Slashdot Mirror
What Federal Employees Really Need To Worry About After the Chinese Hack
HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
NO! A million times no!
Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your account.
The hack of fingerprint databases illustrates this. For example, someone with access to the hacked OPM databse can steal/copy your smartcard and can now impersonate you at will if you've relied on Smartcard + Fingerprints. Now, "something you have" could certainly be your fingerprint, but 2-factor auth is NOT "something you have" and "something else you have." Just like the bank's "security questions" are not two-factor auth, because they're "something you know" and "something else you know."