
Personal info of 93M Mexicans exposed on AWS - elorant
http://www.databreaches.net/personal-info-of-93-4-million-mexicans-exposed-on-amazon/
======
jordigh
They've identified who leaked the database to AWS:

[http://www.diariodemexico.com.mx/inemexico-encuentra-quien-f...](http://www.diariodemexico.com.mx/inemexico-encuentra-quien-filtro-lista-nominal-amazon/)

The government isn't publishing details, but the article gives the impression
that it was some Mexican political party acting out of line who should not
have uploaded this data to US servers. It appears that each party receives a
copy of electoral registrations.

What the hell? I didn't know every party got a copy of all voter
registrations. This seems grossly undemocratic.

~~~
Spooky23
In the US, voter registration is completely open. You can walk down to your
Board of Elections and look at the full register, including party registration
and whether you voted or not.

For contested elections, party inspectors will note active voters who haven't
voted yet and report, which generates phone calls or even volunteers dropping
by to drive voters to the polls.

IMO, transparency is required for democracy.

~~~
laen
Exactly. I'm failing to see why this story is generating so much interest.

Here's one of the 50 websites where you can see every American citizen
registered to vote... includes their DOB, Address, Voter ID etc...

[http://www.oklavoters.com/](http://www.oklavoters.com/)

and while you're there check out the removal request policy page - it's quite
humorous.

EDIT: If you are wondering how the website obtained data specifically for
Oklahoma please see
[https://www.ok.gov/elections/Candidate_Info/Voter_List/index...](https://www.ok.gov/elections/Candidate_Info/Voter_List/index.html)

~~~
yxlx
>check out the removal request policy page - it's quite humorous.

I found it childish and unprofessional, just like the reply letters TPB wrote
in response to DMCA requests.

~~~
Hondor
In both cases, don't forget who it's addressed to - people who have made rude,
unreasonable demands and threats. Those people are bullies so it's fair to
insult them.

~~~
facetube
_Those people are bullies so it's fair to insult them._

Ladies and gentlemen, this is why we can't have nice things (as a species).

------
verelo
This title seems a bit off. Mentioning the hosting provider like this almost
implies the leak is the fault of AWS, which to me feels like blaming Lexmark
for someone printing sensitive info and then leaving it in the printer for
others to find it.

~~~
ihsw
This happened the same time a while ago -- at the time it was a misconfigured
S3 bucket but the title was worded in a way that made AWS to blame.

This seems to be a misconfigured MongoDB server hosted in AWS but details are
scarce.

Personally, with the vast swaths of PII data being leaked, I am interested in
whether there is a global database of these people yet. Not for nefarious
purposes, mind you, but for global legal representation not limited to voting.

~~~
ryanlol
It's not misconfigured, this is how mongo is intended to work.

~~~
skj
It's misconfigured in that you can reach the host at all.

------
partisan
> Chris decided to report his discovery to the State Department and let them
> contact their Mexican counterparts in the spirit of cooperation. When he got
> no meaningful response, he reached out to the State Department’s Office of
> Mexican Affairs, who told him they would forward his alert up the chain.
> When that still didn’t achieve the desired results of getting the database
> secured, Chris contacted the U.S. Secret Service, Department of Homeland
> Security, and US-CERT

I definitely am all for doing the right thing and I might make a best effort
in the same situation, but that's pretty gutsy. My overdeveloped sense of
paranoia would tell me that contacting these agencies would put me on all
sorts of lists I wouldn't want to be on. Who knows how easily "There
is a data breach" could become "I have your data, meet my demands".

~~~
arcticfox
I agree, your sense of paranoia is overdeveloped.

~~~
astrodust
Given how the Department of Homeland Security thinks a tiny bottle of
mouthwash is a threat to national security, I wouldn't trust them to
understand what a computer does.

~~~
arcticfox
Yeah, but that's theater performed by low-wage employees. I think it's
extremely unlikely that sending a tip to help higher-level officials is
going to accidentally get you on some watch list, as long as you're acting in
good faith.

~~~
astrodust
Any organization that hires these security muppets in the first place is not
one I'd put any trust in _whatsoever_.

If some awful, unfortunate thing does happen on their watch I honestly hope
the first thing they do is get the hell out of the way so professionals can
handle the situation.

------
username223
"MacKeeper[1] security researcher?" It's good to know that the crapware you
have to remove from your parents' computer, which they installed thanks to
dishonest pop-unders, is funding something useful.

[1]
[https://en.wikipedia.org/wiki/Mackeeper](https://en.wikipedia.org/wiki/Mackeeper)

~~~
antoncohen
That was my reaction too. I looked into it, the MacKeeper security researcher
is Chris Vickery. In December 2015, while not employed by MacKeeper, he
discovered a database of 13 million MacKeeper usernames and passwords [1].
MacKeeper then hired him in January 2016 to create an "Analytical and Security
Center" [2].

[1] [http://krebsonsecurity.com/2015/12/13-million-mackeeper-user...](http://krebsonsecurity.com/2015/12/13-million-mackeeper-users-exposed/)

[2] [https://www.linkedin.com/pulse/mackeeper-chris-vickery-launc...](https://www.linkedin.com/pulse/mackeeper-chris-vickery-launch-security-research-alliance-corp-)

------
jordigh
93 million Mexicans? That's 78% of all Mexicans, essentially every adult. Wow.
I'm kind of glad I haven't registered to vote recently, but perhaps my old
registration which I haven't renewed is still there. My only consolation is
that most of the troublesome information such as occupation and address would
be outdated for me.

~~~
necessity
Here in Brazil there are websites which will give you info (address,
telephone, mother's name, even salary) on basically anyone. They take it from
CADSUS, i.e. the SUS (public health system) registration system, which is
available for every public hospital to do queries, but those hospitals receive
a default and very common username/password combination which they usually
don't change. They also take info from credit protection agencies such as
Experian (presumably some employers sell access passwords).

It's completely nuts. I always give fake or incomplete information to
everyone, private or public (and you must give info for practically anything
here). If it's absolutely necessary to give real info, then I never update it.

------
yoo1I
> Amazon’s automated system for reporting abuse was equally frustrating to
> navigate, Vickery said. It repeatedly asked him to submit irrelevant
> information. [0]

This is generally a problem I've come across multiple times. Small hosters are
usually quicker to respond (or they don't at all), and then actually try and
handle malicious hosts on their networks.

The large ones like Amazon or CloudFlare (especially CloudFlare) have a semi-
automated process, where the impression I get is that I am talking to a really
stupid bot. Or when I get through to a human, that they are so overworked that
they aren't able to comprehend the sentences I write to them in plain
English, so nothing gets resolved. Or they just forward my info to their
customers, which in many cases is a real security risk.

[0] [http://www.dailydot.com/politics/amazon-mexican-voting-recor...](http://www.dailydot.com/politics/amazon-mexican-voting-records/)

------
deepnet
Insufficient security at a national level has been frontpage of hnews all this
week from various countries: Turkey, USA, Malaysia, Mexico, &c.

From this and many other leaks and breaches from companies, governments &
institutions one could deduce security is imperfect & digitally massively so.

Identity theft is rampant; Biometrics are irrevocable - yet the solution is
used by most people everyday.

Cryptography solves both the problem of identity and privacy simultaneously.

It is establishable as persona via chains of trust, e.g. PGP signing.

Apart from societal control there seems no good reason not to adopt a system
whereby everyone is issued a private and public key - which signs every email,
bank instruction, communication & vote.

Akin to good practice being to store only password hashes so _only_ the
individual possesses the secret.

One's identity would be one's own responsibility and huge leaks like this would
reveal nothing but a list of public keys obtainable by crawling the web.

One can imagine a dystopian future nation where individuals must fight to
protect their basic fundamental rights from state level adversaries operating
outside the law - punchline is the worst threat is their own government.

Ever since Gibson the best science fiction is set in the present.

~~~
icebraining
Some countries are already implementing that - for example, in Portugal, the
Citizen's Card is a smartcard with a private/public key pair, signed by the
issuing department, and which one can use to login to certain governmental
sites (like the IRS) and to sign documents. I hear Estonia has a similar
system.

While I think it's a good idea for services that already required official
documents (governmental services, bank accounts, certain utility contracts), I
fear that once the system is actually used by most people - right now it's
still mostly ignored - more and more services that were once somewhat
anonymous will start requiring the card, since the barrier is much lower than
having to send an authenticated photocopy.

~~~
deepnet
Cryptography is useful for anonymity in that it doesn't have to be tied to a
real identity and PGP keypairs can be generated by anyone.

This allows anonymous accounts that are also verifiable.

National ID databases or Government Overreach can be enacted using an insecure
system like Social Security Number as a database key, already.

Certain private elements of one's file, such as credit card, or medical
records, could be kept encrypted until the citizen grants a temporary access
token.

------
jeffdavis
Can someone explain the significance of AWS in this story?

~~~
akerro
New ground breaking application written in NJS!

------
SeanDav
Chris got lucky - he is lucky he is not under criminal investigation for
hacking or even spying. It is a sad fact that all too often the people who
bring attention to data breaches and security issues get targeted and accused
of hacking. The people involved do not want to admit they are at fault, so try
to justify this by saying the whistle-blower / good Samaritan is criminally
accessing the data.

If one discovers a security issue or data breach, it is best to either do
nothing, or at most raise the issue very anonymously.

------
cddotdotslash
The article isn't entirely clear how AWS is at fault here. Usually, it comes
down to misconfigured AWS settings which are the users' responsibility in the
shared security model. A shameless plug, but there are ways to scan your
account for these misconfigurations which can lead to leaks like this. I've
been working on CloudSploit
([https://cloudsploit.com](https://cloudsploit.com)), an open-source and
hosted scanning service that can continually check your accounts for these
kinds of risks.

------
imaginenore
> _" and their unique voting credential code (number/identifier)"_

I find this the most interesting. I thought of a voting system where every
citizen gets a unique voting key. It obviously would be a huge mistake to vote
directly with such a key. Signing your voting decision makes a lot more sense.
This way only the government and you know the key.

I wonder what will happen now, looks like they will have to reissue 93M codes.

~~~
holiveros
It's not a signing code, votes are truly anonymous; it's the unique serial of
the physical card and one of the various citizen IDs used in the country.

These numbers are typically abused in mass fraud for government
monetary/physical goods assistance programs.

------
flying_dutchman
Does anybody have contact details for Chris? My wife is a journalist in Mexico
and looking to get in touch. I have the admin@databreaches.net address

~~~
antoncohen
cvickery@kromtech.com, found at [https://mackeeper.com/blog/post/197-the-danger-of-apps-that-...](https://mackeeper.com/blog/post/197-the-danger-of-apps-that-die).

------
alex_g
Can someone explain how MacKeeper was the one to figure this out? I thought
all they did was spam the internet with popups.

------
jbpadgett
According to the world bank, 2015 population of Mexico is around 125 million.
This means that roughly 75% of the population could be affected.
[http://data.worldbank.org/indicator/SP.POP.TOTL](http://data.worldbank.org/indicator/SP.POP.TOTL)

------
Aelinsaar
The INE really screwed the pooch this time; 93 million is essentially every
adult Mexican!

------
known
[https://en.wikipedia.org/wiki/Cloud_computing#Private_cloud](https://en.wikipedia.org/wiki/Cloud_computing#Private_cloud)
could have prevented this mess

------
amelius
I think it is surprising we didn't see any breach of data from an advertising
network yet, given the shady nature of that industry.

------
savrajsingh
Searchable database for Oklahoma:
[http://www.badvoter.org](http://www.badvoter.org)

------
kapad
Any details on what exactly was the misconfiguration in mongo?

~~~
rbanffy
For one, it should never have a publicly accessible IP.
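The subthread above disagrees over whether "misconfigured" is the right word for a mongod that listens on every interface with no authorization. Below is an added example (my own, not from the article or anyone in the thread) that audits a mongod.conf for exactly that pattern; the two sample configs are constructed, and the `binds_all_by_default` flag is an assumption standing in for older builds whose default was to listen on all interfaces.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_mongod_conf(text: str) -> dict:
    """Tiny parser for the 'section:' / '  key: value' layout of mongod.conf (not general YAML)."""
    conf: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw[:1].isspace():                # unindented: a section name
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value.strip()   # NB: IPv6 literals would be split at ':'
    return conf

def audit_exposure(conf_text: str, binds_all_by_default: bool = False) -> list:
    """Findings for the thread's failure mode: mongod reachable from the network without auth.
    binds_all_by_default models old builds that listened everywhere unless told otherwise."""
    conf = parse_mongod_conf(conf_text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else (
        ["0.0.0.0"] if binds_all_by_default else ["127.0.0.1"])
    bind_all = net.get("bindIpAll", "").lower() == "true"
    exposed = bind_all or any(a not in LOOPBACK for a in addrs)
    auth_on = sec.get("authorization", "").lower() == "enabled"
    findings = []
    if exposed:
        findings.append("net.bindIp listens beyond loopback: "
                        + ("all interfaces" if bind_all else ", ".join(addrs)))
    if not auth_on:
        findings.append("security.authorization is not 'enabled': no credentials required")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated mongod reachable from the network")
    return findings

# Constructed sample configs; nothing about the real server's settings was published.
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0   # every interface, including the instance's public address
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

Binding to loopback (or a firewalled private address) and enabling authorization are independent controls; the audit reports each separately and escalates only when both are missing.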

------
batat
Someone should make MongoRoulette.com at last.

