Put some tape over your webcam!

Ok, so recently I´ve been trying out Metasploit Framework in order to learn more about hacking.

For those who haven´t come across Metasploit, it´s a set of tools for penetration testing, a.k.a "white hat" hacking.
It contains more or less everything you need to hack just about anything.

It´s not a "next, next, finish" type of product
So if you´re expecting to hack your friends facebook account within 15 minutes of installing, you´re out of luck.

After setting up my environment, and reading a few tutorials, it quickly became apparent that hacking someone is a lot easier than I thought.
Not that I thought it was impossible, I just presumed it would be harder than this...

I created a trojan horse for Windows from one of the many templates there are to choose from (yes, there´s a bunch of viruses in there for you naive Mac owners as well),
named it "counterstrike.exe" and didn´t bother to use any advanced settings, so no encryption or anything, and pressed Enter.
What the virus does, in short, is that, when someone clicks it, a process is created, which connects a https tunnel towards my Internet router on port 8080,
which I forward from the router to my own PC.

As long as I have Metasploit running, listening for any connections, my PC will pick up whenever the file is executed on a remote PC.
When it connects, I have control of the remote PC and can do pretty much anything.
I can view the webcam, get a screenshot of the desktop, create files/folders, download files to my own PC, etc.

Now, to be fair, as long as you have a good antivirus, or if you´re running Windows 10, my virus would be blocked.
However, there are lots and lots of tools out there, that will create a unique signature for my virus, to fool any antivirus.
Even worse, is that you can place the virus inside Office files, such as word-documents or excel-files.

So what should you do?

There´s a short answer and a long answer.

In short, learn how to be a safe internet user.
Don´t download stuff from pages you don´t recognise and don´t open mail attachments from unknown contacts,
and not even from the ones you know if it looks shady.

If you haven´t ordered anything online, that e-mail from UPS is probably not legit.

The other part of the short answer is:
Keep your software up to date.
Windows Update installs stuff for you automatically, why would you postpone security updates?

As for the long answer:
Ask yourself, how often do you really need to be admin?

  • Create an admin on your PC with a secure password, remove your own admin status and use the second account whenever you need the permissions.

  • Disable automatic running of macros in Word/Excel.

  • Enable UAC! *

  • For physical security, enable bitlocker.

  • * I know it was annoying when it first arrived, and a lot of computer-savy people turn it off as the first thing to do after installing Windows.
    But, make no mistake, the only thing that blocked me from getting administrative rights to my brothers PC when hacking him, was because of the UAC being enabled.

    ... And put some tape over your webcam!