security risks to third party genetic genealogy services
play

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , - PowerPoint PPT Presentation

May 13, 2023 •265 likes •620 views

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

  1. Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

  2. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA

  3. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA 3rd-Party Genetic Service Genetic Interpretation Health, Ethnicity, Relative Prediction, ...

  4. Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction, ... AncestryDNA MyHeritage Raw Genetic Data FamilyTreeDNA Research Focus 3rd-Party Genetic Service Genetic Interpretation Health, Ethnicity, Relative Prediction, ...

  5. Third-Party Genetic Genealogy Services Genetic Genealogy Database Alice’s Genetic Data Relative Matching Bob is Alice’s Sibling Bob Frank is Alice’s 2nd-Cousin Carol … ... Alice 1M+ Dan Frank

  6. Relative Matching Algorithms Chromosome 7 Long shared segments of DNA are - indicative of recent shared ancestry Aunt More and longer shared segments - means a closer relationship Relative matching algorithms try to - identify these shared segments Matching Segments between users Nephew

  7. Prior Attacks Against Genetic Genealogy Services: Identity Inference Anonymous DNA sample or genetic data Goal: identify the source (person) of an anonymous DNA sample or genetic data Research Dataset Crime Scene

  8. Prior Attacks Against Genetic Genealogy Services: Identity Inference Step 1 Anonymous DNA sample or genetic data Process sample and construct genetic files DTC Genetic Data Research Dataset Crime Scene (Unknown)

  9. Prior Attacks Against Genetic Genealogy Services: Identity Inference Genetic Genealogy Database Step 2 Unknown Genetic Data Relative Matching Bob Carol … Carol is a grandmother Frank is a cousin 1M+ Malory Dan Frank

  10. Prior Attacks Against Genetic Genealogy Services: Identity Inference Step 3 : Combine the relatives with other sources of information like genealogies to identify the source of the sample or data Law enforcement 100+ samples identified from ● crimes and unknown remains Suspected Golden State Killer ● Anonymous research data Ex: 1000 Genomes Data ( Erlich ● et al. Science. 2018)

  11. Attack 1: Extract Genetic Markers from Other Users Genetic Genealogy Database Artificial or Manipulated Genetic Data … Relative Matching Queries Bob Carol … … Malory 1M+ Dan Frank Matching Segments and Visualizations Bob

  12. Attack 2: Forge Genetic Relationships Genetic Genealogy Database Artificial or Manipulated Genetic Data Bob Carol … Malory is Bob’s second cousin Malory 1M+ Dan Frank

  13. Case Study on GEDmatch GEDmatch runs the largest third-party DTC ● genetic genealogy service Over 1.2 millions files have been uploaded ○ Used extensively by law enforcement ● Used to solve Golden State Killer case ○ Government contracting (Parabon ○ Nanolabs) Unidentified remains (DNA Doe Project) ○ Identity inference attacks demonstrated on ● GEDmatch ( Erlich et al. Science. 2018) Goal is to evaluate the feasibility of these ● new attacks on GEDmatch

  14. Experimental Setup Account 1 Normal User Experimental Genetic X 5 GEDmatch Profiles Account 2 Adversary X n Artificial data Relative Matching Queries Relative Results and Visualizations

  15. Ethics of Data Uploads and Queries Uploaded all data to a sandboxed “Research” setting so that the ● uploaded files would not interact with real GEDmatch users Only ran queries with and analyzed results from data that we ● uploaded GEDmatch let’s you target relative matching queries against ○ specific data files ToS allowed artificial data uploads if: ● (1) Intended for research ○ (2) Not used to identify anyone in the database ○ IRB determined that research was exempt from review because the ● experimental data was derived from public sources with no identifiers

  16. Attack 1: Extract Genetic Markers from Other Users Genetic Genealogy Database Artificial or Manipulated Genetic Data … Relative Matching Queries Bob Carol … … Malory 1M+ Dan Frank Matching Segments and Visualizations Bob

  17. GEDmatch Visualizations and Segments 18M 64M 159M 164M Both visualizations leak information about the underlying DNA markers in other genetic files.

  18. GEDmatch Visualizations and Segments 18M 64M 159M 164M Both visualizations leak information about the underlying DNA markers in other genetic files.

  19. Genetic Extraction via Marker Visualizations Each pixel corresponds to a single genetic marker (many are missing)

  20. Genetic Extraction via Marker Visualizations Each pixel corresponds to a single genetic marker (many are missing) Unknown Known Relative Matching Queries

  21. Genetic Extraction via Marker Visualizations Step 1 Run 20 relative matching queries against a target and gather visualizations Malicious Data Target User (known) (unknown) 20X

  22. Genetic Extraction via Marker Visualizations Step 1 Step 2 Run 20 relative matching queries against Use mastermind-like algorithm to a target and gather visualizations determine which pixels correspond to specific markers. (Similar to Goodrich. S&P. 2009. DNA sequence extraction Malicious Data Target User via DNA sequence alignment scores.) (known) (unknown) 20X 1 4 7 12 17 22 28 37 42 44 45 67 70 72

  23. Genetic Extraction via Marker Visualizations Step 3 Combine known artificial genetic markers with visualizations to infer target’s genetic markers 1 4 7 12 17 22 28 37 42 44 45 67 70 72 A A G T T G G G C A T T A C A C C T C C G G G A G T C C + Malicious File 1 4 7 12 17 22 28 37 42 44 45 67 70 72 A A G C T C G G C C T T A T A A G C C C T A G C G G C T Target File

  24. Genetic Extraction via Marker Visualizations Step 3 Step 4 Combine known artificial genetic Fill in the gaps with genetic imputation markers with visualizations to infer (statistical technique) target’s genetic markers 1 4 7 12 17 22 28 37 42 44 45 67 70 72 1 2 3 4 6 7 8 9 10 11 12 13 14 5 A A G T T G G G C A T T A C A A G C T C G G C C T T A T A C C T C C G G G A G T C C A A G C C C T A G C G G C T + Malicious File In total we were able to extract an average of 92% of the 1 4 7 12 17 22 28 37 42 44 45 67 70 72 genetic markers with 98% A A G C T C G G C C T T A T accuracy from the 5 test files. A A G C C C T A G C G G C T Target File

  25. GEDmatch Visualizations and Segments 18M 64M 159M 164M Individual Genetic Markers (SNPs) Edge and Coop. eLife. 2020. (independently discovered). Both visualizations leak information about the underlying DNA markers in other genetic files.

  26. Attack 2: Forge Genetic Relationships Genetic Genealogy Database Artificial or Manipulated Genetic Data Malory is Bob’s second cousin Bob Carol … Malory 1M+ Dan Frank

  27. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Known Generate

  28. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Relative Matching Forge segments and relationships. Known Generate

  29. Generating Artificial Relatives Amount of DNA sharing determines the relative prediction Parent/Child: 50% - 1st cousin: 12.5% - Target Artificial Relative Matching Forge segments and relationships. Known Generate Discover target’s genetic profile using: Genetic extraction attacks (shown earlier). Tested on GEDmatch. 1) Gather DNA sample surreptitiously and sequence it. 2) Adversary wants to forge relative for themselves. 3)

  30. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) 2nd-Cousin

  31. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) 2nd-Cousin 2nd-Cousin (artificial)

  32. Why Make Artificial Relatives? “Long lost relative.” Not uncommon in genetic genealogy 1) because of misidentified paternity. Change inferred identity 2) Falsely predicted relatives Search occurs on wrong branch of tree Open question is how this could affect import inferences, like law enforcement, which is currently an expert driven and manual process 2nd-Cousin 2nd-Cousin (artificial)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno

Security Risks to Third-Party Genetic Genealogy Services Peter Ney , Luis Ceze, Tadayoshi Kohno Direct-to-Consumer (DTC) Genetic Testing and Analysis DTC Testing Company Genetic Interpretation 23andMe Health, Ethnicity, Relative Prediction,

627 views • 46 slides
SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive

SECURITY. RISKS. COMPLIANCE. How Can Third Party Assurance Help Your Business Drive Efficiencies and Build Market Trust? IIA/ISACA Chicago Hacking Conference October 28, 2019 BDO USA, LLP, a Delaware limited liability partnership, is the U.S.

153 views • 13 slides
What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I

What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I

Handouts for Genealogy Presentation 06/11/2016 What will be covered? A little about me Why I do genealogy The Book of Me Written by You How I started my genealogy How to start your genealogy Facebook, Geni and My Heritage Your Digital

333 views • 20 slides
School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party

School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party

School Health and Related Services Third Party Liability Recoveries and Medicaid 1 Third Party Liability HHSC is required by the Social Security Act to seek out reimbursement for covered services from legally liable third parties before

458 views • 11 slides
Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy

Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy

Overview of the USCIS Genealogy Program December 14, 2016 An Introduction to the USCIS Genealogy Program Zack Wilske USCIS History Office USCIS U.S. Citizenship and Immigration Services (USCIS) is the government agency that oversees lawful

446 views • 42 slides
Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for

Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for

Gen enea ealog ogy y @ MFPL Generations Genealogy Interest Group is a monthly program for new and intermediate genealogists wanting to learn more about genealogy. Additional Genealogy Classes Genealogy Software Basics Saturday, November

553 views • 5 slides
Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done

Supreme Leader Pulkit Party!!!!!! Party!!!!!! Just us Party!!!!!! What we have done Party!!!!!! Party!!!!!! Curling Orientation Party!!!!!! Party!!!!!! Party!!!!!! National day parade Airport picking-uping Party!!!!!!

1.18k views • 69 slides
Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy

Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy

Mtis Genealogy 101 26 March 2013 - Sudbury, Ontario Goals Confirm your Mtis genealogy and ancestors. What do we mean by genealogy? Original a study of family lineage starting with the oldest known ancestors and tracing down to the

432 views • 22 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to

Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to

Irish Genealogy Resources & Dan Boyle Genealogy Club January 13, 2016 My BreakThrough to Ireland Start with what you know. -Genealogy Standard Martin Boyle Boyle Family 1894 North Dakota Sheldon, ND Sheldon, ND Sheldon, ND

500 views • 35 slides
Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck

Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck

Automatically Recreating Probabilistic History through Genealogy Robert Ball and Patrick Beck School of Computing Weber State University What is the importance of non-religious genealogy? People form identities based on their genealogy.

319 views • 6 slides
Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in

Lecture: Genetic Basis of Complex Phenotypes 02-715 Advanced Topics in Computa8onal Genomics Genome Polymorphisms A Human TCGAGGTATTAAC Genealogy The ancestral chromosome From SNPS

490 views • 36 slides
Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We

Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We

Gedcom CGI Protocol and Web Services John Finlay PhpGedView Project Manager The Problem We need a way to inter-connect different genealogy systems GEDCOM provides a standard for encoding genealogy data, but we still lack a common

354 views • 11 slides
Security in the age of social media Exploring the benefits and security risks Please note the

Security in the age of social media Exploring the benefits and security risks Please note the

Sponsored by Security in the age of social media Exploring the benefits and security risks Please note the audio line will remain silent until 5 minutes before the webcast commences. Join our expert panel to discuss your security issues

481 views • 24 slides
Finding Third - party Risks Fourteenforty Research Institute, Inc.

Finding Third - party Risks Fourteenforty Research Institute, Inc.

Fourteenforty Research Institute, Inc. Kyoto, 2012 FIRST Technical Colloquium Sma martphone tphone Securi ecurity ty and Finding Third - party Risks Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Tsukasa Oi

644 views • 36 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4,

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4,

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Genealogy Fair 2013 Wednesday, September 4, 10 A . M .5 P . M . (EDT) TIME # LECTURE TITLE PRESENTER Genealogy and the Freedmans Bank: Damani Davis 10 A.M. Records of the

517 views • 36 slides
CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian

CSE 127: Introduction to Security Lecture 17: Privacy and Anonymity Nadia Heninger and Deian Stefan UCSD Fall 2019 Lecture outline Foundations of privacy Historical and current crypto wars in the US Privacy-enhancing

611 views • 50 slides
ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas

ReAssert: Suggesting Repairs for Broken Unit Tests Brett Daniel Tihomir Gvero Danny Dig Vilas Jagannath Darko Marinov IBM Research Almaden. San Jose, CA. August 10, 2010 Google. Mountain View, CA. August 11, 2010 Passing Unit Tests

702 views • 58 slides
Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With

Functional abstraction Readings: HtDP , sections 21-24. Language level: Intermediate Student With Lambda Topics: Anonymous functions Syntax & semantics Example: Transforming strings Abstracting: Map Abstracting: Foldr Abstracting: Foldl

502 views • 27 slides
The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London

The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London

The presentation will start shortly COVID-19 Health Care Provider Briefing Middlesex and London Region September 29, 2020 Welcome Presenter: Dr. Alex Summers Associate Medical Officer of Health Middlesex-London Health Unit @alexsummers4

816 views • 20 slides
The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research

The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research

The Tor Project, Inc. Our mission is to be the global resource for technology, advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. 1 Alice makes a session key with

741 views • 37 slides
Swiss cheese security or the real challenges faced by internet facing companies About me

Swiss cheese security or the real challenges faced by internet facing companies About me

Swiss cheese security or the real challenges faced by internet facing companies About me Almost 20 years in information security / hacking OWASP Project leader Latest research interests: Large scale RSA crypto survey

691 views • 49 slides
Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational

Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational

Whistle-Blowing 1 Whistleblowing Disclosure, using other than approved organizational channels, of wrongdoing to someone in a position to take action. disclosure: information intentionally conveyed channels: chain of command,

429 views • 12 slides
DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and

DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and

DELEGA TE TEE : Brokered Delegation DELE Using Trusted Execution Environments Sinisa Matetic and Moritz Schneider, ETH Zurich ; Andrew Miller, UIUC ; Ari Juels, Cornell Tech ; Srdjan Capkun, ETH Zurich CSC 6991 Presented by: Shikha Sikligar

596 views • 18 slides

More recommend