Wednesday 16 August 2017

You can actually hack a computer with DNA

Hackers have used all sorts of attack vectors to gain control of someone else’s computer, from USB drives to phishy emails. In what appears to be the first successful hack of a software program using DNA, researchers say malware they incorporated into a genetic molecule allowed them to take control of a computer used to analyse it.

Akin to something from the pages of science fiction, the researchers used the life-encoding molecule to attack and take over a computer, using strands of DNA to transmit a computer virus from the biological to the digital realm.

The researchers used the four bases in DNA, adenine, cytosine, guanine and thymine – A, C, G and T – to encode their malware, which when read by a piece of DNA sequencing equipment converted the molecular code into computer code capable of taking over the computer connected to the DNA sequencer.

“When this physical strand was sequenced and processed by the vulnerable program it gave remote control of the computer doing the processing. That is, we were able to remotely exploit and gain full control over a computer using adversarial synthetic DNA,” said the researchers.

The researchers say that there is no reason for concern: “Note that there is not present cause for alarm about present-day threats. We have no evidence to believe that the security of DNA sequencing or DNA data in general is currently under attack.” They argue the attack could be leveled against any facility that accepts DNA samples for computer-based gene sequencing and processing. For example, an attacker who knew that DNA samples would be sequenced on a computer could contaminate blood and saliva samples with a specially crafted synthetic gene.

The results show that it is technically possible to use DNA as a way to transfer malware and attack vulnerabilities in the sequencing computer program.

Saturday 5 August 2017

Microsoft Attempts To Fix Stuxnet For The Third Time Nearly Five Years Later

One of the patches released by Microsoft as part of its June 2017 security updates represents the company’s third attempt at patching an old vulnerability exploited by the notorious Stuxnet worm in 2010. The initial vulnerability, tracked as CVE-2010-2568, allows a remote attacker to execute arbitrary code on a system using specially crafted shortcut files with the LNK or PIF extension.

CVE-2010-2568 was one of the four zero-day vulnerabilities exploited in the 2010 Stuxnet attacks targeting Iran’s nuclear program. Stuxnet is arguably the first and most famous example of government-developed malware. Its creation is said to have been a joint operation between Israel and the United States.

In 2015, researchers discovered that Microsoft’s initial fix could be bypassed and the tech giant released another patch. The flaw, tracked as CVE-2015-0096, was treated by Microsoft as a completely new issue.

The flaw leveraged by Stuxnet allowed .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files.

"The problem is that in Windows, icons are loaded from modules (either executable or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, by convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device."

Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult. This is a classic example of the Defender’s Dilemma -- the defender must be strong everywhere, while the attacker needs to find only one mistake.

CERT/CC pointed out that Microsoft patched the new vulnerability, tracked as CVE-2017-8464, with its June security updates. Microsoft informed customers at the time that this flaw had been exploited in the wild. Exploits for the security hole are now publicly available, including a Metasploit module made by Securify's Yorick Koster.

The organization pointed out that in addition to applying Microsoft’s patches, users can prevent potential attacks by blocking outgoing connections on TCP and UDP ports 139 and 445. This prevents machines from accessing a remote SMB server, which is typically needed to exploit the vulnerability.
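One way to check that this egress block is actually in effect, as an added example that is not from CERT/CC or Microsoft: the script audits a Windows Firewall log (pfirewall.log layout) for outbound flows to ports 139 and 445 and separates those that were allowed from those that were dropped. The log lines are constructed, and the internal address ranges and the function name `outbound_smb` are assumptions.

```python
import ipaddress

# Assumption: destinations in these ranges are internal file servers and are
# not reported; pass internal=() to report every outbound SMB/NetBIOS flow.
INTERNAL = tuple(ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
SMB_PORTS = {"139", "445"}

# Constructed sample in pfirewall.log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-08-05 10:15:02 ALLOW TCP 192.168.1.20 203.0.113.7 49712 445 0 - 0 0 0 - - - SEND
2017-08-05 10:15:09 ALLOW TCP 192.168.1.20 192.168.1.5 49713 445 0 - 0 0 0 - - - SEND
2017-08-05 10:16:40 DROP UDP 192.168.1.20 198.51.100.9 137 139 0 - - - - - - - SEND
2017-08-05 10:17:11 ALLOW TCP 192.168.1.20 203.0.113.7 49720 443 0 - 0 0 0 - - - SEND
2017-08-05 10:18:30 ALLOW TCP 203.0.113.50 192.168.1.20 51000 445 0 - 0 0 0 - - - RECEIVE
"""

def outbound_smb(log_text, internal=INTERNAL):
    """Return (allowed, blocked) lists of outbound flows to ports 139/445."""
    fields, allowed, blocked = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("path") != "SEND" or rec.get("dst-port") not in SMB_PORTS
                or rec.get("protocol") not in ("TCP", "UDP")):
            continue                       # inbound, other port, or other protocol
        try:
            dst = ipaddress.ip_address(rec.get("dst-ip", ""))
        except ValueError:
            continue                       # malformed line: skip it
        if any(dst in net for net in internal):
            continue                       # internal destination: out of scope
        flow = (rec.get("time"), rec["protocol"], rec.get("src-ip"),
                rec["dst-ip"], rec["dst-port"])
        (allowed if rec.get("action") == "ALLOW" else blocked).append(flow)
    return allowed, blocked

if __name__ == "__main__":
    allowed, blocked = outbound_smb(SAMPLE_LOG)
    for flow in allowed:
        print("NOT BLOCKED:", *flow)
    print(f"{len(blocked)} outbound SMB flow(s) already blocked")
```

Any flow reported as allowed is a host that could still reach a remote SMB server and therefore is not covered by the port-blocking mitigation.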

Former Bupa employee offered 1 million customer records for sale on dark web

Current advancements to the internet and all of its capacities bring about a sense of urgency when it comes to safeguarding online security, especially in situations where crucial information can be stolen and exploited.

A Bupa employee managed to copy and steal data regarding more than 108,000 customers, and then exposed a majority of that information on the dark web. Data Breaches found the breach on the dark web on June 23, posted by a vendor called MoZeal. The listing contained insurance information from 122 countries and included information like member and registration IDs, names, birthdates, all contact information and information about intermediaries.



It would appear that “MoZeal” is likely the rogue employee that Kenton referred to in his videotaped statement. Also of note: while Bupa reports that 108,000 were affected, MoZeal’s listing and thread indicated that there were over 130,000 in the U.K. alone, and that overall there were about 500,000 – 1 million records for sale.

Bupa has reportedly taken legal action, so this post will be updated as more information becomes available. The breach has had an intense effect primarily on the international health insurance industry as a whole.

Bupa responded to the reported discrepancy between their numbers and the AlphaBay vendor’s claims with a statement to Insurance Business reconciling some of the differences by noting that they referred to “policies” while the vendor referred to the number of individuals. Since the breach was spotted, the company has taken the necessary measures to notify each and every customer whose information has been stolen.

Company representatives also say the security of customer information has been made a paramount priority by the health insurer to prevent such breaches in the future. The employee responsible for the breach has already been terminated from his position, and Bupa is also pursuing legal action against the employee.

This attack is the latest in a series of data breaches taking place this year. There have been several such hacks so far that deliberately target entities in the health sector, and the number continues to increase over time.