
A Missouri newspaper told the state about a website security risk. Now it faces prosecution.

CodenameJK

Summary

Missouri Governor Mike Parson threatened to sue the St. Louis Post-Dispatch and prosecute a journalist who discovered a flaw in a state public records database and reported it to the state. The flaw involved the public exposure of 100,000 SSNs of educators that were inadvertently left in the HTML source of the webpage. After giving the state ample time to fix the issue, the paper published a story about the vulnerability. The governor responded in a press statement vowing to prosecute all involved under computer tampering laws.

 

Quotes

Quote from original article from Post-Dispatch


The Social Security numbers of school teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education.

The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.

Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.

The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.

...

Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.

The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”

“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”

Quote from Ars Technica


Parson spoke today (see video) at a "press conference regarding [the] data vulnerability and [the] state's plan to hold perpetrators accountable," and he posted a condensed version of his remarks on Facebook.

"It is unlawful to access encoded data and systems in order to examine other people's personal information, and we are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's Digital Forensic Unit will also be conducting an investigation of all of those involved," he said.

Parson went on to say that state law "allows us to bring a civil suit to recover damages against all those involved." He cited Missouri code 569.095, which classifies "tampering with computer data" as a class A misdemeanor.

Parson continued:

"Nothing on DESE's [the Department of Elementary and Secondary Education's] website gave permission or authorization for this individual to access teacher data. This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet.

We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them."

My thoughts

Research and testing are the backbone of the cybersecurity field, and these things should always be encouraged through safe harbors and bug bounty programs. Compromised data from a bad actor will always be worse than embarrassment from being called out (no matter how pathetic it is to be sending unnecessary sensitive data "hidden" in HTML source). I think many people here will agree that prosecution is the last thing needed in this case, but this incident is a reminder of how technically illiterate many of our elected officials can be, and could easily cause a chilling effect in vulnerability reporting, ultimately making everyone less safe.

 

Sources

Original Report from St Louis Post-Dispatch

Governor's Press Conference

 

Further Analysis:

NBC

Ars Technica

NPR

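The root cause described in the original post (SSNs present in the HTML source even though nothing on screen shows them) is usually a page that serialises whole database rows into the markup so client-side code can search them. The block below is an added example, not the DESE application or any code from the Post-Dispatch report: it shows that leaky pattern next to a hardened version that projects each record onto an allow-list of public columns and refuses to send a response that still contains an SSN-shaped token. The records, field names and SSN values are constructed test data.

```python
import html
import json
import re

# Constructed sample rows standing in for the certification database.
# The SSNs are made-up test values, not real data.
TEACHERS = [
    {"id": 1001, "name": "Alice Example", "cert": "Elementary 1-6",
     "status": "Active", "ssn": "123-45-6789"},
    {"id": 1002, "name": "Bob Example", "cert": "Secondary Math",
     "status": "Expired", "ssn": "987-65-4321"},
]

# The only columns the public search page is meant to expose (assumed names).
PUBLIC_FIELDS = ("id", "name", "cert", "status")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def render_vulnerable(records):
    """Leaky pattern: the whole row is pushed into the page so client-side
    JavaScript can filter and search it. The SSN is never painted on screen,
    but it sits in a data- attribute and in a JSON blob in the HTML source."""
    rows = "".join(
        f'<tr data-ssn="{html.escape(r["ssn"])}">'
        f'<td>{html.escape(r["name"])}</td><td>{html.escape(r["cert"])}</td></tr>'
        for r in records
    )
    blob = json.dumps(records)  # full records, SSN included
    return (f"<table>{rows}</table>"
            f'<script id="data" type="application/json">{blob}</script>')


def to_public(record):
    """Project a row onto the allow-listed public columns. Using an allow-list
    (rather than deleting known-sensitive keys) means a sensitive column added
    to the database later is not exposed by default."""
    return {k: record[k] for k in PUBLIC_FIELDS}


def leaks_ssn(page):
    """Output check: does the response body contain an SSN-shaped token?"""
    return SSN_RE.search(page) is not None


def render_hardened(records):
    """Same page, but only the projected records reach the template, and the
    finished response is refused if an SSN-shaped value is still inside it."""
    public = [to_public(r) for r in records]
    rows = "".join(
        f'<tr data-id="{r["id"]}">'
        f'<td>{html.escape(r["name"])}</td><td>{html.escape(r["cert"])}</td></tr>'
        for r in public
    )
    # "\u003c" keeps a stray "</script>" inside the data from ending the tag.
    blob = json.dumps(public).replace("<", "\\u003c")
    page = (f"<table>{rows}</table>"
            f'<script id="data" type="application/json">{blob}</script>')
    if leaks_ssn(page):
        raise ValueError("refusing to send a response containing an SSN-shaped value")
    return page


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_ssn(render_vulnerable(TEACHERS)))  # True
    print("hardened leaks:  ", leaks_ssn(render_hardened(TEACHERS)))    # False
```

The projection is the real fix; the regex check on the finished response is defence in depth for the case where some other template path still pulls in a full record. A response-body scan for SSN-shaped tokens is cheap enough to leave on in production for pages that are supposed to carry no personal data at all.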

Looking at my 104-key keyboard, this tech idiot would probably call this a "hacking tool" because he only uses 64 of them (including the duplicated ones). The rest must be bad for national security

CPU: i7-2600K 4751MHz 1.44V (software) --> 1.47V at the back of the socket Motherboard: Asrock Z77 Extreme4 (BCLK: 103.3MHz) CPU Cooler: Noctua NH-D15 RAM: Adata XPG 2x8GB DDR3 (XMP: 2133MHz 10-11-11-30 CR2, custom: 2203MHz 10-11-10-26 CR1 tRFC:230 tREFI:14000) GPU: Asus GTX 1070 Dual (Super Jetstream vbios, +70(2025-2088MHz)/+400(8.8Gbps)) SSD: Samsung 840 Pro 256GB (main boot drive), Transcend SSD370 128GB PSU: Seasonic X-660 80+ Gold Case: Antec P110 Silent, 5 intakes 1 exhaust Monitor: AOC G2460PF 1080p 144Hz (150Hz max w/ DP, 121Hz max w/ HDMI) TN panel Keyboard: Logitech G610 Orion (Cherry MX Blue) with SteelSeries Apex M260 keycaps Mouse: BenQ Zowie FK1

 

Model: HP Omen 17 17-an110ca CPU: i7-8750H (0.125V core & cache, 50mV SA undervolt) GPU: GTX 1060 6GB Mobile (+80/+450, 1650MHz~1750MHz 0.78V~0.85V) RAM: 8+8GB DDR4-2400 18-17-17-39 2T Storage: HP EX920 1TB PCIe x4 M.2 SSD + Crucial MX500 1TB 2.5" SATA SSD, 128GB Toshiba PCIe x2 M.2 SSD (KBG30ZMV128G) gone cooking externally, 1TB Seagate 7200RPM 2.5" HDD (ST1000LM049-2GH172) left outside Monitor: 1080p 126Hz IPS G-sync

 

Desktop benching:

Cinebench R15 Single thread:168 Multi-thread: 833 

SuperPi (v1.5 from Techpowerup, PI value output) 16K: 0.100s 1M: 8.255s 32M: 7m 45.93s


52 minutes ago, CodenameJK said:

Missouri Governor Mike Parson threatened to sue the St. Louis Post-Dispatch and prosecute a journalist who discovered a flaw in a state public records database and reported it to the state. The flaw involved the public exposure of 100,000 SSNs of educators that were inadvertently left in the HTML source of the webpage. After giving the state ample time to fix the issue, the paper published a story about the vulnerability. The governor responded in a press statement vowing to prosecute all involved under computer tampering laws.

Can't wait to see the memes on this


1 minute ago, Jurrunio said:

Looking at my 104-key keyboard, this tech idiot would probably call this a "hacking tool" because he only uses 64 of them (including the duplicated ones). The rest must be bad for national security

I thought hacking was when you used more than 1 finger to type?


4 minutes ago, leadeater said:

I thought hacking was when you used more than 1 finger to type?

Might as well call the use of keyboards hacking altogether. Normies use phones for texting and that's all right?


As usual, the govt shows they understand nothing about technology. Just like how they spend millions for things that could be done by one person in a week for less than $500, with fewer security flaws.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


4 minutes ago, TetraSky said:

As usual, the govt shows they understand nothing about technology. Just like how they spend millions for things that could be done by one person in a week for less than $500, with fewer security flaws.

The governor claimed it will cost $50 million to figure out how to stop sending social security numbers.

That's not a meme; that's in the Ars Technica article.


12 minutes ago, TetraSky said:

the govt shows

No, don't do that. This is Missouri Governor Mike Parson. Don't generalize the wrong doing of a specific person.


Excited to hear Luke take on WAN. We're having a pretty stupid week in technology.


49 minutes ago, lurchstan said:

Excited to hear Luke take on WAN. We're having a pretty stupid week in technology.

Yes we did

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


2 hours ago, CodenameJK said:

the governor claimed it will cost $50 million to figure out how to stop sending social security numbers

 

that's not a meme that's in the Ars Technica article

Depending on what contracts the State is locked into, it's entirely possible this wasn't a lie.

 

Gov. Parson also needs to fire some staff. Whoever was handling this portfolio clearly isn't competent. 


So let me get this straight...

 

Government agency somehow accidentally manages to leak confidential information into a publicly accessible web page.

Newspaper privately reports this to government agency.

Government agency doesn't fix it.

Newspaper publicly reports the vulnerability (as is very common practice when it remains unfixed months after private disclosure)

Government agency takes newspaper to court for accessing the confidential information which they literally put onto a publicly accessible web page.

 

What a stupid world we live in.


pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it. No seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.


Quote

"It is unlawful to access encoded data and systems in order to examine other people's personal information, and we are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's Digital Forensic Unit will also be conducting an investigation of all of those involved

 

"State law allows us to bring a civil suit to recover damages against all those involved." He cited Missouri code 569.095, which classifies "tampering with computer data" as a class A misdemeanor.

 

"Nothing on DESE's [the Department of Elementary and Secondary Education's] website gave permission or authorization for this individual to access teacher data. This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet."

 

"We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them."

Candidate for the second dumbest statement about the internet ever made (behind the classic series of tubes).

 

From top to bottom...

1) HTML source code is not encoded

2) Reading HTML source code is not tampering with it

3) If the website was live then nobody needs permission to view its contents, if you don't want it readable then don't put it there

4) The person accountable for the crime is the dumbass who coded the website in such a way as hitting F12 shows staff SSNs

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


3 minutes ago, pythonmegapixel said:

So let me get this straight...

 

Government agency somehow accidentally manages to leak confidential information into a publicly accessible web page.

Newspaper privately reports this to government agency.

Government agency doesn't fix it.

Newspaper publicly reports the vulnerability (as is very common practice when it remains unfixed months after private disclosure)

Government agency takes newspaper to court for accessing the confidential information which they literally put onto a publicly accessible web page.

 

What a stupid world we live in.

The page was taken offline before the newspaper ran the story (and it's uncertain how long it took the state to respond), but otherwise yes, this exactly.


7 minutes ago, pythonmegapixel said:

Government agency somehow accidentally manages to leak confidential information into a publicly accessible web page.

Newspaper privately reports this to government agency.

Government agency doesn't fix it.

Newspaper publicly reports the vulnerability (as is very common practice when it remains unfixed months after private disclosure)

Government agency takes newspaper to court for accessing the confidential information which they literally put onto a publicly accessible web page.

Well, the portion of the site that contained the SSNs was pulled, so while yes, the vulnerability still exists, the page that has the vulnerability is no longer accessible. So yea, the newspaper waited until after the page was brought offline to report on it.

 

This is a real travesty, and the unfortunate thing is that, the way the laws are written, it really would be another case like Aaron Swartz. Laws surrounding this sort of thing really need to change. Yes, the SSNs weren't human readable, but they weren't encrypted either. To me, that is posting it in a public form, and people who figure it out should never be punished (well, if they tried doing the right thing by reporting it, which they did).

3735928559 - Beware of the dead beef

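Both the original post (SSNs in the HTML source, nothing visible or searchable on the rendered page) and the reply above (values that were not human readable but also not encrypted) describe the same class of leak: sensitive data that lives in the page source rather than in what the browser paints. The scanner below is an added example, not anything from the DESE site or the Post-Dispatch: it walks raw HTML and reports SSN-shaped values wherever they sit, including comments, attribute values, hidden inputs, script bodies and, as an assumption about what "not human readable" might mean, base64-encoded tokens. The thread does not say which encoding the state used, so trying base64 is only an illustration; the sample page and every SSN in it are constructed test data.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Runs that could be base64. The real encoding is not known; decoding
# base64 is an assumption made here to show how a scanner can look past
# a thin layer of obfuscation.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed page with the leak in four places, none of which renders on
# screen: an HTML comment, a data- attribute, a base64 hidden field and a
# JSON blob inside <script>. All SSNs are made-up test values.
SAMPLE = """<!-- TODO remove before launch: ssn 111-22-3333 -->
<table><tr data-ssn="123-45-6789"><td>Alice Example</td></tr></table>
<input type="hidden" name="rec" value="MTIzLTQ1LTY3ODk=">
<script id="data" type="application/json">[{"name":"Bob Example","ssn":"987-65-4321"}]</script>
"""


def try_base64(token):
    """Decode a token as base64 and return it as text, or None if it is not
    valid base64 or does not decode to printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def candidate_strings(text):
    """The text itself, plus the decoding of every base64-looking run in it."""
    yield text
    for m in B64_RE.finditer(text):
        decoded = try_base64(m.group(0))
        if decoded:
            yield decoded


class SourceScanner(HTMLParser):
    """Walks the raw source (not the rendered DOM) and records every
    SSN-shaped value together with the place it was found."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (location, ssn)
        self._current = None

    def _check(self, where, text):
        for s in candidate_strings(text):
            for ssn in SSN_RE.findall(s):
                self.findings.append((where, ssn))

    def handle_starttag(self, tag, attrs):
        self._current = tag
        for name, value in attrs:
            if value:
                self._check(f"<{tag} {name}=...>", value)

    def handle_endtag(self, tag):
        self._current = None

    def handle_data(self, data):          # also receives <script> bodies
        where = f"text in <{self._current}>" if self._current else "text"
        self._check(where, data)

    def handle_comment(self, data):
        self._check("html comment", data)


def scan_html(source):
    """Return [(location, ssn), ...] for every SSN-shaped value in the source."""
    p = SourceScanner()
    p.feed(source)
    p.close()
    return p.findings


if __name__ == "__main__":
    for where, ssn in scan_html(SAMPLE):
        print(f"{where:25} {ssn}")
```

Run against a saved copy of a page (view-source, curl, or a crawler dump), this is the kind of check an agency could have pointed at its own public site before launch: it needs no login and no interaction with the application beyond fetching the page, which is also why reading it is not "tampering" in any technical sense.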

4 hours ago, leadeater said:

I thought hacking was when you used more than 1 finger to type?

Hacking requires at least 4 monitors with rotating 3d structures and the hacker manipulates the program with their code as it's being run.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

Hacking requires at least 4 monitors with rotating 3d structures and the hacker manipulates the program with their code as it's being run.

And here I thought I could just whistle my way through cereal boxes to learn the l33t skills of hax0rs


6 minutes ago, wanderingfool2 said:

And here I thought I could just whistle my way through cereal boxes to learn the l33t skills of hax0rs

I learnt everything I need to know from a movie,  the password is "swordfish"

 

 


8 hours ago, CodenameJK said:

Missouri Governor Mike Parson threatened to sue the St. Louis Post-Dispatch and prosecute a journalist who discovered a flaw in a state public records database and reported it to the state.

Insert 1984 joke here, alongside the other 1984 jokes that come before it.

Press quote to get a response from someone! | Check people's edited posts! | Be specific! | Trans Rights

I am human. I'm scared of the dark, and I get toothaches. My name is Frill. Don't pretend not to see me. I was born from the two of you.


9 hours ago, poochyena said:

No, don't do that. This is Missouri Governor Mike Parson. Don't generalize the wrong doing of a specific person.

I mean.... Yes, generalize it. Because it's not just a Missouri thing. This is not the first time we see a government overspend and go after "whistleblowers" while claiming they are hacking when really, even a 5 year old could've accessed that data because it was almost in plain sight. Even here in Quebec, while it didn't go as far as suing, they did file a formal police complaint when someone "hacked" the vaccine passport app, when really all they did was make a QR scanner that showed more than what the Govt wanted... Meaning data that shouldn't have been accessible.

 

As for being incompetent and paying millions for tech, It also happens a lot up here in Canada with pretty much anything internet related. 

Just have to look at the botched Phoenix pay system, where the government paid millions upon millions, reaching over 2 billion, for something that failed outright and now they are looking to replace it. Even though it should be a pretty standard piece of software that checks your clock-in/clock-out, and plenty of ready-to-use solutions were available, they decided to go "custom"...


3 hours ago, TetraSky said:

I mean.... Yes, generalized it. Because it's not just a Missouri thing. This is not the first time we see a government overspend and go after "whistleblowers"

Should we blame men since he's a man and not the first time a man has done such a thing? Or how about blame white people for it? Or boomers? Or married people?

You can never hope to see positive change if you paint anyone looking to make positive changes as being the same as the people who don't. The government is exactly as useful as the people you elect, and if you refuse to blame individuals and continue to generalize, you can never hope to see change.

