Tuesday, August 22, 2017

Encoded DNA Used To Carry Computer Malware

Researchers in the US have used digitised human DNA loaded with malware to infect a computer as part of an experiment to demonstrate that open-source programs used by laboratories worldwide are vulnerable to hackers.

What?

It has been reported that researchers at the University of Washington's Paul G. Allen School of Computer Science and Engineering have successfully infected a computer system by using a strand of encoded human DNA (not actual human DNA), loaded with malware.

As well as causing some alarm, the experiment, conducted by biologists and cyber security researchers, brings to the fore concerns about the vulnerabilities to hackers of open-source software being used in laboratories around the world.

Laboratories Vulnerable

The reason for the experiment was to explore the possibility that future attacks may come from the source material being handled for analysis, in this case DNA that can be transcribed and digitised.

Laboratories world-wide use computers to handle the large amount of processing that is necessary to filter through billions of DNA cases from one sample alone. The processing of data to store the basic units that make up DNA uses multiple open-source programs. The experiment has, therefore, shown that these open-source programs have vulnerabilities that could be exploited by hackers.

What Kind of Programs?

The programs highlighted by the researchers on their blog are C and C++ languages. These are commonly used to create laboratory bioinformatics tools. These programs are known to have security vulnerabilities, and may not have followed best security processes, and could have a number of insecure functions.

What Could Happen?

The full and precise implications would depend on the type and purpose of the malware, but hackers could embed malware into the base of an artificial (digitised) DNA strand so that, once this strand undergoes transcription, malware may be transferred onto the computer system.

Typically, this could give cyber criminals remote access to (and a way to) take control of an important laboratory computer system. Since the motivation for hackers is often money, ransomware could be used, or malware could be used to gather sensitive personal data or valuable industrial / commercial secrets, and payment details. Data could also be used to launch wider attacks across the organisation e.g. phishing and other social engineering attacks.

Just Raising Awareness

Although the focus of this particular experiment i.e. using digitised human DNA as a Trojan horse for hackers, seems a little leftfield, the researchers said that security around DNA sequencing is not under attack, and that the research was just conducted to raise awareness of the possibility.

The research team are due to present their full findings next week at the USENIX Security Symposium in Vancouver.

What Does This Mean For Your Business?

Although this research had a niche industry focus, it does highlight the fact that no industry, segment or niche wordwide is safe from the risk of hackers.

Also, as the WannaCry malware attack demonstrated, malware makes no distinction between industries and organisations (the NHS was badly affected), but simply exploits the weaknesses that it has been written to exploit in order to spread and achieve the aim of its writers / users.

Another important point raised by this research that is not industry specific is the potential vulnerabilities of business programs written in open-source languages to cyber criminals.

Companies and organisations of all kinds should, along with their other security measures, conduct a security audit and risk assessment of purpose-written, open-source programs. This could allow potential vulnerabilities to be fixed / patched / protected.

No comments: