
States Restricting Cops Use of DNA

Over the last few years the police have been using the large commercial DNA databases to help them find criminals. The highest profile case was their use of DNA to find the Golden State Killer (1970s and 1980s murders; captured in 2018). They did that by running a DNA sample against GEDMatch, one of the smaller DNA databases.

They don’t need to find an exact match. Even if they find a cousin or other relative, it dramatically reduces the pool of suspects from a few billion to maybe a couple hundred.

What they usually do not have is an exact match (although that would be helpful).

Privacy advocates are concerned that currently, law enforcement can just ask some of the DNA providers “hey, I got me some DNA, can you see if you have any close matches.” It does not require a court order – no judicial review.

Some DNA services, like GEDMatch, are very helpful and don’t need no stinkin’ warrant. Other services, like 23 and Me, want a warrant.

In either case, if there is a warrant, then the data is available. In the case of the Golden State Killer, some distant relative got tested which dramatically narrowed down the pool of suspects and bingo, they caught the guy.

This year two states enacted laws regarding the use of DNA searches by law enforcement.

Maryland.

And Montana.

Two very different states.

After the use of the database for catching crooks – sometimes very bad crooks – a couple of the services said that the police could only search against users who opted in to that kind of use.

Of course, the default is that you are opted in automatically, so probably 3 people in the world know there is an option to opt out, and one of them chose that option, assuming he could find out where that option was.

To make things more interesting, GEDMatch was recently acquired by a crime scene DNA company.

What is real is that the technique works. Nevada police recently used the database to identify a victim and a murder trial started last month for a man identified through GEDMatch.

Utah introduced a bill banning the practice entirely. Washington state considered requiring law enforcement to get court orders. Neither of these is law yet.

Montana did pass a law and requires the police to get a warrant. The challenge in getting a warrant is that the police have no idea whether the DNA is in any given database, making it hard to get a judge to sign on the dotted line.

Maryland now requires a judge’s order. They also limit the use to murder, kidnapping and human trafficking. And, they also have some additional requirements.

This is still early in the lawmaking sausage-grinding process, so expect a fair number of variations as the sausage (law) is being made. Ultimately, we will strike the right balance. In the meantime it is still pretty much the wild west. Credit: The Verge

Cybersecurity News for the Week Ending May 14, 2021

If You Thought the FTC Was Toothless Before, Just Wait

I always complained that the FTC’s penalties were way too meek. Now I understand why, but it has just gotten MUCH worse. 99.99% of the blame goes to Congress. Initially, the FTC could not bring lawsuits against businesses at all. All they could do was to hold an administrative hearing. Then they could issue an order telling a business to stop doing bad things. In 1973 Congress added Section 13(b) to the FTC Act, allowing the FTC to go to court and get an injunction – again, no penalty for past bad deeds. In 1975 Congress added Section 19, which allows the FTC to seek monetary damages – after obtaining a cease and desist order, and then only for future bad deeds which were obviously malicious, so still no relief. Last month the Supreme Court agreed that Congress, in its stupidity, did not grant the FTC any ability to make consumers whole when companies break the law. Individually, a person can still sue the company – spending a lot of money and years. Maybe they can convince some State AG to take up their case – maybe. If you can convince the Justice Department to go after some company, that is possible too, but all of those take years, maybe a decade with appeals. Congress intentionally neutered the FTC. This is the result. Will Congress act now? Your guess is as good as mine. Credit: ADCG

Apple is Privacy Focused – Except if it Hurts their Rep

Epic Games and Apple are fighting in court, and lawsuits tend to get dirty. In countering Apple’s argument that they didn’t want Epic to bypass their store because they want to protect their customers, Epic trotted out emails showing that Apple chose not to notify 128 million customers after a supply chain attack called XcodeGhost. This is the largest ever known attack against Apple products. They said notifying all those people would be hard and it would damage their reputation. They never did notify anyone. So much for being a privacy focused company.

The True Cost of Ransomware

Insurance giant CNA announced in March that it suffered a “sophisticated cyberattack” (what you and I call ransomware). This week, two months later, they announced that all of the systems were back up and that yes, surprise, it was a ransomware attack. They said it took them two months to get back online because they had to restore each system, then scan and clean it and finally, harden it. This is the cost of ransomware. A lot of hard work and, more importantly, months of time. If you do not have good backups, add to that the loss of data. And, as Colonial Pipeline learned this week, just because the hackers give you the decryption key, it doesn’t mean that the decryption process will be fast (they said that they were restoring from backups, even though they paid the $5 million in ransom) or that it will even work. Credit: Security Week

Global Chip Shortage Much Worse than Communicated

OUT OF STOCK! Expect to see more of that message.

In addition to phones, computers and laptops, expect to see those signs elsewhere, such as appliances and kids’ toys. Already car makers are replacing cool tech like high tech entertainment consoles with radios. Probably with knobs and dials. Maybe that fancy auto-parking feature, well, it is not available. Manufacturers are looking at which products are more popular or offer them higher margins and just not shipping some other models. Samsung is considering completely skipping the next generation of the super popular NOTE phones altogether. Expect the problem to continue into and through 2022. Credit: ZDNet

China has Collected Health Data of 80% of US Adults

China wants our data. Our health data is particularly useful because our population is very diverse. That makes us useful for them to test their software and systems on. Besides stealing that data, they are doing things like setting up Covid testing labs. What do you get with every sample? Our DNA. China wants to beat the US out of the biotech industry, and stealing our data is helping them. Credit: The Hill

Security News for the Week Ending December 27, 2019

Russia Claims to Have Successfully Disconnected from the Internet

Russia has been planning to install an Internet kill switch for a couple of years now. Of course, we have no clue what that means. Likely, it means that they have their own DNS servers so that they do not have to resolve web site addresses using servers controlled by the US and EU. But that means any web sites that are outside of Russia will not work if they do this.

More likely, this process, which forces all traffic through government controlled gateways, is designed to surveil its citizens even more than it already does. Details at ZDNet.

Pentagon Tells Military Not To Use “At Home” DNA Tests

I am not sure that Ancestry.com or 23AndMe are terribly happy about the message, but the Pentagon put out a memo this week telling members of the armed services not to take at-home DNA tests unless otherwise notified.

The cover story is that the tests might be unreliable and not reviewed by the FDA. The next story is that negative results might require members of the armed forces to disclose things that could end their military careers.

The real story is they are worried about state actors getting their hands on the DNA of our service men and women for nefarious purposes.

It looks like the military is actually starting to understand the risks of the 21st century. Good work. Note this is not voluntary or optional. Source: MSN

Telemarketing Firm Lays off 300 Before Christmas Due to Ransomware

A Sherwood, Arkansas telemarketing firm laid off 300 people just before Christmas after a ransomware attack shut down their systems. The attack happened about two months ago and, even though they paid the ransom, they have not yet been able to restore the systems. Apparently, at this point, they have run out of money. The company finally put out a memo explaining what was happening and told employees to call on January 2nd to see if they were going to get their jobs back. Merry Christmas. Source: KATV

British Pharmacy Fined $350K for Failing to Protect Medical Records

It is not just the big companies that are getting fined. In this case a British pharmacy was fined $350,000 for leaving a half million records unprotected and exposed to the elements. In addition, the pharmacy was issued an order to fix its security practices in 90 days or face more fines. We are seeing less willingness by courts and regulators on both sides of the Atlantic to tolerate companies’ missteps when it comes to security and privacy. Source: The Register.

Georgia Supreme Court Says Victims of Medical Clinic Hack Can Sue

Moving to this side of the Atlantic, the Georgia Supreme Court says that victims of an Atlanta area medical clinic that was hacked can sue the clinic for negligence. As I said, courts are becoming much less understanding as to why companies are not effectively protecting the data entrusted to them. This decision reverses the Court of Appeals decision and is only binding in Georgia, but courts in other states may use this as a precedent in their decision process. Source: Atlanta Journal Constitution

Security News for the Week Ending Friday August 3, 2018

Old Hacks Never Die

Brian Krebs is reporting that state government agencies are receiving malware laced CDs in the mail, the hope being that someone is curious enough to place one in their computer and infect it. This is an older version of a ploy that is still common: dropping malware infected flash drives in areas outside businesses like break areas, again hoping that curious workers will plug them into their computers and infect them.

The simple solution is not to do it and to hand the media to your information security team to review. Source: Krebs on Security.


23 and Me Licensed All Customers’ DNA to Big Pharma

In case you thought you owned your DNA, you might, sort of, but apparently not exclusively.

23 and Me made a deal with Glaxo Smith Kline (GSK) to provide all of their customers’ DNA for “research”, whatever that means. The deal lasts for four years. I am not sure what happens after four years – do they have to give back everyone’s DNA? Probably not.

And, kind of like Google, 23 and Me got a check for $300 million, but did not share that with the people whose DNA they sold.

23 and Me says that you can opt out of letting them sell your DNA when you sign up. Apparently I opted out. You can also change that option at any time, but it is not obvious how to do that. It is buried in the research tab after you sign in. I assume that change is not retroactive. If you didn’t opt out, GSK has a copy of your DNA. Source: Motherboard.

More Woes for CCleaner

CCleaner, the popular utility for cleaning up your computer, has added some more woes to its basket.

Piriform sold CCleaner to security firm Avast a few months ago. Right after the sale, CCleaner was found to be distributing a malware laced version of the software. Over a million copies of the infected software were downloaded, but it only targeted a handful of victims. That was done by an attacker.

This problem is self inflicted. The new version of CCleaner has a data collection feature which vacuums up information about the victim’s computer with no way to disable it and no way to opt out.

Apparently someone must have explained that this nifty feature was likely a violation of the new EU data privacy law, GDPR, which could result in a fine of the larger of 20 million Euros or 4% of their global revenue. They are rethinking the wisdom of doing this and will release a new version of the software. Real soon. Source: ZDNet.

Idaho Inmates Hack Prison-Issued Tablets

Prisons in Idaho issue inmates specially locked down tablets to send emails to loved ones and for other limited functions. Some of those functions cost money, and that is where the rub comes in. The tablets, managed by a vendor called JPay, were hacked by several hundred inmates to the tune of almost a quarter million bucks. Now JPay is trying to get their money back. At least it is not taxpayer money. Source: TechCrunch.