Knowing how hackers do their dark art is an important part of learning to be secure on-line. It is not my intention in this article to teach you how to hack websites. Rather I want to help the average net citizens learn about the things to look out for when you have profiles and sensitive information about yourself kept on servers of Facebook, MySpace, Bebo, Plentyoffish and etc… Once you know how hackers work their way into your information, you can then know how to protect yourself. If your favorite social networking website is not taking the appropriate steps to protect you then you can at least know that your personal information is in trouble. Since many of the popular social networking sites today may be build or used by people who have little to no proper technical training and experience, you can be sure that our dark hackers are having a fun time.

In this article, I use hacking and cracking as the same term although technically they are different and require different skill sets. Hacking may involve programming skills but cracking usually do not. Anyway, I will discuss a few common and simple techniques that you need to know about, as well as, some more complicated ones that you should be aware of. You need also to start thinking defensively as you read this article so that you can take note of the possible security loop holes that you are or have created. It is critical to bear in mind while reading this article that hacking or attempting to hack a website is illegal in many countries! All your activities on-line are traceable from your ISP (Internet Service Provider) and chances of being caught is extremely high. In my description of the hacks below I have intentionally left out ways to prevent you from being traced so please don’t try it. OK lets start!

Step One:

The first step to trying to hack a website is always to gather information about the users/members or if possible the administrators of the site. Why gather information? (You may ask) Well, one thing for sure, hacking is not magic. You need to know your target before you even attempt to try breaking it. Many of the member profiles on popular social networking sites are public by default so gathering information from there is a simple task. (See how your social networking sites are already providing assistance to our dark art hackers?) When you gather information about your target, you need to know what type of information to look out for. You should copy down information like addresses, phone numbers, birth dates, user Ids, girlfriend or boyfriend information and etc… An added advantage is when you can think the way that your poor victims do. This can be easy when their profiles reveal a lot of information about themselves such as the type of music they listen to, the type of movies they like, the type of hobbies they have and etc…Some administrators are pretty careless too. You can usually find information about them from the site itself or from public DNS (Domain Name Server/System) information type of services. Doing some clever search from the website can reveal nice and handy information that you can use too. One such example is the web address entry field in web browsers. Whenever you do a search or click on some information, the browser would usually convert these action into some form of server side request. In that request, you can find important information such as user Ids, key values and etc that is used to maintain session information, retrieve information from their database or server side scripts. Sometimes you may even find directory paths to a particular file/movie/music, which is an added bonus.

For more advanced and adventurous hacker wannabes, you can try to ping or trace the IP (Internet Protocol) address of the server using their domain name. But bear in mind that some of the information provided by these probes are illegal to use for unlawful purposes. Anyway, these probes can help reveal a lot of information about the server that they are running, additional services that is being used, the path that your data will travel before reaching their server and etc… These information can then be used to try other more complicated techniques that I have briefly explained about in my previous two articles on security. DOS (denial of service) attacks, port scanning, spoofing, phishing, man-in-the-middle and etc will require these information.

Step Two:

Now that all the hard work is over, we can start harvesting our rewards. Now go to the website that your victim belongs to. The most simple and easy way to hack into their account is to try guessing the user Id and password. Some net citizens are just plain ignorant of good security practices. They use passwords like their date of birth, mother’s maiden name, information in their address, phone numbers, or even worse the user Id and password are the same. Trying the set of information about the target user first is recommended. If you don’t succeed, try using the information about their girlfriends and boyfriends. Remember, knowing how they think by understanding them with the information that they have provided about themselves is the key to our success when trying to guess the right passwords to use. If you hit a jackpot, you are in and you can then enjoy whatever is it that hackers enjoy when they have hacked into someone else’s account.

When you review the information that you have collected in step one, you might have discovered some bonus information like directory paths. Directory paths can be used to try back door hacks that allow you to enter into restricted web-pages. Some web servers are poorly configured and so even though you cannot access a web-page indirectly because it has been set private, you can do so by typing in the path to the server directly on your browser. If you do accidentally find a back door to some private content, do remember to alert the relevant administrators of the site of the security breach. Of cause they may sue you for hacking or attempting to hack into their website, in which case, you should have left them to their own down fall and not try to be a hero. Trial and error with absolute and relative paths to access restricted information files and web-pages is a powerful way of getting into and around websites. If trying a web-page directly is unfruitful, you can always try adding relative addressing to branch indirectly in your URL. Some web administrators know as much about securing their websites as a newbie does so you might just hit the jackpot. By the way all the techniques mentioned above can also be tried on Telnet and FTP (file transfer protocol) type services, just be creative about their usage.

For our jail bird wannabes you can try to script up some stupid DOS attack that is easy to do by writing infinite loops of web server requests. Basically, DOS attacks just load down the server with too many requests that the web server either becomes unusable or crashes. It is also interesting that when a web server crashes, it can sometimes make available what was once private or restricted. In short bad things might happen when servers crash and you can then take full advantage of it. If you have a Telnet terminal or SSH shell and etc, you can also try buffer overflow bugs. You don’t have to understand or write these exploits yourself, you can get these scripts from underground or security or research websites that provides them to us in the name of glory. You will probably acquire the name of a script kiddie but who cares about names when you can get your picture posted in the front page of tomorrow’s newspaper.

For our hardcore jail bird wannabes, you can try a simple phishing hack. Let us take Hiitch as an example. Just imagine Hiitch as a website based social networking service. Now all you need to do first is to buy a domain very similar to ‘hiitch.com’, say ‘wwwhiitch.com’. This is to catch our unsuspecting net citizens. Next clone the Hiitch website by saving the web-pages from your browser. When our victim comes to our fake Hiitch site by accident, they will not notice any differences between the original one and the fake one. The browser will not complain because the identity of the site is not digitally verifiable. Then write up a simple script to save and store the user Id and password that our victim will soon enter. Once their information is entered, send the result to yourself via email then redirect the victim to the actual site by doing a simple post to sign him/her in. The victim will not know or suspect anything even though they have just been hacked.

There are many ways to skin a cat and therefore breaking is always easier than securing an on-line service. Security is hard work for both the service provider and the end user like yourself. It takes proper education on security issues and enforcement on both ends to make an on-line service really secure. Are you the security weak link or your service provider? Ask your service provider how they are protecting you and your information. Play an active part in helping keep yourself and everyone safe while on-line.

I have read an article about MySpace in a fairly recent news article a few weeks back and thought that I should highlight the importance of security in social networking. In the early days of the Internet, most websites were information sites. However, today our web content has gone far from just being informative. Net citizens are beginning to take up their own identities on the Internet through blogs and social networking sites. The concept of verifiable digital identity, its use/misuse, its privacy and its authenticity are becoming critical issues. On-line security becomes the only front-line protection mechanism against these budding problems.

Most average net citizens don’t even care about such issues thinking that it do not concern them. The common respond is, “I don’t really care or it is not important!” Worse of all, they naively believe that their on-line service providers have it all covered. A common respond for this is, “It is a very popular site, they should be safe.” In this article, I hope to discuss about some of the things that net citizens should look out for in any site or software that involves the use of their identity on-line.

The first step to security is to keep your information private and permission controlled. Allowing the whole world to view information about you is a huge security risk. Now, you may ask if that is important. The obvious answer is yes. What is it that they want to do with your information? These information can give them clues to the sites your visit, passwords, user Ids, places you hang out in the real world, your habits, your health, your private life, your bank or credit card information and etc. The information that is gathered about you can then be use to stalk you in the real world, steal and use your identity to do terrorist activities, extort you, blackmail you, bully you, spread rumours and gossip about you and etc. I am sure that if you are creative, you can come up with more horrible things that can happen. Do you know that your service providers are not required by law to protect your information and that you visit and use sites at your own risk? Security is basically your own responsibility. You should never post any information about yourself unless you know you can control how they are accessed. Always remember to take your time to read the security and privacy statements that are provided by most service providers, then decide for yourself if you want to use them. If any service provider that you are looking at do not have any such information, your alarms should start sounding off. If in doubt, you should always question them about how they intent to keep your information safe before signing up for their services. In addition, you can also search for news about the service provider that you are interested in before signing up with them. News articles can sometimes reveal a lot about how secure they are.

Other general things to worry about in regard to keeping your information private includes malicious web spiders and search engines that unknowingly compromise your information. Web servers are all programmed to respond in a specific way when queried. It is this standard protocol or behavior that makes the Internet so widely used. However, web servers also becomes more easily exploitable when configured inappropriately or when bugs are discovered through cleverly crafted probes. In short, web servers can unknowingly pass your private information to a malicious web spider or search engine and make your private information publicly available. In most cases your service provider should have a plan to deal with all these issues. If a service provider shows little concern about protecting your information, perhaps you should reconsider putting them there.

The second step is to ensure that you are connecting to the right services that you desire. Failure to ensure that may result in information leaks that can be used against you. Do you know that there are malicious software and people collecting information about you all the time on the Internet? Hacks such as man-in-the-middle attacks and phishing are on the rise. The goal of the hacks is to steal your private information either by hijacking your information half way to your service provider or by pretending to be your service provider. Being sure that your service provider has the capabilities to keep your information safe and access controlled is not enough. Your service provider needs to ensure that you can connect to them securely and without doubt. Hackers can easily use tools to harvest your information en-route to your service provider and hide their actions using techniques such as network address translation (NAT). Step one only makes sense when you are sure that your information is going to the correct service provider.

The third step is to ensure that your service provider has the capabilities to protect you from third party components that reside on their website or software. Giving users the permission to add custom components on top of their services can and will introduce new security issues. All the other threats we have discussed so far comes from outside your service provider, embedded components on the other hand comes from internal and is viewed as part of the system. Most users have the wrong perception that anything from a secure site or software is safe but this is not true when it comes to third party add-on. Most service provider disclaimer will include a sentence that protects them from such issues. These add-on can sometimes become the security loop hole to the unbreakable fortress. A simple example would be a widget that broadcast your information in plain text residing in a secure website. Add-on includes media players, nice innocent looking widgets, unseen script code and etc. Seeing custom components and widgets on a website should also raise your alert level while browsing because the security risk is higher. Shutting down the browser’s capabilities on third party components can also be a good solution to protect yourself against such threats. Third party components are becoming a greater threat now that almost all social networking sites uses or allows some form of add-on.

Web browser based technologies are more widely published and hence more widely exploited than custom clients. It does not mean that therefore web browser based technologies are less safe, it just means that more people tries to break your system through it than through custom clients.

I hope that the discussion has helped you become better aware of the need for security while social networking on-line and how poor security will result in you paying the price and not your service provider.