Huge DNA Database Just Waiting for Big Ol' Hack

It's the one police used to catch the Golden State Killer.
  • Researchers have breached a crowdsourced DNA database by reverse engineering a user profile.
  • DNA testing and database sites are vulnerable to many kinds of attacks and data sales.
  • Users must ask themselves if the potential benefits of DNA testing outweigh privacy concerns.

Genealogy and security are clashing yet again, this time over the massively crowdsourced DNA database GEDmatch. MIT Technology Review reports that computer science researchers designed targeted attacks that breached the GEDmatch database by crafting complex search queries that let them infer much of other users' DNA.

The founder of GEDmatch, Curtis Rogers, told Tech Review he's not that surprised, because genealogy has always involved sharing information and comparing it directly with others' to find commonality. This has been exploited in the past by social engineering, the low-tech but effective form of hacking that involves searching for written-down passwords, asking personal questions to glean security clues, and more.

We're all asked for our mother's maiden name, which is an anachronism in a hundred ways in 2019, not least because it's very easily findable on any genealogy site. Even sites that attempt to use other information still ask for family names and relationships, probably because users who don't understand the importance of a secure password also won't spend the time or energy to make secure passwords, let alone remember them without an accessible hint.

Now, services like Ancestry or 23andMe bank users' genome data, and amassing more and more sample data lets their results grow more specific and accurate by reducing the margin of error. But these services are also likely selling your genome to drug companies or even insurers. It seems like there's a paradox in information security where users are so sure their identity will be stolen or their data will be sold that they choose not to worry about it or attempt to prevent it.

Enter GEDmatch, a user-sourced database designed to help match people with unknown relatives. Because of the openness and accessibility of the project, it's available to law enforcement as well. (Last year, California police revealed they used GEDmatch to finally ID the notorious Golden State Killer.) Without your express permission, law enforcement can only obtain your DNA if you're arrested for a related crime. But departments are beginning to collect samples from entire communities as a way to, purportedly, exclude the innocent.

With that in mind, it's easy to see why the vulnerability that researchers found in GEDmatch is so troubling. They put together a DNA profile and uploaded it to the site, which in turn unlocked the ability to search for close matches. GEDmatch is run by volunteers who have, apparently, done too good a job building their user interface and search capability; this specific kind of attack only works on their system, not on those of commercial sites like Ancestry or 23andMe.

Experts told Tech Review that one of the big ways an open database could be exploited is that strangers could claim to be relatives in order to gain an advantage. Think of the classic "Nigerian prince" scam, but with an even more tempting sheen of scientific credibility based on shared DNA. The reason commercial testing sites aren't vulnerable is that they don't let users upload their own data. If someone sought to defraud 23andMe in the same way, they'd have to do something like take a sample from another person and submit it as their own.

If GEDmatch is like a bank of data, right now the bank doesn't even have a security guard snoozing by the front door. Years ago, internet users at corporations or universities would share corporate credit card information or FedEx account numbers on public websites they just assumed strangers would have no reason to look at, and this mismatch of audience and intention is nothing new. Hopefully, other services can learn from this hack and better secure their information.
