The China-based cyber-spy network known as "GhostNet" is a sophisticated group of hackers capable of logging its victims' keystrokes, stealing their documents, capturing images from their screens—and staring creepily at them through their webcams.
In a report released last month, Canadian researchers concluded that GhostNet has cracked at least 1,295 computers in 103 different countries, specifically targeting the Dalai Lama and other Tibetan activists and officials. Stealing documents and logging keystrokes—that I understand. You can get all sorts of useful information reading someone's e-mail or looking at their bank records. But peeking at them through their Web cameras? That seems creepy even by the standards of shady cyber-spying rings. It's one thing to read the Dalai Lama's IM conversations. It's another to actually watch him LOL.
GhostNet might be the most prominent example yet of webcam infiltration, but it's certainly not the first. The practice dates back to 1998, when a group of hackers calling itself the Cult of the Dead Cow designed a piece of software that, when downloaded onto a computer, let someone control the machine remotely. Anything you could do sitting at your desk, they could do thousands of miles away, from creating documents to playing MP3s to popping open the disk drive. They dubbed the program Back Orifice—a twist on Microsoft's BackOffice. The authors "were not malicious guys," says Frank Heidt, CEO of Leviathan Security. "They thought it was funny as hell."
Webcam scams do occur, though they're far less common than other types of online extortion. In 2004, four hackers in Spain were arrested after threatening to post candid webcam videos online unless their victims paid up. In 2008, a Canadian man told young girls that he had nude pictures of them and would post them on the Internet unless they posed for him again.
Governments and businesses have adapted. For example, the Department of Defense has regulations about where you can carry a laptop. And unlike the most advanced computer worms, this isn't a threat that's constantly evolving to outpace security measures.
Since Back Orifice hit the market, the basic methods of cyber-peeping haven't changed much: Just get your target to download an e-mail attachment or click a link that triggers an automatic download, activate the camera, then sit back and watch. "Writing the malware is a total triviality" even for middling programmers, Heidt says. Back Orifice is still available for download, and beginners can find instructions on how to write their own programs with a simple Google search. Or you can just take a college course on how to do it.
What's changed is the prevalence of cameras. You can't buy an Apple laptop these days without a built-in camera. Even Sony's smallest notebook has a webcam. Sometimes they're practically invisible: The MacBook Air's built-in camera is "so smartly integrated, you hardly notice it's there," brags Apple. That said, almost all laptops have a light that turns on whenever the camera is on—a feature that hackers can't disable since it's controlled electronically, not programmatically.