Recap: May Dinner with Ashley Sametz

Well, I think we can safely say that was a raging success. Facebook stalking! Hilarious tales of dumb criminals! Cake! Lest anyone remain unconvinced about how not-anonymous we are online, the morning after our Dinner this was one of the first things that came across my feeds: Stalking your friends with Facebook Messenger. (I sent it to Ashley who had a panic over even owning an iPhone, so I’ll take that as relevance.)

To refresh you, Ashley works with the Hate Crime and Extremism Investigative Team with the Waterloo Regional Police. Her background is in tech security and fraud and threat investigation, and she’s an OSINT analyst (Open Source INTelligence). For our Girl Geek purposes: she spends a lot of time online using a lot of publicly available tools — and some other magic we don’t have access to — to fight crime. (Side note: criminals are often not very bright. And all seem to know each other, which is great for using social graphing tools.)

You can find the scrubbed version (some info removed) of her presentation here, which includes a lot of links, etc. that I won’t bother duplicating in this recap.

OSINT sources include a lot of media, mostly online, but things like magazines and tv as well; web-based communities and user-generated content; public data; and professional and academic sources. There is a LOT of information out there about most people, and accessing it is free and legal (mostly). Ironically, it’s not uncommon for criminals caught by this type of information to be the ones who posted it in the first place. And, unfortunately, it can be used for much more unsavoury means, as we’ll see.

TL;DR: there is no such thing as real privacy in social media — don’t post it if you wouldn’t want it on the HuffPo homepage or sent to all your friends — and you really do need to read end-user licence agreements (EULAs). In general, the more generic your name, the easier it is for you to hide. Just one straw-coloured John Smith needle in the online haystack. For the Ashley Sametzes or Amaris Gersons… well, it’ll be tougher for them to rule criminal empires. (Or the Melanie Bakers, as we’d find out.)

The demonstration Ashley did researching me wasn’t 100% accurate, but the details that were wrong were trivial, and the quantity of data from some quick searching was considerable. Being able to find out information like date of birth is very useful. Ashley did find my Mom, too, and from there, it might be possible to find Mom’s maiden name. How many gazillions of people use that as a security question?

Side note: that recent “game” that went around where you provided a picture and it “guessed” how old you were? That was from Microsoft, and it wasn’t a way for them to amass stock photography, as some people claimed (honestly, like that’s hard to come by). What they are/were doing is training biometric authentication tech (fingerprints, iris scanning, facial recognition) that they’re developing. So we all helped them do free testing and whatnot. And while they stopped keeping the photos, they do get to keep the approximate ages gleaned, gender, geolocation data, phone information, and browser information (for those who used the app on mobile).

Of course, it said my 19-year-old picture looked 40, and a while back Facebook asked me to tag my dog’s butt hole as a “friend”, so while we have no privacy and are flinging our personal info around left and right, the singularity is perhaps not upon us just yet.

Now, with geolocation data, things get really interesting, and creepy, since most people can be tracked day and night. (Seriously, turn it off on your phone. For everything. And while we’re at it, log out of apps/services when you’re not using them.) Ashley showed us an example of the geolocation data in Tinder profiles having been used by some curious guys who hacked things a bit to enable triangulation to within 100 feet. (Strictly it’s trilateration, since it works from distances rather than compass bearings, but the three-points idea is the same.)

The Facebook Messenger hack linked above is very similar; it enabled pinpointing which part of a particular dorm a guy was in. And the Tinder exploit only required three profiles: each one asks the service how far away the target is, and three distances from three known positions pin down a single point (cuz… triangle).

The guys who found this out let Tinder know, and they “fixed” it… kinda. They rounded the lat/long data. But that only blunts each individual reading: every one is still off by at most the rounding step, in a direction that differs from query to query, so by using ~100 people at different positions and averaging those errors out you could still produce the same accuracy. And let’s face it, stalkers have a LOT of free time on their hands and often a lot of skills…
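To make the two steps above concrete, here is an added simulation (not code from Ashley’s deck, the page, or Tinder) of the distance-oracle attack and of why rounding only blunts it. The oracle is a stand-in for any API that answers “how far away is this user”; the attacker spoofs their own GPS position, asks from three places, and trilaterates. The mitigation is modelled as rounding the returned distance to a coarse step, which is an assumption about the mechanism (the page only says the data was rounded). Positions, the 100 m step and the 100-query count are all invented, and the Gauss-Newton least-squares fit is a standard technique, not something the page describes.

```python
# Added illustration of a distance-oracle location attack. Nothing here is a
# real API; positions are invented. Coordinates are metres in a local flat
# plane (x east, y north), which is what lat/long reduces to over a few km.
import math
import random


def trilaterate(points, dists):
    """Locate a point from three (x, y) query positions and its distance from
    each. Subtracting circle 1 from circles 2 and 3 leaves two linear
    equations, solved here with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = points
    r1, r2, r3 = dists
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("query points must not be collinear")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def refine(points, dists, start, iterations=30, max_step=500.0):
    """Least-squares position from many noisy distances: Gauss-Newton on
    sum((|p - q_i| - d_i)^2), starting from `start`, step length capped."""
    px, py = start
    for _ in range(iterations):
        sxx = sxy = syy = gx = gy = 0.0          # J^T J and J^T r
        for (qx, qy), dist in zip(points, dists):
            rng = math.hypot(px - qx, py - qy)
            if rng < 1e-6:
                continue
            jx, jy = (px - qx) / rng, (py - qy) / rng   # gradient of |p - q|
            res = rng - dist
            sxx, sxy, syy = sxx + jx * jx, sxy + jx * jy, syy + jy * jy
            gx, gy = gx + jx * res, gy + jy * res
        det = sxx * syy - sxy * sxy
        if abs(det) < 1e-12:
            break
        dx = -(syy * gx - sxy * gy) / det
        dy = -(sxx * gy - sxy * gx) / det
        norm = math.hypot(dx, dy)
        if norm > max_step:                      # keep early steps sane
            dx, dy = dx * max_step / norm, dy * max_step / norm
        px, py = px + dx, py + dy
        if norm < 1e-3:
            break
    return px, py


class DistanceOracle:
    """Stand-in for a 'how far away is this user' API. `step` models the
    mitigation as rounding the reported distance to a coarse granularity
    (an assumption about how the rounding was applied)."""

    def __init__(self, target, step=None):
        self._target = target
        self.step = step

    def query(self, point):
        dist = math.dist(point, self._target)
        if self.step:
            dist = round(dist / self.step) * self.step
        return dist


def locate(oracle, queries):
    """The attack: spoof the attacker's position to each query point, ask for
    the distance, solve. Three queries suffice against an exact oracle; against
    a rounded one, all queries go into the refinement so the per-reading
    rounding errors average out."""
    dists = [oracle.query(q) for q in queries]
    first = trilaterate(queries[:3], dists[:3])
    return first if len(queries) == 3 else refine(queries, dists, first)


TRIPLE = [(-800.0, -600.0), (900.0, -500.0), (100.0, 800.0)]  # constructed


def demo(extra_queries=97, step=100.0, seed=7):
    """Location error in metres for: exact oracle with 3 queries, rounded
    oracle with 3 queries, rounded oracle with 3 + extra_queries queries.
    Target and extra query points are random but seeded (constructed)."""
    rnd = random.Random(seed)
    target = (rnd.uniform(-400, 400), rnd.uniform(-400, 400))
    queries = TRIPLE + [(rnd.uniform(-1000, 1000), rnd.uniform(-1000, 1000))
                        for _ in range(extra_queries)]
    exact, coarse = DistanceOracle(target), DistanceOracle(target, step)
    err = lambda est: math.dist(est, target)
    return (err(locate(exact, TRIPLE)), err(locate(coarse, TRIPLE)),
            err(locate(coarse, queries)))


if __name__ == "__main__":
    for label, metres in zip(("exact/3", "rounded/3", "rounded/100"), demo()):
        print(f"{label:12s} error {metres:7.2f} m")
```

Against the exact oracle three queries land on the target to floating-point precision; against the 100 m-rounded oracle three queries are off by tens of metres, and a hundred queries bring it back to a few metres (100 feet is about 30 m). The averaging relies on each reading carrying a different rounding error. If a service instead snaps the target’s own coordinates to a fixed grid before computing anything, every query sees the same snapped point and extra queries add nothing; that is the check to run before calling a rounding fix adequate.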

Moving along to a different segment of real world data harvesting, Uber, which uses contract drivers, which I’m sure are thoroughly vetted, especially given the company’s growth rate, gets location, name, phone number, and final destination from users. When stories come out about women who’ve used the service getting sexually assaulted, the cringe-worthiness expands greatly. They’re literally being handed over to nefarious strangers who can find and contact them at will.

Ashley gave us a demo of Creepy (appears to be Windows-only), which enables tracking people’s patterns based on their tweets and the geolocation data from them. She mentioned additional tools that accomplish similar things for other social networks with geolocation functionality as well. Hmm, that guy appears to be at this Tim Hortons every afternoon at 3pm… Oh hey, this girl passes this secluded part of the park on her evening runs each night at 9pm…

Mentionmapp is ostensibly for “social discovery, mapping, and engagement”. Indeed. It’s also a great way to find people, or find out who people know, based on Twitter interactions. This could be as useful for social engineering as it is to catch a cheating partner or a gang of criminals.

And then we got to Yik Yak, which pretty much everyone but students thinks is an absolutely awful idea. It’s a mobile, anonymous, location-based social service that enables posting of text, pictures, etc., which others can then up- or downvote. It’s like the perfect tool for ramping up online bullying, slut shaming, threats, you name it. (It was developed for universities to share news/gossip, but has spread widely in elementary and high schools, too.)

Yik Yak has been responsive and enabled location-based blocking, so, for example, one of the Stratford high schools got it blocked after a rash of bullying, at least at school. (They can still use it at home and elsewhere, but it’s something…) They also work with law enforcement to hand over information, including identifying details, if required — like when high school students inadvisedly make bomb threats.

Ashley spent a fair bit of time on Facebook as well, mainly because it’s such a potential gold mine of personal data (and there are some very powerful tools for mining). On Facebook, the key pieces of data are your search history, graph search, ID, and “OSINT” page.

The Activity Log can go all the way back to when you set up your account, recording things you did going back years and tracking potentially your entire life. Talk about displaying patterns and relationships. Activity Log can show everything separately or all together: photos, likes, comments, tagging, etc.

Graph search finds information about a user based on their friend relationships. Typically photos or posts are paired with search terms for best results. And, of course, auto-fill will offer up all kinds of helpful suggestions of information that’s just waiting to be uncovered. (What “Melanie Baker whadda” means I have no idea, and that kitten was from a litter of strays that showed up at my parents’ house, so my own cats remain a secret…)

However, as Ashley demonstrated, a lot of bits and pieces are often publicly available to people you’re not friends with, and that anyone can search for. If you see that globe icon by your name anywhere, click to change to more private settings. The globe is pretty much literal.

People involved in human trafficking have used tools like graph search to identify and target vulnerable teenage girls. They find them based on potential issues like problems at home, mental health, sexual activity, recent breakups, bullying, etc., and then gradually befriend them (often using women) before luring them. Parents can look for incongruous people on their kids’ friends lists, like a 14-year-old daughter having a 37-year-old female friend who is no one you’ve ever heard of.

Ashley also showed us a sliver of the tools available via Michael Bazzell’s IntelTechniques.com site. Combined with tools like FindMyFacebookID, how far down the online stalking rabbit hole you can go is nearly endless. She can even get a pretty good idea of how long you’ve been on Facebook just based on your user ID, since IDs were handed out roughly in signup order. (For example, one of our Girl Geeks went to university in the US, and so signed up for Facebook when it was only open to American university students, well before many of us were on it, and her ID number was much lower than most.)

As another side note, re. online ads or links that offer arrest records for people: you can’t search for that information in Canada as we have laws about things like that. Someone like Ashley working with the police can, of course. But as we also discussed, it’s amazing what you can learn offline as well. Much social engineering can be done by picking up the phone. (Beware, people who’ve lied on resumes…)

If you’ve read any of Kevin Mitnick’s books, particularly the older stuff, it’s amazing how much of his “hacking” wasn’t hacking at all; it was pure social engineering and used a handset, not a keyboard.

Ashley also mentioned a few times that a simple Google search is an easy and surprisingly effective way to start stalking. We’ve all searched for ourselves to see what was out there and how high it ranked. Beyond that, Google Image Search can take things to a whole other level if someone gets hold of a picture of you. Granted, you can also find out where your pictures have ended up using the same search, or tools like TinEye. (Artists often use it to see who’s stolen their work.) Also incredibly icky, but possibly important: using the same searches to find out whether pictures of your kids have been stolen and reposted.

So, as we wrapped up, Ashley assigned some homework for the assembled:

  • Set Facebook privacy to Friends Only for all photos/albums, including Mobile Uploads
  • Review Timeline and Tagging settings under Facebook Privacy
  • Use the “Who can see…” function
  • Hide your Friends list (though mutual friends remain visible to the people you share them with)
  • Set your Instagram account to Private
  • Review photos and content before tweeting, instagramming, snapchatting, facebooking, etc.
  • Turn off all (geo)location and GPS settings
  • Watch for social engineering attempts on LinkedIn, especially if you work with intellectual property
  • Google yourself – see what’s accessible about you online
  • Review passwords AND usernames for repetition – don’t make it easy to steal ALL your presences
  • (Melle’s addition) If you own any domain names, do a WHOIS search for them. If you don’t have WHOIS privacy turned on, your name, address, phone number, and email may be completely public information. (This isn’t available for every type of domain, but there are options for others to make info less accessible.)

And with that, Ashley wrapped up her presentation, though we spent some time in Q&A, sharing stories (some really scary), and ensuring Ashley got her cake. She can be contacted via email, work or personal Twitter, and the HCEIT is also on Facebook.

I’ve had a few people make inquiries with me about her speaking availability (and really, she should be talking to every teen and tween out there), so now those interested can contact her directly.

Thanks again, Ashley for a thoroughly educational and creepy evening! And now, everyone, share this and her deck with everyone you know so we can all be a little safer and a little smarter. And no naked selfies. Honestly…

2 thoughts on “Recap: May Dinner with Ashley Sametz”

  1. Talk to your provider if you do own a domain–mine offered the ability to have their business contact info listed in the WHOIS registry. If they don’t offer any options, find a different company!

    1. Generally they offer a WHOIS privacy option (for gTLDs like .COM), which will display info that’s not yours. Some companies charge annually for this, but not all.

      Some ccTLD registries (the two-letter country codes, like .CA) don’t offer privacy. In that case using something like a PO box, which isn’t a physical address, and an email address only for domain stuff, is recommended.
