Monday, May 16, 2011
Facebook Account Hijacking and How to Prevent It
Several media outlets reported today on the theft of Facebook account passwords in a number of places, both in Indonesia and abroad. The victims say that after logging out, their next attempt to log in the following day failed with messages such as "username and password do not match" or "account does not exist".
Similar incidents have been reported on other social networks such as Twitter and Plurk: the username and password suddenly no longer match for no apparent reason, or, to follow the common thread, someone else has changed the password.
Is there a cracking technique that lets one individual break into another person's Facebook account? There are a few. The next question, then, is whether there is a technique to disable a Facebook account or an account on another social network.
One technique used against Facebook some time ago was to flood the servers with traffic using DDoS (distributed denial of service), which paralysed the service for several hours, as happened to Facebook and Twitter in 2009 at the hands of a cracker from Russia. This kind of attack is something we need to be aware of.
* Keylogger *
The first method, the keylogger, is a very effective way for a cracker to steal your Facebook password. Once a software or hardware keylogger is installed on the target notebook or PC, every keystroke and all of your browsing activity are recorded in detail and systematically.
So if you type your username and password on a notebook or PC that already has a keylogger on it, you have effectively handed that sensitive personal data to whoever installed it, because a keylogger works like carbon paper: it makes a copy of everything written on it.
Crackers usually install keyloggers on shared public internet terminals, such as those in internet cafes and on campus. Be careful when using such terminals.
1. First, do not use the terminal immediately; restart it first.
2. Second, check whether a hidden application is running in the background. You can use Task Manager (press Ctrl+Alt+Del on your Windows desktop) and look for any application or process that is unusual. You do need to learn a bit and get used to doing this, for your own safety.
3. Third, check the security settings of your browser: does it automatically save usernames and passwords? Turn this feature off, and if the browser has an anti-phishing feature, turn it on.
4. Fourth, clear the cache and history automatically every time you close the browser. You can set this in your browser settings.
5. Fifth, make sure that you always log out completely when you finish.
* Sniffing *
The second technique uses common sniffing tools such as Cain and Abel within the coverage area of a WiFi network, so that the tool can "listen in" on the activity of the laptops connected to it. You must therefore be careful whenever you are mobile and access a hotspot.
In principle, wireless access is very easy to eavesdrop on. Do not simply trust an SSID called "Free WiFi" or "Free HotSpot" when you scan for wireless networks. The safest approach is to ask the manager of the area which hotspot SSID is the official one. Then set the wireless settings on your notebook so that it does not "auto connect" but requires a manual connection, so that you can examine the network first.
When you access the internet through a WiFi hotspot, avoid transactions on critical sites such as e-banking, email, social networking accounts and so on. Limit yourself to general browsing unless you are absolutely certain that no one is trying to peek at your activity and that the network is trustworthy.
In any case, make sure that you always access these services over a secure HTTPS connection, normally indicated by a locked padlock icon in your browser. With HTTPS, the traffic between you and the server is protected by encryption, so it is not easy for unauthorised people to spy on it. Make sure you are in secure mode before entering your username and password or PIN.
* Phishing *
The third method is to get you to click a URL given by a Facebook application or sent via e-mail in Facebook's name, or to trap you with offers of third-party applications on Facebook, which are outside Facebook's own maintenance.
Such applications can be made by anyone, at any time, and their nature is arbitrary. To steal your username and password, the victims are usually told to access a link and then instructed to provide their password and username. Consider the following examples:
Example 1:
You are required to access a particular link: ... f440ac31753781
But when you click it, you are required to log in first on that page, even though you had already logged in earlier. Never enter your username or password when you see something strange like this, because it may indicate a phishing attack using a fake Facebook login page; see the screenshot below:
[Screenshot: the fake Facebook login page]
Something is odd here: you had already logged in, and yet when you access the link above you are told to log in a second time. This is clearly a form of phishing, in which the password thief tricks you with a page designed to look like the "original" Facebook page. Always check the URL in the address bar carefully so that you do not become a victim. And pay attention when you get a warning from Facebook like this:
[Screenshot: the Facebook warning page shown when leaving the official site]
The appearance of this Facebook warning page indicates that you are actually accessing a site (URL) other than Facebook's official website, so you need to be careful: never re-enter your username and password if asked, and never download any software, program, application or document that appears to be useful or interesting (e.g. games, tools, etc.), because it could actually be malware.
The problem is that most Facebook users pay too little attention to a warning message like this; they do not read its contents, or they do not understand what it means because of the language barrier, and so they ignore it. Get into the habit: if you find something unusual or questionable, or you simply do not understand what it means, the safest action is always to reject it by clicking the "Cancel" button, or to close the page, until you have reliable information.
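The address-bar check recommended above, written out as an added example (not code from the original post): it parses the URL of a page that shows a login form and reports the warning signs a phishing page typically has. The trusted-domain list is an assumption made for this example.

```python
from urllib.parse import urlsplit

# Domains the genuine Facebook login page is served from (an assumption
# made for this example).
TRUSTED_DOMAINS = ("facebook.com",)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of it.

    Whole labels are compared: a plain endswith("facebook.com") would also
    accept "notfacebook.com", and a prefix check would accept
    "facebook.com.example.net".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_login_url(url):
    """Return a list of warning signs found in the URL of a login page.

    An empty list means the URL passed these checks, not that the page is
    genuine; the address bar must still be read with care.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("not HTTPS: the password would travel unencrypted")
    if parts.username is not None:
        # "https://www.facebook.com@evil.example/" shows the familiar name
        # before the "@" but actually connects to evil.example.
        warnings.append("a user@ prefix hides the real host name")
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address, not a domain name")
    if not host_is_trusted(host):
        if "facebook" in host:
            warnings.append("look-alike host %r imitates facebook.com" % host)
        else:
            warnings.append("host %r is not a Facebook domain" % host)
    return warnings
```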
Example 2:
There was once a group on Facebook that offered a technique for obtaining another person's account password, at this address:
Here is what was listed on the page of the group "Password How To Know Your Friends":
* 1. CLICK "Join this Group" OR "Join This Group" (only you who have joined can use this facility!)
2. CLICK "Invite People to Join" OR "Invite People to Join"
3. Check All your friends, at least 100 people, for it to work! (Only your friends who have been invited can see all activities on your facebook!)
4. CLICK button "Send Invitations" OR "Send Invitation"
send a message to admin facebook by copying the link: # / i ... .3256059163 .. 1
THEN send a message with the following instructions:
. Gx = 0 &. Tm = 1259467892 &. Rand = fnvrjkff2bk4e | (EMAIL ADDRESS You) / config / login?. Src = fpctx &. Intl = us &. Done = http% 3A% 2F% 2Fm (PAS SWORD EMAIL you) | | 202 000 763 768 & ref = nf # # hl = en & source = hp & q = / 7601524/id/f # id (EMAIL ADDRESS THAT WILL KNOW your password)
click send email
then wait for a confirmation reply from the facebook admin within 24 hours; you will get an email reply and find out your friend's facebook password .*
Note the sentence in bold: there is something odd about it, isn't there? You want to learn other people's passwords, but you are first asked to enter your own username and password. Clearly this is an attempt to trap your account.
Always remember that your username and password are vital, just like an ATM PIN that only you, the bank and God know. Never give them to another party, for whatever reason, including a request from someone claiming to be an admin. If he really were an admin, he would certainly not need your username and password to perform maintenance or any other action.
Lastly, always type the URL of the site directly into your browser's address bar, because there is also malware that adds a bookmark link so that you think it is official when it is in fact a deception (phishing).
More sophisticated malware can even change the entries in the etc/hosts file, which maps names to addresses statically on your computer without consulting a name server, so that when you type the address of the social networking site you are redirected to a phishing site. This is why it is very important to always be vigilant, check the validity of a URL and be alert to any irregularity, even though this is a bit difficult.
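An added example (not code from the original post) of checking for the hosts-file redirect just described: it parses hosts-file text and reports any entry that pins a social network's name to an address other than loopback. The watched domains and the sample hosts file are constructed for this example.

```python
import ipaddress

# Domains whose hosts-file entries we audit (an assumption for this example;
# add any site you log in to).
WATCHED_DOMAINS = ("facebook.com", "twitter.com")

# Constructed sample hosts file containing a hijack of the kind the text
# describes: the social network's names are pinned to an attacker's address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.facebook.com facebook.com
203.0.113.45    login.facebook.com   # trailing comment
127.0.0.1       ads.example.net      # ad-blocking entry, harmless
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower().rstrip(".")


def is_watched(name, watched=WATCHED_DOMAINS):
    """Whole-label match, so 'notfacebook.com' is not treated as Facebook."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(ip, hostname)] for watched names pinned to a real address.

    A hosts file never needs an entry for a public site. Loopback and
    0.0.0.0 entries (used by ad blockers) are tolerated; anything else,
    including an unparsable address, is reported.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name))
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((ip, name))
    return hits
```

On a real machine, pass the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts on Windows) to find_hijacks instead of SAMPLE_HOSTS; any entry it returns should be removed and the machine checked for malware.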
* Social Engineering *
Recently there have been many victims of Facebook account hijacking through social engineering techniques, which in particular exploit weaknesses in the procedures of free email services such as Yahoo! Mail.
A person or cracker can pretend to be you and try to gain unauthorised access to your email account and hijack it, simply by following the lost-password procedure.
A free email service usually asks for confirmation through some key questions, such as "where did you spend your honeymoon?", "what is the name of your first pet?" or "which uncle or aunt is your favourite?". You entered the answers (keywords) to such confirmation questions when you first registered the email account.
Now, through Facebook, a person or cracker can easily fool you. He will pretend to be a friend and send you a friend request, then find out your email address.
When he learns that you use a free email address, he starts chatting with you. In one way or another he will dig out information that you ought to keep confidential.
Once you have provided the information needed for the lost-password procedure of the free email service, the cracker takes over your email account. He then performs the same procedure on your Facebook account, i.e. pretends to have forgotten the password and tries to hijack it.
Facebook will usually send a "temporary password" to your primary email address, which unfortunately is already under the cracker's control. So he easily takes over your Facebook account as well. Once he changes your Facebook password, you are denied access to your own Facebook account.
A cracker who hijacks your Facebook account will usually use it for some malicious purpose. The first is impersonation or identity falsification with the intent to defame you, bad-mouth you and damage your dignity as the true account owner. For example, he may attack your friends or do things they dislike, so that in the real world everyone becomes hostile to you without you knowing why.
The second is to defraud your friends. There have been many reports, abroad and also in Indonesia, of people being asked by an old friend on Facebook to send some money for some reason; the classic story is that the friend has been pickpocketed or robbed, or cannot withdraw money for medical treatment over the weekend, and so on. Or to obtain something else, when in fact the Facebook account making the request had already been hijacked by
* Prevention Tips *
1. Do not readily accept friend requests from people you do not know, especially those with no mutual friends.
2. You always have the opportunity to ask a mutual friend to confirm the identity of someone who is requesting your friendship. That is one reason Facebook displays mutual-friend information: so that you can verify the person first. If a friend you trust confirms the validity of this prospective friend, the friend request can be considered for acceptance.
3. Another way to confirm a friend request is to send a message to the person concerned. Through this communication you can ask who he really is (often the displayed account name is a nickname or alias that does not help you remember who the prospective friend is) and perform any other confirmation you need. For example, communicating offline (by telephone), meeting online via webcam, or even meeting offline are other ways to confirm the validity of a prospective friend.
4. Do not rush, and be careful when giving out personal information that may seem unimportant at a glance but turns out to be the key to breaking into your email account. A question that seems to show enthusiasm for something you have in common (pets, favourite places, a family story, a photo album of a specific event, etc.) can inadvertently expose private information that should remain your secret.
5. You may, without realising it, have exposed information that should have been kept confidential in your profile, or in the captions of your photo album. For example, writing your pet's name just below its picture (some people even create a separate Facebook account for their pet, complete with a full profile), or posting a picture of your honeymoon location with its name, or tagging family photos (including your favourite uncle), and so on. All sorts of such slips happen.
6. Be careful and think many times over about the possible benefits and drawbacks of displaying personal information on the info page of your Facebook account. You can choose not to write down information such as your pets; anyone who really wants to know can ask you personally through the message facility. You can also choose settings that restrict other people's access to certain information in your Facebook account, for example by hiding your email address. Make as much use as possible of these Facebook account security settings, and think about them.
7. As far as possible, avoid using a free email service for your Facebook account. Use a local email account such as one provided by your office (if personal use is permitted), an email account from your ISP (usually cheap or even free if you are a subscriber), or create your own personal domain and ask a hosting service to set it up for you if you do not have the technical skills yourself. In essence, a local or self-owned email account is more secure against social engineering attacks, mainly because the procedure for confirming a lost password or a compromise is usually done manually with offline identification, rather than by an automated system using security checks that are far too simple, as with free email services.
8. Always add a secondary email address to your Facebook account, and also to the free email account if you have no choice but to use one. Never reveal or show that secondary email address to anyone for any reason. Change all your passwords periodically, following the usual recommendations: use a combination of letters, numbers and special characters, and a password length of at least 6 or 8 characters, so that it is difficult for others to guess. Such passwords are also hard to memorise, so if you write one down, do not keep the note somewhere that is easy to find. Or use a password manager application to help you; there are many free ones.
9. Although it is not common practice, for the sake of security back up your friend list: important information such as profile names, Facebook page URLs, email addresses and telephone numbers (if any). Then, if something happens, you can immediately warn your friends, for example by email, and the backup will be useful if you later have to open a new Facebook account and add your friends one by one again. Backing up is a bit inconvenient but important.
10. If you have already become a victim of Facebook account hijacking, there are 4 things you can do.
1. First, alert everyone that your account has been hijacked. You can do this through various channels such as email, phone, mailing lists, chat, blogs, etc., so that other people, friends and family in your friend list do not become victims of fraud.
2. Second, immediately (you are racing the hijacker before he replaces your primary and secondary email addresses) try to get your account back through the forgotten or lost password procedure. If you succeed, immediately change your email address and password and change the security settings of your account so that they are not visible. Do not log out in a hurry, to prevent the hijacker from trying to take the account over again; do not log out until you have successfully changed the primary and secondary email addresses, set your new password, and at the same time applied more restrictive security settings (protect / hide your email address).
3. Third, report to the Facebook security team that your account has been hijacked. The address is: or, if the link has changed, look at the HELP page. You will be asked to fill out a form, after which there will be correspondence with the Facebook security team, who will try to confirm the truth of your report; if all goes well, your account may be restored. But make sure that before you report it, you already have a new and secure email address.
4. Fourthly, if all efforts to restore your account fail, immediately open a new Facebook account, secure your information so that it is not hijacked again, and add all your friends (hopefully you made a backup). Then, together, have them all report your old account as a hijacked page. Accounts that are used for abuse, fraud and impersonation can then be closed or blocked by Facebook.
11. Finally, do not use the same email address, username and password for all the online services you use. Always keep your knowledge of social networking security issues up to date and always be wary when active in cyberspace.
Authors:
- * M Salahuddien, Vice Chairman of ID-SIRTII (Indonesia Security Incident Response Team on Internet Infrastructure) *
- * Sam Ardi, Cyber Law and Cybercrime observer, chairman of Bloggerngalam (Malang Blogger Community) *