Friday, May 14, 2021
Home Blog Facebook: If Your Employees Use It Chances Are That I Harvest Their...

Facebook: If Your Employees Use It Chances Are That I Harvest Their Data

Metadata is information generated as you use technology, and its use has been the subject of controversy since NSA’s secret surveillance program was revealed. Examples include the date and time you called somebody or the location from which you last accessed your email. The data collected generally does not contain personal or content-specific details, but rather transactional information about the user, the device and activities taking place. In some cases you can limit the information that is collected – by turning off location services on your cell phone for instance – but many times you cannot. Below, explore some of the data collected through activities you do every day.

Icons Come From The Guardian Wednesday 12 June 2013 11.52 EDT
Icons Come From The Guardian Wednesday 12 June 2013 11.52 EDT

Now, if any of the above icons look familiar; if any of your personnel are utilizing them on behalf of your firm outside of your facility, chances are that you are already in a world of shit. More on point, though, I most assuredly have a file on you in the ISTAR Clear Base. Here is the information that is regularly transmitted on any given day from all the above accouterments which are somewhat mandatory in the Mortgage Field Services Industry today,

Email

  • sender’s name, email and IP address
  • recipient’s name and email address
  • server transfer information
  • date, time and timezone
  • unique identifier of email and related emails
  • content type and encoding
  • mail client login records with IP address
  • mail client header formats
  • priority and categories
  • subject of email
  • status of the email
  • read receipt request

Phone

  • phone number of every caller
  • unique serial numbers of phones involved
  • time of call
  • duration of call
  • location of each participant
  • telephone calling card numbers

Camera

  • photographer identification
  • creation and modification date and time
  • location where photo was taken
  • details about a photo’s contents
  • copyright information
  • camera make and model
  • camera settings: shutter speed, f-stop, focal length and flash type
  • photo dimensions, resolution and orientation

Facebook

  • your name and profile bio information including birthday, hometown, work history and interests
  • your username and unique identifier
  • your subscriptions
  • your location
  • your device
  • activity date, time and timezone
  • your activities, likes, checkins and events

Twitter

  • your name, location, language, profile bio information and url
  • when you created your account
  • your username and unique identifier
  • tweet’s location, date, time and timezone
  • tweet’s unique ID and ID of tweet replied to
  • contributor IDs
  • your follower, following and favorite count
  • your verification status
  • application sending the tweet

Google search

  • your search queries
  • results that appeared in searches
  • pages you visit from search

Web browser

  • your activity including pages you visit and when
  • user data and possibly user login details with auto-fill features
  • your IP address, internet service provider, device hardware details, operating system and browser version
  • cookies and cached data from websites

1. To communicate, Paula Broadwell and David Petraeus shared an anonymous email account.

From The Guardian Wednesday 12 June 2013 11.52 EDT

2. Instead of sending emails, both would login to the account, edit and save drafts.

3. Broadwell logged in from various hotels’ public Wi-Fi, leaving a trail of metadata that included times and locations.

4. The FBI crossed-referenced hotel guests with login times and locations leading to the identification of Broadwell.

Now, when people simply come to the Foreclosurepedia Website, I gather a tremendous amount of information which, actually, your devices voluntarily distribute. So, I am able to determine within inches of precisely where you are from your IP Address. I am able to know what Operating System you use on your Smartphone, Tablet, Laptop or Desktop including the build and version. I know, if you are using a telco and whom it is to access the website — AT&T, Verizon or whatever if you are using a Smartphone, Tablet or slaving from a hotspot. I know if you are in the comfort of your home utilizing your ISP via your router, as well. There are a few other pieces of data which are stored that then, in turn, allow me to map a footprint of your travels along the Internet if I so chose to — the reality is that it is illegal to track another human being physically, unless you are the parent of a child, in the United States. Much of this deals with ESN, IMSI, IMEI, ICCID or otherwise. — Do a bit of research on Measurement and Signature Intelligence (MASINT) if you really want to get scared!  😉

The reality is that if you are well versed in technology, the world is your oyster today. For instance, a VPN connects to tunnelling software after connecting to a Wi-Fi hub, meaning that at least for a few seconds, their web traffic is known to anyone wants to find out. So, taboo if you are handling documents for virtually ANYONE in the Industry whom is not capable of hitting a hard line internet connection. If you walk around with WiFi enabled on your phone then it will broadcast its MAC address; a unique ID, a Media Access Control (MAC) address, when they’re looking for networks and, unlike an IP address which changes over time or when you switch networks, a MAC address is constant for the lifetime of a device.

Everyone is tracking you out there today. As a Developer for Google — yeah, I contribute code from time-to-time to help keep the Suit and Ties at bay — there is a pretty cool feature that is little known to many people. If you have GMail and just because your email address is your company’s like mine is @foreclosurepedia.c04.tmdcloud.com the reality is that I stream everything through Google Servers — the DNS, the MX Records, everything. When I send you an email it is originating from a Google Server, sends your email to me via a Google Server and resolves as a Google Server. The main reason for this was so that my email address would always be whitelisted. In fact, I got on when it was free and still have 10 free Google Business Application Accounts for email and all the bells and whistles.

Most devices use both passive and active discovery in an attempt to connect to known/preferred networks. So it’s very likely that your smartphone is broadcasting the names (SSIDs) of your favourite networks for anyone to see. This alone might be enough for someone to glean information about you: where you work, where you live or your favourite coffee shop for instance. Even worse, an attacker could set up a rogue WiFi with the same SSID as the one you are trying to connect to with the aim of forcing your phone to connect and transfer data through it. So while someone knowing that your phone is trying to connect to ‘BTHomeHub-XYZ’ isn’t immediately condemning, it may allow for them to launch a ‘man-in-the-middle’ attack against you, intercepting data sent between you and a friend, giving the impression you’re talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. An ‘evil twin’ attack could even accomplish this without needing any knowledge of your WiFi password – very damaging for all of those who use mobile banking for instance!

The Google Location Feature Makes It Easier For Intelligence Personnel To Develop Patterns
The Google Location Feature Makes It Easier For Intelligence Personnel To Develop Patterns

So, as we have demonstrated above, a person need not even have any knowledge about 802.1 Protocols and with about $30 they are in business locally. Obviously, the level of sophistication dramatically increases when one wishes to explore all options remotely. When you are out and about with that fancy phone or tablet or even log in from your home based computer, a record is stored on Google Servers provided that your email is syncing. Think I bullshit you? If you  have GMail, go and visit the Google Map Location History Page — you will have to be logged in to your GMail Account when you click the link. Now, there are ways to prevent this, but I am not going to delve into that today. What is of great import is this: Even though Google deprecated Google Latitude, the reality is that Google Maps on Facebook is alive and well. For many of you out there you know two things about me: I rarely, if ever, use a cell phone; and I never and I MEAN NEVER get on Facebook!

Facebook has been testing data mining methods that would silently follow users’ mouse movements to see not only where we click but even where we pause, where we hover and for how long. It is not much different than that which Microsoft pioneered back in 2011 — well, that’s not true in the technological sense, but most of you don’t really care anyway.

Heat Map Projections from Microsoft's Paper submitted in 2011 and followed up upon by MIT
Heat Map Projections from Microsoft’s Paper submitted in 2011 and followed up upon by MIT

And just when you thought you had heard the worst of it, let’s actually talk about all those pesky apps people keep running in the background — and that is when the Smartphones, Tablets, Laptops and Desktops are running optimally! The picture below is from a Paper drafted which dealt with the fact that most people have no clue what their phone is doing at any given point in time. Throw into the mix the requirements for a shitload of third party apps now being delivered by both Aspen Grove Solutions and Pruvan and we have a recipe for catastrophe.

With Ten Applications running, the above occurred over a 14 day period.
With Ten Applications running, the above occurred over a 14 day period.

On a final note, before I wrap this up with my Commentary, the reality is that it is far, FAR worse than many believe. While I understand that the Mortgage Field Services Industry is trying to cut every damn corner that they can; while I see every day that the Industry has both cut pay and timelines so as to keep the vast majority of the Regional and Otherwise Unspecified Order Mills up and running, the reality is that this comes at a price. Let’s take the Camera on the Smartphone, for example. It is a mandatory feature and second only to the fact that the Smartphone must be equipped with Data Plan. What many people do not know is that in the same manner that I could — if I wanted to, but would never do it — turn on a webcam on a laptop or a USB PnP, the reality is that the same is true for the Cameras on the Smartphones.

The most difficult aspect of creating a covert feature to be inserted into an Asset’s device is that generally speaking, they all require a coding sequence to trigger the phone to be on — not only the faceplate, but a plethora of other issues to boot. Remember our good friends over at Facebook? Yeah, the vast majority of you whom come here have an account there. Well, Facebook messages draws to the UI, even when the app is not technically running. Now, generally speaking, one would have to put say a 1 x 1 pixel; set the preview size to 0 by 0 dp; or simply use a dummy surfaceholder.callback on the screen to float the program; however, and I probably should keep my mouth shut, you can alter the LayoutParams; the feature for the SYSTEM_ALERT_WINDOW; or if you are smart one would simply set up the following call bearing in mind that I am not going to publish the entirety of it:  privateSurfaceHolder.Callback dummySurfaceCallback =newSurfaceHolder.Callback() and then obviously close out the package with:  <uses-permission android:name=“android.permission.CAMERA”></uses-permission>

What becomes critical here is two things: First, you do not want the Asset to know the Camera or Video Recorder are on. So, we must insure that there is NO PREVIEW of the photo or the recording taken — this includes audio which is just as easily implemented. In essence, the main.xml file you are hacking implements the Surface Holder is set at either 0 or 1 depending on how it is set up. Then, as we already defined the class, we implement the SurfaceHolder.Callback and to render the photo we additionally implement SurfaceChanged() to decode the information the camera captured into a Bitmap vis-a-vis ImageView. Finally, surfaceCreated() hooks the entire process and we close it out with surfaceDestroyed() so that the Camera is released for other apps to use it.

Now, your question might be, “That’s pretty cool Paul, but you are never going to get that bullshit on my phone!” Really? Let me tell you some interesting things about the third rock from the Sun that many of you believe to be so quaint. Simple Notepad is a fake app name over on Google Play and used by Mobile Hidden Camera, which really is an app designed to let people take photos and videos covertly. Remember all the fuss about the NO PREVIEW earlier? So, you may actually have occasion to need to take photos; get video; or simply make an audio recording. That is what it does. Been on play Store for quite a while actually. The reality, though, is that one way or another an Intelligence Professional will deposit their necessary payload to complete the Mission. This is simply one of many and the reality is that most people do not have a clue what they download on any given day. All it takes is your phone in someone else’s hands 23 seconds.

In closing, I support the fact that many within the Industry have broken away from the brick and mortar setting. With specificity to the administrative sector, remote servicers make sense. What I never have and I never will support is the fact that National, Regional and Otherwise Unspecified Order Mills are, once again, putting both Members of Labor and the US Taxpayer at risk. The reality is that the Order Mills have absolutely no Policy or Procedure with respect to this uncharted water. Additionally, the fact of the matter is most of the Regional and Otherwise Unspecified Order Mills are not sophisticated enough to even perform an IT Audit upon their Remote Personnel.

I am rarely, if ever wrong, and I predict that very, VERY soon we are going to see enormous data breaches — I think everyone knows that if I am saying VERY SOON, it has probably already happened — and with those breaches we are going to see shit hit the fan. You see, not only are the Loan Numbers cobbled in the mix of the information hitting all of these public wi-fi routers; not only are most of the Remote Personnel running antiquated and unsafe Operating Systems which have viruses in them, the reality is that we also have Members of Labor whose personal and financial information has been stored.

You see, that is the deal at the end of the day. There are already Regulations on the Books which state that whatever computer you use for the Industry must ONLY BE — USED for Industry Work. So, when people are all out and about on Facebook, YouTube, Porn Sites and downloading garbage, they have already set themselves and their Employers up for failure. More on point, though, I subscribe to the fact that this same Regulation ought be applied to the Smartphones as well.

Paul Williamshttps://foreclosurepedia.org
Linux addict buried deep in the mountains of East Tennessee.

Followers

21,432FansLike
124,324FollowersFollow
45,102FollowersFollow
11,243SubscribersSubscribe

Most Popular