The Office of Personnel Management announced that 5.6 million people are now estimated to have had their fingerprint information stolen – originally thought to be about 1.1 million. About 21.5 million individuals had their Social Security Numbers and other sensitive information affected by the hack. Security Experts from STEALTHbits, Lastline, Tripwire, Lieberman and Securonix have the following comments on OPM Breach.
[su_note note_color=”#ffffcc” text_color=”#00000″]Jeff Hill, Channel Marketing Manager, STEALTHbits :
“Public details of the OPM breach are sparse. We don’t know how long the attackers operated on the OPM network undetected. We don’t know the means of initial infiltration. However, that the Government is revising its damage estimates yet again implies the extent to which sensitive data was exposed is still unclear, a troubling development further suggesting the time between initial breach and detection was substantial. It takes time to compromise privileged credentials, find the sensitive personnel data those credentials have access to, and exfiltrate millions of records without attracting attention. Few in the data security world would be surprised if we eventually learn the bad actors operated with relative impunity on the OPM network for a timeframe measured in months, if not years.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Giovanni Vigna, CTO of Lastline :
“This clearly exemplifies the weaknesses of some kinds of biometrics. Biometrics are based on what a person “is”, instead what a person “knows” or “has” (which are the basis for traditional security systems). If the secret on which the biometric system is based is disclosed, it cannot easily be changed, because it is directly related to the body of a person. Changing your fingerprints can be a painful proposition, especially as these breaches become more common (yes, it’s a joke)…”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin Director of IT Security and Risk Strategy at Tripwire :
“One of the key challenges with biometric authentication is that it’s immutable. You can’t change your fingerprints, retinas or voice prints. When biometric credentials are compromised, it’s very hard to recover. Using multi-factor authentication can provide mitigation in these cases. The best authentication, as the old adage goes, requires something you are, something you have and something you know.
“While cybercriminals may not be positioned to leverage stolen biometrics now, that will change as these types of authentication are more widespread. Most iPhones can use a fingerprint for authentication these days, and criminals always look for the most profitable targets.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy for Lieberman Software :
“Biometrics like fingerprints are the passwords of the future, and the staggering 5.6 million people of interest who have had their future passwords stolen from OPM are exposed to potential threats no one really understands. If they are used well, fingerprints can be a very strong way to secure systems. As we learned from the recent Ashley Madison analysis, though, you can take potentially good security (encryption in that case) and use it so poorly that the bad guys get a big leg up. In theory, these fingerprints stolen from OPM shouldn’t be able to do much harm right now. But who knows what shortcuts may exist in future applications that will allow a mere shadow of a print like the data OPM had to become the way some future breach is pulled off.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Igor Baikalov, Chief scientist for Securonix :
“OPM got it all wrong again: it’s not the affected individuals, it’s the government that needs identity protection! Contrary to a popular belief, fingerprints are not unique, and out of 5.6 million fingerprints compromised, there can be quite a few people who have fingerprints similar enough to be accepted by the biometric authentication system. Now, if there is someone with access to top secret information, and his fingerprint data can be matched to someone else with a known gambling problem (known from the background checks also leaked by OPM), the attacker has a way to potentially circumvent biometric authentication. Farfetched? Probably, but not impossible. The only good news might be that government is so much behind in implementing biometric authentication, that this threat will not materialize in the near future.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.