New Form of Malware Promises to Have Real Life Consequences

By October 08, 2010
Security threat

Until now, malware threat has been limited to our digital assets - login information, computer files, bank accounts, etc. But a recent treatment explains the inevitability of a new form of data theft where behaviors and search queries are tracked and connected until people’s social networks and real lives are compromised.

Yaniv Altshuler and four others submitted their conclusions on Tuesday to the public via the Cornell University Library site. In the paper, the group discusses “the threat of malware targeted at extracting information about the relationships in a real-world social network as well as characteristic information about the individuals in the network, which we dub Stealing Reality.”

The new sort of information that Altshuler, et al. are considering is derived “from communication and other behavioral data for a great deal of applications, like marketing campaigns, customer retention, security screening, recommender systems, etc.” This type of data is resold on black market sites, and with more thorough social data, it can be broken into different price tiers. Individuals with more social connections and influence are more valuable as social hubs than those who are more on the outer edge of a social map.

Not only is this type of data gathering more invasive than previous types, it is harder to deal with the results. A victim of previous types of viruses can cancel accounts, wipe computers, etc. but it is nearly impossible to change patterns of life. Friend and family relationships, and behaviors are not easily changed, and once this information is sold or released, it is prohibitively difficult to locate all copies and ensure that they are deleted. Altshuler references a case in Korea where millions of citizens’ real life identity info was stolen and sold, and when Israel’s citizen database was compromised, both in 2007.

These viruses will attack differently that their previous forms, whereas the former were more effective with a higher infection rate, these will spread slowly. Since Stealing Reality data takes longer to collect, cases will rely upon being thorough instead of virulent. An SR “type of attack, which is targeted at learning the social communication patterns, could ‘piggyback’ on the user generated messages, or imitate their natural patterns, thus not drawing attention to itself while still acheiving its target goals.”

Legal mentions © L’Atelier BNP Paribas