Imagine this online hacking scenario: someone stealing information from your computer while you are uploading an image on Facebook. Scary, yes. Implausible? Think again; it may sound like its coming from a cyberpunk tale, but it’s quite possible with the latest online hacking techniques.

A collaborative effort between researchers from the University of Illinois at Urbana-Champaign and the Indraprastha Institute of Information Technology in New Delhi, India have come up with “Steganobot”, a new generation botnet, which attaches itself to Facebook profiles and gains access to the user’s confidential data such as e-mail passwords while uploading Facebook pictures. The researchers said that Stegobot was developed to show how easy it could be for a hacker to exploit Facebook photos upload feature to sneak into the user’s computer.

Botnet Malware: Online Hacking Evolution

Malware is an extremely serious threat to modern networks. In recent years, anew form of general-purpose malware known as bots has arisen. Bots are unique in that they collectively maintain communication structures across nodes to resiliently distribute commands and data through a command and control (C&C) channel. The ability to coordinate and upload new commands to bots gives the botnet owner vast power when performing online hacking activities of a criminal nature, including the ability to orchestrate surveillance attacks, perform DDoS extortion, sending spam for pay, and phishing.

The evolution of botnets for online hacking has primarily been driven by the principle of `whatever-works’. Early botnets followed a centralized architecture. However, the growing size of botnets led to scalability problems. Additionally, the development of online hacking defense mechanisms that detect centralized command-and-control servers further accelerated their demise. This led to the development of a second generation of decentralized botnets.

Meet Steganobot: New Botnet developed to Study Future Online Hacking Threats

Stegobot initially gains access to computers through the usual channels such as infected attachments or directs to malware-laden content. After gaining access, Stegobot applies a technique called “steganography” to conceal data in the image files without affecting the picture’s appearance.

Topological Diagram of Steganobot

The botnet incorporates the information into any image you are uploading on Facebook. And then it waits for one of your friends to see your profile. Stegobot can then infect your computer even if your friend has not clicked on the corrupted image. In case your friend is also infected with the botnet, then any photo they upload will also pass on the stolen data. And the relaying of the data can eventually land into the hands of a botmaster, who will be then able to access your identity.

The study focuses on the development of a decentralized botnet based on a model of covert communication where the nodes of the network only communicate along the edges of a social network. This is made possible by recent advances in malware technologies. Social malware refers to the class of malware that propagate through the social network of its victims by hijacking social trust. Instances include targeted surveillance attacks on the Tibetan Movement and the non-targeted attack by the Koobface worm on a number of online social networks including Facebook.

By adopting such a communication model, a malicious network such as a botnet can make its traffic significantly more difficult to be differentiated from legitimate traffic solely on the basis of communication end-points. Additionally, to frustrate defense efforts based on traffic flow classification, Steganobot’s development team intends to explore the use of covert channels based on data concealment techniques. What if criminals used steganographic data hiding techniques which exploit human social behavior patterns in designing botnets? Would it be possible to design such a botnet? How would it be superior to existing botnets, and where would it be inferior to the same? These are some of the questions this study hopes to answer in this paper.

The research related to Stegobot is quite significant as this online hacking threat is virtually undetectable. Of late we have seen a spate of online hacking across the world. Whether it has been a government website or the IMF network, everything online seems vulnerable. Online hacking techniques such as botnets have only strengthened the contemporary need for more secure and foolproof methods to safeguard online identity. For continued updates about malware protection and safe web behavior, keep reading our online hacking weblog.

Internet hackers and software companies from around the world are staging mock cyber wars at a major web security event in Europe.

Some 1,000 participants are taking part in the two-day Hacktivity 2010 conference in the Hungarian capital Budapest that started on Saturday. The conference comes at a time of mounting concern over software piracy and other cyber crimes. Hacking is fast becoming the 21st century tool for espionage.

Software companies these days use hackers to see how secure their new programs are – hackers benefit by learning new tricks.

“There are not many systems these days that cannot be hacked. It is a matter of time and investment,” Felix F-X Linder, a cyber security specialist, told Al Jazeera from the conference in Budapest. “Luckily, due to the many years of work in computer security, it is getting harder to hack systems.”

Mitch Altman, a hacker from the US, will present a workshop on computer hardware, while Bruce Scheier, a world-renowned cyber security expert, opened the conference with a keynote speech.

At the leisure zone, where “nerds” at the conference go to relax, participants can test their ability to break into systems and take control of foreign computers in a variety of games, from Hack the Vendor to Capture the Flag.

According to a recent study by the cyber security firm Norton, 65 per cent of all computers users have been the victims of cyber crime. The worst hit country is China, where 83 per cent of users have been hit by some form of cyber crime. In Brazil and India that number is 76 per cent.

Cruel intentions

Malicious computer use such as virus writing and hacking cost businesses globally more than $1 trillion each year, according to a study from computer security company McAfee. The projection is based on responses to a survey of more than 800 chief information officers of companies around the world.

The respondents estimated that in 2008 they lost data worth a total of $4.6bn and spent about $600 million cleaning up after breaches, McAfee said.

The recent recession is only increasing the security risk for corporations, respondents said, with 42 per cent reporting that displaced workers were the biggest threat to sensitive information on the network.

More than one quarter of the respondents said they avoid storing data in China, and 47 per cent of Chinese respondents said they believed the US poses the biggest security threat to their data.

The research also indicates that more and more vital digital information, such as intellectual property and sensitive customer data, is being transferred between companies and continents – and lost. The average company has $12 million worth of sensitive information residing abroad. Companies lost on average $4.6 million worth of intellectual property each year.

Taliban hacked

Business, government and regular computer users are not the only ones dealing with hackers: the Taliban is also facing the problem. The so-called Islamic Emirate of Afghanistan faced an attack in June 2010, Wired magazinereported.

Abu al-Aina’a al-Khorasani, an administrator with what Wired calls an “elite jihadi forum endorsed by the Taliban”, has cautioned users to be careful of recent activity.

Khorasani said that the “group’s main site and the site of its online journal Al-Sumud, have been subject of an ‘infiltration operation’”.

On the Falluja forum, Khorasani warns online Islamists “to not enter any of the links of these website and not to even surf [the material] until you receive the confirmed news by your brothers, Allah-willing”, Wired reported.

The Taliban websites have been hacked before, but the latest job should be particularly concerning to the group, Evan Kohlmann, a computer analyst with Flashpoint Partners, said.

“[T]his would be the first instance that I’m aware of it being actually ‘infiltrated’,” Kohlmann told Wired.

“It’s an unsettling prospect for security-minded online jihadists, because such sites can be manipulated by a variety of hostile parties in order to harvest a breathtaking amount of personal data on regular visitors.”

Victims ignorant

Generally people do not take cyber threats very seriously and most people who have been hacked do not even know it. They forget that by using unsecured Wi-Fi hotspots they are essentially shouting their information to the world.

Every access point into a system like Bluetooth or other communication software can be used by savvy cyber criminals to steal information or to implant malicious software. The average laptop could contain data worth around $1 million, according to research by security software company Symantec.

The same research shows that just 42 per cent of companies automatically back up employees’ emails, where often critical data is stored, and 45 per cent leave it to the individual to do so.

Lost laptops have been the bane of existence of many companies and countries alike. The most infamous instance of loss of laptop occurred in 1990 when a British Royal Air Force officer had a computer stolen from the boot of his car. It contained a top secret plan to drive the Iraqi army out of Kuwait after it had invaded the Gulf country in August 1990.

In January 2008 a British Royal Navy officers was court-martialled after a laptop containing the personal data of 600,000 people, including serving personel, was stolen from his car. The non-encrypted data included bank account numbers and passport details, national insurance numbers and home addresses.

Most laptop thefts are committed by common thieves who are after the laptop itself and not the information it contains. To prevent the thief to access the system it is enough to simply set the password and encrypt the hard drive.

It has in fact been a constant thorn in the search giant’s side and has set up a special Google website to log and monitor what it sees as its misdeeds as the firm tracks and collects data on us through our search history and browsing habits.

Now Consumer Watchdog has taken it to a whole new level with giant adverts playing on the JumboTron in New York’s Times Square. See them here.

Google CEO Eric Schmidt is portrayed as a “perverter of privacy” in the guise of an ice cream man. The animated video shows a caricature of Schmidt giving out free treats to children while at the same time spying on them and collecting information on them.

Consumer Watchdog’s president Jaimie Court said the aim of the adverts was to “make the public aware of how out of touch Schmidt and Google are when it comes to our privacy rights. Google knows more about us than most government agencies.”

“Google’s motto is ‘don’t be evil’ and the way Eric Schmidt has been talking lately proves he has not been living up to that standard.”

Specifically Mr Court is referring to Mr Schmidt’s recent comments about privacy and online behaviour.

“Schmidt is out of control,” said Mr Court.

“When questioned about privacy, he has said, ‘If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.’ Recently, he suggested children could change their names when they got older if they wanted to escape what was embarrassing and public in their online lives.”

As well as deriding Google and its CEO in this 540ft video screen in one of America’s most populous squares, Consumer Watchdog has a serious message about online privacy in general. It wants Congress to implement a “do not track me” list that prevents Google and any other internet company from tracking users’ every move online.

The list would work just like the “do not call list” which has been pretty successful at stopping those annoying marketing phone calls you get just as you are about to sit down for dinner/put the baby in the bath/read the toddler a book/or enjoy a sip of wine.

Google has taken quite a bit of heat lately over privacy. Its own admission that its Street View cars had mistakenly collected snippets of information leaking from unprotected networks in people’s homes resulted in criticism from privacy advocates around the world.

Google’s foray into social networking with its product Buzz also lead to unwanted headlines about a cavalier attitude towards privacy.

But as the Wall Street Journal points out, Consumer Watchdog is not above reproach. The group claimed that the Street view cars could have collected national security information from members of Congress but the Journal pointed out that it made the “allegations after sitting outside the homes of the members itself and sniffing for unsecured traffic”.

Google’s response to the advert is sanguine.

“We like ice cream as much as anyone, but we like privacy even more,” Google said in response to the BBC.

“That’s why we provide tools for users to control their privacy online, like Google Dashboard, Ads Preference Manager, Chrome incognito mode and ‘off the record’ Gmail chat.”

 
British Prime Minister David Cameron skipped prime minister’s questions on Wednesday, depriving lawmakers of their first chance to grill him in public since the revival of a scandal involving his top public relations aide.

Cameron’s father suffered a stroke and heart complications on vacation in France, and the prime minister is flying out to be with him, his office announced.

His deputy, Nick Clegg of the Liberal Democrat party, instead faced intense questioning about Cameron’s communications chief, Andy Coulson, who used to be the editor of a tabloid newspaper accused of widespread hacking of celebrities’ voice mails.

Coulson “made it very, very clear he had no knowledge” of hacking by his staff, “and that statement speaks for itself,” Clegg insisted.

Senior opposition Labour lawmaker Jack Straw tried to drive a wedge between Clegg and Cameron — a Conservative — by demanding that Clegg express a position on Coulson.

Clegg wouldn’t take the bait.

“It is now for the police and the police alone to decide whether new evidence has come to light,” he said.

Police expect to question Coulson as part of their investigation into the hacking scandal, a top British police official said Tuesday.

“At some stage I imagine we would be seeing Mr. Coulson in some capacity,” said Metropolitan Police Assistant Commissioner John Yates. He refused, in questioning by lawmakers, to be pinned down about when.

The House of Commons Home Affairs Committee is opening a new investigation into the hacking of phones, it announced Tuesday, after questioning Yates over what police did and did not do about the alleged hacking.

Coulson resigned as editor of the News of the World newspaper after one of his reporters was sent to prison for hacking into phone messages of the royal family’s household staff.

Both News of the World and Cameron’s office said Tuesday they had no response to Yates’ comment.

But Coulson said Monday he would be happy to meet with police voluntarily and “vehemently denies” allegations he knew of widespread phone hacking at his newspaper.

News of the World has also denied a culture of using illegal methods to get stories.

News of the World royal reporter Clive Goodman and private investigator Glenn Mulcaire were sentenced to prison in 2007 for hacking into voice mails of members of the royal family’s staff.

Mulcaire also admitted hacking into model Elle MacPherson’s messages, among others.

But The New York Times alleged in a detailed investigative story that — far from Goodman and Mulcaire being lone culprits — phone hacking was common practice at the newspaper.

The New York Times article last week prompted a furious response from a number of public figures, including former Deputy Prime Minister John Prescott, who demanded that the police tell him if his phone had been hacked.

Yates said Sunday that “the newspaper produced no new evidence for us to consider reopening the case,” but had reversed himself by Tuesday’s parliamentary committee hearing.

Police will question one of the few sources who went on the record in the Times article, former News of the World journalist Sean Hoare, Yates said.

Hoare told the Times that Coulson, then his boss at the tabloid, “actively encouraged me” to hack into the voice mails of public figures to get stories for the News of the World.

Coulson’s allies have cast doubt on Hoare’s credibility since the Times article came out September 1, pointing out that Hoare was fired from the paper over allegations of drug and alcohol abuse.

The New York Times also alleges that the police did not pursue their investigation into the News of the World as aggressively as they could have, both because of a “symbiotic” relationship between the police and the paper and because they were busy with other investigations.

Yates did not respond to those allegations.

The News of the World, which is owned by News Corp., Saturday rejected “absolutely any suggestion there was a widespread culture of wrongdoing” at the paper.

A British parliamentary committee twice investigated the tabloid.

Witnesses associated with the paper insisted there was no evidence that phone hacking extended beyond the two who were found guilty of it.

I’M a Modernist, devoted to Mies, postwar abstraction and flying. In the last year or so, I’ve been in Amman, Paris, Venice, Athens, Boston, London, Naples, Dublin, Rome, Reykjavik, Milan, Málaga, Moscow, Montreal and Memphis, to name a few.

One year, I was traveling back and forth to Paris so many times that the flight attendants recognized me.

I was traveling with an important artist and I was really trying very hard to impress him. When we boarded the plane, a flight attendant yelled out that it was great to see me. I felt really good, believing the artist would think that I must be someone special for a crew member to greet me that way.

Then the attendant asked me if I wanted a drink. It was 8:30 in the morning and I was sure the artist thought I was a drunk. Fortunately, he just found it amusing.

When Wi-Fi became available in flight, I was really excited since I thought I would be extra productive.

The first time I tried it, I was traveling to Los Angeles from New York. Since it’s a long flight, I thought I’d get a lot of work done. So I e-mailed a colleague telling him that I was in a plane but could still work.

My colleague, a notorious prankster, e-mailed me back with the subject line “Picasso,” with an attached image. The body of the e-mail said that he found the Picasso I had been looking for. I opened the attachment and my screen filled with, well, porn.

I was in the middle seat with two business types on either side of me. I was mortified. And they didn’t look amused. I slammed the laptop shut and didn’t say a word or do any work for the remainder of the flight.

Since I travel so much you’d think I would be savvier. But a lot of times I feel like I’m living out a “Seinfeld” episode.

When heading from Rome to Moscow, I had to board a shuttle bus to my plane. There were two buses: one was nearly empty; the other was really crowded. I’m not a fool. I opted for the less crowded bus. I got very comfortable and kept thinking how smart I was. That is, until I discovered the bus was taking me to a plane headed to Kuwait.

I make mistakes all the time. I had a meeting in Israel and by the time I landed in Tel Aviv, I was really tired. When I got to my hotel, all I wanted to do was go up to my room as quickly as possible and then sleep.

But since I was sure it was a Friday, I wanted to be respectful of the Shabbat laws. So I didn’t push any buttons in the elevator that would take me to my floor. I waited for the doors to close.

I must have stood there three minutes. Then a guy got on the elevator and immediately pushed the button for his floor. I gave him a dirty look. And then he told me it was Thursday, not Friday. I felt pretty foolish.

To help beat jet lag, I travel everywhere with a Pilates abdominal device. It’s a metal circle, with two plastic handles, that you use to strengthen your core. I swear some security people think it’s a weapon. I’ve had to explain what it’s used for and a few agents asked me to demonstrate.

They didn’t look impressed. But they did let me on the plane with my Pilates gear, where I proceeded to show the flight attendants just how it worked. At least they seemed impressed.

Apple’s new social media service, Ping, is already getting hit by a barrage of comment spam.

The Ping network integrates with iTunes 10 to let you follow your favorite artists and swap comments with other fans. But it took less than 24 hours for the comments sections to be swamped by phony offers for free iPhones and other hot gadgets, according to a Thursday blog from security vendor Sophos.

Sophos expressed bemusement that although it’s no secret that blogs and forums have become the new playing ground for spammers and scammers, Apple apparently has set up no spam or URL filtering in Ping, leaving the service wide open to junk comments.

Apple has implemented some degree of security in Ping–the service won’t display profile photos until they’re approved by the company–and is filtering for offensive content as well, notes Sophos, so the company should be able to kick in a spam filter. But spammers can also easily create fake accounts for Ping since the service requires no credit card or other ID to join.

Of course, comment spam has been swamping other social networks and blog sites for years. The spam messages hitting Ping are virtually the same ones that Sophos found have targeted Facebook, Google, and Twitter. These “survey” scams typically promise a free iPhone, iPad, or iPod in exchange for filling out a bogus online questionaire.

Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so.

This will address the problem that many of us have of leaving a computer–either one we borrowed at a friend’s house or used at a public spot like a library–logged in to our Facebook account without realizing it. Doing so leaves it open for abuse by whoever happens to visit the site next on that machine, allowing them to use the account to send spam or masquerade as the legitimate user.

“When anyone else is in charge of your online account there is the opportunity for foul play,” Jake Brill, a product manager for Facebook’s site integrity team, told CNET. Using the new feature that Facebook is rolling out worldwide, users will be able to click on the Account tab in the upper right-hand corner of their profile page, click on “Account Settings” in the drop-down menu and see new information about account activity under the “Account Security” area.

Facebook will provide users with recent activity on their account, including the last time the account was accessed, the device used, what approximate city it was located in, and the browser and operating system on the device. It will also provide the same details for other sessions if they are active on other devices and offer the user the ability to click “end activity” to log that device off.

Often, Facebook users don’t realize that they may still be logged into their accounts if they merely closed down the browser or even if they shut down the computer. For example, if the “Keep me logged in” box is checked on the log-in page, then you must manually log out on Facebook to end the session. That box, which is standard on many popular Web sites, is unchecked by default. If the box is not checked, users must quit the browser or log out to end the session.

The new feature will help people thwart would-be account hijackers, said Andrew Walls, a research director at Gartner.

“If you suspect somebody else has your password and is able to access your Facebook account or you see a computer you don’t recognize connected to your user profile, you can kill that session,” he said. Users who suspect their account has been compromised should always immediately change their password.

Walls praised Facebook for offering users this level of insight and control into their accounts and noted that it is standard in operating systems to provide this capability to administrators who want to, for instance, monitor the VPN (Virtual Private Network) connections into the network.

“This will be adopted by a small percentage of the user base, but it’s a good step and it is needed,” he said.

The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account.

After temporarily setting aside its BlackBerry ultimatum, the Indian government has shifted its focus to Gmail and Skype, according to the AFP.

India is apparently taking issue with any communication service that doesn’t give it easy access to data. It has a problem with Google-owned Gmail’s heavy encryption and with the inability to listen in on conversations over VoIP with Skype.

“If a company is providing telecom services in Indian, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible.”

As of this writing, India had not sent notices to comply with its tight data-availability regulations, but the AFP reports that Google and Skype may receive notices as early as Tuesday. The notes will likely require that both companies provide the Indian government with a way to access e-mails in Gmail and conversations in Skype.

The Indian government made waves recently by targeting Research In Motion’s BlackBerry devices over data accessibility. The government contends that by safeguarding e-mail, instant messaging, and Web browsing, RIM is preventing India from monitoring communications as part of national security.

Last week, RIM stood firm in opposition to India, indicating that it wouldn’t submit to the government’s September 1 deadline. India has now given RIM two months to furnish access to its data or face a ban of its service.

The Indian government said it will not shut down the service for at least another 60 days as it evaluates proposals RIM has offered that would allow the government to monitor wireless subscribers’ communications.

Indian officials said earlier this month that the company had until the end of August to come up with a solution that would allow them to monitor e-mails and other electronic messages from BlackBerry users in the country.

One of the latest proposals likely includes RIM placing one of its servers in India.

“It was also decided that the Department of Telecommunications would study the feasibility of all such services being provided through a server located only in India,” Onkar Kedia, a spokesman for the federal Ministry of Home Affairs, said in a statement.

RIM has been working with Indian officials to come up with a solution since earlier this month, when the government threatened to shut down the service over security concerns. Last week, RIM suggested creating an industry forum to address the government’s concerns. In this forum, RIM and other mobile companies would work with the Indian government to support “the lawful access needs of law enforcement agencies, while preserving the legitimate information security needs of corporations and other organizations in India.”

RIM has faced threats of bans in other countries as well, including Saudi Arabia and the United Arab Emirates. RIM averted a ban in Saudi Arabia by supposedly cutting a deal with Saudi officials, which reportedly also includes putting a server in Saudi Arabia that would allow the security officials to monitor communications.

RIM has been adamant that it has not compromised its core security features. And it claims it has not struck special deals with any country.

“RIM assures both its customers in India and the government of India that RIM maintains a consistent global standard for lawful access requirements that does not include special deals for specific countries,” the company said in a statement last week.

Governments in countries threatening to ban the service say they are concerned that the BlackBerry, which features stronger privacy safeguards than competing devices, could be used by terrorists and other criminals to avoid detection.