
Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Hosted by Rob Aragao, a seasoned security strategist with OpenText, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Defending Your DNA: 23andMe Security Wake-Up Call - Ep 68
23andMe promise that "protecting your privacy has been our number one priority." But how does that claim stack up in the light of their recent data breach?
That's the question posed by Rob and Stan in the latest episode of Reimagining Cyber.
23andMe provide DNA kits allowing users to obtain "the most comprehensive ancestry breakdown and 30+ trait reports," and the hackers targeted the individual accounts of hundreds of users.
So what does this cybersecurity failure mean for the victims?
What are the wider repercussions?
Here are just a few of their views on the hack:
"What if a nation state leverages that type of information? They already have plenty of details on individuals through other breaches. This is a much heavier set of data they can take advantage of. They can potentially be much more targeted in some of their blackmailing"
"You said that this wasn't 23andMe's fault but at the same time, they could have done more. They could have by default had two factor authentication. They could also have had privacy checkups that many other social platforms have available."
"They're mapping the data together to make categorized sets of information available at a cost. So very targeted and can be used for many different extortion capabilities. Who knows what else is going to come of it."
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Stan Wisseman: Hey there, this is Stan with Reimagining Cyber. I'm here with Rob. So hey Rob, I was at the Gartner IT Summit last week in Florida, or in Orlando, Mickey Mouse Land in Orlando, Florida.
[00:00:13] Rob Aragao: Yes that's right. I forgot you were out there. How was it?
[00:00:15] Stan Wisseman: You know, it was actually very well attended. They had like 9,500 people, they say, and you know, touted that they had 3,300 CIOs.
[00:00:25] And I was actually really surprised at the mix. We had folks. A lot of folks coming by, talking to us at the, at our booth from Brazil and Argentina and Peru, as well as all across the United States, but I was just surprised at the international mix, especially from South America.
[00:00:42] Rob Aragao: Interesting. So was there a good audience from the cyber side of it then?
[00:00:45] Stan Wisseman: Yeah. Yeah. They had quite a few folks there 'cause they had a number of tracks associated with cyber, and just like with OpenText World, there's a lot of emphasis on artificial intelligence and how that can make a difference, not only in [00:01:00] productivity, but also in cyber.
[00:01:02] Rob Aragao: Yeah, no surprise there, right?
[00:01:03] It's the topic du jour. It seems like it's been going on for almost the entire year at this point. So not slowing down. So, Stan, anything specifically you wanted to call out today?
[00:01:12] Stan Wisseman: Well, I mean, one of the things we sometimes do is, right, put a spotlight on or highlight different data breaches that occur, right?
[00:01:21] Yeah. And one that caught my eye and actually I received a breach notification letter about not only caught my eye, but I was specifically impacted by this one was the 23andMe breach. Yes. Track that one.
[00:01:37] Rob Aragao: So, so it's interesting. The short answer is yes. Just to make sure. We can't assume that everyone that's listening knows who 23andMe is, but you know, they basically collect genetic information.
[00:01:50] They collect genetic information for an industry and genetic disposition types of tests information. So you can go in, sign up, right, provide information, provide some [00:02:00] details, and then you can get all this information as it relates to more behind the scenes of your background, heritage, and so on.
[00:02:06] And I think that so many people in the cybersecurity kind of landscape have been focused on the MGM breach and so kind of, you know, enamored with the details behind that. That this one kind of is a little under the radar, but it's, it's, it's getting ignited, right? I mean, this is basically the beginning of the month of October when they came out 23andMe did and announced that there was a breach.
[00:02:29] So I think we're going to see a heck of a lot more information. There's some stuff that's been trickling out recently as well.
[00:02:34] Stan Wisseman: Yeah, I think the thing that was interesting to me, I mean, first off, the attack was pretty pedestrian and since it was just credential stuffing, right? And so they were leveraging username and password
[00:02:48] combos from previous breaches and just trying to get into an account. Exactly. So it wasn't really any kind of sophisticated attack, but the amount of data that they [00:03:00] dumped for sale was quite substantial.
[00:03:04] Rob Aragao: This is a simple type of breach. If you think about an attack, I should say, and you know, 23andMe basically there's nothing there from their systems per se that were actually penetrated.
[00:03:15] Right? So, so not shame on them. It's shame on like the individuals for the type of, again, credentials that's just flown out there and they're not actually thinking about changing them if they were breached in the past, as an example, right?
[00:03:25] Stan Wisseman: Right. I mean, it is one of those things where, well, let's face it, a lot of folks reuse their passwords.
[00:03:35] And, and so this was a situation where there wasn't privilege escalation and getting more data. When the logins worked, when they got a combination that worked, they didn't actually, you know, then go in and escalate privilege to another privileged account, right? They actually just scraped the data that was available, not only on that user, but also relatives that were associated to that user.
[00:03:57] Rob Aragao: Well, that's the piece, right? That, that's, that's the, the, the... The bigger play [00:04:00] here was so, yeah, they can get in leveraging the credentials, and it's not just that individual's data that now we're still on, right? It's the interconnections because this also goes to behind the scenes of reading what type of information they're going to collect on you when you sign up for a service like this.
[00:04:16] And it actually does connect out to other individuals. So to your point, there's a I guess an option with, if you will, in there or a portion of information that they were able to gain access to around DNA relatives, you know, matches. And that's what basically multiplies this out for all of these different individuals now up into the millions that have had their data out there.
[00:04:36] So think about that, right? We may not be actually signed up for this service, but we could actually still be impacted by that.
[00:04:43] Stan Wisseman: Right, and I think that the other thing that was interesting, and I don't know if this is, you know, what their intent was, but that first data dump, you know, it was associated with the Jewish population, I think millions of records, and I don't know if they were deliberately attacking.
[00:04:59] That [00:05:00] particular ethnic group, or if it was just a tasteless way of drawing attention to the data set that they had, or if it was just, you know, basically a way of, you know, again, categorizing that this is what we've got. And the timing was interesting as far as everything else going on in the world right now in October.
[00:05:18] Rob Aragao: Well, you're absolutely right. I think, you know, so, so the interesting aspect of the data that they collected or had, I should say, posted out there. As kind of like, you know, here, here's the bait of information you can actually get from us and pay for, right? So you, so you have people's names, emails, physical addresses, date of birth, pictures, right?
[00:05:36] So all this information and to your point, that was the, the key here is, so it's not that they selectively took this information, it's that they now are selectively leveraging the information to be very targeted. This was an attacker, found a way in, took advantage of it. It's not trying to monetize it again, very targeted, like, Hey, I'm going to block this up and categorize this data into different kind of, you know, areas of interest that are going to, [00:06:00] again, people are going to pay for, you know, whether it's unfortunately Jewish heritage, if it's wealthy population and, you know, specific country, if you will flip it around the other way, what, what, what if a nation state goes in and leverages that type of information?
[00:06:16] They already have plenty of details on individuals through other breaches. Now, this is even that much more heavier set of data they can actually take advantage of potentially. And they're making more interconnection points of who your relatives are. So they can actually potentially be much more targeted in some of their, again, if it's blackmailing, if it's whatever efforts they're trying to approach to get intel out of certain people.
[00:06:37] So it's just another set of personal data available for them to actually put their hands around and leverage it for whatever they want.
[00:06:45] Stan Wisseman: Now, now in my notification letter, I don't see this aligns with what you researched, but they said that none of the genetic data itself had been breached as far as they knew that it was general ancestry data, but it wasn't [00:07:00] genetic data associated.
[00:07:02] In this case, it was my wife that I had given her a kit, you know, as a birthday, as a Christmas present a couple of years ago. So, you know, there was none of her genetic data that had been exposed. Is that what you read as well?
[00:07:15] Rob Aragao: That's what I read, but then I also read that there might be some information that does pertain to connections of, you know, if you have diabetes and other types of medical.
[00:07:25] So, so I think it's still coming out.
[00:07:26] Stan Wisseman: But you bring up an interesting point. Yeah. So, again, this, this category of data of genetic data that is very important for disease markers like diabetes, right? That data, there's no federal law that clearly protects users of online genetic testing or anything else that's being using that kind of data.
[00:07:49] So that's a category of information that you, you have to think is sensitive. Right? Because that's, you know, associated with my genetics, and yet there's nothing really [00:08:00] specifically that says that that should be protected a certain way.
[00:08:04] Rob Aragao: No, no, there's not. And I think that's, you know, one of the things that we should definitely talk about is the aspects of the privacy of the information
[00:08:10] We do need some different legal aspects tied into this because, again, it's not just the individual, it's also the trickle effect of that. But just go back for a second, Stan, on this information. So, as you pointed out, the initial kind of drop from, you know, the attacker or one of the folks that got their hands on it was pointed back at, again, you know, kind of unfortunately, people of Jewish heritage.
[00:08:33] And the timing, as you said, very interesting. But there's also been other things. It's been about the royal family. Mm hmm. It's been about the wealthiest in the U. S. So it's, so basically now they're taking that data, they're doing the interconnection points of everything else beyond the individual who had the 23andMe account.
[00:08:50] Mm hmm. Right. And they're starting to basically start mapping the data together to make these kind of categorized sets of information available at a cost. So very targeted, [00:09:00] right? Can be used for blackmail can be used for many different extortion capabilities that they can actually take advantage of now.
[00:09:05] And who knows whatever else is going to come of it. But just again, a prime example of just the privacy as you were alluding to that. We don't have these specific control mechanisms in place that really, truly protect individual because I mean, let's be real. Majority of especially the younger generation, and I say that because I know this is my kids do the download an app.
[00:09:26] They'll go ahead and just didn't read the privacy information notice. That was that there as you're actually launching the app. Don't know exactly what they're collecting on you and other information as well. That could tie into a 3rd party. So it's just kind of like, there's this educational aspect.
[00:09:40] This could be a great example of but yeah, you also need some, some, some different privacy kind of rules put in place to help some of these things.
[00:09:47] Stan Wisseman: But you, you, you said earlier that this wasn't 23andMe's fault and, you know, this was not an indication of necessarily them doing something wrong, but at the same time, they could have done more.
[00:10:00] You know, it reminds me of, again, the whole concept of defense in depth and layers of security, right? The fact that if, if you have, for those that don't know that, that phraseology, that the concept is you, you can visualize this as concentric circles of defense. And if you have, one layer with a set of controls that is that's reached, then you have other layers of controls that can actually detect and hopefully enable you to respond quickly to some kind of bad actor.
[00:10:31] And so in this context, you know, you have again, credential stuffing, nothing that, you know, 23andMe could do about that. Somebody has reused a password, right? However, they could have by default had two factor authentication. They could also have had, you know, some of those privacy checkups that many other social platforms have available to help, you know, Hey, are you exposed because of a previous breach, [00:11:00] you know, you may want to change that password because it's been associated with another breach.
[00:11:04] And so there are things that they could have done. And, and I view that, you know, broadly as a layer of defense, right, to help the users as well as the company mitigate some of those threats.
[00:11:17] Rob Aragao: And I think you know, that, that reminds me of I guess a very, very early episode that we did with Jim Routh, right.
[00:11:21] And his approach throughout his successful career and running security programs at many large organizations is kind of that unconventional controls approach, or as you said, right, defense in depth is something we've known for a long time, kind of multi layered security control mechanisms. What are you doing?
[00:11:36] You're basically driving the attacker away because you have these different layers that are making it that much more difficult for them to penetrate your environment. So you're too hard of a target. I'm going to go spend my time, because time is money to me, elsewhere on a softer target that I'm probably going to still be able to leverage, again, the information I gather from them and monetize that as effectively as I would [00:12:00] from yours.
[00:12:00] Stan Wisseman: Yeah, and I also was thinking about, you know, that was episode two, you know, that was our second episode. But one of the things that I really took away from Jim's, our conversation with Jim was the fact that, yes, you may have layers of protection using standard based controls, but that unconventional set of controls is really looking at ways in which you can sort of put in the unexpected and the bad actors, not necessarily expecting that control and you might be able to thwart the evolving threat.
[00:12:34] Because they don't think about just like, you know, Hey, you have 800-53 that lays out all these different security controls and people are implementing that or pick a framework, right? Jim would have a percentage of controls in his control base that were orthogonal or different than what's out there in the standard set, and it's more of a risk based approach as well that's looking at what the attackers are actually [00:13:00] doing and responding with controls that hopefully will mitigate these evolving threats.
[00:13:05] Rob Aragao: And he would, he would kind of put those wild cards out there, right? So you haven't seen these type of things in the past as an attacker and you know, you're like, geez, why is it so difficult comparatively to others to get into? So I think it's a, it's a very solid approach that, you know, as much as he's used it over the years, and it's been a little time since he's kind of been, you know, a practitioner, if you will, over the past couple of years, since he's kind of gone off and done some other things, right?
[00:13:27] It's still very much a solid approach that many should actually account for within their own programs.
[00:13:31] Stan Wisseman: And we, I started the conversation mentioning that, you know, that the Gartner IT Summit, they had a whole bunch of AI. Well, AI is one of those unconventional controls, right? You, you can, you can actually have embedded in, or have as a separate control, some kind of, let's say, unsupervised machine learning kind of control that helps you detect anomalous behaviors or things that again are outside the norm that you can then respond to quickly that [00:14:00] may have bypassed some of your other controls.
[00:14:03] Rob Aragao: Yeah, most definitely, most definitely.
[00:14:04] So, hopefully a 23andMe notice kind of is the last one and there's not much information of the Wisseman family yet out there.
[00:14:11] Stan Wisseman: I can't tell you how many credit monitoring reports I've, I can actually leverage now because of all the different notifications received over the last few years, yes.
[00:14:21] Rob Aragao: I'm sure of that.
[00:14:22] Well, until next time, Stan. Looking forward to it.
[00:14:26] Producer Ben: You too. Hello, I'm Ben, producer of Reimagining Cyber, and during the episode you heard Rob and Stan talk about a conversation they had with Jim Routh way back in episode two. Now if you fancy a listen, the one to look out for is called Unconventional Approaches to Improve Cyber Security.
[00:14:47] Here's a clip.
[00:14:49] Jim Routh: The best and most important decision that a CISO or any cyber security professional makes is how to allocate scarce resource to the highest risk because there's [00:15:00] not enough capacity and resource to do everything. And even if, so if you have unlimited budgets, unlimited time, and you try to do everything, that's not real world.
[00:15:11] It's not the way business enterprises operate.
[00:15:15] Producer Ben: That was Jim Routh there. Thanks for listening to Reimagining Cyber and remember to follow or subscribe wherever you listen to your podcasts. Goodbye.