I'll be speaking at the International Conference on Cyber Security 2009 in New York (Jan 5 - 9). My talk is titled Suddenly Psychic (content modified from the talk of the same name I discussed before). The agenda is below.
A recent US Army intelligence report identifies Twitter as a potential communication channel for terrorist activities. I think it is fantastic that intelligence efforts like this have the foresight to recognize emerging channels of communication and that there is effort being put into proactively enumerating the potential use cases. Yet, I am not impressed with the limited case studies presented in the report (the obvious case of Twitter being used for communication in addition to extremely specific situations of Twitter being utilized to trigger explosive devices). I feel that the use cases presented in this report are a good start, but they do not go beyond the obvious scenarios. Therefore, in this article, I want to further the discussion on how micro-blogging channels may be leveraged by terrorist organizations to obtain real time surveillance and intelligence of their efforts. I feel this sort of a conversation will be beneficial to counter-intelligence efforts (I will write a separate article on how Twitter may be actively leveraged by counter-intelligence).
Before I go any further, I want to get out of the way a probable knee-jerk reaction that I suspect some readers may have at this point. I am in no way proposing Twitter or social media as an evil (in fact I'm a huge fan of Twitter and I use it on a daily basis). That would be as absurd as saying that the Internet is evil because criminals can use it to communicate. Twitter is a channel of communication - my goal is to point out increased capabilities this channel may provide for criminal use.
I also want to point out that discussions like these are often
brushed off as fantastical. Perhaps this response comes from the
tendency to place too much weight on the (flawed) hypothesis that only
past and known mechanisms are going to (re)occur in the near future.
Consider 9/11: the incident would have been brushed off as fantastical
had someone had the foresight to predict the scenario prior. Often,
potential scenarios appear to be less probable not by rational
conclusions, but because to the human tendency to believe that only
past scenarios have the highest probability of occurrence. Nasim
Nicholas Taleb makes this point, in addition to stating that impactful
events are less predictable, in his his book The Black Swan: The Impact of the Highly Improbable - a must read for any security professional.
The heavily armed attackers who set out for Mumbai by sea last week navigated with Global Positioning System equipment, according to Indian investigators and police. They carried BlackBerrys, CDs holding high-resolution satellite images like those used for Google Earth maps, and multiple cellphones with switchable SIM cards that would be hard to track. They spoke by satellite telephone. And as television channels broadcast live coverage of the young men carrying out the terrorist attack, TV sets were turned on in the hotel rooms occupied by the gunmen, eyewitnesses recalled.
The authorities in India that responded to the attacks did not know about the Blackberries until after the fact. However, had the authorities known that the criminals possess Blackberries while the attacks were ongoing, they wouldn't have known how to leverage that knowledge. The point I'm trying to make here is that, in general, organizations that are responsible for researching and responding to incidents like these seem ill equipped because they do not know how to assess and leverage the increased utilization of information technology by criminals.
While the attacks in Bombay were ongoing, Twitter seemed to light up with conversations. From citizen journalists, to concerned individuals looking for relatives, to volunteers who attempted to orchestrate blood donations, there were approximately 80 new 'tweets' on the #Mumbai channel every five seconds!
It is clear how useful a micro-blogging channel like Twitter can be to the public during situations such as in the Bombay attacks. However, in the following list, I want to enumerate how potential terrorists may leverage a channel like Twitter to perform surveillance and mass manipulation, the sort of which were not possible prior to the micro-blogging medium. The list below is presented in the context of the recent attacks in Bombay but they can be applied for other situations as well. This is by no means an exhaustive list, but I think it is enough to get the conversation going.
Circumventing rescue efforts. Twitter was used by
citizens in vicinity of Bombay to call upon the public for blood
donations. Here is an actual Twitter message sent during while the
attacks were ongoing:
This message was then immediately 're-tweeted' by many others, the following is a snippet of just 5 of such 're-tweets':
It is clear that Twitter messages can assist in rescue efforts, and in this case, they played a positive role in broadcasting details on where volunteers may help out by donating blood.
Now, consider a situation where a malicious party were to sign up for multiple Twitter accounts and Tweet messages similar to the one presented in this use-case but using non-existent phone numbers:
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003351 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003352 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003353 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003354 #mumbai
JJ hospital needs A-blood urgently. Please call Ashwin at 92331003356 #mumbai
The potential for abuse in this case relies upon the fact that, during emergency situations, people are likely to accept and re-broadcast messages without verification. The malicious Twitter messages above, with incorrect phone numbers, are just as likely to be re-tweeted. People who are able and want to donate blood will now no longer be able to effectively utilize the micro-blogging channel to contact the proper resources.
Group sentiment analysis. The genuine nature of micro-blogging channels makes them a powerful channel to capture genuine human feelings. In my previous article, Hacking the Psyche, I presented how individual feelings from the social web, including Twitter, can be captured to create an emotion dashboard depicting the past and current states of feelings.
Since the goal of terror attacks is to cause terror - sentiment analysis can be a powerful tool for the terror agents to measure the impact of their attacks. A mashup of an automated sentiment analysis engine using the Twitter API coupled with the Google Maps API can easily give the agents a clear visual of how their terror attacks are impacting the emotional states of individuals in particular locations, for example, are people in target location location x upset / scared / worried / angry / happy in response to the ongoing or recently committed attack? What locations around the world have reacted negatively or positively to the attacks?
Following the news media. This is most likely to be one of the more obvious use cases. As mentioned earlier, the terrorists in the Bombay attacks were found to have used Blackberries to keep up with news websites to measure the impact of their ongoing efforts. Instead of having to surf to multiple news media websites, it is plausible that criminals can utilize traffic in the particular channel of interest, for example #Mumbai, to find pointers (URLs) to high quality reports pre-filtered by the Twitter community. The following is a screenshot of Twitter messages in the #Mumbai channel:
Leveraging and manipulating citizen journalists.
Individuals in the vicinity of the ongoing attacks in Bombay were
providing first hand reporting of police efforts. This information is
likely to be extremely useful to the criminals.
Furthermore, individuals on the scene may be remotely manipulated to
provide specific information that a criminal may be seeking, for
example, the following message could be posed to the #Mumbai
channel by a malicious entity seeking further details: "Can anyone
on-site please confirm the number of choppers above Nariman house asap?"
Data poisoning police efforts. In a future article, I will attempt to enumerate ideas on how police may be able to utilize social media, one of the uses cases being the ability to leverage information from citizen journalists to strategize counter-efforts. A malicious response to this is likely to take the form of data poisoning, where the malicious party may post false information onto the micro-blogging channels while posing as citizen journalists.
Geo-locating and instigating further panic. One of the goals of terrorism is to instigate panic. Many Twitter clients, specially those that run on mobile platforms, allow users to tag their specific geo-location. These information can be queried and coupled with sentiment analysis discussed above to measure the level of panic based on geographical locations.
Further panic and unrest may be instigated by spreading false
rumors. From the malicious party's perspective, it is a lot cheaper to
create panic from spreading rumors than having to carry out physical
activities. To illustrate, here is an example of messages that
overwhelmed the #Mumbai
channel by a single Twitter message from someone suggesting that the
terrorists may be reading the information being posted. It was unlikely
that the terrorists in the Mumbai incidents were reading Twitter, but
the point I'm trying to make here is how fast such a rumor can
snowball.
So what does all of this mean? The goal of this article is to spread
awareness and raise consciousness. The ideas presented in this article
may appear far fetched at the moment, but with the explosive growth and
integration of social applications into the lives of the Generation Y
culture, it is increasingly probable that malicious parties are likely
to leverage social media channels as time progresses. I feel it is
important that we have a good grasp of how criminals may utilize these
channels so we better understand the tactics of enemies we are likely
to deal with in the future.
Perhaps it may also be useful to extend this thought process to criminal use of social media in terms of cyber-warfare. Many people expect cyber-warfare tactics to be limited to defects in the network and application layers, yet it is increasingly plausible that government sponsored crime may take upon use cases that leverage social applications. I have discussed the abuse of sentiment analysis in my Hacking the Psyche article that illustrates one such example. If you are interested in this topic and if you are in New York during January 6 - 8, I will be speaking at the 2009 International Conference on Cyber Security.
In a previous article, Hacking the Psyche, I presented the security and privacy implications of capturing feelings of individuals using on-line mechanisms for good use as well as abuse and manipulation. Whenever controls around individual privacy are called into question, there is always, on the other side of the coin, a clear business opportunity.
Corporations often use indirect data such as demographic information and sales statistics to measure the health of their brand because the direct data, i.e how the public and their customers actually feel about their brand, is not available for capture. In this article, I want put forth a case study to demonstrate how capturing feelings on the social web can allow companies to measure the reputation of their brand.
In September 2008, Microsoft reportedly paid Jerry Seinfeld $10 Million dollars to star in it's recent TV commercial campaign. In this article I want to provide evidence to facilitate the hypothesis that Microsoft, in addition to paying Seinfeld, suffered the additional cost of damage to its brand from the commercials. On a positive note, the I'm a PC commercial that followed seems to have up for the damage.
Here are the TV advertisements:
September 4, 2008: Shoe Circus [starring Jerry Seinfeld and Bill Gates]
September 11, 2008: New Family [starring Jerry Seinfeld and Bill Gates]
September 18, 2008: I'm a PC [not starring Jerry Seinfeld]
Now, lets turn to Twitter to measure the feelings expressed towards these commercials during the month of September 2008. Using the Emotion Dashboard tool I presented in Hacking the Psyche, I was able to visualize how people on Twitter felt about these commercials. Here's a video of the tool in action:
Here is a screen-shot of the result including some annotations:
There you have it: a powerful method to use feelings expressed in social media to measure a corporation's brand and marketing efforts.
Brand reconnaissance is not the only effort that can be leveraged from feelings on the social web. If you are interested in this topic, I invite you to consider my upcoming talk the O'Reilly Money Tech Conference titled Emotion Dashboard: Harvesting Feelings on the Social Web for Powerful Decisioning.
In this article, I want to persuade you of the real possibility and high probability that, in the very near future, remote entities will be able target people’s on-line presence to capture and leverage their emotional states and feelings. There are some very extreme implications of this from a security and privacy perspective, and this is the scope I will adhere to in this article. On the flip side, the ideas presented in this article can be leveraged to construct powerful business decisioning and measurement capabilities, a topic that deserves it’s own space - I will cover this subject in a separate article in the next few days.
Before I go any further, I want to stress that the purpose of this article is not to spread undue alarm, nor is the purpose to portray social online media as an evil. I personally utilize the many avenues of online communication and collaboration facilitated by the Generation Y culture. The purpose of this article, instead, is to share some of my initial thoughts on the possibilities of abuse, specific to the mapping of individual feelings online and possible implications.
We Feel Fine.
To begin with, I insist that you watch Jonathan Harris’ TED talk titled The Art of Collecting Stories:
In this talk, Jonathan describes his passion for making sense of the emotional world and his deep compassion for the human condition. Regardless of this particular article, Jonathan’s talk stands on it’s own. I think Jonathan’s ideas, projects, and aspirations are true works of art. His ideas are powerful enough to inspire a security professional such as me to look outside the oft-incestual world of information security, and to reach out and connect with other venues of Science and understanding. In a small way, the material presented in this article are my attempts to try and do just that.
I invite you to visit one of Jonathan’s projects that he co-founded with Sep Kamvar - We Feel Fine :
Since August 2005, We Feel Fine has been harvesting human feelings from a large number of weblogs. Every few minutes, the system searches the world's newly posted blog entries for occurrences of the phrases "I feel" and "I am feeling". When it finds such a phrase, it records the full sentence, up to the period, and identifies the "feeling" expressed in that sentence (e.g. sad, happy, depressed, etc.). Because blogs are structured in largely standard ways, the age, gender, and geographical location of the author can often be extracted and saved along with the sentence, as can the local weather conditions at the time the sentence was written. All of this information is saved.
The result is a database of several million human feelings, increasing by 15,000 - 20,000 new feelings per day. Using a series of playful interfaces, the feelings can be searched and sorted across a number of demographic slices, offering responses to specific questions like: do Europeans feel sad more often than Americans? Do women feel fat more often than men? Does rainy weather affect how we feel? What are the most representative feelings of female New Yorkers in their 20s? What do people feel right now in Baghdad? What were people feeling on Valentine's Day? Which are the happiest cities in the world? The saddest? And so on.
...
At its core, We Feel Fine is an artwork authored by everyone. It will grow and change as we grow and change, reflecting what's on our blogs, what's in our hearts, what's in our minds. We hope it makes the world seem a little smaller, and we hope it helps people see beauty in the everyday ups and downs of life.
Here is a video I uploaded to Youtube, demonstrating We Feel Fine’s interface, including the ability filter for specific targets (for example: feelings expressed by individuals in their 20s in Iraq):
Emotion Dashboard: Targeting Individuals.
The We Feel Fine project does not target specific individuals. The creators of the project imply that doing so would violate an individual's privacy:
Privacy: We Feel Fine only collects and displays data that was already posted publicly on the World Wide Web? We Feel Fine never associates individual human names with the feelings it displays, though it always provides a link to the blog from which any displayed sentence or picture was collected....
We Feel Fine is a work of art designed by well meaning intellectuals. It doesn’t have the capability nor the intention of intruding on any one particular person’s privacy, yet the project raised my personal consciousness towards the security and privacy implications of capturing the feelings (past and present) of individuals.
To pursue discussion around the possibility and implications of capturing feelings projected by individuals online, I decided to develop a proof of concept visualization tool that I will call Emotion Dashboard. This is not a production-ready tool of any sort because I do not currently have the resources to develop such a thing. The goal of this tool (if you should even call it a tool) is to demonstrate my ideas and my vision on this particular topic to facilitate and encourage further discussion in the community. Here are the components of Emotion Dashboard:
In other words, the targeted individual’s online presence may include his or her Facebook profile updates, Blogs, and Twitter messages. In this way, updates on all of the sources of a particular individual’s online presence can be coupled together in one RSS feed and then supplied to Emotion Dashboard which will scan the feed from the past to the present (older entries first).
Immediately below the line graph is a solid bar that expresses the culmination of the individual’s overall mood. The color of this bar is either Yellow (happy), Blue (sad), or Red (angry). The hex code for these colors are also derived from the We Feel Fine CSV file listed above.
I concede that this technique of merely grepping for words lacks context and that is prone to an extremely high error rate. However, given the limited amount of resources I have at this point, my goal is not to provide something that readily usable for all cases, but to present a starting point of a possible approach and the probable implications should this be extended to apply intelligent grammar based contextual analysis. Do note that, even though I concede this is an approach vulnerable to a high error rate, the technique does, statistically speaking, get slightly more accurate the more words it consumes.
The word cloud allows the user to analyze the words being used to express feelings as the Emotion Dashboard reads the RSS feed from past to present. The words in the cloud are colored based on the associated hex color codes present in the CSV file.
The following is a screen-shot demonstrates a sample output of an individual’s (who we will call “Jack Smith” for the purposes of this discussion) online presence:
Here are some observations and implications:
Once enough information about Jack is collected to reasonably satisfy the personality test requirements, Jack’s personality patterns can be determined that may aid a malicious third party in exploiting Jack’s current emotional state. It is also plausible that this an be extended to automated and trigger based abilities. This is an extremely powerful idea - Jack may not be consciously aware of his negative mood, yet a third party may be able to analyze this remotely with some degree of probability. The following is a screen-shot of the results of a Big 5-like personality test (courtesy of Signal Patterns) :
Case Study: Criminal Investigation and Analysis.
There are numerous security and privacy implications of the discussion at hand. I am unlikely to succeed in attempting to iterate them all. Instead, I want to present one particular case study that can further illustrate the impact of this topic.
In this case study, I want to take upon the following real incident: http://blog.mlive.com/chronicle/2008/07/excon_vents_pain_online_then_k.html
Ex-con vents pain online, then kills
OCEANA COUNTY -- Danlee Mead was apparently using his MySpace site to tell the world how unhappy and desperate he felt in the hours before he abducted and killed his wife, then turned a shotgun on himself.... Hours later, the depth of the ex-convict's anguish turned to violence.....
A cached copy of Danlee’s MySpace page suggests that he changed his profile (moments before he committed the violent act) to use more positive-sounding words, even though his overall thoughts remained negative. His prior profile, also consisted of negative feelings, yet the words used in the original profile were more negative-sounding. Here is a demonstration of what his profile looks like when run through an analysis over time:
A few observations:
Following from the above observations, it is clear to see how this type of analysis can be used by investigators, admittedly after-the-fact, to get a glimpse into a suspect's state of mind over time.
It may not be possible to use data from online social media to proactively detect the future behavior of all individuals, yet in this situation, the criminal did indeed have prior history of crimes. Perhaps a proactive approach targeted towards known suspects’ online social presence can be used to detect certain deviance form tuned thresholds - possibly in an automatic fashion based on a set of defined triggers. Such an approach seems more tolerable for a set of individuals with known backgrounds because the elements in their history can aid in influencing the signal-to-noise ratio in favor of the signal.
Some Additional Thoughts.
The prior case study was just one illustration of the many impacts of using social media to capture the psyche of individuals. Here are some additional thoughts:
To conclude, I sincerely hope this article facilitates further discussion around the topics presented. You may feel that the probability of fruition of some of my thoughts and ideas is low. Perhaps you may find them extremely fantastical, or perhaps you agree that the scenarios presented indeed have a high probability of being relevant in the near future. I am obviously intrigued by the topic and I’d be delighted to hear your thoughts.
During the next few months, I will be presenting a brand-new talk titled "Suddenly Psychic: Knowing Everything About Everyone" at various conferences around the world. I will be presenting it with Akshay Aggarwal, a good friend of mine. Akshay and I have enjoyed researching the business, security, criminal, social, and psychological implications of this topic, and we look forward to sharing our research with you.
Currently, this talk is scheduled debut at the Microsoft Blue Hat Conference [v8] in October, followed by Hack in the Box in Kuala Lumpur.
TITLE: Suddenly Psychic: Knowing Everything About Everyone
ABSTRACT:
Imagine a world where you can remotely influence other people's behavior. This talk will expose how information about people in the physical world, coupled with voluntary information from new communication paradigms such as social networking applications, can enable you to remotely read people's minds to influence their behavior.
Topics of discussion will include:
The goal of this presentation is to raise consciousness on how the new paradigms of social communication bring with it real risks as well as marketing and economic advantages. Perspectives on negative and positive uses will be presented in addition to academic discussions and thoughts on how to enable the upcoming online social age.
Issue 13 of [IN]Secure Magazine is now available. It contains my article: Social Engineering Social Networking Services: A LinkedIn Example (originally a blog post, but now with cool graphics). Download it here.
