Dark Reading is part of the Informa Tech Division of Informa PLC


8/14/2008
09:00 AM

New Tool Hacks the Psyche

Microsoft Blue Hat summit to feature proof-of-concept for extrapolating a user's emotional state based on his or her online postings

Next time you blog or post an update to your social networking site, consider what the net of all of your online postings could reveal about what’s really going on inside your head.

Security researchers Nitesh Dhanjani and Akshay Aggarwal have been researching how your online persona and activity can actually be used to hack into your psyche for intelligence-gathering and even as a way to influence your behavior. They’ll be presenting their work at Microsoft’s upcoming Blue Hat security summit in October.

“This is the next generation of hacking: ‘I want to hack you, not your app,’” says Dhanjani, who is a senior manager with Ernst & Young.

The researchers are building a prototype “emotion dashboard” that gathers feeds from a user’s online presence -- from Flickr, blogs, MySpace, Facebook, Twitter, etc. -- into a single RSS feed that populates the dashboard. The tool is based on Microsoft’s Silverlight Media Web plug-in, and lets a viewer infer a person’s emotions from correlations among his or her online postings and activities.

In its basic form, the dashboard will serve as a visual history that gauges the user’s mood and emotions in real-time and historically. When the targeted user uses negative words like “cry,” the dashboard will log a dark color, while a happy word could generate yellow or another bright color. “It’s almost like those stock market orbs you can buy at Brookstone,” he says. “You can look at it and derive something about what’s going on with that person overall.”

Dhanjani says the color graph will use a similar color-coding scheme to that of the We Feel Fine project, a data-collection engine that automatically searches the Web every ten minutes for expressions of human feelings from blogs and social networking sites. It then graphs the mood of the Net in color.

Dhanjani and Aggarwal’s emotion dashboard prototype also will come with a pulse monitor of sorts, graphing the ups and downs of the targeted user’s moods online over a period of time. “The pulse would show that in the past six months, this user has been upset, and now it looks like something happened,” Dhanjani says.

Aside from the creepy voyeuristic aspects of this proof-of-concept, there are the obvious privacy concerns that the researchers are trying to demonstrate. And there’s no stopping a social engineer or bad guy from trying to manipulate a targeted user’s behavior by preying and playing on his or her moods. “If you are extremely angry, I can see it in real-time,” Dhanjani says. “And you can make that person even more upset by leaving a comment on their blog that says ‘I agree with you and I understand because that person pissed me off, too,’ leading you to think about it more” and incite the emotion or encourage an action, he says.

The researchers will show how this remote behavior analysis can be used to create personality profiles for predicting the targeted user’s state of mind or possible actions, even before the user is aware that they are feeling sad or depressed. That obviously could be used for good in a criminal investigation, or abused by criminals or sociopaths.

“I’m just trying to show a proof of concept that this can be done,” Dhanjani says. “If you just take what we’re presenting, it doesn’t seem like you could get a real understanding of what’s going through [a user’s] brain,” but just adding a few more features could, he says.

One such feature is a trigger, where the dashboard could be set to automatically send the targeted user a manipulative message via comment or their social networking site when they hit a certain emotional threshold to fan the fire, for instance. Dhanjani says he and Aggarwal didn’t take the prototype that far, however, due to limited resources.

Another potential risk is data poisoning attacks on social networking sites, he says, with phony profiles aimed at discrediting or smearing someone, for instance. Researchers last week at Black Hat USA demonstrated a similar hack, easily building a convincingly real yet fake LinkedIn profile of security icon Marcus Ranum. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

“The message we do not want to send is ‘don’t use these social networking apps,’” he says. “But there are some clear privacy implications today as well as some clear benefits for criminal research.”


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
