Is it possible to find out who is doing the hacking?

Answer 1

Okay. Yes. First you would need to be a total genius to find out. Second it could just be one of your friends trying to trick you. So be ready to start pulling out some que cards and start asking questions! If someone is hacking and THIS advice doesn't work try this advice:

Try to change your password to something challenging like "ilovetodrinkcokesotasty!"

but don't use that because it an example. But in reality Fb doesn't limit the password so it can be really long. If THIS doesn't work heres some more:

Try to change your password every week.

If that didn't work suck on this for a while: when you get go to privacy settings this will appear:

* Pokes

* Messages

* Whose profile you view

* Whose photos you view

* Whose notes you read

* Groups and Events you decline to join

* People you reject as friends

* People you remove from your friends

* Notes and photos you delete

But if you have the timeline its totally different.

Hope this helped!

And a technical answer...

The short answer is YES.

Undoubtedly this answer will be all the better for some explanation -- so here it comes. First, the thesis: Communications travelling between any two points can be traced to each point. All it takes really is effort, ability and time. Hollywood expresses this with a wonderful equation: "When Making a film, it's money, time, quality -- pick any two." This applies to information science as well.

At a more specific level, the questions become:

• Who is hacking you (Not the identity; the role. What sort of a person would be hacking you? Who's interested?)?
• Why are they hacking you?
• What forensic countermeasures have they employed?
• How much effort, money, time do you care to expend in order to find out exactly who they are?

Let's start with someone hacking someone your Facebook account. Let's also assume you're not an international celebrity, not a bank, not the military or an intelligence agency, and not the hacker's ex-wife. This given, we can guess a few things about the hacker that are likely to be true:

• You weren't selected specifically to be hacked -- you were just available for this -- hence an opportunistic attack.
• Hacking you doesn't offer huge rewards (so we'll guess the hacker didn't spend a huge amount of time and money on this).
• You aren't known for your forensic ability or your ability to counter-strike (so they likely aren't afraid enough to employ expensive countermeasures).

With these factors as givens in this example, we can safely assume that the hack isn't something sophisticated, so it's either taking advantage of a known technical vulnerability or it's Social Engineering. So we use a "strong" password, we make sure our operating system has the most recent patches, we employ up to date antivirus measures (AV -- really, this is anti-malware but let's call it AV), and it's also a good idea to use some kind of firewall -- even the one Windows has built in. While these safety measures will not stop the CIA from attacking your system (and why would they bother?), it'll stop over 99% of modern opportunistic attacks.

Social Engineering is a non-technical means of getting people to tell them information that will allow access to your system. This is the most common attack modality in civilian circles and I strongly suspect, in covert circles as well. Sam Mitnick, famous imprisoned hacker in the 1980s was brilliant at this, as was John Draper. a.k.a. "Captain Crunch", who operated from the late 1960's on into at least the 1980's. There are famous and well known examples of these gentlemen -- at least once on television -- speaking over a landline phone to the phone company -- a very security-conscious group -- and getting access information that allow the penetration of major tandem PSTN switches. Just by asking questions over the phone.

Social Engineering would include asking your friends for your password, checking your garbage (so-called "garbology"), reading over your shoulder when you type in your password ("shoulder Surfing"), etc. While the number of SE approaches is endless, some simple precautions are very effective. Try these on for size:

• Don't ever say your password out loud. Not to anyone including people who say they're techs. Not to yourself.
• If you're typing in a password, guard your shoulder -- note that good surfers don't need to see the screen -- they can read the keys your typing on your keyboard or phone.
• Don't write your password down. If you must, treat that paper like money. How much money? Well, what's your system security worth?
• If you think you've been compromised, don't just shrug your shoulders -- increase security until you're sure you're safe.

Once hacked, you'll have to determine if the hack was a one-time event or not. If it was, you're home free except for finding the hacker. In order to find the culprit, start with knowing that, at some time your two systems were linked over the internet (I'm assuming this isn't a local proximity hack where the hacker is a family member or employee or otherwise onsite with you, that you're not air-gapped and you're not a classified military operation running on milnet). So all you need to do is find a record of the IP address you're sending to and you're off to a great start. This can be done a variety of ways:

• Currently connected IP addresses can be obtained from Windows.
• If not currently connected, Windows Pathing may show paths to this hacker.
• If you identify the malware allowing the hack, you can often easily examine it in order to find the receiving IP address.
• You can possibly convince your Internet Service Provider (ISP) to check logs and/or current connections for this information. Be prepared for them not to always want to cooperate with this.
• Don't open anything that happens to be executable, i.e. a program of some kind, in a mode that lets it run. So don't open attachments with endings like .exe or .com or -- there are thousands of these and you should learn a few. However, to avoid a lookup just now, know that filenames that end in .txt are safe -- they won't execute.

Usually, opportunistic hackers don't use proxies, repeaters, cut-outs or other fancy (and expensive) means of obscuring their end destination. When they do, you might take a page from the Church of Scientology who employed law, money and tons of effort to overturn the security of several anonymous remailers in Scandinavia (circa 1980 or so) in order to find the source.

Most opportunistic low-security hacks can be stopped and even identified just by playing with the rules I listed above.

But what if you're a financial institution? Well, the list of interested hackers is now much larger, and the level of sophistication they'll have and the money they can spend has increased significantly. Countering and identifying these hackers is harder, but almost never impossible. The first thing you'd do is get law enforcement involved. This isn't because they'll solve this -- they might, but more likely their desk is already full. This is so you can contact your ISP, show them the police report, and get their security team on alert. In typical situations, the more the ISP has to deal with law enforcement, the more receptive they'll be to your requests for identification. There's a lot more on this level of electronic security, that exceeds the scope of this response.

Note that in none of these cases are we discussing people who actually break encryption. In America and Europe (and most of the world really), the standard for encryption is called AES, for Advanced Encryption Standard, a cipher algorithm formerlt named "Rijndael", and winner of the AES competition. At this time, no known breaks of AES have been published (and yes, they would have been), and only a few so-far impractical theoretical breaks have been postulated. This isn't to say the NSA, Russian State Security or their (very limited) ilk can't break AES -- we civilians honestly don't know their capabilities -- but they aren't likely to try and hack your system and, if they did, a crypto break would be a very unlikely method.