SIX MILLION fingerprints of US govt workers nicked in cyber-heist

The fingerprints of nearly six million US government workers were copied by hackers who raided Uncle Sam's Office of Personnel Management (OPM), it emerged today. Back in June, it was feared that crooks had made off with four million highly sensitive personal records on government employees from the OPM's systems, although …

  1. Only me!
    Trollface

    Oops

    I bet the thief will get fingered.........

  2. Anonymous Coward
    Anonymous Coward

    China does have a bit of a dilemma on its hands

    They run the Great Firewall to control connections in & out of the country, yet they claim they know nothing about the cyber attacks that emanate from Chinese IP addresses. Kind of hard to reconcile.

    1. Richard Jones 1

      Re: China does have a bit of a dilemma on its hands

      Nelson's telescope trick?

    2. Anonymous Coward
      Anonymous Coward

      Re: China does have a bit of a dilemma on its hands

      It's trivial to compromise a server or PC in China and run the hack from there. The IP will show up as being from China - it does not mean it's being directed from there.

  3. edge_e
    WTF?

    What I want to know is

    Why are their fingerprints on record in the first place?

    1. lambda_beta
      Linux

      Re: What I want to know is

      The government will be issuing new fingerprints for all who request them. Not to Worry!!

    2. Wzrd1 Silver badge

      Re: What I want to know is

      *Every* time I have had a background check for my clearance, my fingerprints are taken.

      After all, I should have to prove that I am me and not somebody else equally ugly as me.

      My DNA is on file as well, secondary to military service, so that my remains may be easier to identify.

      Now, how many CIA operatives' fingerprints were in that grab, who now will have one hell of a time covertly entering China as a businessperson?

  4. Andy Non Silver badge
    Joke

    As a security precaution:

    All government employees are being asked to urgently change their fingerprints.

    1. Anonymous Coward
      Joke

      Re: As a security precaution:

      Don't be silly - even the US Govt knows that's impossible. Instead they're going to introduce a super secret protocol, known only to US Govt employees: when asked to place your forefinger on a fingerprint scanner, use your index finger instead. That'll catch out any Chinese agents and their latex dodgy digits!

    2. Wzrd1 Silver badge

      Re: As a security precaution:

      I've changed my fingers instead, now with 15 digit, special, upper, lower fingers.

      Regrettably, due to a shortage, they're all thumbs.

  5. elDog

    Everyone I know has a recorded butt image

    Let's just switch over to those photocopied images of us sitting on the copier. Or if you are really old, sitting on the mimeograph.

    Just imagine the fun of looking at some fart's ahole when s/he was 19......

    1. Teiwaz
      Gimp

      Re: Everyone I know has a recorded butt image

      Project Starfish

      - scanning every U.S. govt employee's rear-end for security purposes...

      - It'll get derailed by budget problems designing a special reinforced ass-scanner.

      David Cameron (hence gimp logo) will hear about it and try to roll it out across the U.K., basically to keep up with the neighbours (and also the U.S. have started requesting ass-scans for all transatlantic passengers).

      Followed closely by fecal recognition cameras installed in the lavs at the next music festival.

      1. Wzrd1 Silver badge

        Re: Everyone I know has a recorded butt image

        I fear neither the bum recognition system nor the fecal recognition system.

        I'm an old fart, whose issue is more corrosive to lenses than hydrogen fluoride by far.

  6. Voland's right hand Silver badge

    While an icing on the cake, I fail to see the usefulness

    So what? What can an attacker do with them? If a particular level of access requires a biometric in addition to other credentials they have to have the "other" credentials first.

    Oh, I get it, considering their success rate so far we can pretty much assume that they have that too.

    1. Mark 85

      Re: While an icing on the cake, I fail to see the usefulness

      Go the other way.... if one "John Smith" is coming into China as a tourist, having the fingerprints might point out that he's actually "Fred Flintstone", CIA employee.

      1. a_yank_lurker

        Re: While an icing on the cake, I fail to see the usefulness

        Alternately, having the fingerprints is very convenient when you want to frame someone to turn them.

      2. Fred Flintstone Gold badge

        Re: While an icing on the cake, I fail to see the usefulness

        "he's actually "Fred Flintstone", CIA employee."

        Excuse me? :)

        1. Mark 85

          Re: While an icing on the cake, I fail to see the usefulness

          Oops.... grabbed a name out of the ether.... apologies.

    2. Anonymous Coward
      Anonymous Coward

      Re: While an icing on the cake, I fail to see the usefulness

      "So what? What can an attacker do with them?"

      Easy: fingerprint scanners will become very popular in the criminal world. Kinda sucks to do undercover work when they have a file which can identify you as a government employee.

      Whoever didn't do their job on security has got an awful lot to account for. If that isn't negligence I don't know what is.

  7. Ian 62

    Biometric revocation?

    So if a certificate is exploited, it can be revoked.

    If a password is cracked it can be changed.

    If your 2FA device is lost or nicked it can be replaced.

    What are we supposed to do when biometric credentials are hacked?

    If (or when) someone figures out a way to crack and exploit a biometric database, it's not like I can ask them to change my authentication details.

    1. Martin an gof Silver badge

      Re: Biometric revocation?

      "So if a certificate is exploited, it can be revoked.

      [etc.]

      What are we supposed to do when biometric credentials are hacked?"

      And it's not just your passport of course, it's your laptop or your mobile phone or - and this has really annoyed me - your bloomin' school dinner money. The school dinner service around here is rolling out fingerprint scanners to pay for school lunches. After a bit of a fuss by a relatively few parents (most people don't seem to care, frankly, but just look at the personal details people put online to find out why) the dinner service has agreed that the existing smart cards can still be used.

      They claim fingerprints are better because they are more secure and less likely to be stolen. Really?

      M.

      1. Anonymous Coward
        Pirate

        Re: Biometric revocation?

        Stolen? They can even be lost.

      2. Wzrd1 Silver badge

        Re: Biometric revocation?

        "They claim fingerprints are better because they are more secure and less likely to be stolen. Really?"

        We kept multiple fingers registered on a fingerprint time clock registration system at a hospital I worked at. One cut, a burn, etc can keep the scanner from registering the employee being present for work, with wage loss resulting.

        Eventually, the fingerprint feature was given up in disgust, as even the hospital CIO/VP couldn't register in with the bloody thing and only the ID card swipe was used.

        Largely because the hospital BOFH was getting irritated and several time clocks near the IT shop had suspicious laser holes through the case and circuitry that corresponded in direction to the closet where the security androids were stored. And the horrific accident with the elevator next to the HR department, which was odd, as HR was on the ground floor and no elevator was ever installed in that building.

        1. Anonymous Coward
          Anonymous Coward

          Re: Biometric revocation?

          "We kept multiple fingers registered on a fingerprint time clock registration system at a hospital I worked at. One cut, a burn, etc can keep the scanner from registering the employee being present for work, with wage loss resulting.

          Eventually, the fingerprint feature was given up in disgust, as even the hospital CIO/VP couldn't register in with the bloody thing and only the ID card swipe was used."

          You're confusing quality with functionality. Biometrics have two parts: the physical detector (fingerprint, retina scan or camera etc), the matching algorithm behind it and then there is also how they're implemented and used. You screw up in either place and you get what you deserve.

          Typically, such a cockup occurs because someone hasn't done their homework on the technology they plan to use. To start, I would not want anything I'd have to TOUCH in a hospital..

    2. James Micallef Silver badge

      Re: Biometric revocation?

      And that is exactly why using biometrics as passwords is idiotic. Consider 2FA best practice of 1 'what you have' and 1 'what you know'. A biometric is clearly something that you *have* but in many systems it's treated as something you *know*.

      This hack now means there's 6 million US gov employees whose identity, now and forever till their death, can be spoofed to a fingerprint reader (let's not kid ourselves about spoof-proof readers).

      Incidentally, according to OPM themselves, the total number of federal employees (executive + legislative/judiciary + military) = 4.185 million in 2014. So who do the other 2 million fingerprints belong to??

      https://www.opm.gov/policy-data-oversight/data-analysis-documentation/federal-employment-reports/historical-tables/total-government-employment-since-1962/

    3. VinceH

      Re: Biometric revocation?

      "What are we supposed to do when biometric credentials are hacked?"

      Amputation, with prosthetic replacement(s).

    4. Anonymous Coward
      Happy

      Re: Biometric revocation?

      use acid to burn them off and then use a hotpoint to carve new prints - enjoy!

      1. David Pollard

        Re: Biometric revocation?

        I did once wonder whether there might be a business opportunity in converting one of those laser thingummies that are used to correct people's vision.

  8. JeffyPoooh
    Pint

    "...an additional $21m in funding so that it can harden its systems to avoid this kind of hack in the future..."

    They'll add a new security system relying on the fingerprints of authorized employees...

    1. Anonymous Coward
      Facepalm

      Shit, that would be fucking hilarious.

    2. Wzrd1 Silver badge

      Well, if the employee is absent for registration, OPM can always ask the Chinese ambassador for a copy of that employee's fingerprints.

      Actually, two smart cards are used, a regular user account and an elevated user account to work on the machines.

      The system was considered insurmountable, while I chuckled at the notion. Shortly after, the middleware was abused to compromise the machine remotely.

      A couple of minor tweaks resulted in the ability to compromise the box when that employee is logged in with their smart card.

      Whenever someone comes up with a better mousetrap, some bastard bioengineers a smarter mouse.

      Interestingly, the one doing the bioengineering has a contract with the mousetrap company.

  9. Neil Barnes Silver badge

    Can't help feeling...

    as I'm sure I've said before, that any system that stores this sort of information should be airgapped. Whether or not the storage of this sort of personal data is required is another question, but given that it is, there is absolutely no reason why it should be on a networked machine, with physical access restricted to a very few.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can't help feeling...

      "any system that stores this sort of information should be airgapped"

      It should at a minimum be at least 2 layers away from any public network, on a separate segment so that access and possible breach attempts can be monitored, and on a platform that is hardened.

      The problem is that this is a reference system, so the data must be available to those authorised and that means it has to either live on a network or have controlled replicas. However, for most uses this precise data was not needed, only a yes/no and maybe a clearance level. In the case of FP authentication, all you'd need is the hashes of the fingers, and then a confirmation, maybe with some ID number. It would then be up to the clearance of the entity requesting the data whether they got any detail to go with it.

      Honestly, I cannot understand this. This is so stupid it almost seems intentional.

  10. kdh0009

    Where are my glasses?

    "the ability to misuse fingerprint data is limited,"

    That has to be a contender for short sighted statement of the year.

    1. Anonymous Coward
      Joke

      Re: Where are my glasses?

      "the ability to misuse fingerprint data is limited,"

      because we're using windows ME & NT4 and that doesn't support it.

  11. This post has been deleted by its author

  12. WonkoTheSane
    Black Helicopters

    Have they compared the live data to the backup

    There may be MORE records on the system than OPM think they had.

    Instead of STEALING the data, $FOREIGNPOWER may have ADDED their own spies records to the clearance database for later espionage.

    (El Reg needs a tinfoil hattery icon!)

  13. mtp
    Thumb Up

    Flaw with biometrics

    This is the big flaw with biometrics, you cannot revoke it when it gets compromised. If megacorp X has a password hack then at least the customers can change passwords and have some chance of getting through this unscathed. If Omni Consumer Products Y has a fingerprint database and it leaks (as it inevitably will) then the mitigation involves mutilation.

    (Icon picked for relevance not agreement)
