Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

Malware

9/28/2017
11:33 PM
Joe Stanganelli
Joe Stanganelli
News Analysis-Security Now
50%
50%

Security Takes On Malicious DNA (Files)

Securing biomedical research can mean protecting systems from malicious code in the samples under investigation.

At the 15th annual Bio-IT World Conference & Expo this past May, Ari Berman, vice president and general manager of consulting services at BioTeam, urged life-science organizations to adopt a more lax, less restrictive "alternative security model" that would -- inter alia -- fast-track DNA files through systems, presumptively earmarking them as "safe" within a "science DMZ."

"It's time for security to evolve. Use security methodologies that are appropriate to the measures that you are trying to control… [because] we do have that technology to separate the traffic based on what it is," said Berman in a presentation titled "Security Sobriety in 2017." "A mouse genome does not carry a computer virus. And it's huge. You don't need to inspect every computer packet in a mouse genome. You're wasting a lot of time and effort by doing that."

A computer file is still just a computer file, however -- and can be infected or compromised as such. Indeed, not long after Berman's impassioned criticisms of restrictive information-security practices in the life sciences, University of Washington security researchers developed a proof of concept that -- yes -- genetic data can be hacked to carry a computer virus.

In a paper published this summer and presented last month at the 26th USENIX Security Conference, University of Washington professor Tadayoshi Kohno and four other researchers related how they were able to create a strand of DNA containing malicious code to hack a popular DNA-compression software known as fqzcomp -- and then use that strand of DNA to corrupt DNA-sequencing software and seize control of a connected computer via a buffer-overflow attack.

The ramifications are enormous. "Infected" DNA could be used to steal intellectual property in a field where IP protection and prosecution is already cumbersomely ferocious, compromise employee or patient data, falsify genetic analysis (such as in the criminal justice system), hijack organizational systems, and otherwise wreak general havoc.

On the other hand, the researchers have emphasized that "there is not present cause for alarm about present-day threats" -- perhaps because they didn't exactly play fair. They inserted their own flaw -- instead of exploiting an actually pre-existing vulnerability -- into the open source code of fqzcomp for the sake of the general proof of concept. Even with this advantage, the difficult and time-consuming process paid off only to the extent of a successful translation of the malicious code about 37% of the time.

Berman, for his part, does agree that these findings are a concern -- but implicitly eschews the notion that research organizations must necessarily tighten their security controls. Instead, Berman contends, that onus belongs to vendors.

"[The UW study] opens a whole can of worms for sequencer vendors about the nature of how their software runs that they should address immediately," said Berman in an email interview. "The focus should be on why this vulnerability exists in the first place, not on locking things down more."

Where proprietary sequencing software is concerned, it is hard to disagree -- although, as information-security veterans know all too well, zero-days can pop up anywhere and at any time.

In the instant case, however, the nature of open source lies at issue. Because fqzcomp, like many other tools used in the world of genetic sequencing, is open source, it is no stretch of the imagination that an attacker could do exactly what the researchers did -- insert a vulnerability into open source code, and then feed a target a malicious genetic file. Hence, trust is paramount when it comes to the sources of open source.

"No matter what the threat, it's important to have data security as a top priority all the time, across all systems," said David Bernick, director of technical operations for DevOps and security at the Broad Institute -- a nonprofit genomics research organization that offers its Genome Analysis Toolkit ("GATK"), an open source(ish) genetic-sequencing software package, to clinical researchers. "For GATK, we make the full source code available. As long as people are getting the software directly from us, they benefit from the efforts we put into keeping our software safe, [including] code-security analysis [and] authenticated pen-tests."

In any event, Berman remains stalwart that the life-science community's accessibility problems are bigger than its security problems.

"I don't see this as a major issue to deal with at the moment. If folks decided to treat it as a real threat, the DNA sequence patterns could be programmed into an IDS analyzer and flagged if they came through," said Berman in an email interview. "Panic and overreaction will just result in tighter policies and more restrictive security measures that will only serve to make medical and research data even less accessible, which is in direct opposition to scientific discovery and data availability."

Berman's contentions are hardly unique to the life-science space; they are as old as the notion of security itself. Moreover, he is not alone in envisioning a world of optimizing networks to deal specifically with genomics files in a way that increases accessibility while maintaining sufficient security.

"Genomics data are a fairly high workload on the Internet," Shawn Hakl, Verizon's vice president of business networks and security solutions, told Security Now. "If you knew that's what you were transporting between a group of users, and you knew you had a certain type of data with a certain type of data structure, and you knew you had some common security requirements -- like the need to make sure that it was HIPAA compliant, and the need to validate certain kinds of users -- you could build a combination of security encryption and optimization algorithms very specific to the exchange of that data within a particular closed user group."

Hakl elaborated that intelligent, virtualized networks could thereby be the answer.

"You would never have been able to deploy a custom packet network to do that in a hardware world because you'd have to have somebody... deploy a bunch of specialized switches, " said Hakl. "In a new, software-defined network world, it's really not that hard for me to instantiate a collection of virtual appliances with a specialized packet-optimization algorithm built for your data all over the place between you and a relatively closed group of users -- and [then] optimize that content for distribution."

Hakl concedes that these ideas may still be "at the PowerPoint stage," but they are valuable ones in the wake of the UW study -- whose authors have called upon the DNA-sequencing community to act proactively today rather than reactively tomorrow. Thus, Berman's vision of a science DMZ could help drive the much-needed innovation to satisfy both security geeks and accessibility freaks. Otherwise, time may tell as to which way the scales should skew.

Related posts:

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.