Friday, April 29, 2016

Don’t be such a weenie.  Admit you screwed up.  (It will save you so much embarrassment later.)
DataBreaches.net is not alone in being outraged that in response to a massive data leak that put the information of 87 million Mexican voters at risk, Movimiento Ciudadano appears to be falsely claiming that the voter data list they stored on Amazon cloud was “hacked.”  The political party has been repeating that false claim on Twitter and in the media, and has claimed to have filed a criminal complaint against Chris Vickery for allegedly hacking them.
Instead of being grateful that Vickery noticed that they had not secured their database and then spent a lot of time trying to identify them and alert them so that they could secure it, Movimiento Ciudadano is blaming Vickery and telling the public that Amazon told them that the database had been “hacked” or the victim of a “cyberattack.”
Movimiento Ciudadano is either incredibly ignorant or liars.  Amazon told them no such thing.
Chris Vickery contacted Amazon last night to ask what they had actually said to Movimiento Ciudadano or its vendor, Indatcom. He received the following statement from Amazon.
All AWS security features and networks did, and continue to, operate as designed. Once AWS was notified that an unsecured database containing sensitive information was being hosted on the AWS Cloud and was publicly accessible via the Internet, we followed our standard security protocols and have since confirmed that this database is no longer publicly accessible. Customers who have questions about security best practices can find information at our Security Resources page (http://aws.amazon.com/security/security-resources/).
   DataBreaches.net understands that in 2013, Movimiento Ciudadano was fined over another data leak involving voter information that was found up for sale.  It would be understandable that they do not want to be responsible for this newest incident, but they are responsible for this incident, and the Mexican public needs to understand that.


While we were busy watching Apple v. FBI, the FBI won a bigger argument. 
U.S. high court approves rule change to expand FBI hacking power
The Supreme Court on Thursday approved a rule change that would let U.S. judges issue search warrants for access to computers located in any jurisdiction despite opposition from civil liberties groups who say it will greatly expand the FBI's hacking authority.
U.S. Chief Justice John Roberts transmitted the rules to Congress, which will have until Dec. 1 to reject or modify the changes to the federal rules of criminal procedure. If Congress does not act, the rules would take effect automatically.
Magistrate judges normally can order searches only within the jurisdiction of their court, which is typically limited to a few counties.

(Related) For now…
Cory Bennett report:
A key senator is trying to block the Justice Department’s request to expand its remote hacking powers, after the Supreme Court signed off on the proposal Thursday.
“These amendments will have significant consequences for Americans’ privacy and the scope of the government’s powers to conduct remote surveillance and searches of electronic devices,” warned Sen. Ron Wyden.
Read more on The Hill.


Perhaps the director was exaggerating a bit.  (Or was making it up as he talked.)  What are the legal implications of using a tool you don’t understand? 
FBI paid under $1 million to unlock San Bernardino iPhone: sources
The FBI paid under $1 million for the technique used to unlock the iPhone used by one of the San Bernardino shooters - a figure smaller than the $1.3 million the agency's chief initially indicated the hack cost, several U.S. government sources said on Thursday.
   The FBI, not the contractor, has physical possession of the mechanism used to open the phone but does not know details of how it works, one of the sources said.
The identity of the contractor is so closely-held inside the FBI that not even Comey knows who it is, one of the sources said.


Definitely something my Computer Security students should read.
Breach concealment is not a security strategy
   I saw a security "strategy" this week in the wake of a major data breach which was alarming, to say the least.  I want to capture the details of it here and frankly, tear it to shreds because we should never see an organisation playing fast and loose with people's data in this way.  Hopefully if this strategy is ever considered by others in future they'll stumble across this post and think better of it.
This relates to the Lifeboat data breach from earlier this week.  Well actually, the breach itself was many months ago but the disclosure was only this week and therein lies the problem.


Facebook’s government requests report.
Government Requests Report


Perspective. 
Snapchat Users View 10 Billion Videos A Day: Report
Snapchat reaches a new high with reports of 10 billion video views per day as the users have started using videos as an important means of communication, alongside messaging and photo-sharing.

No comments: