Hacker News new | ask | show | jobs
by adolph 839 days ago
Since the user's eyeballs don't have builtin decryption there is a window of opportunity to steal information after encrypted at rest and encrypted transport. Hopefully vendors will be able to fix this defect by using Neuralink.
2 comments
MichaelZuo 839 days ago
You can also solve this problem by air-gapping any part of the system with physical human interaction.
link
Aeolun 839 days ago
If it’s at rest encrypted you generally do not manage to get 4TB of data before anyone notices.
link
reaperducer 839 days ago
If it’s at rest encrypted you generally do not manage to get 4TB of data before anyone notices.

If you're talking about your own personal hard drive in your home, yes.

But in this case, we're talking about a huge company conducting literally billions of database queries for tens of thousands of clients an hour.

You only have to have a listening post in one small part of the system that can see things in plaintext for a short time in order to accumulate 4TB in a matter of days.

link
adolph 838 days ago
Looks like the issue has to do with claims processing between pharmacies and UHG, effectively data in flight not at rest.

"We estimate more than 90% of the nation’s 70,000+ pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cyber security issue; the remainder have offline processing workarounds," Mason said.

https://www.bleepingcomputer.com/news/security/unitedhealth-...

The pharmacy network, which connects pharmacies and PBMs, is in final end-to-end testing with our partners. We anticipate that our Change Healthcare Pharmacy network will be back online for the vast majority of submitters as soon as Thursday.

https://www.unitedhealthgroup.com/ns/changehealthcare.html

link
blincoln 839 days ago
I think you'd be surprised.

How many organizations have their "encrypted at rest" data in a cloud provider account that's set up to give all developers (or at least all production support engineers) access to decrypt the data, maybe even transparently?

How many have the "encrypted at rest" data on servers that are set up to give all administrators transparent access to the data?

How many only allow application service accounts access to decrypt the data directly, but the credentials for those service accounts are stored as Kubernetes secrets that anyone in IT can read?

Etc.

link
nradov 839 days ago
I can guarantee you that UnitedHealth Group (Change Healthcare) doesn't give regular developers the credentials to decrypt production data, or access production environments at all.
link
adolph 838 days ago
probably not "developers," probably "data scientists"

Executives at UnitedHealth Group told workers to mine old medical records for more illnesses, to identify diagnoses of serious diseases that might have never existed, inflating bills paid by the federal government's Medicare Advantage program.

https://en.wikipedia.org/wiki/UnitedHealth_Group

link