Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

8/14/2008
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool Hacks the Psyche

Microsoft Blue Hat summit to feature proof-of-concept for extrapolating a user's emotional state based on his or her online postings

Next time you blog or post an update to your social networking site, consider what the net of all of your online postings could reveal about what’s really going on inside your head.

Security researchers Nitesh Dhanjani and Akshay Aggarwal have been researching how your online persona and activity can actually be used to hack into your psyche for intelligence-gathering and even as a way to influence your behavior. They’ll be presenting their work at Microsoft’s upcoming Blue Hat security summit in October.

“This is the next generation of hacking: ‘I want to hack you, not your app,’” says Dhanjani, who is a senior manager with Ernst & Young.

The researchers are building a prototype “emotion dashboard” that gathers feeds from a user’s online presence -- from Flickr, blogs, MySpace, Facebook, Twitter, etc. -- into a single RSS feed that populates the dashboard. The tool is based on Microsoft’s Silverlight Media Web plug-in, and lets you basically glean a person’s emotions based on correlations among his or her online postings and activities.

In its basic form, the dashboard will serve as a visual history that gauges the user’s mood and emotions in real-time and historically. When the targeted user uses negative words like “cry,” the dashboard will log a dark color, while a happy word could generate yellow or another bright color. “It’s almost like those stock market orbs you can buy at Brookstone,” he says. “You can look at it and derive something about what’s going on with that person overall.”

Dhanjani says the color graph will use a similar color-coding scheme to that of the We Feel Fine project, a data-collection engine that automatically searches the Web every ten minutes for expressions of human feelings from blogs and social networking sites. It then graphs the mood of the Net in color.

Dhanjani and Aggarwal’s emotion dashboard prototype also will come with a pulse monitor of sorts, graphing the ups and downs of the targeted user’s moods online over a period of time. “The pulse would show that in the past six months, this user has been upset, and now it looks like something happened,” Dhanjani says.

Aside from the creepy voyeuristic aspects of this proof-of-concept, there are the obvious privacy concerns that the researchers are trying to demonstrate. And there’s no stopping a social engineer or bad guy from trying to manipulate a targeted user’s behavior by preying and playing on his or her moods. “If you are extremely angry, I can see it in real-time,” Dhanjani says. “And you can make that person even more upset by leaving a comment on their blog that says ‘I agree with you and I understand because that person pissed me off, too,’ leading you to think about it more” and incite the emotion or encourage an action, he says.

The researchers will show how this remote behavior analysis can be used to create personality profiles, for predicting the targeted user’s state of mind or possible actions, even before the user is aware that they are feeling sad or depressed. That obviously could be used for the good in a criminal investigation, or abused by criminals or sociopaths.

“I’m just trying to show a proof of concept that this can be done,” Dhanjani says. “If you just take what we’re presenting, it doesn’t seem like you could get a real understanding of what’s going through [a user’s] brain,” but just adding a few more features could, he says.

One such feature is a trigger, where the dashboard could be set to automatically send the targeted user a manipulative message via comment or their social networking site when they hit a certain emotional threshold to fan the fire, for instance. Dhanjani says he and Aggarwal didn’t take the prototype that far, however, due to limited resources.

Another potential risk is data poisoning attacks on social networking sites, he says, with phony profiles aimed at discrediting or smearing someone, for instance. Researchers last week at Black Hat USA demonstrated a similar hack, easily building a convincingly real yet fake LinkedIn profile of security icon Marcus Ranum. (See LinkedIn Hack Demonstrates Ease of Impersonation.)

“The message we do not want to send is ‘don’t use these social networking apps,’” he says. “But there are some clear privacy implications today as well as some clear benefits for criminal research.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18986
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
CVE-2019-18981
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
CVE-2019-18982
PUBLISHED: 2019-11-15
bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.
CVE-2019-18985
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks brute force protection for the 2FA token.
CVE-2019-18928
PUBLISHED: 2019-11-15
Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.