Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Connect Directly

New Tool Hacks the Psyche

Microsoft Blue Hat summit to feature proof-of-concept for extrapolating a user's emotional state based on his or her online postings

Next time you blog or post an update to your social networking site, consider what the net of all of your online postings could reveal about what’s really going on inside your head.

Security researchers Nitesh Dhanjani and Akshay Aggarwal have been researching how your online persona and activity can actually be used to hack into your psyche for intelligence-gathering and even as a way to influence your behavior. They’ll be presenting their work at Microsoft’s upcoming Blue Hat security summit in October.

“This is the next generation of hacking: ‘I want to hack you, not your app,’” says Dhanjani, who is a senior manager with Ernst & Young.

The researchers are building a prototype “emotion dashboard” that gathers feeds from a user’s online presence -- from Flickr, blogs, MySpace, Facebook, Twitter, etc. -- into a single RSS feed that populates the dashboard. The tool is based on Microsoft’s Silverlight Media Web plug-in, and lets you basically glean a person’s emotions based on correlations among his or her online postings and activities.

In its basic form, the dashboard will serve as a visual history that gauges the user’s mood and emotions in real-time and historically. When the targeted user uses negative words like “cry,” the dashboard will log a dark color, while a happy word could generate yellow or another bright color. “It’s almost like those stock market orbs you can buy at Brookstone,” he says. “You can look at it and derive something about what’s going on with that person overall.”

Dhanjani says the color graph will use a similar color-coding scheme to that of the We Feel Fine project, a data-collection engine that automatically searches the Web every ten minutes for expressions of human feelings from blogs and social networking sites. It then graphs the mood of the Net in color.

Dhanjani and Aggarwal’s emotion dashboard prototype also will come with a pulse monitor of sorts, graphing the ups and downs of the targeted user’s moods online over a period of time. “The pulse would show that in the past six months, this user has been upset, and now it looks like something happened,” Dhanjani says.

Aside from the creepy voyeuristic aspects of this proof-of-concept, there are the obvious privacy concerns that the researchers are trying to demonstrate. And there’s no stopping a social engineer or bad guy from trying to manipulate a targeted user’s behavior by preying and playing on his or her moods. “If you are extremely angry, I can see it in real-time,” Dhanjani says. “And you can make that person even more upset by leaving a comment on their blog that says ‘I agree with you and I understand because that person pissed me off, too,’ leading you to think about it more” and incite the emotion or encourage an action, he says.

The researchers will show how this remote behavior analysis can be used to create personality profiles, for predicting the targeted user’s state of mind or possible actions, even before the user is aware that they are feeling sad or depressed. That obviously could be used for the good in a criminal investigation, or abused by criminals or sociopaths.

“I’m just trying to show a proof of concept that this can be done,” Dhanjani says. “If you just take what we’re presenting, it doesn’t seem like you could get a real understanding of what’s going through [a user’s] brain,” but just adding a few more features could, he says.

One such feature is a trigger, where the dashboard could be set to automatically send the targeted user a manipulative message via comment or their social networking site when they hit a certain emotional threshold to fan the fire, for instance. Dhanjani says he and Aggarwal didn’t take the prototype that far, however, due to limited resources.

Another potential risk is data poisoning attacks on social networking sites, he says, with phony profiles aimed at discrediting or smearing someone, for instance. Researchers last week at Black Hat USA demonstrated a similar hack, easily building a convincingly real yet fake LinkedIn profile of security icon Marcus Ranum. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

“The message we do not want to send is ‘don’t use these social networking apps,’” he says. “But there are some clear privacy implications today as well as some clear benefits for criminal research.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...