooping Website replaces site with a job ad (Fox News)
Piraten erstatten Anzeige (Tageblatt.lu)
Security Cams in Luxemburg geknackt (Tageblatt.lu)


Office of the Privacy Commissioner of Canada (Letter to operators of webcam website)
Information Commissioner’s Office blog
Office of the Information & Privacy Commissioner of British Columbia

UK moves to shut down Russian hackers streaming live British webcam footage (the Guardian)
This Terrifying Website Lets You Spy on People Through 73,000 Private Security Cameras (Mic.com)
This Website Streams Camera Footage from Users Who Didn’t Change Their Password (Motherboard)
Thousands Of People Worldwide With Home Security Cameras Are Being Spied On By A Russian Website (Business Insider)


◾ „You can not fix the stupid!“ – Ron White

OR is a vuln
When I submitted the report on the „Open Redirect“ on all Google domains worldwide to XSSposed yesterday,
I still thought Google would surely fix it soon.
After my inquiry with Google’s security team, I was told that it is not a security vulnerability!

[Image: Google redirected]

So if you click on Google links sent to you like this one in the near future (it says Google on the outside but ZDNet is inside ;-), you had better take a veeery close look
at every single parameter of the URL, which may be kilometers long. Because that is apparently exactly what Google expects!

Since most users have no idea at all about PHP, HTML or whatever other languages, let alone protocols,
I consider this shifting of responsibility untenable! And yes, it deserves to be denounced!

Even OWASP lists „Open Redirect“ in its Top 10 risks! And the associated page states
clearly:

Open Redirect – This is a Vulnerability
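As an added example (not from the blog post, and not Google’s code) of what OWASP means by an unvalidated redirect, here is the weak pattern beside a hardened variant in Python; the allowlisted hostnames and the „/“ fallback are assumptions.

```python
# Added example (not from the blog post): an unvalidated redirect beside a
# hardened one. The hostnames and the "/" fallback are assumptions.
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may leave the site for (assumed allowlist).
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
FALLBACK = "/"


def unvalidated_redirect(target: str) -> str:
    """The weak pattern: the 'url' parameter goes straight into Location.
    A link that visibly belongs to the site can then land anywhere."""
    return target


def validated_redirect(target: str) -> str:
    """Hardened variant: only same-site paths or allowlisted hosts survive;
    anything else falls back to a safe local page."""
    # Browsers treat backslashes as slashes; normalise before parsing so
    # "/\\evil.example" is not mistaken for a local path.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading slash, which rules out
        # scheme-relative "//host" forms and bare "evil.example" strings.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK  # rejects javascript:, data:, etc.
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return FALLBACK
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    # Rebuild the URL so userinfo ("trusted.host@evil.example") is dropped.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/",
                       parts.query, parts.fragment))
```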

Now, this is not mainly about the reward that Google offers (also for security vulnerabilities affecting Google Search);
it is about the principle. And on principle I don’t like being fobbed off with a one-liner
and „that is not a security vulnerability“. A US government agency has already had painful experiences
with „open redirects“. So the topic is really not new….

But others have had the same experience as I did, as can be read here in an article by ZDNet (see also here).
Nothing is worse than when a problem is ignored, or even dismissed almost as a feature,
or, as in this case, when apparently nobody wants to take responsibility for it!

Letting users run into unvalidated redirects is beneath you!

No, Google…this is not how it works!

Should Google change its mind and perhaps even shell out a few coins from the reward program,
I will donate part of it to a charitable organization that supports people
in need!

Anyone interested in the parameters in the Google URL can find a good article about them here:
further link on the topic of Google Search