< < | Technological Stalking | > > | Network Compromise and Technological Stalking | | | |
< < | -- By DavidKellam - 30 Dec 2017 | > > | -- By DavidKellam | | | |
< < | Roughly one million women are ‘cyberstalked’ annually in the United States, yet the U.S. has been notably slow to respond to this new phenomenon. This is because other domestic issues obscure the rapidly growing threat born of our increasingly available online identities and because the criminal justice system has allocated resources to the culmination of cyberstalking, sexual assault and murder, rather than the steps taken by the perpetrators that lead up to it. Fortunately, these steps can be frustrated if liability is allocated to the router manufacturers, phone and network providers, and social media corporations that make personal information unreasonably insecure. Unfortunately, however, the victims often unknowingly volunteer the personal information that leads to cyberstalking, and this growing threat cannot be abridged without also raising awareness of the high possibility that cyberstalking is to affect their lives. | > > | With the increase in mass reliance on technology and the Internet, personal network compromise is becoming an increasingly common and malignant issue. A particularly malignant manifestation of this issue is technology's growing role in stalking, which is enabling stalkers to use modern conveniences to track a victim's whereabouts and identify their friends and family. The purpose of this essay is to make readers aware of current vulnerabilities by exploring one path that cyber-stalkers often take that is used to invade the most common technologies and services. The essay will conclude with a brief policy suggestion. | | | |
< < | The Starting Point | > > | Late to the Game | | | |
< < | Accessing a router is astonishingly easy; when my father refused to upgrade from dial-up, I was able to hack myself onto a neighbor’s SSID in less than a half-hour when I was no more than fifteen. This is due both to manufacturers who place a developmental premium on ease-of-access and device-integration over security, and the uninformed consumer that demands this compromise to occur. | > > | Roughly one million women are ‘cyberstalked’ annually in the United States, yet the U.S. has been notably slow to respond to this new phenomenon; other domestic issues obscure the rapidly growing threat born of our increasingly available online identities and the criminal justice system has allocated resources to the culmination of cyberstalking, sexual assault and murder, rather than the steps taken by the perpetrators that lead up to it. Fortunately, these steps can be frustrated if liability is allocated to the router manufacturers, phone and network providers, and social media corporations that make personal information unreasonably insecure. | | | |
< < | Mainstream commercial routers, until recently, came only with paper-thin WPS encryption, and still come with this substandard encryption written into the default settings, rather than the (slightly) more secure WPA2. Furthermore, they come with mass-manufactured default passwords, printed on the routers themselves, and seldom require users to provide non-standard passwords for administrative access. Perhaps most fatally, router manufacturers don’t distinguish between typical and advanced users, and thereby add features like remote administration, UPnP? (NAT-PMP for Apple people), device integration, and port-forwarding to all routers to satiate the few that will ever use them. As a result, router features that dramatically increase the risk and breadth of unauthorized access come built into routers that are sold to users with no ability to disable them. | > > | One Example of Successful Invasion | | | |
< < | Customers themselves are no less guilty- generally satisfied only if they can plug the router in, use it immediately, and boast to their neighbors about how it is the newest and most expensive model. While the true mistake was using a commercial router (and Wifi), these users only increase the likelihood of unauthorized access by failing to change the defaults or to update the firmware. | > > | Cyber stalkers have countless entry points into the digital identity of a victim. A common starting point is the router, so this particular example of technological invasion will begin there. | | | |
< < | The Next Step | > > | Accessing a router is astonishingly easy. This is due both to manufacturers who place a developmental premium on ease-of-access and device-integration over security, and the uninformed consumer that demands this compromise to occur. Mainstream commercial routers, until recently, came only with paper-thin WPS encryption, and still come with this substandard encryption written into the default settings. Furthermore, they come with mass-manufactured default passwords and seldom require users to provide non-standard passwords for administrative access. Perhaps most fatally, router manufacturers don’t distinguish between typical and advanced users, and thereby add features like remote administration, UPnP? , device integration, and port-forwarding to all routers to satiate the few that will ever use them. As a result, router features that dramatically increase the risk and breadth of unauthorized access come built into routers that are sold to users with no ability to disable them. | | | |
< < | Because cyberstalking often revolves around the interception of messages, location, and personal information, the logical next step is to use the router to access a smartphone, which conveniently consolidates them all. There are several ways this can be done: for example, using a metasploit, which is essentially using the terminal to place an application onto a connected phone that gives remote payload-access to the phone’s microphone, camera, files, etc. | > > | Customers themselves are no less guilty- generally satisfied only if they can plug the router in, use it immediately, and boast to their neighbors about how it is the newest and most expensive model. While the true mistake was using a commercial router (and Wifi) in the first place, these users only increase the likelihood of unauthorized access by failing to change the defaults or to update the firmware. Once a stalker has completed the initial step of invading a victim’s router, they will have access to abundant personal information and might well have access to home IP cameras and other smart devices. | | | |
< < | The phone can then be used to upload any local information to a remote source. However, this dramatically increases data consumption and is often detectable. Thus, a good cyberstalker will not stop with a mere installation. With access to the phone, the hacker also has access to the phone’s stored credentials and typed passwords, which means access to social media, and most importantly, the unfortunately popular Gmail. With Google access, the hacker not only has all email correspondences, but can use the evasively titled 'Google timeline'; (location history) to trace exactly where the user has been since they created the account, and where, when and how often they go to specific locations presently. Furthermore, Google, to feign a concern for security, allows users to see the MAC and IMEI of devices connected to their account. Because the hacker’s is likely masked, this does little to aid the user. However, the hacker can access this list of devices and can obtain the IMEI of the victim’s smart-phone. | > > | Because cyberstalking often revolves around the interception of messages, location, and personal information, a common next step is to use the router to access a smartphone, which conveniently consolidates them all. There are several ways this can be done: for example, using a metasploit, which is essentially using the terminal to place an application onto a connected phone that gives remote payload-access to the phone’s microphone, camera, files, etc. | | | |
< < | With the IMEI and an easily obtainable $300 device, the hacker can then clone the phone. At this point, the hacker has exhaustive and nearly untraceable access to everything that the phone transmits over the mobile network. Even if the victim secures the Google account and removes any malicious apk.s from their phone, the hacker can listen to every call and receive every text and connected email, without the risk of being detected by a phone’s antivirus.
The experienced cyberstalker then has one final step: hacking the device of the victim’s family member. Once he has taken the above steps to hack the device of a family member with consistent communication with the victim, the victim cannot safely change their phone number because the hacker will find it when the family member communicates with the new number, and the cycle begins again. | > > | However, this is often detectable. Thus, a good cyberstalker will not stop with a mere installation. With access to the phone, the hacker also has access to the phone’s stored credentials and typed passwords, which means access to social media, and most importantly, the unfortunately popular Gmail. Thus, the next step on this path is to access Google; the hacker not only has all email correspondences, but can use the evasively titled 'Google Timeline' (location history) to trace exactly where the user has been since they created the account, and where, when and how often they go to specific locations presently. Furthermore, Google allows users to see the MAC and IMEI of devices connected to their account. Because the hacker’s is likely masked, this does little to aid the user. However, the hacker can access this list of devices and can obtain the IMEI of the victim’s smart-phone. | | | |
< < | Awareness & Liability | > > | With the IMEI and an easily obtainable $300 device, the hacker can then clone the phone. At this point, the hacker has exhaustive and nearly untraceable access to everything that the phone transmits over the mobile network. Even if the victim secures the Google account and removes any malicious apk.s from their phone, the hacker can listen to every call and receive every text and connected email, without the risk of being detected by a phone’s antivirus. | | | |
< < | This phenomenon shouldn’t be surprising. In a world where computer use has been streamlined to the point of a technically ignorant population, where nearly everyone uses Wifi, commercial routers, and Google/social media to store and disseminate their most precarious information, often from their mobile device, cyberstalking is the corresponding progression for those who intend to monitor a victim until they know exactly when and where they can find the target at their most vulnerable. In fact, the UK estimates that 97% of premeditated murders have been subsequent to some type of cyberstalking. | > > | To finalize their grasp, an experienced cyberstalker then has one final step in this scenario: hacking the device of the victim’s family member. Once the stalker has taken the same steps as above to hack the device of a family member with consistent communication with the victim, the victim cannot safely change their phone number because the hacker will find it when the family member communicates with the new number, and the cycle begins again. | | | |
< < | Those with stalking tendencies are unlikely to disappear, however, the risks of being cyberstalked can be tempered if the general population is made aware of the dangerous possibilities of cavalier internet use. While no mainstream encryption is foolproof and while a diligent cyberstalker can gain access through countless other channels, users that recognize the risk, choose to use email sparingly and securely, and distance themselves from social media services and Google can reduce the online footprint around which these cyberstalkers thrive. Furthermore, in instances where sexual assault or murder can be traced to substantial security oversights by router manufacturers, Verizon, Google, etc., liability should be more readily imposed. This could incentivize corporations to allocate resources to security, more frequently patch vulnerabilities, and educate their user-base on the rudiments of online security. | > > | Awareness & Liability | | | |
< < | | > > | This phenomenon shouldn’t be surprising. In a world where computer use has been streamlined to the point of a technically ignorant population, where nearly everyone uses Wifi, commercial routers, and Google/social media to store their most precarious information, often from their mobile device, cyberstalking is the corresponding progression for those who intend to monitor a victim until they know exactly when and where they can find the target at their most vulnerable. In fact, the UK estimates that 97% of premeditated murders have been subsequent to some type of cyberstalking. | | | |
< < | | > > | Those with stalking tendencies are unlikely to disappear, however, some solutions may exist. One would be the imposition of liability on router manufacturers, service providers, Google, etc., in instances where sexual assault or murder can be trace to substantial security oversights. This could incentivize corporations to allocate resources to security, more frequently patch vulnerabilities, and educate their user-base on the rudiments of online security. | | | |
< < | There are several parts here that don't fully fit together for
almost any imaginable reader. You present a problem (women,
specifically women, being "cyberstalked"), which turns out to be a
species of personal network compromise. Nothing is said about this
particular subtype of invasion as opposed to all other examples of
personal network compromise.
Then you present some possible modes of entry through parts of the
attack surface. Why routers and smartphones but not other devices
is unclear. Why the particular forms of attack described, and not
other ones, ditto.
Then you have a response conclusion, based around telling people how
to improve their security and imposing liability on manufacturers of
devices and providers of networking. These are somewhat different
in scale and political cost—perhaps indeed occupying
near-endpoints on both axes—but we don't get told why these
are the points on the spectrum of possible policies that we should
choose, or how to go about anything specific.
Improvement seems to me to lie in limiting the draft's reach in
order to increase its coherence. Specifics should be illustrative,
but not so chosen as to imperil the reader with randomness. And the
central idea that ties the disparate sections together should be
articulated, not implied. | | | |
< < | | |
\ No newline at end of file |
|
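Review bot: In the added router paragraph ("Accessing a router is astonishingly easy. ..."), "paper-thin WPS encryption" mislabels the mechanism. WPS (Wi-Fi Protected Setup) is a device-enrollment feature, not an encryption scheme, and the removed revision at least contrasted it with WPA2. Suggest saying that routers ship with WPS enabled by default and restoring the WPA2 comparison, so a reader knows which setting to check. The same paragraph carries a stray "?" after "UPnP", and "with no ability to disable them" is stated for all routers without support; "often with no obvious way to disable them" would be easier to defend.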
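Review bot: In the added smartphone paragraphs, the new sentence "However, this is often detectable." has lost its antecedent: the removed revision's "The phone can then be used to upload any local information to a remote source" and the data-consumption remark were cut, so "this" and "However" now point at nothing. Either keep the preceding sentence or rewrite the opening to name what is detectable, since detectability is the part a defender can act on. Also in this region, "using a metasploit" treats a framework name as a generic noun ("using the Metasploit framework"), "apk.s" should read "APKs", and the claim that an IMEI plus a "$300 device" yields access to every call and text is given without a source.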
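Review bot: In the added conclusion under "Awareness & Liability", the revision removes the user-awareness remedy ("users that recognize the risk, choose to use email sparingly and securely ...") but keeps the heading, so the section now promises awareness and delivers only liability. Either rename the heading or keep one sentence on what users can do. The new closing paragraph also has a typo, "can be trace to" (should be "traced"), and a comma splice in "unlikely to disappear, however, some solutions may exist". The "97% of premeditated murders" figure here and the "Roughly one million women" figure in the new "Late to the Game" paragraph both still lack a citation.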