Apr 272016
 

A reader kindly informed me that Movimiento Ciudadano, one of the political parties that had legitimate access to Mexico’s voter data list, has admitted it was responsible for the leak on Amazon. Except that as I read more, I realized they weren’t really admitting they were responsible for the leak.

I’ve been trying to read/translate a number of news stories on today’s developments, including the political party’s statement (ES).

From what I’m reading in their statement and from a number of sources, it seems like the Citizens Movement party is filing a criminal complaint against Chris Vickery, claiming he broke Amazon’s great security, or some such nonsense. They write, in part:

Para hacer pública la información que estaba salvaguardada en los servidores de Amazon Web Services fue necesario violar las medidas de seguridad a través de métodos altamente especializados, característicos de hackers profesionales.

To be clear: Chris Vickery never hacked into the database. Citizens Movement left port 27017 open, and so anyone and everyone could access it and download the voter data with no login required. Amazon was not responsible for securing that database and Vickery didn’t break any security: there was no security, and that was Citizens Movement’s responsibility.

Trying to make it out that Vickery engaged in criminal conduct  is a lame attempt on their part to deflect blame for their infosecurity failure. It is especially lame in light of how appreciative Mexico INE has been of Vickery’s discovery and notification.

In response to an inquiry from DataBreaches.net, Chris Vickery issued the following statement:

I strongly deny any accusations of hacking. This database had no password or
any other protection enabled. It was being published openly to the world.
There simply was nothing to hack even if I had wanted to do so. I have
screenshot evidence proving this.

If the database was protected in any way, it would not have appeared in the
Shodan search engine. The attached screenshot is directly from the Shodan
results page.

shodan_screenshot

Screenshot courtesy of Chris Vickery

Vickery added:

I have reached out to Amazon and am awaiting a reply regarding whether or not
Amazon informed the “Citizens Movement” that there was a hacking incident.

  4 Responses to “Movimiento Ciudadano admits it was their copy of the Mexican voter list on AWS, tries to deflect blame to researcher”

  1. I did my best efforts to traduce the political party statement to English:
    If there is something that is not clear, please notify me.

    **********************************************************
    http://www.elfinanciero.com.mx/nacional/mc-reconoce-que-subio-lista-nominal-a-nube-de-amazon.html
    “Movimiento Ciudadano” (Citizen Movement) Admits that they uploaded the Nominal List to Amazon.

    Dante Delgado, leadership member of the political party said that they uploaded the information of the “Padron Electoral” to Amazon’s Cloud. They do it because of recommendation of Indatcom (Apparently a company that offers consulting on telecommunications ).

    They uploaded just 1 of 3 copies that INE gave them.

    Leader from “Citizen Movement” recognized this Wednesday that they uploaded the information of 90 million Mexicans to amazon web services.

    Dante Delgado, inform that, for recommendation of indatcom, they decided to protect in amazon’s site 1 of the 3 copies that the INE gave them in a USB drive in February 2015.

    They give back the other 2 drives to the Executive direction of the Federal Register of voters.

    Delgado said in the press conference at the INE facilities:
    “One of the arguments presented to select the Amazon Web Services to protect the information is that it is a company with higher security standards and data protection worldwide, and because some of they clients are NASA, Samsung and US Universities like Chicago, Notre Dame and San Francisco”

    Delgado also added that the past April 22th, Amazon(?) notified to Indatcom that the contracted server suffered a cybernetic assault, and that the safeguarded information was compromised because of an external attack, and as part of the security protocol amazon removed the data.

    Citizen Movement was notified when the Cyber Police downloaded the data.

    Dante Delgado denied that Citizen Movement violated the law when they uploaded the data to Amazon’s site.
    They received the data on February 15 2015 to make observations in the context of the elections of that year.

    He also affirmed that his political party decided to do this upload to secure the database and to not be a victim of its misuse.

    They did this, because in 2013 a copy of the list appeared on sale at buscardatos.com site. Because of this, INE fined citizen movement with 76 million pesos some weeks ago.

    Delgado added that they presented a complaint to the FEPADE (a institution for Electoral Crimes) against the hacker who originaly found the data and notified the INE.

    **********************************************************

    My personal thought is, that they are trying to blame other people for their mistake.

  2. Disgraceful excuse of a political party. Here’s their attempt at covering themselves up translated. Oh, and on behalf of the Mexican people I’d like to apologize to Chris Vickery that has been now apparently made the target of politicians trying to justify themselves (just check out the number of references to “highly specialized cyber hackers” in this “statement”).

    1. February 12 2015, Movimiento Ciudadano received thee copies of the nominal electors’ list on USB devices for revision, like required by law.

    2. The National Operative Commission, governing body of Movimiento Ciudadano decided to return unopened two of the aforementioned copies and backup the third copy, with the purpose of ensuring its integrity.

    3. The decision to backup was made considering the resolution by the National Electoral Institute (INE) of sanctioning Movimiento Ciudadano, alleging carelessness in the care of the electoral roll. That sanction was contested for lack of footing because in no moment there was any proven link between Movimiento Ciudadano and the company that published the roll; actually we’re awaiting the final resolve from the Federal Electoral Court.

    4. The National Operative Commission requested to the company Indatcom, Movimiento Ciudadano’s tech provider, assistance on the best way to backup information.

    5. Derived from their advice, the National Operative Commission approved unanimously the decision of making the secure backup on servers property of Amazon Web Services; backup, protection and data administration company that has the most advanced security measures and the best reputation in the world.

    6. In the arguments presented to select Amazon Web Services for saving the backup, we noted that it’s the company with the highest security and data protection standards in the world, and has companies and organisations such as NASA, Samsung and American universities such as Chicago, Notre Dame and San Francisco as their customers.

    7. The company Indatcom S.A de C.V. made the necessary arrangements to hire Amazon Web Services, to secure the information, and delivered passwords and the exclusive access to the server to the Documents and Information Center’s Direction of Movimiento Ciudadano.

    8. On Friday April 22 we were notified, through our tech services provider (Indatcom) that Amazon Web Services notified them that the used server had suffered an cybernetic breach, that the information secured was compromised by an external attack and, as part of their security protocol, requested removal of it.

    9. Indatcom notified me immediately, in my capacity as coordinator of the National Operative Commission, and I decided to comply with Amazon Web Services’ request, so I gave the order to take down the content permanently.

    10. Ta make public the information stored in Amazon Web Services’ servers it was necessary to violate security measures through highly specialized methods, a characteristic of professional hackers.

    11. Having said that, it is evident that the stored information was never for sale, it was never commercialized and there wasn’t any bad use given to it; nor was it made public for general users, but the assistance and intervention of highly specialized hackers was needed to breach the security protocols to obtain it.

    12. Under the above, today we file a criminal complaint against who was responsible for the cybernetic attack and that had as a purpose accessing by illegal means the information that we stored in one of the most prestigious and recognized data backup and securing companies. Movimiento Ciudadano demands punishment for the cybernetic thieves that violated our security protocols.

    13. I take this opportunity to communicate to the president councilor that we’re on the same side on this new front for the defense of the Mexicans’ personal data and for the digital security of the nation, and that in all moments we’ll collaborate with the National Electoral Institute (INE), and with other authorities that are involved, to find and punish the hackers that launched this cybernetic attack.

    14. This situation shows the latent risk that all digital databases available to the Mexican state are exposed to and it highlights the need to rethink and to make laws regarding digital security to secure the right to privacy and the personal data protection. Our deputees assume the commitment to take this issue to the Union Congress in the next days.

Sorry, the comment form is closed at this time.