Peepholes on the web

Webcams are a tabloid horror story just waiting to happen. The young women who disport themselves in their bedrooms for paying visitors have already provided the red-tops with a series of titillating news stories.

But the story that could hit closer to home for most people has yet to break. I can just see the headline now: 'Net perverts spy on your kid'.

The fact is, if a hacker can get into your PC, the chances are he can look through your webcam - or the one in your children's bedroom. Always-on broadband links are more vulnerable in the sense that you may forget they are there, but dial-up links tend to have less protection. If you don't think it can happen to you, here is a cautionary tale.

I am unforgivably slack about security, for someone who writes so often about it. This is partly out of laziness, but also out of the irritation at having to protect myself against some look-at-me bozo who wants to crawl round my hard disk or spread a virus.

But I got alarmed recently when I started getting several infected emails a day at work. Fortunately the viruses were stripped out by VNU's stringent security regime before they could do any harm, but they reminded me that updating the protection on my home machines was long overdue. So I got Sophos to send me its latest antivirus software.

One machine turned out to have 57 files infected with the self-mailing Nimda virus, which happily had not spread further as the machine had no address files. More sinister was the fact that I had two Trojans, Win32/Qaz and a variant of Sub7, each on a separate network.

A Trojan, named after the horse that let the Greeks into Troy, is malicious code posing as an innocent program. Qaz, for instance, poses as the Windows Notepad applet - the original code, renamed Note.com, still opens when you try to run the utility.

Some Trojans are dumped by websites; others come in email attachments; some self-replicate like viruses. Both Sub7 and Qaz allow a hacker the run of your machine - the latter actually let hackers into Microsoft last year. But the fact that you are infected does not mean you have been hacked.

Sophos antivirus guru Graham Cluley said: "A lot of Trojans send an email message to the sender with the IP address of the infected machine. There may be thousands of addresses and the hacker may look at only some of them."

But other hackers may scan IP addresses at random looking for openings.

Intruders range from kids fooling around, to criminals who will look for items like passwords or bank and credit-card details. Some users even want their machines infected to give themselves remote access, as the Trojans work as well or even better for this purpose than commercial programs.

Even these users may be up to dodgy business. Cluley thinks there is something worrying about the tiny webcams that are advertised on the web.

"Why do people want them so small? It makes you wonder what they are doing with them. Perhaps they are spying on the wife..."

But net voyeurs would not need to mess with setting up spy cameras, given the number already online. Cluley warns: "A Trojan can allow a hacker to do anything on your machine that you can do at the keyboard." And that includes peering through your webcam.

Sometimes the tables are turned. A security expert who got hacked last year managed to trace the offending machine - and found himself, thanks to a webcam, staring at the culprit.