Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

New Tool Hacks the Psyche

Microsoft Blue Hat summit to feature proof-of-concept for extrapolating a user's emotional state based on his or her online postings

Next time you blog or post an update to your social networking site, consider what the net of all of your online postings could reveal about what’s really going on inside your head.

Security researchers Nitesh Dhanjani and Akshay Aggarwal have been researching how your online persona and activity can actually be used to hack into your psyche for intelligence-gathering and even as a way to influence your behavior. They’ll be presenting their work at Microsoft’s upcoming Blue Hat security summit in October.

“This is the next generation of hacking: ‘I want to hack you, not your app,’” says Dhanjani, who is a senior manager with Ernst & Young.

The researchers are building a prototype “emotion dashboard” that gathers feeds from a user’s online presence -- from Flickr, blogs, MySpace, Facebook, Twitter, etc. -- into a single RSS feed that populates the dashboard. The tool is based on Microsoft’s Silverlight Media Web plug-in, and lets you basically glean a person’s emotions based on correlations among his or her online postings and activities.

In its basic form, the dashboard will serve as a visual history that gauges the user’s mood and emotions in real-time and historically. When the targeted user uses negative words like “cry,” the dashboard will log a dark color, while a happy word could generate yellow or another bright color. “It’s almost like those stock market orbs you can buy at Brookstone,” he says. “You can look at it and derive something about what’s going on with that person overall.”

Dhanjani says the color graph will use a similar color-coding scheme to that of the We Feel Fine project, a data-collection engine that automatically searches the Web every ten minutes for expressions of human feelings from blogs and social networking sites. It then graphs the mood of the Net in color.

Dhanjani and Aggarwal’s emotion dashboard prototype also will come with a pulse monitor of sorts, graphing the ups and downs of the targeted user’s moods online over a period of time. “The pulse would show that in the past six months, this user has been upset, and now it looks like something happened,” Dhanjani says.

Aside from the creepy voyeuristic aspects of this proof-of-concept, there are the obvious privacy concerns that the researchers are trying to demonstrate. And there’s no stopping a social engineer or bad guy from trying to manipulate a targeted user’s behavior by preying and playing on his or her moods. “If you are extremely angry, I can see it in real-time,” Dhanjani says. “And you can make that person even more upset by leaving a comment on their blog that says ‘I agree with you and I understand because that person pissed me off, too,’ leading you to think about it more” and incite the emotion or encourage an action, he says.

The researchers will show how this remote behavior analysis can be used to create personality profiles, for predicting the targeted user’s state of mind or possible actions, even before the user is aware that they are feeling sad or depressed. That obviously could be used for the good in a criminal investigation, or abused by criminals or sociopaths.

“I’m just trying to show a proof of concept that this can be done,” Dhanjani says. “If you just take what we’re presenting, it doesn’t seem like you could get a real understanding of what’s going through [a user’s] brain,” but just adding a few more features could, he says.

One such feature is a trigger, where the dashboard could be set to automatically send the targeted user a manipulative message via comment or their social networking site when they hit a certain emotional threshold to fan the fire, for instance. Dhanjani says he and Aggarwal didn’t take the prototype that far, however, due to limited resources.

Another potential risk is data poisoning attacks on social networking sites, he says, with phony profiles aimed at discrediting or smearing someone, for instance. Researchers last week at Black Hat USA demonstrated a similar hack, easily building a convincingly real yet fake LinkedIn profile of security icon Marcus Ranum. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

“The message we do not want to send is ‘don’t use these social networking apps,’” he says. “But there are some clear privacy implications today as well as some clear benefits for criminal research.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-20
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vul...
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. T...
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,...
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSS...
PUBLISHED: 2021-01-20
Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields.