security risks to third party genetic genealogy services
play

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , - PowerPoint PPT Presentation

May 13, 2023 •265 likes •620 views

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

  1. Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

  2. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA

  3. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA 3rd-Party Genetic Service Genetic Interpretation Health, Ethnicity, Relative Prediction, ...

  4. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA Research Focus 3rd-Party Genetic Service Genetic Interpretation Health, Ethnicity, Relative Prediction, ...

  5. Third-Party Genetic Genealogy Services Genetic Genealogy Database Alice’s Genetic Data Relative Matching Bob is Alice’s Sibling Bob Frank is Alice’s 2nd-Cousin Carol … ... Alice 1M+ Dan Frank

  6. Relative Matching Algorithms Chromosome 7 Long shared segments of DNA are - indicative of recent shared ancestry Aunt More and longer shared segments - means a closer relationship Relative matching algorithms try to - identify these shared segments Matching Segments between users Nephew

  7. Prior Attacks Against Genetic Genealogy Services: Identity Inference Anonymous DNA sample or genetic data Goal: identify the source (person) of an anonymous DNA sample or genetic data Research Dataset Crime Scene

  8. Prior Attacks Against Genetic Genealogy Services: Identity Inference Step 1 Anonymous DNA sample or genetic data Process sample and construct genetic files DTC Genetic Data Research Dataset Crime Scene (Unknown)

  9. Prior Attacks Against Genetic Genealogy Services: Identity Inference Genetic Genealogy Database Step 2 Unknown Genetic Data Relative Matching Bob Carol … Carol is a grandmother Frank is a cousin 1M+ Malory Dan Frank

  10. Prior Attacks Against Genetic Genealogy Services: Identity Inference Step 3 : Combine the relatives with other sources of information like genealogies to identify the source of the sample or data Law enforcement 100+ samples identified from ● crimes and unknown remains Suspected Golden State Killer ● Anonymous research data Ex: 1000 Genomes Data ( Erlich ● et al. Science. 2018)

  11. Attack 1: Extract Genetic Markers from Other Users Genetic Genealogy Database Artificial or Manipulated Genetic Data … Relative Matching Queries Bob Carol … … Malory 1M+ Dan Frank Matching Segments and Visualizations Bob

  12. Attack 2: Forge Genetic Relationships Genetic Genealogy Database Artificial or Manipulated Genetic Data Bob Carol … Malory is Bob’s second cousin Malory 1M+ Dan Frank

  13. Case Study on GEDmatch GEDmatch runs the largest third-party DTC ● genetic genealogy service Over 1.2 millions files have been uploaded ○ Used extensively by law enforcement ● Used to solve Golden State Killer case ○ Government contracting (Parabon ○ Nanolabs) Unidentified remains (DNA Doe Project) ○ Identity inference attacks demonstrated on ● GEDmatch ( Erlich et al. Science. 2018) Goal is to evaluate the feasibility of these ● new attacks on GEDmatch

  14. Experimental Setup Account 1 Normal User Experimental Genetic X 5 GEDmatch Profiles Account 2 Adversary X n Artificial data Relative Matching Queries Relative Results and Visualizations

  15. Ethics of Data Uploads and Queries Uploaded all data to a sandboxed “Research” setting so that the ● uploaded files would not interact with real GEDmatch users Only ran queries with and analyzed results from data that we ● uploaded GEDmatch let’s you target relative matching queries against ○ specific data files ToS allowed artificial data uploads if: ● (1) Intended for research ○ (2) Not used to identify anyone in the database ○ IRB determined that research was exempt from review because the ● experimental data was derived from public sources with no identifiers

  16. Attack 1: Extract Genetic Markers from Other Users Genetic Genealogy Database Artificial or Manipulated Genetic Data … Relative Matching Queries Bob Carol … … Malory 1M+ Dan Frank Matching Segments and Visualizations Bob

  17. GEDmatch Visualizations and Segments 18M 64M 159M 164M Both visualizations leak information about the underlying DNA markers in other genetic files.

  18. GEDmatch Visualizations and Segments 18M 64M 159M 164M Both visualizations leak information about the underlying DNA markers in other genetic files.

  19. Genetic Extraction via Marker Visualizations Each pixel corresponds to a single genetic marker (many are missing)

  20. Genetic Extraction via Marker Visualizations Each pixel corresponds to a single genetic marker (many are missing) Unknown Known Relative Matching Queries

  21. Genetic Extraction via Marker Visualizations Step 1 Run 20 relative matching queries against a target and gather visualizations Malicious Data Target User (known) (unknown) 20X

  22. Genetic Extraction via Marker Visualizations Step 1 Step 2 Run 20 relative matching queries against Use mastermind-like algorithm to a target and gather visualizations determine which pixels correspond to specific markers. (Similar to Goodrich. S&P. 2009. DNA sequence extraction Malicious Data Target User via DNA sequence alignment scores.) (known) (unknown) 20X 1 4 7 12 17 22 28 37 42 44 45 67 70 72

  23. Genetic Extraction via Marker Visualizations Step 3 Combine known artificial genetic markers with visualizations to infer target’s genetic markers 1 4 7 12 17 22 28 37 42 44 45 67 70 72 A A G T T G G G C A T T A C A C C T C C G G G A G T C C + Malicious File 1 4 7 12 17 22 28 37 42 44 45 67 70 72 A A G C T C G G C C T T A T A A G C C C T A G C G G C T Target File

  24. Genetic Extraction via Marker Visualizations Step 3 Step 4 Combine known artificial genetic Fill in the gaps with genetic imputation markers with visualizations to infer (statistical technique) target’s genetic markers 1 4 7 12 17 22 28 37 42 44 45 67 70 72 1 2 3 4 6 7 8 9 10 11 12 13 14 5 A A G T T G G G C A T T A C A A G C T C G G C C T T A T A C C T C C G G G A G T C C A A G C C C T A G C G G C T + Malicious File In total we were able to extract an average of 92% of the 1 4 7 12 17 22 28 37 42 44 45 67 70 72 genetic markers with 98% A A G C T C G G C C T T A T accuracy from the 5 test files. A A G C C C T A G C G G C T Target File

  25. GEDmatch Visualizations and Segments 18M 64M 159M 164M Individual Genetic Markers (SNPs) Edge and Coop. eLife. 2020. (independently discovered). Both visualizations leak information about the underlying DNA markers in other genetic files.

  26. Attack 2: Forge Genetic Relationships Genetic Genealogy Database Artificial or Manipulated Genetic Data Malory is Bob’s second cousin Bob Carol … Malory 1M+ Dan Frank

  27. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Known Generate

  28. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Relative Matching Forge segments and relationships. Known Generate

  29. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Relative Matching Forge segments and relationships. Known Generate Discover target’s genetic profile using: Genetic extraction attacks (shown earlier). Tested on GEDmatch. 1) Gather DNA sample surreptitiously and sequence it. 2) Adversary wants to forge relative for themselves. 3)

  30. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) 2nd-Cousin

  31. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) 2nd-Cousin 2nd-Cousin (artificial)

  32. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) Falsely predicted relatives Search occurs on wrong branch of tree Open question is how this could affect import inferences, like law enforcement, which is currently an expert driven and manual process 2nd-Cousin 2nd-Cousin (artificial)

Recommend

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

627 views • 46 slides
SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive Efficiencies and Build Market Trust? IIA/ISACA Chicago Hacking Conference October 28, 2019 BDO USA, LLP, a Delaware limited liability partnership, is the U.S.

153 views • 13 slides
What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I

What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I

Handouts for Genealogy Presentation 06/11/2016 What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I started my genealogy How to start your genealogy Facebook, Geni and My Heritage Your Digital

333 views • 20 slides
School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party

School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party

School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party Liability HHSC is required by the Social Security Act to seek out reimbursement for covered services from legally liable third parties before

458 views • 11 slides
Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy

Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy

Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy Program Zack Wilske USCIS History Office USCIS U.S. Citizenship and Immigration Services (USCIS) is the government agency that oversees lawful

446 views • 42 slides
Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for

Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for

Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for new and intermediate genealogists wanting to learn more about genealogy. Additional Genealogy Classes Genealogy Software Basics Saturday, November

553 views • 5 slides
Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy

Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy

Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy and ancestors. What do we mean by genealogy? Original a study of family lineage starting with the oldest known ancestors and tracing down to the

432 views • 22 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to

Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to

Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to Ireland Start with what you know. -Genealogy Standard Martin Boyle Boyle Family 1894 North Dakota Sheldon, ND Sheldon, ND Sheldon, ND

500 views • 35 slides
Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck

Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck

Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck School of Computing Weber State University What is the importance of non-religious genealogy? People form identities based on their genealogy.

319 views • 6 slides
Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in Computa8onal Genomics Genome Polymorphisms A Human TCGAGGTATTAAC Genealogy The ancestral chromosome From SNPS

490 views • 36 slides
Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We

Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We

Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We need a way to inter-connect different genealogy systems GEDCOM provides a standard for encoding genealogy data, but we still lack a common

354 views • 11 slides
Security in the age of social media Exploring the benefits and security risks Please note the

Security in the age of social media Exploring the benefits and security risks Please note the

Sponsored by Security in the age of social media Exploring the benefits and security risks Please note the audio line will remain silent until 5 minutes before the webcast commences. Join our expert panel to discuss your security issues

481 views • 24 slides
Finding Third - party Risks Fourteenforty Research Institute, Inc.

Finding Third - party Risks Fourteenforty Research Institute, Inc.

Fourteenforty Research Institute, Inc. Kyoto, 2012 FIRST Technical Colloquium Sma martphone tphone Securi ecurity ty and Finding Third - party Risks Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Tsukasa Oi

644 views • 36 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4,

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4,

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4, 10 A . M .5 P . M . (EDT) TIME # LECTURE TITLE PRESENTER Genealogy and the Freedmans Bank: Damani Davis 10 A.M. Records of the

517 views • 36 slides
GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS

GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - GLOBAL RISKS - - - GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS GLOBAL RISKS - - - - What should the Asian market worry about? Dr. Paul Fisher, LBMA Chairman Asia Pacific Precious Metals Conference,

517 views • 9 slides
FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents,

FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents,

Presenting a live 90-minute webinar with interactive Q&A FCPA Compliance: Third-Party Due Diligence Minimizing Corruption Risks When Using Foreign Agents, Distributors and Other Intermediaries WEDNESDAY, JANUARY 16, 2013 1pm Eastern |

720 views • 59 slides
Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas

Cambridge Innovation Centre Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS Andreas Gutmann, Steven J. Mudoch, WAY19 | @kryptoandi PLEASE RAISE YOUR HAND Have you ever received a security code via SMS

289 views • 24 slides
Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the

Genealogy of D3 Code Cathy Zhu, Lucas Throckmorton Genealogy of D3 Code Goal: identify the shared pieces of code amongst pieces of d3 code via MOSS and visualize the evolution of D3 code snippets. Scope: about 30k examples of D3 code

278 views • 16 slides
GENEALOGY BASICS Valerie Edgeworth CE Consultant Kentucky Department for Libraries and Archives

GENEALOGY BASICS Valerie Edgeworth CE Consultant Kentucky Department for Libraries and Archives

GENEALOGY BASICS Valerie Edgeworth CE Consultant Kentucky Department for Libraries and Archives Presentation Overview Steps to begin Genealogy Research Research Tips Common Genealogy Records Research Repositories in Kentucky

542 views • 25 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with

ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with

ACH and Third Party Payment Processors Definition of Third-Party Relationship Entity with which financial institution has entered into a business relationship Facilitate customer access to bank services or products Perform functions

369 views • 26 slides
EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain

EVALUATING THIRD PARTY RELATIONSHIPS OVERVIEW BENEFITS Gain expertise Gain efficiencies Reach new members Provide more products and services RISKS Reputation Risk Operational Risk Transaction Risk

361 views • 19 slides

More recommend