About six months ago, I met one of my former students. He told me how he was now working in data mining. I figured I knew what that entailed. The company he worked for probably analyzed customer data or gathered data from potential customers through information it acquired from the internet and, then, sold this information to advertisers. This was more or less true. But then he began to tell me more. He told me how his company’s algorithms could identify individuals solely through their browsing habits, just like fingerprints can be used to physically identify individuals. Once they categorized an individual, they could target ads at them that would be most effective. He went on to tell me much more, which, quite frankly, I found a little hard to believe. It did make me think, however, and, to get these disturbing ideas out of my mind, I wrote a short story about this which took the ideas he gave me to their science-fiction-logical conclusions… or so I thought. You see, since that time, what had been science fiction has become science fact.
Let me give a few examples. A team of scientists from the University of Rochester found that by using Twitter feeds and locations, they were able to predict, with 90% accuracy, that a person would get the flu, even before they had any symptoms. They could do this up to eight days before the person got the flu. To put it succinctly, the algorithm they used knew more about the people they researched than the people themselves did. That should be pretty scary. But there’s more. The credit card firm Visa, according to researcher Ian Ayers, can predict, with 98% accuracy, that you will get a divorce, based on your credit card purchases. You may not even have consciously entertained the idea. As a Canadian Tire executive said after analyzing the credit card purchasing data of its customers, “If you show us what you buy, we can tell you who you are, maybe even better than you know yourself.”
Raytheon Corporation seems to take data mining to the next logical step. It has developed a program called RIOT (Rapid Information Overlay Technology) which analyzes social network data (mainly from Facebook and Twitter), builds an individual profile, and then uses it to predict where you will be at a specific time in the future. Since announcing the program, information on it has been scarce, probably because the CIA has become involved in its development. Other programs are more specific to certain networks. FBStalker is a tool that analyzes data mined from Facebook to build a profile about an individual. It can gather information on a user even if that user has no public profile and keeps the information in Facebook private. The tool uses other contacts, comments, and photographs to build its profiles. But so what? What can they do with this information except target you for certain advertisements?
Think again. In 2013, journalist Adam Penenberg challenged a team of white-hat hackers to find out all they could about him. It was more difficult for the hackers to get good information on him than they expected. But, through the internet, they learned that his wife had an exercise studio. They therefore targeted her. They sent her an email from a woman in San Francisco asking for a job as an instructor. The woman was real: if her identity was checked online, Penenberg’s wife would find that the woman really was an instructor. The woman’s email address, however, was not real. They also included a zip file which was supposed to be a video. In fact, it was malware which, after she opened it, gave the hackers access to her computer whenever she was online. The computer was an old Apple that Penenberg had given to his wife to use at her studio. He had not deleted all of his files from it. The hackers were eventually able to find or figure out all of their passwords, gained access to their bank accounts and Amazon accounts, and gained access to his laptop computer. They eventually shut down his laptop and phone and demanded a four-digit PIN code to reactivate them. Yes, they could have held his computer hostage until he wired them money, they could have wiped out his bank account, and they could have destroyed his reputation. There is one interesting footnote. They said it was more difficult to get information from him than it would be from a company, because a company has more people that they can target. BYOD (Bring Your Own Device) administrators, take note.
This carefully constructed attack on one person is known as spear phishing. Done well, it is almost impossible to detect and will never be filtered out by spam filters. Let’s take a look at a possible scenario. Given an available program like FBStalker (though many others are available), a hacker can find out information on anyone who works for a company. They may send the employee a fake email, presumably from a friend or distant family member. The email address will be believable, but it will not be the person’s real email address. They may send you a photo of that person with malicious code attached to it or embedded in it that releases malware when the photo is opened. They may direct you to a site to view photos or send you another file to open. Sure, some employees may be suspicious, but it only takes one who is curious enough to take a look, and the hacker is into the company network. Think about it. Would you reject an invitation to look at photos from an old boyfriend or girlfriend? What about from a cousin or uncle you haven’t seen for years?
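The two tells in the scenario above are a familiar sender name paired with an address that is not the one the recipient actually knows, and an attachment that claims to be a photo or video but carries executable content. The following is an added example, not code from the original post or from any product it mentions, showing how a mail-handling script could flag both patterns before a curious employee opens the file. The contact list, the lure message and the "video" zip it contains are all constructed inline.

```python
"""Flag the spear-phishing tells described above: a known display name on an
unknown address, and an attachment that hides an executable. Added example;
the contact list and both sample messages are constructed for illustration."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed: the addresses this recipient has actually corresponded with,
# keyed by the display name the recipient would recognise.
KNOWN_CONTACTS = {
    "Dana Reyes": {"dana@example-fitness.com"},
}

# Suffixes that make a file executable when opened on a desktop OS.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".js", ".vbs", ".bat", ".cmd", ".jar")


def sender_mismatch(msg):
    """Return a finding when the display name is known but the address is not."""
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(name)
    if known and addr.lower() not in known:
        return f"display name {name!r} is known, but address {addr!r} is not"
    return None


def risky_attachments(msg):
    """Return findings for attachments that are, or contain, executables."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        lower = filename.lower()
        if lower.endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"{filename}: executable attachment")
        is_zip = lower.endswith(".zip") or part.get_content_type() == "application/zip"
        if is_zip:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for member in zf.namelist():
                        # A "video" named class_video.mp4.exe is the classic lure.
                        if member.lower().endswith(EXECUTABLE_SUFFIXES):
                            findings.append(f"{filename} -> {member}: executable inside archive")
            except zipfile.BadZipFile:
                findings.append(f"{filename}: claims to be a zip but is not")
    return findings


def assess(raw_message):
    """Parse a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.append(mismatch)
    findings.extend(risky_attachments(msg))
    return findings


def build_lure():
    """Constructed: a job-application lure with a 'video' that is really an executable."""
    msg = EmailMessage()
    msg["From"] = "Dana Reyes <dana.reyes@free-mail.example>"  # real name, wrong address
    msg["To"] = "studio@example.com"
    msg["Subject"] = "Instructor application"
    msg.set_content("Hi! I have attached a short video of one of my classes.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("class_video.mp4.exe", b"MZ placeholder, not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="class_video.zip")
    return msg.as_bytes()


def build_benign():
    """Constructed: the same contact writing from the address the recipient knows."""
    msg = EmailMessage()
    msg["From"] = "Dana Reyes <dana@example-fitness.com>"
    msg["To"] = "studio@example.com"
    msg["Subject"] = "Schedule for next week"
    msg.set_content("Can we move Tuesday's class to 6pm?")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("benign", build_benign())):
        print(label, assess(raw) or ["no findings"])
```

The display-name check only works against a contact list the recipient actually maintains, which is why it is framed as a per-recipient lookup rather than a global rule; the archive check is deliberately content-based rather than trusting the outer filename, because the outer name is the part the attacker controls.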
Basically, hackers use your digitized self to hack your real-world self. You are your own worst enemy. In the future, expect more and more psychiatrists and linguists to enter the world of data mining. Together they could craft much more effective targeted advertisements or, on the negative side, spear phishing attacks. What can you do as an IT administrator? Unfortunately, not much. With the proliferation of potential network entry points through the implementation of BYOD strategies, hackers have gained control of the digital landscape. All software security barriers put in their way have only served as temporary impediments. Besides, how would you know whether you have been manipulated by data miners into choosing the security protection that they want you to choose?
InZero Systems has been working on such problems for years. They have rejected software solutions as ineffective and have developed a hardware-based security solution. Their WorkPlay Tablet, for example, has two hardware-separated operating systems on one tablet, so that a spear phishing attack on an employee does not give an attacker access to the company’s network.