Friday, July 25, 2014

4 Ways to Crack a Facebook Password and How to Protect Yourself from Them (noob friendly)

Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to record-breaking numbers, with over one billion monthly active users as of October 2012—and around 600 million active daily users.
We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the latest versions even before they're ready for primetime.
But we sometimes forget who's watching.
We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile.
The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.
In fact, you don't even have to be a professional hacker to get into someone's Facebook account.
It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilà—you're into the account. It's as easy as that.
In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.

Method 1: Reset the Password

The easiest way to "hack" into someone's Facebook is through resetting the password. This is easier for people who are friends with the person they're trying to hack.
  • The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
  • Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
  • It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
  • It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
  • It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
  • If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.
  • It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.

How to Protect Yourself

  • Use an email address specifically for your Facebook and don't put that email address on your profile.
  • When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries—not even third grade teacher's names. It's as easy as looking through a yearbook.
  • Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.

Method 2: Use a Keylogger

Software Keylogger
A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.
CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.
Hardware Keylogger
These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it into your own computer and extracting the data. You can look through Keelog for prices, but it's a bit higher than buying the software since you have to buy the USB drive with the program already on it.

How to Protect Yourself

  • Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
  • Install a password manager. Keyloggers can't steal what you don't type. Password managers automatically fill out important forms without you having to type anything in.
  • Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
  • Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.

Method 3: Phishing

This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type of phishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.
The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the Facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.

How to Protect Yourself

  • Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
  • Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
  • Use anti-virus & web security software, like Norton or McAfee.
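
The "check the URL" advice above can be made mechanical. The following is an added example, not code from the original article: it vets a link the way a careful reader would, and the names `TRUSTED_DOMAIN`, `checkLoginLink` and `demoLinks`, along with every sample link, are constructed for illustration.

```javascript
// Added example (not from the original article). TRUSTED_DOMAIN and every
// sample link used with this function are constructed for illustration.
const TRUSTED_DOMAIN = "facebook.com";

// Decide whether a link really points at the trusted site over HTTPS.
function checkLoginLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { trusted: false, host: null, reasons: ["not a parseable absolute URL"] };
  }
  const reasons = [];

  // Credentials should only ever be typed into an HTTPS page.
  if (url.protocol !== "https:") {
    reasons.push("scheme is " + url.protocol + " rather than https:");
  }

  // In "https://facebook.com@other.host/" the brand sits in the userinfo
  // part; the browser connects to whatever follows the "@".
  if (url.username !== "" || url.password !== "") {
    reasons.push("userinfo before the real host");
  }

  // URL() lowercases the host and converts Unicode labels to punycode,
  // so look-alike letters show up as "xn--" labels.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("internationalized (punycode) label in host");
  }

  // The host must be the trusted domain itself or a subdomain of it.
  // Matching on the right-hand end defeats "facebook.com.something.example".
  const onTrusted = host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN);
  if (!onTrusted) {
    const brand = TRUSTED_DOMAIN.split(".")[0];
    reasons.push(host.includes(brand)
      ? "brand name in host, but domain is not " + TRUSTED_DOMAIN
      : "host is not under " + TRUSTED_DOMAIN);
  }
  return { trusted: reasons.length === 0, host, reasons };
}

// Constructed sample links and the verdict for each.
function demoLinks() {
  return [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com.account-check.example/login.php",
    "https://facebook.com@login.example.net/",
    "https://f\u0430cebook.com/login.php", // Cyrillic "a" (U+0430)
  ].map((link) => checkLoginLink(link));
}
```

Only the first sample link passes; each of the others is rejected with a reason naming the trick it relies on.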

Method 4: Stealing Cookies

Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.
Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.
From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.

How to Protect Yourself

  • On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
  • Full time SSL. Use Firefox add-ons such as HTTPS-Everywhere or Force-TLS.
  • Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
  • Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
  • Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.
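
Whether a session cookie can be sniffed at all depends on what the site sends with it. The following is an added example, not code from the original article: it audits the response headers of a site for cookies that the browser would also attach to plain HTTP requests and for the HSTS header that forces HTTPS. The function names, cookie names and header values are constructed for illustration.

```javascript
// Added example (not from the original article). Cookie names and header
// values used with these functions are constructed samples.

// Parse one Set-Cookie header value into its name and Secure flag.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // not a name=value pair; skipped here
  const cookie = { name: pair.slice(0, eq), secure: false };
  for (const attr of attrs) {
    if (attr.split("=")[0].trim().toLowerCase() === "secure") cookie.secure = true;
  }
  return cookie;
}

// headers: [name, value] pairs from one response received over HTTPS.
function auditResponse(headers) {
  const report = { cleartextCookies: [], hsts: false };
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (lower === "set-cookie") {
      const cookie = parseSetCookie(value);
      // Without Secure the browser also attaches the cookie to http://
      // requests for the same site, where anyone on the Wi-Fi can read it.
      if (cookie && !cookie.secure) report.cleartextCookies.push(cookie.name);
    } else if (lower === "strict-transport-security") {
      // HSTS with a positive max-age makes the browser refuse plain HTTP
      // to this host for that many seconds.
      const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(value);
      report.hsts = m !== null && Number(m[1]) > 0;
    }
  }
  return report;
}

// Constructed header sets: a weak configuration beside a hardened one.
function demoAudit() {
  const weak = [
    ["Set-Cookie", "session_id=abc123; Path=/; HttpOnly"],
    ["Set-Cookie", "locale=en_US; Path=/; Secure"],
  ];
  const hardened = [
    ["Strict-Transport-Security", "max-age=15552000; includeSubDomains"],
    ["Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"],
  ];
  return { weak: auditResponse(weak), hardened: auditResponse(hardened) };
}
```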

Protecting Yourself: Less Is More

Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.
Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.
If your Facebook account ever gets hacked, check out our guide on getting your hacked Facebook account back for information on restoring your account.

Few Advanced Tricks to Speed Up Firefox Browser

This video will guide you through a few advanced tricks to speed up the Firefox browser. If you apply these tricks, they will definitely increase the speed and make your browsing experience sweeter. Watch the video and follow all the steps.

Hack Like a Pro: How to Spear Phish with the Social Engineering Toolkit (SET) in BackTrack

Welcome back, my rookie hackers!
Many newbie hackers focus upon the technical aspects of hacking and fail to give enough attention to social engineering. In fact, I would say that technical hacks should ONLY be attempted if social engineering attacks fail. Why bother spending hours or days trying to hack a password if someone will simply give it to you?
Social engineering is the act of getting people to give you the information you seek, usually by gaining their trust. That trust may be gained by posing as someone in authority, a colleague, or just someone who needs help. Some of the best hackers in history, including Kevin Mitnick, have been great social engineers.
BackTrack has a tool to assist and automate social engineering attacks called SET, or the Social Engineering Toolkit. SET was developed by David Kennedy and simplifies a number of social engineering attacks such as phishing, spear-phishing, malicious USBs, etc. Furthermore, it has been integrated with Metasploit so that we can use Metasploit exploits and payloads in our social engineering attacks.
The current version of the Social Engineering Toolkit includes the following types of attacks.
  • Spearphishing
  • Websites
  • Malicious USBs
So, let's fire up our BackTrack and explore the Social Engineering Toolkit!

Step 1: Open SET

To start using the Social Engineering Toolkit, go to BackTrack, then Exploitation Tools, then Social Engineering Tools, then Social Engineering Toolkit, and click on set.

Step 2: Pick Your Type

This should open the main menu for the Social Engineering Toolkit. Note that it offers:
  • Spear-Phishing Attacks
  • Website Attacks
  • Infectious Media Generator
  • Create a Payload and Listener
  • Mass Mailer Attack
  • Arduino-based Vector Attack
  • SMS Spoofing Attack
  • Wireless Access Point
  • And many others
In this tutorial, we'll be looking at creating a spear-phishing attack. For those of you not familiar with this terminology, a phishing attack is an email attack with a broad "net" in an attempt to try to pick up a few random victims. A spear-phishing attack is similar, except that it targets one or a few individuals. In other words, it's a targeted social engineering attack, hence the spear.

Step 3: Spear-Phish

Let's now select number 1 from the menu and begin our spear-phishing attack. When we do, we will be greeted with the screen below.
It explains what a spear-phishing attack is and asks us how we want to go about our attack. We can choose:
  1. Mass email attack
  2. FileFormat payload
  3. Social engineering template
Let's select a FileFormat attack. Type number 2 and press enter.

Step 4: Choose an Attack

After we select our FileFormat type attack, we will be asked what type of exploit we would like to use. Notice that the default is the PDF with the embedded .exe. In this hack, let's use the Microsoft Word RTF Fragments attack or MS10_087.
This will create a Word document that will overflow a buffer and enable us to put a listener or rootkit on the victim's machine. Type 4 and press enter.

Step 5: Choose a Payload

Now that we have decided what type of file we want to use in our attack, our next step is to decide what type of listener (aka rootkit, aka payload) we want to leave on the victim system. These may look familiar to those of you who have used Metasploit as these are Metasploit payloads.
Let's be ambitious and try to get the Metasploit meterpreter on that victim's machine. If we are successful, we will completely own that system!

Step 6: Create the File

After we type number 5 and press enter, we must choose what port we want to listen on (the default 443). SET then goes about creating our malicious file for us. It names that file template.rtf.

Step 7: Rename the File

If we want to trick the victim into opening the file, we should name it something that sounds enticing or familiar to the victim. Now this will differ depending upon the victim, but in our scenario we're trying to spear a manager at a large company, so let's call it SalesReport, something he or she might actually be expecting in their email.

Step 8: Create the Email

Now that we have created the malicious file, we now need to create the email. This is important. If we're to get the victim to open the file, the email must look legitimate. SET prompts us whether we want to use a pre-defined template or a one-time-use email template. Let's be creative and choose a one-time-use email.
SET then prompts us for the subject of the email. In this case, I used Sales Report. SET then asks us whether we want to send it in html or plain text. I chose html to make it look more inviting and legitimate. Finally, SET prompts us to write the body of the email and then type Control + C when we are finished. I wrote:
Dear BigShot:
Please find attached my quarterly sales report. If you have any questions, please feel free to ask.
Sincerely,
Your Minion
Of course, your email will differ depending upon who you're sending it to, but try to make it sound enticing and legitimate or they aren't likely to open the attached malicious file and our attack will fail.
When we're finished, SET will ask us whether we want to use a Gmail account or send it from our SMTP server. In most cases, we will want to use a Gmail account. Simply type in your address (you might want to create an anonymous email account for this purpose) and password, and SET will send the email you created with the malicious attachment from this Gmail account.
We will be using some of the other features of the Social Engineering Toolkit in future tutorials, so keep coming back!

Using an iTouch to perform a MITM attack

Using pirni to sniff on an iPod

Part of the iPhone Hacking series

In this tutorial (part 2 of the iPhone hacking series) we will be learning how to use pirni to perform a MITM (Man In the Middle) attack on any wireless network. Network Sniffing is when the attacker catches all packets (information) passing through the network.
For example, if you were running a network sniffer at Starbucks, and one of those guys on their laptops logs into their MySpace, you would get the password to their MySpace if you were the sniffer.
Disclaimer: I am not responsible for anything you do from what you learned. Running a network sniffer on anyone's network but yours IS illegal. Act at your own risk.

The first thing you need to do is get your iTouch jailbroken with Cydia, as long as your firmware is not 3.1.3 (or you're not on a 3rd gen iTouch); at the time there is no sniffing method without it being jailbroken.
You're also going to need the following packages from Cydia:
-Mobile Terminal
-OpenSSH
-Pirni
And on your desktop (or a schools or friends) you will need:
-WireShark 
-Winscp

Wireshark will be used to actually read the log. Now, before you start sniffing we're going to need some things. Note: There is NO graphical user interface for pirni; if you are uncomfortable in the CLI, this is not for you (however it is a very easy terminal application, extremely similar to LKL if you have ever used it).
Gathering Required Information:
- Get a notebook or something you can write on (a table, anything.)
- Open up wifi and find the network you want
- Click the blue arrow next to it
- It will show the network info, log the following:
Routers IP address / IP address

Now we're ready to start the sniffing process:
1. Open up Mobile Terminal
2. Log in as root:
su
It will prompt you for a password. The default is "alpine". If you have changed it, type yours.
3. Look below:
pirni -s IpAddress -d RoutersIP -f "tcp dst port 80" -o snifflog.pcap
4. Replace IpAddress with the IP address you wrote down, and RoutersIP with the router's IP.
5. Replace snifflog with the name you want to save the log under, keeping the .pcap extension (so it will open in Wireshark).
Pirni will start capturing packets.
PART 2: 

ANALYZING THE DUMP FILE

In this part of the tutorial we will be using the computer with Wireshark to analyze everything that your iTouch picked up.
Open up winscp.exe to launch the program, and you will need to give it the following information:

1. The username (root)
2. The Password (alpine if unchanged)
3. The hostname (the IP address I had you write down earlier)
Press the login button, it may take a while.
Hit the "/" button inside of a file on the top right of the screen to take you to root. Press the "User" folder. This is where the logfile is held. Drag it to your desktop.
Winscp is a great tool which can be used for a lot. You can move any files like music or videos to your computer.
1. Run wireshark.exe
2. Press "Open"
3. Find the file on the desktop
4. Load it
5. Press the Magnifying glass and look for keywords like "pass, username, user, password"
6. Sometimes the password will be encrypted. Click here for an MD5 Crack (the most common). But make sure to try THIS first!

Wednesday, July 23, 2014

You Are Being Tracked Online By A Sneaky New Technology -- Here's What You Need To Know

You are likely being tracked online by a sneaky, new technology that works without your consent, and can track you even if you use anti-tracking toolbars or strict privacy settings.
How is this possible?
Historically, to track you, a website sent cookies or files to your computer, or examined various properties of your device. Anti-tracking systems, therefore, block these types of activities. The new tracking system, however, does not transmit cookies or files, and does not need to read unique properties; to web browsers – and to anti-tracking tools – its mechanism appears to operate like that of a normal webpage.
So how does it work?
When you visit a website that employs Canvas Fingerprinting, as the new sneaky system is known, the site sends your web browser a request to generate a hidden image consisting of some text. Because individual computers have operating system versions, browsers, fonts, graphics adapters, etc. that vary from one to another, there are slight variations between the way text appears in an image on one computer and the way it does on the next. The images of text are, therefore, like computers’ fingerprints; by analyzing them and tracking what type of image a particular computer generates, different websites utilizing the same tracking system can track a user from site to site – even if he or she is using Incognito Mode, strict browser privacy settings, or an anti-tracking tool.
Strictly speaking, it’s actually the computers that are being tracked – not the people using them. But that’s still quite scary – especially since many people are the sole users of their computers and mobile devices, and because once other information is added into the mix, the identification and tracking can often be refined down to the actual human user level.
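
The mechanism described above leaves a recognizable trace: text is drawn on a canvas and the pixels are then read back. The following is an added example, not code from the original article, of a watcher that reports that sequence; it is a heuristic, since legitimate pages may do the same. `watchCanvas`, `demoCanvasWatch` and the mock classes are constructed names; the wrapped methods are the standard canvas API.

```javascript
// Added example (not from the original article). MockCanvas/MockContext are
// constructed stand-ins so the watcher can run outside a browser.

// Wrap the text-drawing and read-back methods; report a read-back only
// when text was drawn on that canvas first (the fingerprinting pattern).
function watchCanvas(canvasProto, contextProto, report) {
  const drewText = new WeakSet();
  const wrap = (proto, method, before) => {
    const original = proto[method];
    proto[method] = function (...args) {
      before(this, method);
      return original.apply(this, args);
    };
  };
  const markText = (ctx) => drewText.add(ctx.canvas);
  const flag = (canvas, method) => {
    if (drewText.has(canvas)) {
      report({ method, width: canvas.width, height: canvas.height });
    }
  };
  wrap(contextProto, "fillText", markText);
  wrap(contextProto, "strokeText", markText);
  wrap(contextProto, "getImageData", (ctx, m) => flag(ctx.canvas, m));
  wrap(canvasProto, "toDataURL", flag);
}

function demoCanvasWatch() {
  class MockContext {
    constructor(canvas) { this.canvas = canvas; }
    fillText() {}
    strokeText() {}
    fillRect() {}
    getImageData() { return { data: new Uint8ClampedArray(4) }; }
  }
  class MockCanvas {
    constructor(width, height) { this.width = width; this.height = height; }
    getContext() { return new MockContext(this); }
    toDataURL() { return "data:image/png;base64,"; }
  }
  const reports = [];
  watchCanvas(MockCanvas.prototype, MockContext.prototype, (r) => reports.push(r));

  // Fingerprinting pattern: draw text, then read the image back.
  const probe = new MockCanvas(240, 60);
  probe.getContext().fillText("constructed test string", 2, 15);
  probe.toDataURL();

  // Ordinary drawing: shapes only, then an export. Not reported.
  const chart = new MockCanvas(800, 400);
  chart.getContext().fillRect(0, 0, 10, 10);
  chart.toDataURL();
  return reports;
}
```

In a browser the same watcher would be installed with `watchCanvas(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype, console.warn)` before page scripts run.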
Who is doing the tracking?
Social-bookmarking provider AddThis is believed to have begun using canvas fingerprinting earlier this year. Websites that are believed to have utilized canvas fingerprinting from AddThis range from the White House to YouPorn. (YouPorn claims to have turned off canvas fingerprinting after being made aware of its presence in AddThis; the White House has made no such claim – even though the use of canvas fingerprinting seems, at least to me, to be a violation of its own privacy policy.)
What does this mean? Am I being tracked?
Even if you are using Incognito mode, anti-tracking toolbars, or strict privacy settings in your web browser, you can be tracked, and there is a pretty good chance that you are being tracked. That means that when you visit any particular website the operator of that site could know what other sites you have visited in the past – even if you don’t want them to know.
Is device fingerprinting new?
While canvas fingerprinting gained public awareness in 2012 and became a practical problem recently, device fingerprinting technologies in general go back many years. Authentication systems (such as the one I designed for Green Armor) and anti-fraud solutions have used various forms of fingerprinting for over a decade. But that fingerprinting was, and is, used to prevent unauthorized parties from accessing people’s private accounts or stealing their money and data; it was not used for surreptitiously tracking a user’s actions between websites or to target the user for advertising. Even when such systems were ultimately leveraged by marketers, anti-tracking systems that masked browser properties remained generally effective.
The use of advanced fingerprinting technologies, such as canvas fingerprinting, for purposes of tracking people who wish not to be tracked is a different situation and highly problematic.
How can I avoid being tracked?
One can argue that you should always assume that you are being tracked; there is no foolproof way to fully anonymize anything on the Internet, and there is no way to know if some new tracking system is tracking you in an, as of yet, undetectable and/or unblockable way (as was the case with canvas fingerprinting until recently). There are some ways to improve your odds, however, if you are willing to sacrifice some convenience; you should be aware, however, that it is possible that your efforts will not actually succeed in stopping the tracking. Here are some possibilities:
  1. Privacy Badger is a new tool that claims to block canvas fingerprinting (it is new – so time will tell…)
  2. You can use Tor web browser (which may seem complicated for some people)
  3. You can use the Chameleon web browser which is designed to block tracking (although it is not simple to install and use like the major browsers)
  4. You can turn off JavaScript in your browser (although that will likely cause various websites not to work properly)
  5. You can use a very old web browser (although that may introduce other security risks that may be far worse than being tracked)