[quote]Customer data that was compromised during a massive breach of Equifax's (EFX) systems was not encrypted, the company's ex-CEO told a congressional committee Tuesday.
During a three-hour hearing before the House Energy and Commerce Committee, Richard Smith blamed the massive hack on a combination of failed technology and human error. [/quote]
[url=https://www.cbsnews.com/news/equifax-ex-ceo-hacked-data-wasnt-encrypted/]Source[/url]
What a fuck up to make.
The gift that just keeps on giving.
Sounds like more proof of gross criminal negligence
I'm still in disbelief over this sheer amount of incompetence.
Data, the one dish that could always use a little more salt.
I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?
Everyone involved should be in prison. This is the identities of almost every single adult in the US. Everyone who owns a car, a house, or even a cell phone or cable. Even people with credit cards. This is their entire identities.
[QUOTE=Savage Octane;52746168]Everyone involved should be in prison. This is the identities of almost every single adult in the US. Everyone who owns a car, a house, or even a cell phone or cable. Even people with credit cards. This is their entire identities.[/QUOTE]
We need to begin treating high power white collar crime and negligence with the same severity, if not more, than that which we treat violent crime and theft.
Who's going to get the harsher sentence, some dumb fuck who gets caught stealing from someone's house or drunk driving, or the people responsible for this negligence? We all know the answer to that question, but the other question that's really telling is which one of these failures has a greater ripple effect on society at large? Who caused the most damage? Imagine how much fraud is going to be committed now that this information has been leaked.
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
Please tell me you're not serious.
Someone was dressed as the monopoly guy during the hearing. :v:
[img]http://fm.cnbc.com/applications/cnbc.com/resources/styles/skin/monopoly_guy_360.gif[/img]
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
Please do tell why there is no point in encrypting important personal data so that even if it gets stolen the thief will have trouble retrieving your data.
[QUOTE=Mega1mpact;52745023]Sounds like more proof of gross criminal negligence[/QUOTE]
Yeah I can't wait for my $100 check in the mail after the class action. There isn't a feasible punishment that fits this crime.
[QUOTE=Snapster;52746490]Someone was dressed as the monopoly guy during the hearing. :v:[/QUOTE]
[media]https://twitter.com/Public_Citizen/status/915593704827695104[/media]
Actually from a pretty big nonprofit organization.
On topic: Failing to do even basic encryption on personal data, even more so on more sensitive data should just straight up be a crime. Lock them all up.
Realistically it might not happen, not the first kind of leak where data wasn't encrypted and those people got away.
So, does that mean we're all doomed then?
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
The fact that you even have to ask that question is the same exact reason we're in this situation to begin with. If people and companies knew more about data security then hackers would have nothing but a bunch of useless encrypted information instead of millions of sensitive records.
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand.[/QUOTE]
That's kind of how encryption works, you don't just encrypt stuff as if you were locking it in a prison and throwing away the key. Besides, encryption and decryption is fast these days. Decrypting 20MB of data can take a few seconds, but 20MB is a shitton of plaintext data. A single megabyte can store roughly the equivalent of 500 pages of text, to give you an idea just how much data that is. If you're decrypting a few things like user addresses and credit card info, you probably won't notice an interruption.
Basically, it's easy and fast and Equifax has zero excuse.
The incompetence of these asshole giant tech companies is just unbelievable these days. How did we go from making things secure to "uh oh! accident! whoops!" and blowing serious shit off? I find it insulting that these assholes who will take their sweet ass time to add a handful of points to your credit but will gladly slash it in half for [I]one[/I] late payment can't even have basic fucking security.
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
The fact you have a programming (scripting, but let's not be pedantic :v:) language in your username makes this post magnitudes more offensive than if you were just some random "xxxGayWeedDad69xxx".
You should feel ashamed for even entertaining this thought, let alone making this post. And I can only pray you don't genuinely believe this.
The only consolation I can take from all of this is the fact that you capitalized "LUA" like an acronym, rather than the proper name "Lua" that it is.
[QUOTE=Gmod4ever;52747103]The fact you have a programming (scripting, but let's not be pedantic :v:) language in your username makes this post magnitudes more offensive than if you were just some random "xxxGayWeedDad69xxx".
You should feel ashamed for even entertaining this thought, let alone making this post. And I can only pray you don't genuinely believe this.
The only consolation I can take from all of this is the fact that you capitalized "LUA" like an acronym, rather than the proper name "Lua" that it is.[/QUOTE]
But he's not wrong in this sense, even if the data was encrypted all it would protect against is surface level attacks hitting a database directly. As far as I'm aware of this issue, the attackers had pretty deep access to the system where encryption would not matter in the slightest, as for data to be meaningful it had to be decrypted. Encryption only protects against certain attack vectors, however if you have access to certain parts of a system, encryption literally cannot be used. It's not a fix-all solution like you guys are making it out to be. Encryption is usually best kept to the world of information transaction. Furthermore, depending on how the data needs to be used later on hashing might not be the solution either, take for example:
The company might want to store SSNs and needs to check up on them later, hashing would work for this case, however you lose all ability to display an SSN if needed. This is why hashing works great for passwords.
Therefore only static, non-meaningful data can be hashed, which in the real world is a lot less than you think.
For reals, to have this little security, you have to practically be [I]trying[/I]. Like, a conscious concerted effort to leave your data that exposed.
[QUOTE=Hiruty;52747338]But he's not wrong in this sense, even if the data was encrypted all it would protect against is surface level attacks hitting a database directly. As far as I'm aware of this issue, the attackers had pretty deep access to the system where encryption would not matter in the slightest, as for data to be meaningful it had to be decrypted. Encryption only protects against certain attack vectors, however if you have access to certain parts of a system, encryption literally cannot be used. It's not a fix-all solution like you guys are making it out to be.[/QUOTE]
Assuming a competent encryption schema is used, such as [url=https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks][b]AES256[/b][/url] (which one could argue to be overkill, but for the point of argument here, let's assume it), then there are [b]only[/b] two feasible ways that information can be recovered:
Either the attacker has direct access to the key (which, if properly secured, should not at all be feasible), or the attacker has indirect access to the key (such as being physically located at a computer that can decrypt the information).
This "surface level attack" rhetoric is bullshit. Properly encrypted information can not be compromised without the key itself being compromised or the information being leaked from an insider (such as a trusted operator decrypting the information with their workstation and then copying / uploading the decrypted results). [b]Period.[/b]
Let's note this snippet from the article, though:
[quote]Even if the data were encrypted, however, the application that the hackers exploited would still have had access to it, said Williams. So encryption wouldn't have stopped the hack.[/quote]
They should still absolutely be encrypting fucking everything, though.
[QUOTE=Protocol7;52747415]Let's note this snippet from the article, though:
They should still absolutely be encrypting fucking everything, though.[/QUOTE]
Which is why I explicitly brought up the "indirect access to the key, EG a computer capable of decrypting it."
Encrypting the data may not have made a difference [i]in this case[/i], but that's not an excuse to never encrypt data.
And then of course, there's the matter of fact about the application being compromised in the first place. That's an entirely different security story...
[QUOTE=Gmod4ever;52747404]Assuming a competent encryption schema is used, such as [url=https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Known_attacks][b]AES256[/b][/url] (which one could argue to be overkill, but for the point of argument here, let's assume it), then there are [b]only[/b] two feasible ways that information can be recovered:
Either the attacker has direct access to the key (which, if properly secured, should not at all be feasible), or the attacker has indirect access to the key (such as being physically located at a computer that can decrypt the information).
This "surface level attack" rhetoric is bullshit. Properly encrypted information can not be compromised without the key itself being compromised or the information being leaked from an insider (such as a trusted operator decrypting the information with their workstation and then copying / uploading the decrypted results). [b]Period.[/b][/QUOTE]
The only way this is secure is if the key must be manually entered by a human any time the data is needed. If an automated program needs access to the data without human intervention, then the key will be compromised shortly after the data is, as it must be stored somewhere that the program can read it from. At best, you will delay the hacker for a short while.
[QUOTE=Jcw87;52747439]The only way this is secure is if the key must be manually entered by a human any time the data is needed. If an automated program needs access to the data without human intervention, then the key will be compromised shortly after the data is, as it must be stored somewhere that the program can read it from. At best, you will delay the hacker for a short while.[/QUOTE]
...
Which is, [b]again[/b], in/direct access to the key.
Either they gain access to something capable of decrypting the information natively (such as, in this case, the program used), or they gain access to the key itself (such as if the program used a web-server to store the key [not even getting into the security of that], and the hackers penetrate that web-server).
[QUOTE=Gmod4ever;52747434]Which is why I explicitly brought up the "indirect access to the key, EG a computer capable of decrypting it."
Encrypting the data may not have made a difference [i]in this case[/i], but that's not an excuse to never encrypt data.
And then of course, there's the matter of fact about the application being compromised in the first place. That's an entirely different security story...[/QUOTE]
So, what I said, was correct. You added context, correct, however, the information was being parsed at this level of the attack, and information literally could not be encrypted at this point. So as I said before, encryption is not a save-all. Furthermore, AES256 is only secure in its implementation, which again just because something is encrypted does not mean it's not vulnerable. This form of encryption also adds a magnitude more of complexity to securely hotkey a key into memory over a distributed system. You look like you know a little bit about this topic, so you should know that encryption is not straightforward.
Yes it's terrible that this data had been compromised, but spouting this rhetoric about how encrypting it would've saved everyone and their dog is just wrong.
[QUOTE=Hiruty;52747459]So, what I said, was correct. You added context, correct, however, the information was being parsed at this level of the attack, and information literally could not be encrypted at this point. So as I said before, encryption is not a save-all. Furthermore, AES256 is only secure in its implementation, which again just because something is encrypted does not mean it's not vulnerable. This form of encryption also adds a magnitude more of complexity to securely hotkey a key into memory over a distributed system. You look like you know a little bit about this topic, so you should know that encryption is not straightforward.
Yes it's terrible that this data had been compromised, but spouting this rhetoric about how encrypting it would've saved everyone and their dog is just wrong.[/QUOTE]
You said it's "only good against surface-level attacks." I want to know what the hell you consider to be the bottom end of "surface-level" if [b]having direct access to the actual program that does the decryption[/b] is considered "surface-level" to you.
And again, just because the attackers had deep access [i]in this case[/i] does not, in any way, justify "never encrypting information." Which is what the post you were defending stated: that encrypting information is pointless.
To try and use this as a case to justify "never encrypting information" is analogous to saying "Well someone's baby died, I guess we better all stop having kids."
[QUOTE=Gmod4ever;52747446]...
Which is, [b]again[/b], in/direct access to the key.
Either they gain access to something capable of decrypting the information natively (such as, in this case, the program used), or they gain access to the key itself (such as if the program used a web-server to store the key [not even getting into the security of that], and the hackers penetrate that web-server).[/QUOTE]
My point is, that this post:
[QUOTE=KillerLUA;52746045]I'm not sure if this is clickbait or not, because there's no point encrypting the actually stored data. Since no matter what you do at some point you're gonna have to decrypt the data to be able to access it on demand. Or do they mean not hashing/salting passwords or something?[/QUOTE]
isn't as dumb as you guys are making out to be. The only way they will have access to the database, but not the rest of the machine (and thus, the encryption key), is if you have an SQL injection vulnerability, in which case, you should fire your programmers for using string concatenation to build their queries. SQL injections are a [i]solved problem[/i], so long as the programmers always use prepared statements.
Remote execution exploits seem to be how these major breaches are performed most of the time, so the encryption becomes a feel-good measure.
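The "string concatenation vs prepared statements" point made in the post above, as an added example that is not from the thread or from any of the posters: the same lookup written both ways against a constructed in-memory SQLite table, showing why the bound-parameter form keeps the query's structure fixed no matter what the input string contains.

```python
import sqlite3

# Constructed sample rows for the demo (not real data from anywhere).
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, username):
    # The pattern the post says to fire programmers for: the caller's input
    # is spliced into the SQL text, so it becomes part of the query's syntax.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    # The fix: the SQL text is constant and the value is bound as a parameter,
    # so the database treats it purely as data to compare, never as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with an ordinary name and with a tautology string."""
    conn = make_db()
    normal = "alice"
    # Constructed input that turns the concatenated WHERE clause into
    # "username = '' OR '1'='1'", i.e. always true.
    hostile = "' OR '1'='1"
    return {
        "concat_normal": lookup_concat(conn, normal),
        "concat_hostile": lookup_concat(conn, hostile),
        "prepared_normal": lookup_prepared(conn, normal),
        "prepared_hostile": lookup_prepared(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated version returns every row for the tautology input, while the prepared version returns nothing because no username literally equals that string.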
[QUOTE=Gmod4ever;52747467]You said it's "only good against surface-level attacks." I want to know what the hell you consider to be the bottom end of "surface-level" if [b]having direct access to the actual program that does the decryption[/b] is considered "surface-level" to you.
And again, just because the attackers had deep access [i]in this case[/i] does not, in any way, justify "never encrypting information." Which is what the post you were defending stated: that encrypting information is pointless.
To try and use this as a case to justify "never encrypting information" is analogous to saying "Well someone's baby died, I guess we better all stop having kids."[/QUOTE]
I was never defending that never encrypting is a good idea, I'm defending the fact that encryption does not fix the issue. If I have to explicitly say that encryption is a good idea (It's literally law in Australia), you've missed my point. Furthermore, I don't think you know much about how these systems work, and expect programmers to be the panacea to these problems. Having indirect access or direct access to the key does nothing because [B]at this point in the system, the data is inherently plaintext, it can not be shown as anything else, as it's in its intermediate state.[/B] Surface level attacks refer to SQL injection attacks and XSS attacks as stated by Jcw87 above, and were not the attack vectors. The hacker attacked a flaw in the outdated API used by the system and shows that this is not an issue of encryption but an issue of legacy systems.
imagine unintentionally doxxing half of America