
China involvement suspected in hack of US health insurer Anthem - landryraccoon
http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored-hackers-seen-in-anthem-attack
======
malandrew
I honestly don't care who did this. Can we please take public key cryptography
mainstream now? The fact that basic metadata like name, birthdate, mother's
maiden name and SSN is sufficient to gain access to many aspects of my life
is ridiculous.

What I don't want to see is knee-jerk legislation that erodes our privacy and
rights further.

Really, just mandate by an act of Congress that companies need to rely on
public key cryptography within 5 years for everything and you'll see user-
friendly solutions appear really friggin quick.

I remember back when I was in banking when they announced some crazy retention
policies on all communication (written and voice) that weren't technically
feasible at the time Congress passed the laws requiring those retention
policies. Within a few years, there were a bunch of vendors with solutions for
the banks to implement. Necessity is the mother of invention. Invent a
necessity through an act of Congress and people will invent.

~~~
meowface
Do you mean public key cryptography as a replacement to a world-readable SSN,
or public key cryptography to prevent breaches like these?

The first suggestion would be much more secure but would be difficult and very
lengthy to implement, and the second would not have helped in a situation like
this.

~~~
malandrew
I'm suggesting the former. For every transaction where my identification needs
to be verified, I should be able to sign off digitally.

Identity theft is a completely made-up thing that used to be called fraud.
When it was called fraud it was the responsibility of the institutions to
protect themselves. Instead they use the words identity theft to make it the
problem of the victim. If someone goes to the bank and pretends to be me and
gets a line of credit, spends a ton of money, I am left holding the bag since
it destroys my credit rating. Yet I didn't do anything at all wrong. These
institutions rely on woefully inadequate measures to determine identity and
when something goes wrong, the person who should pay for inadequately
verifying identity is the financial institution that messed up and gave credit
to the wrong person under false pretenses.

Anthem is my insurer and now I'm responsible for dealing with the fallout from
every institution's completely inadequate processes for verifying identity.
How is that fair?

The solution isn't hard: you'd get an account with an identity signing service
that goes to great lengths to confirm your identity. Once your identity has
been confirmed, you either generate your own private and public keys and
upload your public key to them, or they can generate both on your behalf. After
that, you either host your own service to sign with your private key or you
redirect signing to the identity provider if they generated a key for you.

This is not a pipe dream. It just requires mandating that companies need to
require that you sign off on things cryptographically. If you have not signed
off, then the losses and consequences from fraud are their responsibility, not
yours.
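One way to work through the scheme described above (identity service vouches for a key, the customer signs each transaction, the institution verifies both before extending credit), as an added example that is not code from this thread: Go with the standard library's Ed25519, using a hypothetical attestation format constructed for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Attestation: the IdP's signed statement that a vetted subject controls a key (constructed format).
type Attestation struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte // IdP signature over subject || pubkey
}

// Authorization: the transaction text, signed with the customer's private key.
type Authorization struct {
	Transaction string
	Sig         []byte
}

// Issue binds a vetted subject to the public key they uploaded to the IdP.
func Issue(idpPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Attestation {
	return Attestation{subject, pub, ed25519.Sign(idpPriv, append([]byte(subject), pub...))}
}

// Authorize signs the exact transaction text with the customer's own key.
func Authorize(userPriv ed25519.PrivateKey, tx string) Authorization {
	return Authorization{tx, ed25519.Sign(userPriv, []byte(tx))}
}

// Verify is the institution's check: a trusted IdP's attestation for this
// subject, then a signature under the attested key over this exact transaction.
// Name, SSN and birthdate alone yield neither, so an impostor fails here.
func Verify(idpPub ed25519.PublicKey, att Attestation, auth Authorization, subject string) bool {
	if att.Subject != subject || len(att.PubKey) != ed25519.PublicKeySize {
		return false // wrong person, or a key ed25519.Verify would panic on
	}
	if !ed25519.Verify(idpPub, append([]byte(att.Subject), att.PubKey...), att.Sig) {
		return false // key not vouched for by the identity provider
	}
	return ed25519.Verify(att.PubKey, []byte(auth.Transaction), auth.Sig)
}

func main() {
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	att := Issue(idpPriv, "Jane Doe", userPub)
	fmt.Println(Verify(idpPub, att, Authorize(userPriv, "credit line 5000 USD"), "Jane Doe"))
}
```

An impostor who knows only the victim's name and SSN can generate a key of their own, but no attestation from the trusted IdP binds it to the victim, so the institution's check rejects the request.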

~~~
csirac2
A few countries already do this around the EU - Latvia, Czech Republic:
[http://www.ica.cz/Get-ZEP-package](http://www.ica.cz/Get-ZEP-package)

------
cddotdotslash
Is this just becoming the easy thing to do? Blame China or Russia while the
story is still hot off the press? It seems that every time a company is
hacked, the first thing they do is exclaim how some big, scary government is
behind it or how "incredibly complex" the hack was. "Oh yeah, we lost your
entire life's information, but _it was the most complicated hacking attack
we've ever seen_!" "Our team has never seen something of this magnitude." "We
immediately disabled the threat the second our complex internal systems
detected the activity." Every hack has the same corporate response.

~~~
famousactress
Super easy and really annoying but probably relatively effective PR. The news
on this stuff sees lots of eyeballs compared to follow-ups or clarifications.
Plus the consequences for being found wrong downstream are pretty minimal,
sadly. Casting these kinds of aspersions redirects fear & anger from the
company to boogeyman nation-states.

[Edit: I just noticed these are government and not private analysts making the
claims, so my comment is now a bit cynical for my own taste... but I think
it's still effective PR and I expect private security companies to field more
"So you're not saying it WASN'T North Korea, right?" kinds of questioning from
corporate clients.]

~~~
Estragon
> I just noticed these are government and not private
> analysts making the claims, so my comment is now a bit
> cynical for my own taste...

Not for mine... casting these issues as a threat to national sovereignty is a
great way to raise defense funding.

~~~
famousactress
Yeah, I don't object to suspecting our intelligence agencies have a habit of
using information to benefit their budgets in that way, especially when there
are opportunities to be technically accurate but let the media fill in the
blanks (i.e. "We think the hackers were Russian" becomes the headline "Russia
involved in hacks").

------
sandworm
"Sophisticated attack" = Norton Antivirus didn't stop it.

"Chinese" = we saw an Asian IP address.

"state-sponsored hackers" = This is war!

"Sophisticated attack by Chinese state-sponsored hackers" = force majeure.

Force majeure = We don't owe you a penny.

------
Zirro
"...and increased pressure on the U.S. government to respond more forcefully."

Rather than responding to hacks with counterattacks or an attempt at
diplomacy, the first priority ought to be to strengthen the defences of
companies handling sensitive data.

While a large system may never be made impenetrable, it could certainly be a
lot harder and more costly to pull off an attack against most of these
companies than it is today.

If this is considered a crisis, redirecting a few of those billions earmarked
for the NSA's offensive capabilities towards vetting and improving the security of
US companies would make a good strategy.

~~~
3am
Not sure about budgetary minutiae but surely this qualifies?
[http://www.cnet.com/news/obama-adds-14b-to-budget-for-stepped-up-cybersecurity/](http://www.cnet.com/news/obama-adds-14b-to-budget-for-stepped-up-cybersecurity/)

~~~
Zirro
Indeed, that seems very appropriate though arguably many years too late. I am
not an American myself, but I hope for their sake that it makes it through
Congress this time.

------
bendoernberg
Like how Russia was behind the JP Morgan hack, until they weren't?

USA Today, 10/07/14: "Report: Russian hackers behind JPMorgan Chase attack"

Reuters, 10/20/14: "Russia ruled out as culprit in Chase cyber security
breach, U.S. officials say"

[1]: [http://www.bloomberg.com/news/articles/2014-08-27/fbi-said-to-be-probing-whether-russia-tied-to-jpmorgan-hacking](http://www.bloomberg.com/news/articles/2014-08-27/fbi-said-to-be-probing-whether-russia-tied-to-jpmorgan-hacking)

[2]: [http://www.reuters.com/article/2014/10/21/cybersecurity-jpmorgan-idUSL2N0SF30M20141021](http://www.reuters.com/article/2014/10/21/cybersecurity-jpmorgan-idUSL2N0SF30M20141021)

~~~
meowface
The two headlines and claims aren't mutually exclusive. The FBI investigated
reports that the Russian _government_ was tied to the hack, and concluded it
wasn't. That doesn't mean the actors weren't Russian citizens and/or living
in Russia.

Just as an example, the Target and Home Depot breaches were almost certainly
conducted by the same fairly well-known group of Russian hackers and
fraudsters, but they have no known ties to the Russian government.

------
bsder
Yeah, it's China's fault <rolls eyes>

The fact that Anthem could not be bothered to spend the time or money to
secure their data until it was stolen has nothing to do with it. Not at all.

This is a ploy to get out from under the HIPAA liabilities.

~~~
blackbagboys
This attitude is pervasive on HN, and I find it a little baffling. If someone
took advantage of a lax property-management company to successfully burgle an
apartment complex, I can't imagine anyone being so cavalier about pursuing the
actual criminals behind the theft.

~~~
benmanns
Even if the apartment complex didn't lock the doors and didn't allow tenants
to put locks on the doors? If the apartment complex was supposed to have
employees that install and check locks and cut the budget? If those cuts
helped the apartment complex turn $2.56B in net income last year?

~~~
mbreese
It's still illegal to enter an unlocked door unless you're authorized.

Two things can be true: you should have locks on your door AND you shouldn't
enter someone else's unlocked door.

(Ironically, not locking your doors could also increase your insurance
rate...)

~~~
chrsstrm
So we should expect that criminals, who by definition violate laws and
regulations, won't do something simply because it is illegal?

In that case, we should just put trespassing and breaking and entering laws on
the books and call it a day, that should stamp out the problem immediately.

------
PhasmaFelis
I remember reading cyberpunk novels when I was younger, Neuromancer and
everything since, and thinking that all those stories about plucky hackers
cracking governments and megacorps were hopelessly mired in the '80s. In the
internet era, no group with millions of dollars to spend and a reputation on
the line could possibly have such shoddy security.

It really seemed to make sense at the time.

------
chiph
What's the advantage to the Chinese government in acquiring the personal info
of 80 million Americans? Are they going to bring it up in the next meeting
with President Obama? "You know, Barack, it'd be a shame if all that info
about your citizens got misused. A real shame-like." That'd be silly. I just
don't see their motivation in being behind it.

The usual motivation for stuff like spying and data theft is the acronym MICE
- Money, Ideology, Coercion, and Ego. It's unlikely to be money - we're
already shipping dollars over there like crazy. It's also unlikely to be
Ideology - the Central Committee are closet capitalists these days. Coercion -
I don't see them trying to trade this for reducing our support for Taiwan.
Ego. Ego is a possibility - but they're not teen-aged boys.

~~~
EpicEng
I haven't seen any official statement which implicates the Chinese government,
only that the attack may have originated from China. Very different things. If
the media is reporting it as the former then that's on them.

------
lsiebert
Is it weird that this would make me feel ever so slightly better that my info
got hacked?

I mean, I'm not a government worker or contractor. Even if I was, my password
is randomly generated and not used elsewhere. If it wasn't for-profit hackers,
identity theft with social security numbers is perhaps less of a concern. And
my password was randomly generated, so they can't get into any other accounts,
so identity theft and fraud based on it is probably the biggest threat.

I really wish there was a good health insurance company (or a single payer
system) I could switch to, but Anthem is honestly the least bad company
currently available to me.

------
SixSigma
If it was really detected at egress then that would make it a sloppy
operation. The Chinese should object to the FBI insulting their espionage
teams - or say it was just a training exercise.

------
contingencies
Ahh, politics: _(insert nebulous threat)_ is going to eat your children!

------
dev1n
_Officials at Anthem detected the theft of the trove of customer information
as it was being sent from its computers on Jan. 29, according to one of the
people, which they said is still in its early stages._

As others have pointed out, running a whois on the anthemfacts webpage returns
a registration date of 12/13/2014 [1] which is most likely when the breach
occurred. Not January 29th.

[1]: [http://whois.domaintools.com/anthemfacts.com](http://whois.domaintools.com/anthemfacts.com)

~~~
bbanyc
The domain doesn't prove they knew anything then. It's too generic, it's not
like it was something like anthemdatabreachfacts.com.

The company just changed its name from Wellpoint to Anthem in December and
could have bought up a bunch of "anthem*.com" domain names around then to keep
in reserve.

~~~
dmschulman
Or they bought the domain back then and planned to use it for this explicit
purpose. It's not a question of "will" a big company get hacked, it's a
question of "when".

Also I'm sure a major healthcare company that handles tens of millions of
sensitive personal records has enough foresight to see a data breach coming.
HIPAA and ACA probably mandate healthcare companies having this exact kind of
plan ready to deploy in the event of a hack.

~~~
yebyen
Come on, give them some credit for the facts they did provide. They detected a
breach where sensitive data was stolen on January 29th. This does not preclude
that they also detected a breach first, on or before December 13!

Did anyone record any downtime of their public-facing systems in this time?
You know when you're a sysadmin and you notice something really bad happening,
you shut down the affected systems immediately and try to minimize the damage?
You never know what kind of back doors have been put in place, after you are
breached.

It is also entirely plausible that the breach is still ongoing now, after a
month and a half why not, but they are just no longer able to detect it. These
people are some of the most important cogs in the health care machine, the
insurance providers! If they had some kind of downtime that was actually
affecting their ability to provide services, well then they might actually be
subject to some real form of legal action, maybe even pay serious damages to
their customers. Thank heavens that didn't happen!

They are paying lip service to security because it's not as important to them
as, you know, basically anything else. Like say, receivables. It's only
identity theft!

~~~
yebyen
Relevant:
[https://news.ycombinator.com/item?id=9012996](https://news.ycombinator.com/item?id=9012996)

"The company also confirmed Friday that it found that unauthorized data
queries with similar hallmarks started as early as Dec. 10 and continued
sporadically until Jan. 27."

