hacks - ReadWriteWeb
http://www.readwriteweb.com/feeds/tag/hacks
Copyright 2009 Richard MacManus readwriteweb@gmail.com
Sun, 22 Nov 2009 12:00:55 -0800

Are Mobile Botnets in Our Future?

Today at the cybersecurity conference known as Black Hat, researchers Charlie Miller and Collin Mulliner will present an SMS exploit that could take over your iPhone with just one text. Once the phone is compromised, the hacker would have access to all the functions on the phone, allowing them to send email, access your contacts, make phone calls, and of course, send text messages that would send the exploit to more devices.

This serious vulnerability (which apparently Apple sat on for over a month) is probably the first time that most people have heard of mobile phones being used to create botnets. However, this isn't the first sighting of a mobile phone hijacking attempt for the purpose of botnet creation - a similar exploit was discovered earlier this month. Does this mean we're on the verge of a new and dangerous trend: the creation of "zombie" phones?

The iPhone SMS Hack

According to Forbes, the SMS exploit being demonstrated at Black Hat today involves sending short, mostly invisible SMS bursts which would allow a potential hacker to entirely take over the phone. The only warning of the hack would be a text message that contained a single square character. If you received something like that, your only recourse would be to turn the phone off immediately.

The researchers said they alerted Apple to this vulnerability over a month ago, but no patch has been released. Apple isn't returning calls requesting a comment, either.

The First Mobile Botnet?

Assuming the iPhone exploit described above was able to make it into the wild, it could effectively compromise all the unprotected iPhones in the world (which, in theory, would be all of them, if no patch is distributed). The hack would essentially turn the phones into "zombies" - a term usually used to refer to PCs compromised by a hack, virus, or trojan horse in order to do the bidding of a hacker. Along with other compromised PCs like them, this group of computers would form a botnet of "zombie" machines.

While botnets are common in the PC world - it's estimated that these machines are used to send anywhere from fifty to eighty percent of spam worldwide - botnets consisting of mobile phones are practically unheard of...or are they?

Earlier this month, Symantec revealed an SMS threat dubbed "Sexy Space" created using malware known as SymbOS.Exy.C, a revision of older variations also used to create similar threats. Using simple social engineering tactics, this hack involves sending SMS spam with names like "Sexy View," "Sexy Girl," and "Sexy Space" to encourage victims to click an included link in the text message.

This particular exploit, only found on Symbian-powered devices so far, is smart enough to end certain programs on the hijacked phone that would make it possible to manually end the threat. At first, the hack was only being seen in China, but later an English version was discovered in the Middle East.

What's most frightening about this particular threat is that it's controlled by a central server. That means hackers could control the attacked phones the same way hackers today control zombie PCs. This led the Symantec researchers to wonder if this was, in fact, the first case of a mobile botnet being spotted in the wild.

But My Phone Has Never Been Attacked!

Security researchers have been warning us about the upcoming mobile risks for some time and yet few people have ever actually had their phone compromised by malware, it seems. To date, mobile exploits have been few and far between and have had no major impact on the industry as a whole or on consumer confidence levels regarding these devices. Perhaps lulled into a false sense of security since mobile phones were once much more basic devices without internet access and data plans, most people don't even realize that their phone could be at risk of an attack.

In a paper released this past fall from the Georgia Tech Information Security Center, Tom Cross, a researcher with the IBM Internet Security Systems X-Force team was quoted as saying how surprised he was that there haven't been more attacks to date on smartphone devices like Apple's iPhone. However, he noted that "financial motivation and increased adoption will increase attacks to smartphones in the years to come. As more payment infrastructure gets placed on these devices, they will become a more attractive target."

In other words, mobile phones just aren't worth hacking yet. That will change once more financial transactions take place over phones, agreed Dave Amster, VP of security investigations at Equifax, in that same report. "Consumers are ordering credit reports from their Blackberrys, which puts valuable information at risk," he said.

Still, hacking the mobile platform will remain a challenge. According to Patrick Traynor, a computer science professor at Georgia Tech and member of GTISC, the lifecycle for mobile phones is much shorter than that of PCs. Most people buy a new mobile device every two years - a cycle which allows manufacturers to keep up with security design - and potentially stay ahead of hackers.

But if there's one thing we've all learned over the years, it's that you should never count out the hackers. If there's something to be gained by creating mobile botnets - beyond simply proving that it's possible to do so - then there's no doubt that hackers will attempt to create them.

http://www.readwriteweb.com/archives/are_mobile_botnets_in_our_future.php Trends Thu, 30 Jul 2009 06:32:04 -0800 Sarah Perez
Warn Users of Malware on Facebook - Get Banned?

Looking for a good conspiracy theory today? Well here's one: Chris Almond, the administrator of a Facebook group called the Rogue Facebook Apps Early Warning Group, just got kicked off the social network. Why did this happen? Did Facebook not like how he was posting details about Facebook malware, hacks, and attacks? Attacks like this recent one that exposed private Facebook profile information just by clicking on a link?

Or was Facebook simply following through on a TOS violation because Chris had accidentally sent out duplicate messages to group members, thereby getting flagged as a spammer and subsequently booted from the network?

You decide.

First Rule of Facebook: Don't Talk about Hacks on Facebook!

On Monday, the anonymous blogger over on Social Hacking posted a link that demonstrated a gaping hole in Facebook which revealed private profile data upon clicking. The hack worked (I tried it at the time) although now the hole has been closed. He later revealed the technical details of this hack on his blog.

However, even before those technical explanations were posted, Chris Almond was spreading the word via the Rogue Facebook Apps Early Warning Group, a group whose members like to stay informed about the latest and greatest threats happening on the social network. All he was doing was publicizing the information - he was not involved in the hack's creation in any way.

Shortly after sharing the information with the group, Chris found his account was disabled.

And because it was disabled, Chris's collection of links and articles he had posted since the group's creation in 2009 as well as all the discussions he had with other group members were gone, too. The group's archive was emptied out.

Does that sound suspicious to you? TheHarmonyGuy (aka Mr. Anonymous from Social Hacking) thinks so. He writes, "While I hope I'm wrong (and I very well could be), it appears that at least part of the reason for the account shutdown was that this user was spreading word about my Facebook attack. It saddens me that other people are having to suffer on my account..."

Flip Side: Just a Simple TOS Violation?

Of course, there are always two sides to any story and this story is no exception. In Facebook's defense, Chris Almond was guilty of a TOS (Terms of Service) violation. You see, Chris had decided to send out personal emails to group members with information about the hack and to invite them to a group event. Unfortunately, he accidentally sent out duplicate emails to some of the group's members.

This triggered Facebook's spam detection feature - most likely an automated system that detects such behavior on the part of group admins. Chris received the warning and realized his mistake. Though it was accidental, he had in fact violated Facebook's TOS. He stopped sending any further messages after receiving the message.

But apparently, it was too late for contrition because Facebook soon thereafter disabled his account.

At the moment, Chris is busy pleading for reinstatement. He has sent Facebook the following emails to state his case:

Email 1

Hello

My Facebook account, registered with this email account [EMAIL ADDRESS REMOVED] has been disabled.

I'm not going to argue that I didn't violate terms of use, only that I did so unknowingly and in completely good faith.

Please allow me to explain my activity that led to the disabling. I am admin of a group called Rogue Facebook Apps Early Warning Group. I wished to send an invite to members to a group event I'd created in which information about facebook security issues was shared, containing links to a site that after personal contact with the author I am satisfied is legitimate and non-threatening.

Here is the link I shared: http://theharmonyguy.com/2009/06/22/illustrating-facebook-privacy-problems/

Due to the size of the group, it was impossible to send a group invite, so I decided to personally message members of the group who had posted on the wall. My reasoning was that they were voluntary members of the group and so this was probably an acceptable course of action. Obviously I was wrong about that.

I have been corresponding recently with Ryan Merket of Facebook platform team about the group. Hopefully he will be able to vouch for my good intentions.

I assume that somebody to whom I sent a message has reported my activity as spam. I can certainly see, in light of what has happened, that it could be construed as such but my intention was to share information about Facebook security awareness, and absolutely not to trouble anyone at all.

Please reinstate my account. I run a small business, promoting music in my local area, and my business will suffer if I can't use facebook for that purpose.

Yours contritely

Chris Almond

Email 2

Hello

I wrote the other day about how I'd shared a link with members of the Facebook group I co-administrate, and how that action has led to the disabling of my Facebook account registered with [EMAIL ADDRESS REMOVED]

I don't know if the manner in which I distributed the message or its contents were the main transgressions in your opinion. I accept that by duplicating a message I triggered an automatic spam alert, and I sincerely regret that particular course of action. Please note, I stopped sending the messages as soon as the first warning appeared.

The link itself was to a hack, described here by its author http://theharmonyguy.com/2009/06/24/facebook-attack-technical-details/

The purpose of the Facebook group I help to run, Rogue Facebook Apps Early Warning Group, is to spread awareness about the weaknesses in Facebook platform that allow unscrupulous Facebook app developers to access users' private information without their explicit authorisation. I am not a hacker, nor particularly technically informed in that area, but I am somebody who is concerned by the implications of such weaknesses. Neither am I, as my group co-admin erroneously stated in an email to you yesterday, working with theharmonyguy. I merely follow his work and believe that the kind of activism he engages in is an honorable, and practical way, of encouraging greater security on Facebook.

A hallmark of my personal experience of Facebook is the worrying amount of applications that find their way onto my account without my permission. Error Check System, the notorious app attack of February 2009 that led to the formation of our group, was merely one of the most aggressive, visible, and widely remarked-upon.

I don't publish sensitive personal info on my account, but many do, and I believe it is legitimate behavior to be proactive in spreading awareness of the issue.

Having accepted that the sending of duplicate messages is in contravention of the Facebook terms of use, I must say it is intolerable that I have been singled out for suppression when, over the course of my time using Facebook I have seen many groups containing material that by any reasonable assessment is racist, homophobic, or in some other regard hate-filled and offensive, and whose admins are allowed to continue their activities.

I am not a spammer. I have never, before this incident, done anything that could be viewed as spamming. I accept that I was naïve in the way I went about promoting the activities of my group. I do not think that what I did warrants permanent expulsion from the Facebook community, and I hope you will agree.

Yours sincerely

Chris Almond

What Do You Think?

So is this a clear-cut case of a Facebook TOS violation being acted upon? Or was Facebook just looking for an excuse to shut this group down? Surely they couldn't have liked the fact that Facebook users were using their very own platform to share news and links about ways to attack Facebook! Still, there wasn't anything Facebook could do about it...unless somebody crossed the line, of course.

Luckily for us, Facebook has not yet succeeded in completely destroying this group. The Rogue Apps Early Warning group itself lives on thanks to co-admin, Stuart Forbes, who is now in charge of the group's activities. Chris's account is currently still suspended.

UPDATE: After this article was published, Facebook reactivated Chris's account.

http://www.readwriteweb.com/archives/warn_users_of_malware_on_facebook_-_get_banned.php Facebook Thu, 25 Jun 2009 11:19:33 -0800 Sarah Perez
Browser Hacks: Last Week's Top Five Greasemonkey Add-ons (Firefox)

Your browser doesn't have to be the boss of you - if you're a Firefox user there are a world of different ways you can change how it displays your favorite websites. One of the most powerful is Greasemonkey, a plug-in that lets you install other little plug-ins ("scripts") that change the functionality or appearance of a wide variety of sites.

Greasemonkey is easy to use, fast and powerful. Most scripts are hosted and discussed at Userscripts.org, but that site can be a little overwhelming. In the past week, 375 scripts were added or updated. We looked through them all and picked out the best 5. Below we've also posted a screencast that will get you started harmlessly hacking your browser with Greasemonkey in under 5 minutes.

How to Use Greasemonkey

Thanks to Screencast.com for hosting the video above. (Here's a Flash version, if you prefer it.)

Now What?

There are a lot of must-use Greasemonkey scripts that have been published before this week. Some of our favorites include:

Autopagerize - continuous scrolling from page to page on many websites.

Twitter Search on Google Results Pages - add real-time search to Google.

Memeorandum Colors - color code links on political blog aggregator Memeorandum by the politics of each blog's linking history.

Those are oldies-but-goodies but more and more scripts are available every day. Here are our favorite 5, in no particular order, out of the 375 that were added to or updated on Userscripts.org last week.

1. Gmail 3.0 Productivity Package - adds links to create new Google Docs and integrates other Google services into the GMail interface.

2. Alltop Topic Search and OPML

Guy Kawasaki's Alltop has aggregated the top sources on a long list of topics. This script makes it even more useful by allowing you to search inside each category's archives and export the RSS feeds for all the selected sources into another RSS reader.

3. Google Search Sidebar with YouTube, Wikipedia, Dictionary.com and Flickr Results

[Image: google powersearch.jpg]

In the image above you can see the Twitter Google script results at the top of the page (described above) and this Wikipedia, etc. script on the right hand sidebar. The script works well.

4. Cookie Life Extender

Sick of having to log back in to sites all the time? This script rewrites the expiration date on all cookies in your browser, making them live for 50 years!

5. Vidzbigger

This script makes a bunch of changes to YouTube video pages. It displays the largest video player available, moves the comments into the right sidebar so you can view them while watching the video and it inserts links to download a copy of all videos. It isn't the prettiest thing in the world and has the audacity to insert an ad overlay after videos are completed. It may not be pretty, but it's useful.

Those Are Our Favorites, What About You?

We'd love to hear about your favorite Greasemonkey scripts, too. There are so many of them out there that it's hard to unearth the best. There's nothing quite like it though, when you find a way to change the very browser you look at the web through.

http://www.readwriteweb.com/archives/browser_hacks_last_weeks_top_five_greasemonkey_add-ons_firefox.php How To Sat, 21 Mar 2009 11:37:43 -0800 Marshall Kirkpatrick
Updated: Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked

Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone. Obama's account, unused since election day, sent out an affiliate link to a survey with a gas card prize, Fox News said that "Bill O'Reily is gay" (not that there's anything wrong with that) and Britney Spears' account made a lewd post about her anatomy. Rick Sanchez, the Twitter-loving CNN anchor, says he's "high on crack and might not be coming into work today."

The Fox tweet was deleted an hour after it was posted, so the password may not have been changed. The Facebook account on Twitter just posted a link to porn, so it appears that the situation remains unresolved. Update: Twitter says it's been resolved but that users should change their passwords! The Twitter blog has just posted an explanation of the breach. Screen shots of the hacked accounts are below.

This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web.

[Image: Twitter _ BarackObama.jpg]
[Image: Twitter _ britneyspears.jpg]

Some suspected that the hacks today were associated with the weekend's phishing attacks, but the Fox News account isn't following anyone - so no one could have direct messaged it. That's how accounts were taken over via phishing. Something else is afoot.

If the hacker is associated with the affiliate link sent out over Obama's account, it may not be hard to discover who did this. Time will tell.

Twitter co-founders Evan Williams, Biz Stone and lead engineer Alex Payne have posted no messages since the attacks emerged. This can't be good for Twitter. What major brand will be excited to sign up for the service now? Who would pay, even, to be put at such risk?

http://www.readwriteweb.com/archives/twitter_security_collapses_oba.php News Mon, 05 Jan 2009 09:21:31 -0800 Marshall Kirkpatrick
Facebook Hacked Again

A report on BBC's technology program, Click, has exposed yet another security flaw in Facebook - one that could compromise users' privacy. This particular hack involves using a Facebook application to steal a user's personal information - and the information of all their friends - without the user's knowledge.

The hack exposed by the BBC involves an application that, once added by an unsuspecting user, sends the hacker all that person's personal details and those of their friends in a formatted list. The details sent include things like full name, hometown, date of birth, and employer. BBC reporter, Spencer Kelly, notes that while this information on its own isn't enough to steal someone's identity, it certainly would help.

It's possible for a malicious Facebook application, like the one used in the news story, to masquerade as a game or a quiz. And unlike protecting yourself from phishing emails, it's not simply good enough for you to "know better" yourself - if even one of your friends installs the app, your details get stolen too.

Despite the severity of this potential hack, stories like this one are old news in the realm of those who follow social network hacking trends.

For example, white hat hacker "theharmonyguy" wrote on his blog Social Hacking back in March about an app he submitted to social media instructor Lee Aase's $100 hacking challenge. His app, once installed, would grab any available information from a private Facebook group. The app didn't win the challenge, however, since it required action on the part of the user to be successful.

However, theharmonyguy points out that although Facebook has a Terms of Use that restricts applications from storing most user data, "there is not a practical way for Facebook to enforce or even completely audit this requirement." And since these applications are third party code, they are essentially running on the honor system.

Facebook, especially, has been plagued by security lapses as of late, with the AP reporting news about a security exploit that exposed private photos on the site back in March. However, as one of our own commenters pointed out, this hack was known as early as February; it just took the AP's coverage to bring attention to the matter.

Then there was a story in January about Facebook app Secret Crush that downloaded and installed spyware to your computer. However, it's not just Facebook under the gun - back in November, TechCrunch reported on an OpenSocial hack, this one involving RockYou and Plaxo.

Reading these types of stories reminds us that our security on these networks is in the hands of unknown developers, not just the sites themselves - developers who may be more concerned with getting their apps completed and installed than they are with security.

Facebook's response to this latest BBC story is that they have "an entire investigations team that watches the site and removes content and third-party applications that violate Facebook's Terms of Use." However, they advise users to "employ the same precautions while downloading software from Facebook applications that they use when downloading software on their desktop."

In other words, your security is left to the tech-savviness of you and your friends. (Considering my years in I.T./end user support, that's a frightening concept. Many users aren't smart, savvy, or careful when online.)

Even worse, if you do become a victim of an attack, good luck getting support from Facebook on dealing with it. As Lauren Cooney reports after her account was compromised to send out spam, she emailed the Facebook team several times, and spent the better part of an hour trying to track down a customer service number to no avail, noting "you would think that a company that collects that much data on their users would consider having a customer service number." In the end, it was nine hours before she received an email response.

What this means for the average social networker is that we need to be very careful on these networks, and should not entirely rely on them to keep us safe. If there's really a photo you don't want certain people to see, maybe it's best to keep it offline forever. We also need to be vigilant about the applications we install, on Facebook and elsewhere, and take the time to educate our friends to do the same.

http://www.readwriteweb.com/archives/facebook_hacked_again.php Thu, 01 May 2008 10:51:02 -0800 Sarah Perez
How to Find the Weirdest Stuff on the Internet

There's no shortage of weird stuff on the internet, but how can you find the weirdest? The following is a demonstration of how you can use a handful of different applications together to automate the discovery of the content that's most worth your time in any niche - whether you're looking for weird stuff or anything else.

What I've done is build a "Best of the Weird Hunting Blogs" RSS feed. You can subscribe to that feed using this URL or by email at the end of this post if you're more into email than RSS. You can use this same methodology to create a "Best of" feed concerning any topic you're interested in - maybe it's web 2.0 blogs, maybe it's environmental news, maybe it's the contemporary civil rights movement (please, that would be awesome).

This work flow uses the following services, linked to here, demonstrated visually and described in text below: Del.icio.us, AideRSS, Yahoo! Pipes and Feedburner. There are probably many different ways to do the same thing, but this one comes with a slide show.


Steps involved

Source discovery

I started with two blogs that best exemplified what kind of content I'm looking for: BoingBoing and Neatorama. Not really "cool hunting"; I think of them more as "weird hunting" blogs.

In order to discover more top sources similar to those two, I went to Del.icio.us Popular and clicked on the pink "how many people have tagged this URL" for any random URL. There you'll find a little box you can enter another URL into, like BoingBoing.

Once you do that, the tag cloud in the top right of the page will show you some of the most common tags used by other people to describe that URL. The larger the tag, the more common it is. You might want to refresh this page once or twice to see if things change; the limitations of our access to the Del.icio.us database are just one of many things that make this more an art than a science.

I did this for both BoingBoing and Neatorama and found that both are often tagged Blog and Culture. I then went to http://del.icio.us/tag/blog+culture to see what other URLs have recently been tagged both blog and culture. It would be great if Del.icio.us offered a most popular page for multiple tags like it does for single tags, but it does not.

I scanned down several pages of these results, in this case looking for URLs that had been tagged more than 500 times. Other niches may require a different threshold. I clicked through those popular URLs and looked to see if they were what I wanted. It took a little time to find just the right ones in this case, but this process did expose me to a whole lot of popular sites that I had never seen before.

In the end, I decided on including the following sites, for now: LaughingSquid, We Make Money Not Art, Wooster Collective, EveryoneForever and WebUrbanist. Those were the blogs I found that posted weird, interesting stuff and had at least some comments left on recent items. Comments are an important indicator of how popular a particular item is, though that criterion has its limitations as well.

Please feel free to recommend more top weird hunting blogs below in comments!

Cutting way down on the already fast-flowing river of weirdness

Once I had my list of seven top weird hunting blogs, I ran the feed for each one through the parsing service AideRSS. That service looks at every item in a feed and scores it (relative only to other items in the same feed) in terms of the number of comments an item got, the number of times it's been saved in Del.icio.us, Dugg in Digg and blogged about on another blog via blogsearch.

Those are explicit attention gestures that help show us quickly which items were "best" or at least most popular in a given feed. If you've got the time to read every item in a feed in order to determine what's best through methods better than looking at popularity, then you are a wonderful person. Please tag the best items in Del.icio.us so the rest of us can tell quickly which ones they are.

AideRSS will offer you an RSS feed of just the most popular items in any given feed, a "best of" for a particular blog if you will.

One feed, please!

Next, let's take all of the "best of" feeds for our seven selected weird hunting blogs and splice them together using Yahoo! Pipes. I was scared of Yahoo! Pipes, I must admit, until I read this excellent series of posts on how to use it by my old friend Justin Kistner.

For the purpose of splicing RSS feeds together in Pipes, all you need to know to get started is this:
1. Select "Sources", then "Fetch Feed" to add your RSS feeds one at a time.
2. Select "Operator", then "Union" to insert the command to splice them all together.
3. Drag and drop connections between all the little dots, down to "Union" and then Run That Pipe! Select output via "other" and RSS and you've got your spliced feed.

(I did go back in and add the command "sort by pub date" just to be safe.)

Finally, before you share that funky looking feed URL with anyone - I suggest you run it through Google's Feedburner. That way you can get a pretty URL, you can keep track of how many people you share it with actually subscribe, you can offer email subscription (see below) and if you need to ditch Pipes or make any other drastic changes later, you can just switch out the source RSS URL to Feedburner and subscribers will never know the difference.

Time to relax and weird out

That's it, now you've got an awesome feed of nothing but the most popular items from seven of the top blogs in the weird hunting niche. Those authors do a whole lot of parsing for us, but they also produce a whole lot of content. This methodology helps you systematically discover the top blogs in any niche and get a feed of just the most popular items published by those top blogs. I don't know about you, but I feel weirder already.

If you prefer getting your feeds by email (pretty weird, but whatever!) feel free to subscribe to the ReadWriteWeb Best of Weird Hunting Blogs feed using the form below.

photo CC via Flickr user Marxchivist. thanks for using Creative Commons!

http://www.readwriteweb.com/archives/the_weirdest_stuff_on_the_internet.php Analysis Mon, 14 Jan 2008 10:57:23 -0800 Marshall Kirkpatrick
MySpace Hacks on the Rise - Musicians Hit

Roger Thompson at Exploit Prevention Labs has discovered multiple hacked MySpace pages, including MySpace's #4 most popular major music artist Alicia Keys. Other bands hit include Greements of Fortune (a French funk band) and Dykeenies (a rock band from Glasgow).

Roger noted that "attacks on MySpace seem to be on the rise." He says that the current hack, affecting Alicia Keys' MySpace page and others, is an image-background link which, when clicked, entices users to install a fake codec - which then infects the user's computer. He calls it a "FakeCodec trick" and here's how it works: if a user clicks on a MySpace page and slightly misses a control or link on that page, they have clicked the image-bg link and are then taken instead to the exploit site. Roger explains more in this video:

To summarize, when a user visits the infected page, they're first hit by an exploit (which installs malware in the background if they're not fully patched against the latest security vulnerabilities), and next they're presented with a Fake Codec which tells them they need to install a codec to view a video. So even if they're patched, they can fall victim to the exploit.

Roger said via an email that "it's MySpace that has been hacked, as opposed to the bad guys getting the usernames and passwords of a few bands".

The fact that MySpace is media-rich, with lots of sound and videos, means that the FakeCodec trick will be much more effective, Roger said on his blog. The user, when clicking on the page, will expect to see a video or hear a song - but the hack will make them think they need to install something extra.

Let us know in the comments if you've heard of other MySpace hacks recently - or Facebook hacks for that matter.

http://www.readwriteweb.com/archives/myspace_hacks_on_the_rise.php News Thu, 08 Nov 2007 15:02:59 -0800 Richard MacManus