How They Spy on Users Online and How to Avoid It: Cybersecurity Expert’s Take

Having to rig someone’s landline phone and plant microphones all over their place to sniff out some secrets is now mostly a thing of vintage movies. We have voluntarily surrounded ourselves with cameras and microphones constantly connected to the internet. People upload their personal information, photos, and geolocation, show the world who their friends and relatives are, brag online about jobs, cars, and vacations.

Even the things we’d like to keep private and the sensitive data we share with authorities end up on the internet one way or another, waiting to make the news about yet another hack, leak, or mishandling scandal.

While things may be looking grim, especially with the global health crisis unfolding, privacy can be protected, at least to some extent.

In his online presentation, HackIT’s co-founder and cybersecurity expert Nikita Knysh explains the implications of data leaks and how to prevent them, talks about ways governments, corporations, or criminals can spy on internet users, and explains how to stay safe online. This is the adaptation of the Russian-language talk from ForkLog’s Digital Middle Ages online conference.

Data Leaks, Their Consequences and Prevention

Recently, there was news about videos recorded via Zoom being exposed. People were recording their video calls and the recordings ended up on Zoom’s servers or YouTube not protected by a password. The naming pattern for the files was straightforward and people were able to simply google these files.

In this case, I don’t see the problem with Zoom itself. The real way to prevent such a thing was not to record the videos. But there were other much more interesting scandals related to this service.

Zoom was touted to have end-to-end encryption and asymmetric cryptography. Allegedly, nobody could decrypt the data being transmitted via Zoom’s channels. This was not the case. It turned out that there’s no end-to-end encryption, only the TLS protocol. Encryption took place only in communication between data centers.

Elon Musk banned Zoom in SpaceX because of privacy concerns, which is quite a flag. There was also a class-action lawsuit against Zoom filed by the company’s shareholder Michael Drieu, who said he suffered damages because of the overstated security features.

Still, the company is there and its stock price is growing, so I believe all these problems weren’t that big of a deal. Leaks actually happen all the time, but not all of them are equally impactful and people usually don’t care about it too much. But it’s important to understand how a particular data leak may affect you personally.

When it comes to using the leaked information, there’s a prominent example related to NSA exploits published on WikiLeaks by Julian Assange. He revealed things that basically allowed agents to break into any computer system. Subsequently, some guys from the dark web used the exploits to create WannaCry malware, which has reportedly infected over 200 thousand Windows systems across more than 150 countries. In reality, the number of affected machines is probably much higher than that.

There’s also another example. To show how simple things can get, I decided to do my own experiment and tried to dig up information on a certain journalist. It took 15 seconds and no money whatsoever to find information about their phone numbers, home, workplace, relatives, and cars. All this came from government and bank databases that were hacked or otherwise made public and were accessible through a Telegram bot. Given this amount of information, somebody could simply rob or kidnap them just like that. This can be dangerous.

Spying on Users

Right now, companies and governments are considering the introduction of monitoring apps to trace people infected with the coronavirus. In some countries, the authorities are thinking about making such apps mandatory. But iOS and Android phones are already collecting the needed data.

Smartphones are tracking location data with timestamps and you or a police officer can browse these data on your phone. Whenever you take a photo or make a video with your phone, the file you get is full of additional information, metadata, which may include GPS tags and other potentially useful things. Tools to retrieve these data are readily available online.

Moreover, nothing really keeps certain government agencies from just going to Google or Apple and getting access to 99% of their phones across the globe. There isn’t much to do about it.

Basic Advice on Secure Online Communication

The best way to keep online communication secure is to use open-source software. Everybody can see the code of an open-source application and check if there is funny business going on under its hood.

Rocket.Chat is one of the examples. It’s not an ad, I’m not paid to say this and they won’t get any money from it since it’s a free service. Rocket.Chat is a full-blown messenger with users, channels, search functions, video calls, file sharing, and whatever else you would expect from an app like that. It has encryption and two-factor authentication. The best thing is that you can run it on your own server, meaning that nobody else would be able to access it.

Unfortunately, stuff like that is too much of a hassle for most regular people. Setting up a server and tweaking all the settings costs time and effort. There is a balance between security and convenience. In the end, you have to trade one thing for another.

Watch the full video on ForkLog YouTube channel
