from Hacker News

US hit by 'massive data breach'

by alan_cx on 6/4/15, 10:00 PM with 148 comments

  • by dpcan on 6/4/15, 11:32 PM

    I feel like we need to change our direction in terms of "identity" altogether.

    We seem to be relying on an "identity" that is our name, ssn, phone number, credit card number, or all these different little bits of data clumped together. Too messy, too easy to steal, to fake, too easy to sell.

    Maybe our identity is more like a bitcoin wallet. It's an encrypted clump of data that we only keep with ourselves, and ourselves alone. It could store money, confirm that we are who we say we are because it can have our picture in it, our names, our "numbers" for various things.

    Then, when someone needs ANYTHING from us, be it proof of identity, money, or trivial info, we can send them a piece of useless information salted with something that they then return to us with the same salt to get back a confirmation, or money, or access to "use" our other numbers, but they never GET our other numbers.

    If you want my phone number, you send a request to me asking for it. I get the request, confirm it, send back another piece of data to you. This is NOT my phone number, but something you can use to send to me again in the future when you want to call me, and then my number is dialed, but you never see it. At any time, I can wipe you off my safe list, and you don't have my phone number anymore. Same thing can work when paying for something, or proving I am who I say I am when getting a loan, buying beer, whatever.

    Maybe this is ridiculous.
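
The request, confirm, use and revoke flow from dpcan's comment above, as an added example that is not part of the original comment. `IdentityWallet` and its method names are hypothetical, the phone number is constructed, and the requester's identity is assumed to be authenticated by the transport already.

```python
import secrets


class IdentityWallet:
    """Owner-side store: real attribute values never leave this object."""

    def __init__(self, attributes):
        self._attributes = dict(attributes)
        self._grants = {}  # opaque handle -> (requester, attribute name)

    def approve(self, requester, attribute):
        """Owner confirms a request; the requester gets a random handle only."""
        if attribute not in self._attributes:
            raise KeyError(attribute)
        handle = secrets.token_urlsafe(16)  # carries no information about the value
        self._grants[handle] = (requester, attribute)
        return handle

    def revoke(self, requester):
        """Wipe a requester off the safe list; all of its handles go dead."""
        stale = [h for h, (who, _) in self._grants.items() if who == requester]
        for handle in stale:
            del self._grants[handle]
        return len(stale)

    def use(self, requester, handle, action):
        """Run `action` on the real value on the owner's side (e.g. a call relay).
        The requester learns only whether it succeeded."""
        grant = self._grants.get(handle)
        if grant is None or grant[0] != requester:
            return False  # unknown, revoked, or presented by a different party
        action(self._attributes[grant[1]])
        return True


def demo():
    dialed = []  # stands in for the owner's relay that places the call
    wallet = IdentityWallet({"phone": "+1-555-0100"})  # constructed sample value
    handle = wallet.approve("shop.example", "phone")
    return {
        "number_in_handle": "+1-555-0100" in handle,
        "approved_call": wallet.use("shop.example", handle, dialed.append),
        "stolen_handle": wallet.use("other.example", handle, dialed.append),
        "revoked": wallet.revoke("shop.example"),
        "after_revoke": wallet.use("shop.example", handle, dialed.append),
        "dialed": dialed,
    }


if __name__ == "__main__":
    print(demo())
```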

  • by SCAQTony on 6/4/15, 10:38 PM

    Huge data breach and the FBI is screaming from an ivory tower that encryption is the hallmark of all evil and that backdoors are a really good idea.

    "Privacy, above all other things, including safety and freedom from terrorism, is not where we want to go..." FBI Associate director Michael Steinbach

  • by jacinda on 6/4/15, 10:43 PM

    As a former government contractor, I wish I could say I'm surprised. Unfortunately, computer/network security in many government agencies frequently has more to do with policy documents than with anyone technical actually determining whether the system is secure.
  • by jsingleton on 6/4/15, 10:15 PM

  • by bashinator on 6/4/15, 10:41 PM

    * cyber attack
    * cybersecurity system
    * cyber-intrusion
    * cyber databases (twice!)
    * cyber threat

    Use of the word "cyber" adds virtually no insight or context to this article.

  • by nedwin on 6/4/15, 10:56 PM

    We hear a lot about Chinese attacks on the US but virtually nothing about the opposite, which undoubtedly does happen.

    Reading the wiki page on "Cyberwarfare" there are sections on each country, like "Cyberwarfare in Germany", "Cyberwarfare in India" etc.

    Both the "Cyberwarfare in USA" and "Cyberwarfare in China" are about Chinese attacks on the US...

    http://en.wikipedia.org/wiki/Cyberwarfare

  • by rmrfrmrf on 6/4/15, 10:33 PM

    It's OK, I'm sure whoever did it had a warrant.
  • by ChrisAntaki on 6/4/15, 10:38 PM

    This is a great example of why the NSA & FBI should invest in strengthening American encryption standards, instead of trying to weaken them.
  • by Zikes on 6/4/15, 10:13 PM

    https://news.ycombinator.com/item?id=9661848

    I am shocked. Shocked, I tell you.

  • by cm2187 on 6/4/15, 10:42 PM

    It's hard not to make this trivial comment so let's make it:

    At least it may give a taste to US nationals of what it feels like to have your country hacked by a foreign power, like most European countries' nationals felt after the Snowden leaks.

  • by fieryscribe on 6/4/15, 10:40 PM

    The timing of this report is very "interesting", given recent news: https://news.ycombinator.com/item?id=9659784
  • by themeek on 6/4/15, 10:38 PM

    This is part of an ongoing cyberwar between great powers - the largest adversaries to the US being China (mostly smash and grab) and Russia (primarily sophisticated and surgical).

    It would be nice if there was some place where we could see the scoreboard to know how effective and how often we hack the Chinese back. Right now it looks like our tax dollars are being spent getting hacked, but the US government has doubled down many times on offensive cyberwar capabilities and now has professional cybersoldier career tracks in the DoD.

    What's the assessment?

  • by foxhedgehog on 6/4/15, 10:52 PM

    A lot of people here are commenting, rightly, that this is an example of why the USG should be strengthening encryption. It's also a reminder that, despite its disproportionate focus in media, including on HN, the US is obviously not the only government engaged in this behavior.
  • by Red_Tarsius on 6/4/15, 10:38 PM

    I wonder how much social engineering was involved in the hack. No matter how great your tech is, if your staff is not trained to be paranoid you're going to suffer the consequences.

    "Hey I just found a usb pen on the floor. I wonder what's inside it..."

  • by blisterpeanuts on 6/4/15, 11:18 PM

    This is perhaps a stupid or uninformed question, but if databases are so vulnerable, why is so much information still stored in cleartext? It seems to me that taking the extra step to strongly encrypt data prior to writing to tables would make the intruder's job much harder.

    I speak not only as a programmer and database guy from way back, but as one of the millions of Anthem subscribers whose personal data was stolen a few months ago in a massive breach.

    I know that "data breach" might well mean the keys were stolen which decrypted an otherwise secure file, but the terminology suggests that the breach was simple access into the system rather than acquisition of the precious keys themselves.

    Someone with superior knowledge of these things, kindly explain.

  • by redwards510 on 6/4/15, 10:26 PM

    What would be a suitable response to this? America does not have a clear cyberwar policy and I haven't heard many suggestions.
  • by ephemeralgomi on 6/4/15, 10:37 PM

    What differentiates a 'cyber database' from a 'database'?
  • by dpweb on 6/4/15, 10:51 PM

    Of course, China. How is it they are incompetent to protect the data, yet competent enough to know immediately who did it?
  • by sgacka on 6/5/15, 6:19 AM

    This hit every US news service. How is it so low in points?

    "breach could potentially affect every federal agency, officials said"

    I love HN's ability to filter news that matters to dev/tech-professionals, but when stuff like this pops up it should be top 10, for at _least_ a few hours. This is some serious shit. Who here does business with government agencies? Most of you have IRS Tax/Employer IDs... with the rate that this is "expanding" what is to say that it wasn't just HR records, but more. Your e-filed IRS return could be sitting with folks outside of the IRS...

    No intention to fear monger but think of the statement "breach could potentially affect every federal agency" - every business in the US does something, with sensitive data, with an agency :/

  • by fleitz on 6/4/15, 11:36 PM

    It's not a data breach, it's essential that the US keep their database unencrypted so that the Chinese national security agency can search their records for ties to terrorism.

    If anything China just did the OPM a favour to help them keep their freedom.

  • by thyrsus on 6/4/15, 11:13 PM

    Note the Office of Personnel Management's scores in this report, and note the scores of the State Department. Ms. Clinton's e-mails may have been more secure at her private residence :-\

    https://www.whitehouse.gov/sites/default/files/omb/assets/eg...

  • by danso on 6/4/15, 10:44 PM

    Interested in hearing the details about this one. How much of it was facilitated by phishing or social engineering? Are there any government systems that require two-factor auth? So much of federal web infrastructure is based on old code/systems that, while invulnerable to a mass exploit of Rails/WordPress/Bash, have not even remotely been tested and studied against edge cases in the way that large scale open source platforms have.
  • by ams6110 on 6/5/15, 3:22 AM

    The breach did not involve background checks and clearance investigations, officials said.

    No, that breach[1] was a couple of years ago.

    1: http://www.nextgov.com/cybersecurity/2014/12/opm-alerts-feds...

  • by gress on 6/4/15, 10:27 PM

    If only there had been a backdoor in the system, or no encryption, law enforcement could have prevented this. /s
  • by multinglets on 6/5/15, 12:48 AM

    Oh no, the Chinese are stealing all our datas in an unprecedented cYbErattack!

    I didn't realize it was Thursday again already.