{"id":551,"date":"2017-08-15T18:11:55","date_gmt":"2017-08-15T18:11:55","guid":{"rendered":"http:\/\/securitycurve.com\/?p=551"},"modified":"2017-08-15T18:11:55","modified_gmt":"2017-08-15T18:11:55","slug":"dna-malware-and-bash-fork-bombs","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=551","title":{"rendered":"DNA Malware (and bash fork bombs)"},"content":{"rendered":"

I saw this in the blogosphere the other day and I wasn’t planning on commenting . \u00a0But then I saw it also in the trade press… and then I saw it getting more coverage… and then I saw it in some more blogs and more press… and then Ars Technica covered it…<\/a>\u00a0and then Schneier covered it<\/a>. \u00a0Apparently, it’s a thing – DNA as a “malware vector”.<\/p>\n

The original research paper is here<\/a> if you want to go read about it, but the short story is that some researchers inserted malware into DNA. \u00a0They demonstrated that they could take DNA, manipulate it in such a way that software used to analyze it (that they modified specifically for this purpose) could be attacked when processing the DNA. \u00a0The Ars story is probably the best balance between being concise but still rounding out the pertinent details.<\/p>\n

Now… \u00a0I say this carefully because I get it that people are interested in this (I don’t want to be the wet blanket)… And also, because it’s a cool thing they did over there. \u00a0But is it me or does anybody else question why this is getting the “full monte” media treatment in the security press? \u00a0I mean, I get it that it’s interesting about encoding malware in the DNA — but isn’t it more interesting “because DNA” than it is from a security point of view specifically? \u00a0Again — the research is interesting , I’m super glad they did it, and it’s the you-dub, so you know it’s high quality. \u00a0But what specifically about this makes it security news?<\/p>\n

Here’s what I mean. \u00a0This thing is conceptually analogous to me hiring a skywriter to write a bash fork bomb (e.g. “:(){ :|: & };:”) in the sky — or, for that matter, to drag a banner sign behind a cropduster that says “rm -rf \/”. \u00a0Were I to do that, am I demonstrating a cool new attack vector? \u00a0Of course not, right? \u00a0Yes, it’s “malicious”, but who cares?<\/p>\n

Now how about if I write an app that takes pictures of the sky, does optical character recognition on stuff it might happen to find written there, and runs it on some UNIX host as root? \u00a0What if the “some UNIX host” is an MRI machine? \u00a0None of that stuff is interesting from a security point of view, right? \u00a0To which, I could say “Hey. \u00a0But I just totally just haxored an MRI machine using the sky<\/strong>… just\u00a0the sky<\/strong><\/em>, man! Because the\u00a0sky was vulnerable<\/span>, man.” \u00a0To which, you’d say, “but you created that whole convoluted chain of events just so you could create that effect.” \u00a0And I’d say, “Yeah. \u00a0You’re right. \u00a0I did do that.”<\/p>\n

Isn’t this the same thing? \u00a0Here, they’ve created an attack vector and then embedded an exploit to that vector in a (super creative) transmission medium. \u00a0Then, they allowed the process to transpire. \u00a0Yes, the medium is creative – because DNA. \u00a0But really, that’s the interesting part. \u00a0The rest seems like cause and effect. \u00a0The DNA part? \u00a0Interesting. The malware part? \u00a0Performs as expected.<\/p>\n","protected":false},"excerpt":{"rendered":"

I saw this in the blogosphere the other day and I wasn’t planning on commenting . \u00a0But then I saw it also in the trade press… and then I saw it getting more coverage… and then I saw it in some more blogs and more press… and then Ars Technica covered it…\u00a0and then Schneier covered […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[42,77],"class_list":["post-551","post","type-post","status-publish","format-standard","hentry","category-security","tag-dna","tag-malware"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=551"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/551\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}