
Mauriella E. DiTommaso is Program Director for forensic programs and adjunct faculty at Champlain College Online, overseeing Computer Forensics & Digital Investigations and Digital Forensic Science. She also serves as Chief Information Security Officer for Washington State’s Department of Social and Health Services, bringing over two decades of cybersecurity and digital forensics leadership. She holds an M.S. in Forensic Sciences from Champlain College, an MBA from Delaware Valley College, and a B.A. from Edinboro University.
Scott Douglas Jacobsen asked Mauriella E. DiTommaso how security thinking changes when people treat chatbots as trusted advisers. DiTommaso explained that classic threat-modeling methods still apply, but AI chatbots expand scope because they touch more systems and data. On social engineering, she warned that impostor sites with embedded bots can coax personal details for later exploitation. For sensitive transcripts, she stressed data-classification rules, storage and proper access controls, and required investigator clearances during digital-forensic work.
Scott Douglas Jacobsen: What new threat models emerge when users treat AI chatbots as trusted advisers?
Mauriella E. DiTommaso: Threat models provide a structured representation covering various aspects of an application, software, system, etc. that impact security. As AI-powered chatbots are relatively new, or are being more regularly deployed across information technology environments, the approach to threat modeling for technologies deploying AI chatbots, as well as the chatbots themselves, would still follow established threat modeling processes, but would potentially encompass a much larger and/or more complex scope of information being assessed.
Jacobsen: How can chatbots be weaponized for social engineering?
DiTommaso: A fake website crafted to impersonate a trusted entity, with a chatbot deployed, could be leveraged to collect personal information from an unsuspecting user, and that information in turn can be leveraged for social engineering. The information a chatbot in this example could collect would depend on the impersonated entity; however, the more personal data the chatbot can be programmed to coax out of the user, the more information the actor will be able to obtain and utilize for social engineering.
Jacobsen: What privacy and digital forensics challenges arise when chatbot transcripts contain sensitive self-disclosures?
DiTommaso: From a privacy perspective, this will depend on the classification or category of the data being disclosed and the privacy/security rules governing the sensitive data. The ramifications of sensitive data being exposed via a chatbot interaction will also depend on the type of organization hosting the chatbot, and where/how the chatbot transcripts are handled (i.e., stored, shared, accessed). From a digital forensic perspective, if the transcripts are part of an investigation, one of the main challenges would be ensuring the investigator(s) possess the proper clearances to view and work with that data. This should be part of an investigator’s onboarding to the organization so they are prepared and have proper coverage to view specified sensitive data at any given time.
Jacobsen: Thank you very much for the opportunity and your time, Mauriella.
—
Scott Douglas Jacobsen is the publisher of In-Sight Publishing (ISBN: 978-1-0692343) and Editor-in-Chief of In-