Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

New Tool Hacks the Psyche

Microsoft Blue Hat summit to feature proof-of-concept for extrapolating a user's emotional state based on his or her online postings

Next time you blog or post an update to your social networking site, consider what the net of all of your online postings could reveal about what’s really going on inside your head.

Security researchers Nitesh Dhanjani and Akshay Aggarwal have been researching how your online persona and activity can actually be used to hack into your psyche for intelligence-gathering and even as a way to influence your behavior. They’ll be presenting their work at Microsoft’s upcoming Blue Hat security summit in October.

“This is the next generation of hacking: ‘I want to hack you, not your app,’” says Dhanjani, who is a senior manager with Ernst & Young.

The researchers are building a prototype “emotion dashboard” that gathers feeds from a user’s online presence -- from Flickr, blogs, MySpace, Facebook, Twitter, etc. -- into a single RSS feed that populates the dashboard. The tool is based on Microsoft’s Silverlight Media Web plug-in, and lets you basically glean a person’s emotions based on correlations among his or her online postings and activities.

In its basic form, the dashboard will serve as a visual history that gauges the user’s mood and emotions in real-time and historically. When the targeted user uses negative words like “cry,” the dashboard will log a dark color, while a happy word could generate yellow or another bright color. “It’s almost like those stock market orbs you can buy at Brookstone,” he says. “You can look at it and derive something about what’s going on with that person overall.”

Dhanjani says the color graph will use a similar color-coding scheme to that of the We Feel Fine project, a data-collection engine that automatically searches the Web every ten minutes for expressions of human feelings from blogs and social networking sites. It then graphs the mood of the Net in color.

Dhanjani and Aggarwal’s emotion dashboard prototype also will come with a pulse monitor of sorts, graphing the ups and downs of the targeted user’s moods online over a period of time. “The pulse would show that in the past six months, this user has been upset, and now it looks like something happened,” Dhanjani says.

Aside from the creepy voyeuristic aspects of this proof-of-concept, there are the obvious privacy concerns that the researchers are trying to demonstrate. And there’s no stopping a social engineer or bad guy from trying to manipulate a targeted user’s behavior by preying and playing on his or her moods. “If you are extremely angry, I can see it in real-time,” Dhanjani says. “And you can make that person even more upset by leaving a comment on their blog that says ‘I agree with you and I understand because that person pissed me off, too,’ leading you to think about it more” and incite the emotion or encourage an action, he says.

The researchers will show how this remote behavior analysis can be used to create personality profiles, for predicting the targeted user’s state of mind or possible actions, even before the user is aware that they are feeling sad or depressed. That obviously could be used for the good in a criminal investigation, or abused by criminals or sociopaths.

“I’m just trying to show a proof of concept that this can be done,” Dhanjani says. “If you just take what we’re presenting, it doesn’t seem like you could get a real understanding of what’s going through [a user’s] brain,” but just adding a few more features could, he says.

One such feature is a trigger, where the dashboard could be set to automatically send the targeted user a manipulative message via comment or their social networking site when they hit a certain emotional threshold to fan the fire, for instance. Dhanjani says he and Aggarwal didn’t take the prototype that far, however, due to limited resources.

Another potential risk is data poisoning attacks on social networking sites, he says, with phony profiles aimed at discrediting or smearing someone, for instance. Researchers last week at Black Hat USA demonstrated a similar hack, easily building a convincingly real yet fake LinkedIn profile of security icon Marcus Ranum. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

“The message we do not want to send is ‘don’t use these social networking apps,’” he says. “But there are some clear privacy implications today as well as some clear benefits for criminal research.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...