As soon as I read the headline, I immediately thought "AWS misconfiguration". A few recent massive government-data breaches (by contractors) have fallen into that category:
Note that all of these breach reports (including this Chicago one) come from Upguard, which seems to have a method for scanning/crawling public S3 buckets.
Isn't this considered public data anyways? Illinois (and I believe every other US state) requires that certain voter data be publicly accessible. To access it in bulk, you'll have to pay a small fee, but anyone can get this.
A misconfigured AWS instance is always an issue. I'm not trying to downplay that. Only that this data being released to the public isn't anything new - the public already had access to it.
No. The Chicago Tribune [0] reported on the type of data exposed:
> The files included names, addresses, dates of birth, the last four digits of many voters' Social Security numbers, driver's license and state ID numbers for the 1.8 million who are registered to vote in Chicago.
Well, there's an unpleasant reminder of why knowledge-based authentication should never be based on something immutable.
How many services do all of use use that accept name/birthdate/SSN as identification? How many other services, like phone companies, claim not to but would still yield for someone who sounded earnest and knew all of that?
And what can the leak victims possibly do? TFA is great where you can get it, but it's not universal, and none of this information can be refreshed.
Last four of social is so abused it shouldn't count, and date of birth is in nearly every company's loyalty database. That leaves drivers license and state ID number as the leaked data. I'm honestly not sure how important or secure those are.
Exactly. Every leak already has it. Every company already has it. The fact that fraud is trivial is already true, and this leak really adds little to it.
OK, now would be so kind as to pretend that we've been leaked your birth year and state of birth?
Before you answer, you may want to poke your answers into this site and have a look at the outcome: https://www.ssn-check.org/lookup/
Caveat: This tracks your issue date, not truly your birthdate. In the past couple of decades many/most babies get registered at birth, but if I stick my own (birth) data in there I actually get the wrong answer, because when I was born issuance wasn't automatic yet. But that will work for a lot of people.
Both the first three and the middle two have a pretty clear rhyme and reason to them which would likely make getting them right a not-so-difficult task after a bit of homework.
Voter registration data is available for purchase, but only by registered political committees and can't be used for commercial purposes. This also doesn't include a lot of the breached data like partial SS#'s and drivers license #'s. As a Chicagoan I'm not too happy about this breach, and there has been surprisingly little coverage of it locally.
Yes. One of my first jobs out of school I worked with a Standford professor Doug Rivers (@pollingpoint) that had millions of users voting records he obtained from the government for 'research' purposes. That data: your name, address, what party you are in, et al. is TOTALLY public and passed around legally to other research centers and government agencies. He had me match address information with other databases.
This is a false and defamatory. I (Chris Vickery) have never ransomed any data. I have protected the private data of hundreds of millions. Post some evidence or retract your comment.
I never said "you" (assuming it's really you, new account and all) ransomed the "data" specifically, but I do know of two instances where you threatened companies to go to their customers and/or the FTC unless they met your specific demands.
jsjohnst- I've posted on my twitter account (@vickerysec) to verify that this is indeed me. Now, please explain the two situations you refer to. I vehemently deny the accusation and would love to know the origin of those false claims.
So, what, now somehow a group of people impacted by this potential identity theft vector will need to rally together under some keen prosecutor to personally sue? Why aren't the vendors auto-summoned to court by the government when these breaches occur?</rhetoricalQuestion>
The free market says they don't care. I've had my identity stolen from a data breach. Could I have sued? Yes. Could I have led a class action lawsuit? Yes.
Did I? No. Why? I'm fine now and just like billions of other humans, I'm lazy and simply just don't care enough.
Recently, I got an email from AWS notifying my that one of my S3 buckets was publicly accessible (intentionally, for a static site). They really try to make sure that people can't screw this up.
As both a Chicagoan and (obviously) an Illinois resident, this means my voter info has been exposed twice this year alone.
Amazon sent out warning emails for owners of misconfigured boxes about 60 days ago. Why didn't the firm in question take action? I am an engineer and literally had to do that same task at work at that time. Easy as 2 clicks.
My guess is they were staffed with contractors to build it out and it was no ones responsibility to maintain after they left. I've seen that happen more than once..
I've wondered before why the UK doesn't have e-voting, and after watching it is sort of seems obvious. With traditional voting, it can easily be changed on a small scale, but is very hard to do in a meaningful way. Whilst with e-voting, its almost just as much effort to change on a small scale as a bigger scale, with much fewer people being involved.
I particularly like the idea that the reason we use pencils is as a protection against somebody replacing pens with ones with invisible ink. Not sure if this is true though.
It's worth noting that SSN is far worse than a credit card number.
"Something you know" isn't a great standard as the entirety of auth, but it'll probably stay common for practical reasons. But "something you know and can never change if breached" is absolutely idiotic, and there are plenty of good alternatives already in existence.
Currently it's between 48 months and 27 years (see federal sentencing guidelines) if caught. What sort of real consequences would you like to see? I don't think making the numbers above bigger would make that much of a difference.
I just looked around and only found 42 U.S. Code § 408, which offers a maximum penalty of five years (higher for Social Security workers or medical professionals engaged in fraud).
Also, the vast majority of the text concerns misuse of an SSN to defraud of mislead the government, particularly by claiming benefits. (8) does read "discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States", but at a quick look I only see prosecutions where that was tied to benefit fraud.
I don't think 5 years is an insufficient sentence, and I think the urge to raise sentences as a deterred is usually counterproductive. But I do think there's room for progress here.
Most SSN abuse as identification appears to be prosecuted as simple identity theft, not SSN fraud. Adding the secondary charge specifically for SSN abuse might encourage thieves to rely on other, less permanent information like passwords.
More broadly, I'd rather see the government concede that SSNs have become a standard form of identification, and make the renewal process less heinous. Right now you have to show grievous hardship over an extended period, can't appeal a bad decision, and will still lose your credit history when the new one is issued. That's simply not a reasonable system for a number people are expected to give out so often.
Well, I haven't yet patented an alternative, but I think it's pretty clear that, in this climate of routine breaches, the old system of secret data is no longer viable.
But, if you're interested in building an alternative, then off the top of my head, I'd suggest that we've got the blockchain. We've all got omnipresent palm-sized computing devices. We've got 2FA schemes, and more. The tools are there for you to create a much more robust system than one that says "here are a handful of secret numbers. Don't let anyone else see them or else your life may be ruined".
How far fetched would it be for this data to make it's way into Cambridge Analtyica-type targeting for future election advertising?
Putting on my tinfoil hat for a moment, I have this nagging feeling in my guy that these issues are a little too coincidental.
So how can we make sure all this data isn't used to tamper with voter rolls or uploaded to FB, etc. to create Custom Audiences based on voting history and district?
AFAIK, the latter use-case is currently done all the time. Much of the data can be obtained legally, and is public data. Political campaigns are most definitely using all the data they have on you, including public data/legally-obtainable information such as voter turnout history/registration/party affiliation, street address, etc. to do targeting advertising already.
I can tell you that campaigns have much of this information already, often provided directly by the state as public information. The idea that campaigns don't already "create Custom Audiences based on voting history and district" is laughable at best. Communications are often targeted in exactly this way.
"Voter registration information is public record in Florida with a few exceptions. Information such as your social security number, driver’s license number, and the source of your voter registration application cannot be released or disclosed to the public under any circumstances. Your signature can be viewed, but not copied. Other information such as your name, address, date of birth, party affiliation, and when you voted is public information."
The data is for registrations, not who actually voted. There's probably quite a few people who are deceased or moved who are probably still in the registration db.
Is there any way for one to know if their info has been exposed? I had been registered to vote in Chicago ~6+ years ago but have since moved. Knowing Chicago, I'd bet I was still on the rolls (and probably having ballots cast for me ;)
Not sure why my original question has been down-voted. I think it's a legitimate issue – when things like this make the news, there's often an interest for potential victims to find out if they've been put at risk. Many companies go out of their way to protect their customers/users with offers of identity monitoring/credit monitoring, etc – will the city of Chicago do the same?
Not a particularly useful comment but if you read the article it does say that there were admin credentials to the voting systems in the then publicly accessible data, so maybe.
It does, however also say that there is no indication the data had been accessed previously, not that I believe that statement.
Where are you getting your 2.1 million figure? It was 913,000[0].
Combined with 699,000 votes for Clinton/Kaine from suburban Cook County[1]—whose voters seem to have been unaffected by this breach—you get the 1.6 million number reported by AP for the county[2].
I'm pretty sure this is a reference to the "vote early and vote often" phrase that is typically correlated with Chicago, and especially with the Democratic machine politics.
Someone else in this thread made a similar joke and has an all too literal response. I'm starting to think our irreverent sense of humor for our city's politics doesn't translate well.
Choosing to abdicate your civic responsibility is certainly your right but this is easily the most bullshit rationale I've heard offered to support the choice. I'm guessing you also don't shop at Target or Amazon?
As soon as I read the headline, I immediately thought "AWS misconfiguration". A few recent massive government-data breaches (by contractors) have fallen into that category:
June 2017: http://gizmodo.com/gop-data-firm-accidentally-leaks-personal...
May 2017: http://gizmodo.com/top-defense-contractor-left-sensitive-pen...
Note that all of these breach reports (including this Chicago one) come from Upguard, which seems to have a method for scanning/crawling public S3 buckets.