Last week I spoke at RSA Conference about using social engineering techniques as a form of espionage—a way to “game” big data, as it were. I believe that our current estimation of what can be derived from innocuous-appearing data is not only lacking, but it’s nearing the level of irresponsibility.


In our talk, we discussed how an attacker might go after a prized piece of information, say the formula for Coca Cola. If an attacker wants to re-assemble such a formula, he could apply techniques often used in social engineering. Social engineers don’t bluntly ask targets for their social security number; they ask them for pieces they can use to reconstruct it. For example, people tend to give out the last four digits like candy and protect the first five. But if your parents were quick on the draw and got you a number at birth, I can guess the rest of your SSN if I know where it was issued, probably the city in which you were born (which is probably listed on your passport).

In the same way, an attacker looking to use big data to his advantage might start by looking at shipping and receiving manifests for a major production facility. From there, with enough data on factory inputs and outputs, applied analytics will derive the formula—or at least a close enough approximation to be viable. Given a large enough amount of data, it’s absolutely possible.

Now let’s think about a sneakier way. Attackers traverse informational supply chains to gather information so they stay undetected by the intended target. So let’s say I learn that one Coca Cola production facility sources raw materials from three major firms that make up 80% of their total supply. Chances are, a supplier like that will not have very strong electronic defenses. I could go after them and pull the manifests from them. Then let’s say that I learn that same production facility uses four main distribution companies to push product into retail environments. Pop those guys and I now have the before and after lists for the production facility and Coca Cola has no direct evidence that anything happened.
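As an added example (not from the talk or the post), here is the kind of leakage check a facility could run against its own records to see what the before-and-after lists above give away: constructed weekly supplier and distributor manifests for two product lines, and a per-ingredient least-squares fit that recovers the per-unit recipe from them. Product names, ingredients and every quantity are made up.

```python
"""Leakage check: how much of a recipe do aggregated shipping manifests reveal?
Constructed example; all quantities are made-up stand-ins for the supplier
(before) and distributor (after) lists."""
import random

PRODUCTS = ("regular", "diet")
# Constructed 'secret' recipe: kg of each input per 1000 units of each product.
SECRET_RECIPE = {"sugar": {"regular": 110.0, "diet": 0.0},
                 "acid": {"regular": 4.5, "diet": 4.5},
                 "flavoring": {"regular": 1.25, "diet": 1.3}}

def simulate_manifests(weeks, seed=7, noise=0.01):
    """Constructed weekly records: inbound kg per ingredient (supplier manifest),
    outbound thousands of units per product (distributor manifest), small noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(weeks):
        outbound = {p: rng.uniform(200, 800) for p in PRODUCTS}
        inbound = {ing: sum(q[p] * outbound[p] for p in PRODUCTS) * (1 + rng.gauss(0, noise))
                   for ing, q in SECRET_RECIPE.items()}
        rows.append((inbound, outbound))
    return rows

def infer_recipe(rows):
    """Least squares per ingredient: inbound = r_reg*out_reg + r_diet*out_diet + e.
    Returns None if the weeks cannot separate the two products (e.g. one week)."""
    x1 = [o["regular"] for _, o in rows]
    x2 = [o["diet"] for _, o in rows]
    s11, s12, s22 = (sum(a * a for a in x1), sum(a * b for a, b in zip(x1, x2)),
                     sum(b * b for b in x2))
    det = s11 * s22 - s12 * s12
    if abs(det) <= 1e-9 * s11 * s22:
        return None
    recipe = {}
    for ing in SECRET_RECIPE:
        y = [i[ing] for i, _ in rows]
        t1, t2 = sum(a * c for a, c in zip(x1, y)), sum(b * c for b, c in zip(x2, y))
        recipe[ing] = {"regular": (t1 * s22 - t2 * s12) / det,
                       "diet": (t2 * s11 - t1 * s12) / det}
    return recipe

def recovered_within(estimate, tolerance=0.10):
    """Defender's yardstick: True when every quantity is within `tolerance` of the
    ingredient's largest true quantity, i.e. the recipe has effectively leaked."""
    return all(abs(estimate[ing][p] - truth[p]) <= tolerance * max(truth.values())
               for ing, truth in SECRET_RECIPE.items() for p in PRODUCTS)

if __name__ == "__main__":
    est = infer_recipe(simulate_manifests(52))
    print({ing: {p: round(v, 2) for p, v in q.items()} for ing, q in est.items()})
    print("recipe leaked from a year of manifests:", recovered_within(est))
```

A single week of records is not enough to separate the two product lines, so the fit refuses; a year of weekly aggregates is.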

Things like shipping manifests don’t seem so innocuous anymore, do they? Everyone is a target.

