
Army National Guard announces data breach - aestetix
http://www.nationalguard.mil/News/ArticleView/tabid/5563/Article/607769/army-national-guard-announces-data-breach-establishes-call-center.aspx
======
arkem
This isn't what most people think of when they hear data breach. There was a
breach of DoD security standards when data was transferred to an inappropriate
environment but no evidence that the data has been leaked beyond that
transfer.

I think it's laudable that the Army National Guard would do a breach
notification when there's only the possibility of malicious data loss.

~~~
gesman
Maybe there is some untold, yet upcoming story behind this.

~~~
staunch
I immediately assume China and/or Russia are working on a World War III plan.
Dossiers are being built to help carry out the targeted and synchronized
assassination of tens of thousands of key U.S. military personnel by sleeper
cell agents during a coordinated world-wide attack.

~~~
jackweirdy
Why would either of them do that, though?

~~~
camillomiller
You don't need any why like that to write a successful novel!

~~~
logicallee
I second this! staunch, get cracking.

------
gesman
Startup idea: apologeticpressrelease.com

Just input corporation, firm or department name.

Select multiselect dropdown "what you take very seriously".

Select number of "employees|customers|people" (pick one) that will get free
credit monitoring.

Select for how long.

Press [Submit]

Input payment information.

Press release automatically issued.

(we( at )?|CORP_NAME) take your (data|privacy|security|information) very
seriously

~~~
redwards510
Don't forget to mention that the malware used was "extremely sophisticated".

~~~
jagermo
"not yet sure if there is a nation behind it, as it seems to be too advanced
for everyday hackers"

------
jtchang
So basically someone (who was probably getting paid by the DoD) scp'ed some
info to a server he/she wasn't supposed to.

This is more like a breach of standards. At least they know where the data went.
The OPM breach is far worse.

------
x5n1
It is better to simply assume that all data has been breached unless
incontrovertible proof is found to the contrary.

~~~
shortstuffsushi
Seems kind of like the "law of security testing" -- the lack of evidence of
data breaches doesn't preclude the possibility of leaked data.

~~~
shawndumas
the absence of evidence is not evidence of absence.

[http://youtu.be/MFBjCM0mZHg](http://youtu.be/MFBjCM0mZHg)

~~~
spacehome
Off topic, but absence of evidence is in fact evidence of absence, though
depending on the circumstances it might be weak.

Say we'd like to know if A exists. There's some evidence for A's existence,
which we'll call E. The absence of this evidence is ~E.

By Bayes' theorem:

P(A) = P(A intersect E) + P(A intersect ~E) = P(A|E)* P(E) + P(A|~E)*P(~E)

So the probability that A exists is a weighted average of the probability that
A exists when there is and is not evidence (since P(E)+P(~E)=1). There is a
kind of 'conservation of probability'.

If the idea that 'E is evidence of A' is to mean anything at all, then it
means that P(A|E) > P(A). Hence P(A|~E) must be less than P(A). Another way to
say it is that P(~A|~E) > P(~A). And absence of evidence is absence of
evidence.
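
An added worked derivation (not part of the comment above) carrying the same argument through with the comment's symbols, assuming 0 < P(E) < 1 so that both conditional probabilities are defined:

```latex
\text{Total probability, as in the comment:}\quad
P(A) = P(A\mid E)\,P(E) + P(A\mid\neg E)\,P(\neg E),\qquad P(E)+P(\neg E)=1.

\text{Assume } E \text{ is evidence for } A,\ \text{i.e. } P(A\mid E) > P(A),\ \text{with } 0 < P(E) < 1.

\text{Substitute the inequality into the first term:}
P(A) > P(A)\,P(E) + P(A\mid\neg E)\,P(\neg E)
\;\Longrightarrow\; P(A)\,\bigl(1-P(E)\bigr) > P(A\mid\neg E)\,P(\neg E)
\;\Longrightarrow\; P(A\mid\neg E) < P(A).

\text{Hence}\quad P(\neg A\mid\neg E) = 1 - P(A\mid\neg E) > 1 - P(A) = P(\neg A).

\text{Rearranging the identity gives the size of the effect:}
P(A) - P(A\mid\neg E) = \bigl(P(A\mid E) - P(A)\bigr)\,\frac{P(E)}{P(\neg E)},

\text{so when } P(E) \text{ is small (the check rarely fires even when } A \text{ holds),}
\text{the absence of } E \text{ lowers } P(A) \text{ only slightly: weak evidence of absence.}
```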

~~~
shawndumas
You're speaking of negative evidence; as in, evidence that negates a
particular truth claim.

Negative evidence is not the same thing as the utter and complete non-existence
of any evidence whatsoever—the _absence_ of evidence. That's because
negative evidence absolutely _is_ evidence.

The saying goes, 'the absence of evidence is not evidence of absence' _not_
'the evidence of absence is not evidence of absence'. See the difference?

Watch the linked video when you have a moment.

~~~
spacehome
> You're speaking of negative evidence

I wasn't. ~E is a shorthand way to write that E is not found, not that the
opposite of E is found. In the language of probability/set theory, ~E is E's
complement - every event in the space of probabilities except for what's in E.
It's the unique set such that ~E intersect E = empty set, and ~E union E is
the whole space.

The point of the proof I gave is that there is no distinction between
'negative evidence' and 'absence of evidence'.

As I mentioned earlier, there is a kind of conservation of probability. The
only way for a piece of evidence to give evidence for A is that the lack of
that evidence reduces the probability of A. The probability mass has to come
from somewhere.

~~~
shawndumas
"I wasn't. ~E is a shorthand way to write that E is not found"

You were. What you are describing is, 'we constructed a hypothetical
experiment and arrived at a null result'; that is, in fact, evidence.

No one is saying, 'a null result is not evidence of absence'.

Please stop conflating the _presence_ of something with the _absence_ of
something.

Yes, the statement is a tautological statement. We are repeating the same
assertion twice using different phrasing. And as such, the proposition as
stated is logically irrefutable.

'No evidence is no evidence', is a correct—but diminished—restatement.

Have you watched the video?

~~~
spacehome
I watched the video you linked. It's a straw man and misrepresents the way the
maxim is commonly used.

Let's go back to my original example and say we want to know if A is true. We
have the choice to run an experiment whose positive result E would give
support to A. The linked video would say that before we run any experiment, we
have no additional evidence for A. Essentially that P(A) = P(A). This is true.

The way this should be used in the real world is: I look even the slightest
bit for A and don't find it. As long as my search for A had the smallest
positive chance of finding it were it to exist, then my lack of ability to
find A gave me information about the world, and we get that P(~A | ~E) >
P(~A).

Edit: To be precise the maxim should be something like: "Absence of evidence
after looking for evidence is evidence of absence".

~~~
shawndumas
The very act of "looking for evidence" moves it out of the category of the
absence of evidence.

Again, what is being said is, 'no evidence is no evidence'. If you have the
_absence_ of evidence then you have no evidence of absence.

We are--kind of--using the word absence in two senses. First as a synonym for
none, a number less than one, zero; the second as a synonym for non-presence,
non-existence, the lack of an extant sample.

Having _zero_ [absent] evidence is not evidence that there is _no extant
sample_ [absence]. I hope that helps.

------
chrissnell
As a former ARNG member and a current Army Reserve member, this doesn't
surprise me at all. The U.S. military's regard for personal information has
been dreadful. Service in the military entails endless filling out of paper
and electronic forms and almost every one of them has the servicemember's SSN
on them. These forms get filed in filing cabinets, e-mailed around and--quite
often--left on desks. The situation is made worse because our pay grades are
typically part of the form, too, so a potential identity thief knows the
approximate salary of the victim because our salaries are standardized and
readily available.

Things are getting better and the DoD has switched to a non-SSN identification
number but the SSN is still frequently used.

~~~
reustle
The point I take away from this is, how long is SSN going to be a super secret
11-digit pin for your life? Banking online, job forms, etc all use SSN and it
gets thrown around everywhere. Are there any indicators that we're working on
something a bit more modern for identification?

~~~
shubb
This new version of 0Auth is based on a military grade security model.

You authenticate everywhere using a long number (PIN) (so long you have to
write it down and store it). All the services you authenticate with will store
this PIN unhashed.

You should keep your PIN safe, because it can be used to apply for bank
accounts, loans, and commit tax fraud if it is stolen.

If you ever forget your PIN don't worry. We will print it on various letters
and mail them to you. If you need it urgently, you will find it next to your
name in various post-hack data dumps around the internet.

------
rebootthesystem
> files containing personal information was inadvertently transferred to a
> non-DoD-accredited data center

Which could be anything. For example, an AWS server somewhere. Or, how about a
VPS hosted by GoDaddy? A lame attempt at humor. Yet, what do we really know?

> by a contract employee,

Which could be anybody, right?

> we do not believe the data will be used unlawfully

We don't guarantee...we do not "believe".

More detail would have been useful. If my data was with the Guard I would not
know what any of the above meant other than my data was made available to a
contractor who uploaded it to a random server somewhere and, at the moment, it
could be floating in space for anyone to grab.

Brilliant.

~~~
fixermark
Two things to be aware of:

1) This was an external press release. It's possible communication to the
actual Guard had more detail. Or not; it's the military, and they'll tell you
what you "need to know."

2) While they don't guarantee the data wasn't leaked, I read that as more in
the sense that "The non-DoD-accredited datacenter is outside of our auditing
trail" than in the sense that it's actually likely the data was leaked. If you
take my state's drivers' license database and uploaded it to AWS, the state
can't "guarantee" the data wasn't used unlawfully either, but you can be
certain that Amazon has a lot to lose if some failure of _their_
infrastructure gives China access to a list of passport-authorizing documents.

------
valgaze
"All current and former Army National Guard members since 2004 could be
affected by this breach because files containing personal information was
inadvertently transferred to a non-DoD-accredited data center by a contract
employee [...]"

~~~
MangoDiesel
I may be overly cynical of US government policies and procedures, but I read
this as someone tried to use AWS or similar without permission.

~~~
fixermark
I'm reminded of the breach reported by Britain's National Health Service in
2014 ([http://www.theguardian.com/society/2014/mar/03/nhs-england-patient-data-google-servers](http://www.theguardian.com/society/2014/mar/03/nhs-england-patient-data-google-servers)),
where data was uploaded to make use of Google's
big-data sifting technologies in violation of NHS policy about secured storage
of British citizenry PII.

The irony that the data had been uploaded to a physically secured, encrypted
datacenter network from 27 DVDs in the possession of someone who could do
whatever they wanted to with the contents of those DVDs without audit was not
lost on me.

I don't reference this to imply it was good and proper use of the data; merely
to note the difference between policy security and actual security.

------
sp332
Wow, excellent response. It's encouraging to see that they don't just sweep
this under the rug.

~~~
click170
Its good that they own up to it but I'm getting a bit tired of hearing "we
take security very seriously."

I feel like this phrase has become the mating call of organizations who aren't
serious about security until they get hacked.

~~~
Encosia
Obligatory: [http://www.troyhunt.com/2015/07/we-take-security-seriously-otherwise.html](http://www.troyhunt.com/2015/07/we-take-security-seriously-otherwise.html)

~~~
shredprez
Was just about to comment. Ever since I read the article, it's the first thing
I notice (whether or not that's fair).

------
trengrj
When I read that "an employee transferred data to a non DoD-accredited data
centre", I imagine the employee transferring a dataset to Amazon Web Services
or something similar (usually because the tooling in their current environment
is horrible).

Edit: I just had a look and found AWS is actually DoD-certified
[http://aws.amazon.com/compliance/dod/](http://aws.amazon.com/compliance/dod/).
I wonder what the data centre in question could be.

~~~
jon-wood
Only some parts of AWS are DoD certified, and even then only some services in
the GovCloud region (which isn't widely available) are fully certified. It's
entirely possible some contractor made use of a service which isn't certified
still.

------
chasb
This seems non-adversarial, more like a violation of DoD's own internal
policies. I wonder why they don't say whether they were able to perform any
remediation?

------
lifeisstillgood
I'm sorry but there is likely to be more to come. "All current and former
since 2004"... No one transfers _all_ the files by accident unless the systems
and controls and sheer "WTF am I doing this for" attitude is simply missing.

This, I will guess, is the least awful of a series of breaches to be released,
as everyone falls over themselves to check their seals.

~~~
fixermark
It's likely similar to the British NHS policy failure in 2014.

The shear between the tools publicly available on private data networks for
analyzing and slicing bulk data and the tools available on cloud networks is
wide and growing. As it continues to widen, you can anticipate that more and
more tech-savvy mid-level staff in government positions will look at the
status quo and say "I could follow policy to the letter, or I could use the
cheap-and-easy tools I'm familiar with to get some Goddamn work done and trust
that data living in AWS is at least as secure as where it currently lives, in
that tool-shed-looking building on the back of the base with the door that
doesn't quite latch correctly."

------
rezand
Ahem... I'm just going to leave this here for now on, when I spot the following
PR cliché:

[http://www.troyhunt.com/2015/07/we-take-security-seriously-otherwise.html?m=1](http://www.troyhunt.com/2015/07/we-take-security-seriously-otherwise.html?m=1)

------
curiousjorge
Who could possibly benefit by having this data? I don't think it's of any use
to scammers and criminals.

