Arkansas Can't Secure Financial Assistance Site So Governor Decides To Call The Person Discovering The Breach A Criminal

from the bless-your-soul,-Governor-Fuckwit dept

The best place for a messenger is six feet under, according to the governor of Arkansas, Asa Hutchinson. Despite being a founding chair of Governors for CS [Computer Science] (according to Slashdot), Hutchinson has decided to blame a security researcher for the state’s inability to properly secure one of its websites. Lindsey Millar, who reported the breach exposing the sensitive information of the site’s users, reports that Governor Hutchinson is trying to villainize the person who stumbled upon the unexpected data flow.

It all started innocently enough when a programmer, who had attempted to apply for financial aid via Arkansas’ Pandemic Unemployment Assistance website, discovered it was exposing Social Security numbers and bank account numbers. This person got in touch with Millar, who brought it to the attention of the state.

That’s where things went extremely wrong.

Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been “exploited.”

Wat…

“Exploited” how? By informing the press after the state had ignored efforts by the programmer to get the government to fix the problem? Millar says the programmer reached out to two state agencies and received nothing in response. Obviously concerned about this very dangerous data leak, the programmer talked to the press. That’s “exploitation?” I guess it is, if you’re the governor and co-founder of a foundation that claims to be all about that tech stuff and whatnot.

The governor offered up a nonsensical statement that was supposed to reassure assistance applicants that their private financial stuff hadn’t actually been compromised. I’m sorry, but I cannot explain the following:

“We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do…”

WHAT EVEN THE FUCK

No one needs to alter actual, useful, goddamn usable routing numbers to do damage… especially when they have the Social Security numbers to work with as well. The governor followed up this bizarre explanation with one that was even worse: a justification for calling someone, who discovered a data breach, a criminal.

Asked about his rationale for framing the programmer’s actions as illegal, the governor said, “When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think.”

THINK HARDER.

This is baseline CFAA thinking — the kind the federal government engages in when it’s convenient. A person who gains access to data on a website an entity thought was secure is a criminal because it’s assumed that, just because someone browsing the front page of a website wouldn’t stumble across the data breach, any other discovery method must be unethical… if not actually illegal.

Adding “I would think” doesn’t mean the person saying those words is actually thinking. It just means that if they decided to engage in actual thinking, it wouldn’t lead to much insight. The fact of the matter is the applicant only had to alter the URL to gain access to information the website should have locked down tight. This isn’t “manipulation.” It’s Pen Test 101 — something the government should have engaged in before allowing a site collecting bank account and Social Security info to go live.

Trying to kill the messenger doesn’t make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news — with the added benefit that it makes others think twice before coming forward with information that might embarrass the State.


Comments on “Arkansas Can't Secure Financial Assistance Site So Governor Decides To Call The Person Discovering The Breach A Criminal”

That One Guy (profile) says:

Go loud or don't bother

Trying to kill the messenger doesn’t make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news — with the added benefit that it makes others think twice before coming forward with information that might embarrass the State.

Not to mention further reinforces the idea that if you find something bad do not attach your name to it, simply dump it anonymously with the loudest press outlet you can find and let those responsible scramble to fix the problem once it’s gone public and can’t be ignored any more.

Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.

Uriel-238 (profile) says:

Re: ...Or go black-hat

Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.

Or quietly tell more mischievous entities where the proverbial loose threads are.

Anonymous Anonymous Coward (profile) says:

Deflection

Asa Hutchinson appears to be trying to create a shitstorm where none exists to hide the failure of Arkansas’ Pandemic Unemployment Assistance program to create a secure website, which is a shitstorm. It’s a classic ‘hey, look over there’ scenario, and ripe for a Streisand Effect nomination, with Asa playing the wizard behind the curtain.

mcinsand says:

Re: 'bless your/his/her heart'

I’m southern, and we say ‘bless your/his/her heart’ a lot. The best translation for ‘bless your heart’ that I’ve heard is my mom’s: "you poor idiot!" So, as for this so-called governor, yes, bless his heart and the heart of anyone that would accept his explanations.

Mc

Anonymous Coward says:

> “We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do…"

No one needs to alter actual, useful, goddamn usable routing numbers to do damage…

It depends on the kind of damage one wants to do. Hypothetically, someone who wanted to obtain money to which he was not entitled might do so by exploiting the system to change the bank account numbers for legitimately entitled users to point to an account over which the fraudster has control. Once the state deposits the money, the fraudster transfers it elsewhere and walks away richer. This may be a safer exploit than the one Techdirt implied, since the victim’s injury is failure to receive payment, rather than an obviously unauthorized withdrawal. That failure-to-receive might be not be reported as soon, since the victim needs to wait long enough to be sure the state is not merely slow. Once reported, it may be misdiagnosed as "State incompetently sends money to wrong account"; such a diagnosis wouldn’t immediately trigger a criminal inquiry, and the fraudster might never be indicted. An investigation might still be opened when the attempt to reverse the payment fails due to insufficient funds, but that might well be a lower priority investigation and thus easier to evade.

By contrast, if the fraudster uses the exploit to obtain the victim’s account data and withdraw money from the victim’s account, that will be noticed more quickly and, once noticed, be correctly categorized as theft. The banks then get involved and trace the money. Evading prosecution for that would require the fraudster to have the money handled in a way that precludes tracing, which is presumably more trouble than just talking the state into sending money to the wrong account.

JoeCool (profile) says:

Re: Re:

Hypothetically, someone who wanted to obtain money to which he was not entitled might do so by exploiting the system to change the bank account numbers for legitimately entitled users to point to an account over which the fraudster has control. Once the state deposits the money, the fraudster transfers it elsewhere and walks away richer.

No criminal would do this as it would give the investigators a LOT more info on tracking them down. You can’t just walk into a bank and set up an account that you can point the system to, you have to provide ID and your social security number at a minimum so the bank can keep the government aware of your transactions as necessary for tax purposes and the like. It’s been this way for decades. The only way you could set up an account this way would be to have legitimate faked ID good enough to stand up to the IRS (not likely), or the cooperation of a bank employee (also not likely). So changing the account info to point to another account is highly unlikely, while having the account info and social security number is enough to spend money from that account without much fuss, and little to no paper trail.

Anonymous Coward says:

Re: Re: Re:

This is not unlikely, it is a high volume tactic targeting large organizations, mainly Accounts Payable rather than payroll, but both can be targeted (but AP payments are often much greater than individual paychecks).

When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear. (The account used first is often stolen or ‘borrowed’ from someone else, the old "we will deposit X and you get to keep Y", but they drain the account. They can also transfer the funds again, with this chain possibly repeating until it gets to an offshore bank with no obligation to return the funds or investigate the fraud issues.)

Scary Devil Monastery (profile) says:

Re: Re: Re: Re:

"When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear…"

…which is why the first Red Flag shown in any AML (anti-money-laundering) training is to consider any account change request the basis for a due-diligence check. It should be standard practice for any company handling any sizeable form of revenue.

The probable target for schemes like this will be those companies who already engage in shady practices and thus don’t have slipshod internal controls to begin with.

ECA (profile) says:

Re: Re:

There was this hacker who found a site which didn’t protect their data.
He did something very interesting: he redirected all payments to go to an account, and he made it so NO ONE could open it without a password. Then he sat, until the State came to him. AFTER him. And he HAD to make a deal: that he was NOT to be charged for anything, and he would give them the password.

The outcome I do not know, as that part was never recorded/posted/printed…

Anonymous Coward says:

Re: Re:

In cases like this, where political heads may roll due to the piss poor planning & design of the much publicised assistance scheme, it may be the politician’s best call to blame it all on an administrative oversight & let it die in the 24 hour news cycle. It’s taxpayers’ money after all, so they wouldn’t give a rat’s bottom.
Banks on the other hand would find it coming out of their own pockets & bonuses may be in jeopardy, so a bit more investigation into the issue would be called for. Inaction versus action.

That One Guy (profile) says:

Re: So long as they're shooting at white hats,

That is probably the dumbest part of the ‘shoot/sue the messenger’ tactic, yes.

The flaws exist no matter who finds them, but if you punish those that find and expose them who aren’t doing so for malicious reasons then the only people left are those that are malicious, and the first time you find out that a system has been compromised will not be when someone tells you in the hopes that you will fix it, but after it’s been exploited, potentially in highly damaging ways.

That Anonymous Coward (profile) says:

What did they expect?
Honestly, we live in the age of never ever ever make your betters look bad or else.
I am sure they awarded the contract to make the leaky thing to someone’s sister’s cousin’s brother for a hefty fee & thought they were done. Now you DARE suggest we screwed up?
Well fsck you buddy, we will tell the media you are the bad guy & people will believe me because I’m better than you…
(just not better at hiring competent coders or having a system where this could have been reported & I could have avoided looking like a jackbooted fsckboy).

It’s easier to blame the invisible enemies than to accept perhaps maybe you are the problem.

Jamie says:

It sounds like the issue here is a classic insecure direct object reference. It’s been a part of OWASP’s top 10 list for a long time, and there’s no excuse for any modern site to be vulnerable to this type of flaw.

Perhaps Millar needs to release his own press release.

The so-called "hacker" did nothing wrong. They simply modified the page location to change a "2" to a "1" and was presented with someone else’s personal data. I tried contacting 2 separate state agencies but neither took any action. The governor is trying to misdirect from the state’s inability to protect your privacy.
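As an added illustration (not code from the article, from Jamie’s comment, or from the Arkansas site) of the flaw described above, where a record is fetched by the id in the URL without checking who it belongs to: a framework-free model of the vulnerable lookup, the hardened lookup that adds the missing ownership check, and a detection pass over constructed access-log entries. All record ids, user ids, account values and log lines are constructed for the example.

```python
# Added example: a minimal model of an insecure direct object reference (IDOR),
# its fix, and a detection check. All data below is constructed, not real.
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: int
    owner_user_id: int    # the applicant who submitted this record
    bank_account: str     # constructed sample value


# Constructed sample data: two applicants, one record each.
APPLICATIONS = {
    1: Application(1, owner_user_id=101, bank_account="000111222"),
    2: Application(2, owner_user_id=102, bank_account="333444555"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def vulnerable_lookup(session_user_id, requested_app_id):
    """Authenticates the session but trusts the id taken from the URL, so
    changing /application/2 to /application/1 returns another applicant's data."""
    return APPLICATIONS[requested_app_id]


def hardened_lookup(session_user_id, requested_app_id):
    """Authorization check: the record must belong to the signed-in user.
    A missing record and a foreign record get the same error, so a caller
    cannot learn which ids exist by probing."""
    record = APPLICATIONS.get(requested_app_id)
    if record is None or record.owner_user_id != session_user_id:
        raise Forbidden("not found")
    return record


# Constructed access-log entries: (session_user_id, requested_app_id, http_status).
ACCESS_LOG = [(101, 1, 200), (102, 2, 200), (102, 1, 200), (102, 3, 404)]


def cross_user_reads(log, applications=APPLICATIONS):
    """Detection: successful reads of a record by a session that does not own it.
    On a site with the flaw, these entries are the actual leaks to investigate."""
    hits = []
    for user_id, app_id, status in log:
        record = applications.get(app_id)
        if status == 200 and record is not None and record.owner_user_id != user_id:
            hits.append((user_id, app_id))
    return hits
```

Running `cross_user_reads(ACCESS_LOG)` on the constructed log flags the one entry where user 102 read application 1, which belongs to user 101.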

