Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governor Vows To Prosecute Journalists As Hackers
Last Friday, Missouri's Chief Information Security Officer Stephen Meyer stepped down after 21 years working for the state to go into the private sector. His timing is noteworthy because it seems like Missouri really could use someone in their government who understands basic cybersecurity right now.
We've seen plenty of stupid stories over the years about people who alert authorities to security vulnerabilities and are then threatened with hacking charges, but this story may be the most ridiculous one we've seen. Journalists for the St. Louis Post-Dispatch discovered a pretty embarrassing leak of private information for teachers and school administrators. The state's Department of Elementary and Secondary Education (DESE) website included a flaw that allowed the journalists to find the Social Security numbers of teachers and administrators:
Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.
The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability “a serious flaw.”
“We have known about this type of flaw for at least 10-12 years, if not more,” Khan wrote in an email. “The fact that this type of vulnerability is still present in the DESE web application is mind boggling!”
Being in the HTML source code means the server sent that information to the computers/browsers of anyone who knew which pages to go to. It also appears that the journalists followed proper disclosure procedures, alerting the state and waiting until the flaw had been patched before publishing their article:
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.
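The leak described above is data that the server itself writes into the page. As an added example (not code from the article, the Post-Dispatch or DESE), the check below scans a page's HTML, including hidden inputs, attributes and comments, for SSN-shaped values before the page is served, tolerating both dashed and undashed forms and dropping values the Social Security Administration never issues. The sample page and every number in it are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a certification-lookup page that leaks an SSN in an
# HTML comment and, with the dashes stripped, in a hidden form field.
SAMPLE_HTML = """<html><body>
<div class="educator">Certificate: 12345 (example) <!-- ssn: 219-09-9999 --></div>
<input type="hidden" name="educatorId" value="219099999">
<span data-cert-id="2021-09-0001">Renewal</span>
</body></html>"""

# Nine digits, optionally dashed as AAA-GG-SSSS, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

def looks_like_ssn(area, group, serial):
    # SSA never issues area 000, 666 or 900-999, group 00 or serial 0000;
    # rejecting them removes dates, certificate numbers and phone fragments.
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

class _Scanner(HTMLParser):
    """Collects (location, match) pairs from text, attribute values and comments."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def _scan(self, location, text):
        for m in SSN_RE.finditer(text or ""):
            if looks_like_ssn(*m.groups()):
                self.hits.append((location, m.group(0)))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # hidden inputs, data-* attributes, etc.
            self._scan(f"<{tag} {name}>", value)

    def handle_data(self, data):
        self._scan("text", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def find_ssn_exposures(html):
    """Return every SSN-shaped value in the document and where it was found."""
    parser = _Scanner()
    parser.feed(html)
    parser.close()
    return parser.hits
```

Run against the server's rendered output in an integration test or an outbound response filter, a non-empty result means the page is shipping the value to every visitor, whether or not it is visible on screen.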
Also, it appears that the problems here go back a long way, and the state should have been well aware that this problem existed:
The state auditor’s office has previously sounded warning bells about education-related data collection practices, with audits of DESE in 2015 and of school districts in 2016.
The 2015 audit found that DESE was unnecessarily storing students’ Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.
This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.
But that's not what happened.
Instead, first the Education Commissioner tried to make viewing the HTML source code nefarious:
In the letter to teachers, Education Commissioner Margie Vandeven said “an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
It was never "encrypted," Commissioner, if the journalists could simply look at the source code and get the info.
Then DESE took it up a notch and referred to the journalists as "hackers."
But in the press release, DESE called the person who discovered the vulnerability a “hacker” and said that individual “took the records of at least three educators” — instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE’s own search engine.
And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol's Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had "decoded the HTML source code." That's... not difficult. It's called "view source" and it's built into every damn browser, Governor. It's not hacking. It's not unauthorized.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
— Governor Mike Parson (@GovParsonMO) October 14, 2021
It gets worse. Governor Parson claims that this "hack" could cost $50 million. I only wish I were joking.
This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious.
The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them — In accordance with what Missouri law allows AND requires.
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.
We must address any wrongdoing committed by bad actors.
If it costs $50 million to properly secure the data on your website, data that previous audits had already flagged as a problem, then that's on the incompetent government that failed to properly secure the data in the first place. Not on journalists ethically alerting you so you can fix the vulnerability. And there's no "unauthorized access." Your system put that info into people's browsers. There's no "decoding" required to view the source. That's not how any of this works.
As people started loudly mocking Governor Parson, he decided to double down, insisting that it was more than a simple "right click" and repeating that journalists had to "convert and decode the data."
We want to be clear, this DESE hack was more than a simple “right click.”
THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information. (1/3) pic.twitter.com/JKgtIpcibM
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Again, even if it took a few steps, that's still not hacking. It's still a case where the state agency made that info available. That's not on the journalists who responsibly disclosed it. It's on the state for failing to protect the data properly (and for collecting and storing too much data in the first place).
Indeed, in doing this ridiculous show of calling them hackers and threatening prosecution, all the state of Missouri has done is make damn sure that the next responsible/ethical journalists and/or security researchers will not alert the state to their stupidly bad security. Why take the risk?
'That took care of them, now why does my foot hurt so much?'
'If you aren't made aware of the problem it doesn't exist' seems to be the motto for far too many people in positions of authority, with the corollary of 'If you shoot the current messenger giving you bad news that reduces the odds that another one will show up'.
The state was caught with its pants down and rather than admit they screwed up they decided on the absolute worst response, to punish the people who notified them of the problem and desperately try to shift the blame to them.
Not only is this stupid in the short term as it leaves the governor and state looking all sorts of boneheaded and pathetic but it just massively screwed them over long-term as no sane white-hat, security researcher or journalist is likely to make use of the 'official channels' from this point on such that the first the Missouri government is likely to know about future hacks or security breaches/holes is after they've either been exploited or made public anonymously, leaving the affected agencies to do damage control after the fact.
Probably the only silver lining of this whole mess is the response to the governor's statements as my oh my is that idiot getting roasted for his stupidity on twitter, with just so many people pointing out what an idiot he is and how the 'we got hacked!' claim is nothing more than CYOA garbage.
Hmmm...
So, was that SSN perhaps MIME-encoded or somesuch in the source...? It would at least explain the "decrypting" rhetoric, albeit not justify it...
Re: Hmmm...
They removed the dashes...
Re: Hmmm...
You're giving them way too much credit.
Encryption on the client-side is next to useless. I'd be willing to gamble that the data in question was in the HTML as plain-text or another human-readable format.
Claiming the source code was encrypted is just a way for them to try to minimize the issue and discredit the reporters.
Even if I did give them the biggest possible benefit of the doubt, the data would probably have been base64-encoded instead of encrypted.
Friday deep thoughts
Bitcoin For Dummies
perfect security
Our security is based on telling people what they can and cannot do, and so it is perfect.
Your state governor.
Is this qualified immunity?
I get the appeal of qualified immunity: it means that you just need to claim to be dumb enough not to know what you are dealing with, and you win against the pesky elite of those who know what they are talking about. It's exhilarating.
Problem is that it leads to positions getting filled by incompetent persons (like upper IQ limits for police officer applications) because they are both easier maintenance as well as immune against prosecution.
Now here we have a politician who is proud to parade his incompetence repeatedly to the applause of other incompetents, and like with qualified immunity for lawless police officers, we get effective qualified immunity for clueless politicians since voters will reward "owning the hackers".
Add to that the kill-all excuse "I believe otherwise because I seem to remember someone saying the Bible saying so, and while I never bothered actually studying it thoroughly myself, I'll take that lame excuse over having to actually look at the details of how God's creation works" of science not being allowed to impede on religion in schools, and the U.S. is really heaven for the stupid. All careers are open to them, and they get preferred treatment before the law and before public opinion.
Sheesh
Guess it is good I work with law enforcement when I accidentally hit F12…
Highway Patrol is clearly appropriate in this case as the offense took place on the information superhighway!
Re:
49 of 50 states have a state police force. 15 refer to that force as highway patrol. The biggest job is handling jobs outside city jurisdictions, which I suppose at some points is mostly work writing moving violations and dealing with accidents. But they will be called in for any intra-state crimes that involve multiple local jurisdictions.
People have got to wise up and realise that the most important thing happening atm is to suppress everyone except those in government, other politicians and all security service staff, along with any and all of their friends. Us ordinary people are there (here) now simply to provide wealth and power for those above while they don't give a fuck what they take away from us! It's the result that certain people tried to get through WWII, but achieving it without murdering millions and destroying the Planet in the process!
Backwater cybersecurity...
actually was encrypted in transit
that's what https does, encrypts for transit over internet, and web browser decrypts it.
It's even the wrong argument...
The governor and DESE are deflecting from the real problem:
You can't leak what you don't hold. You can't lose by decryption what you don't send. The auditor's office called it out, they didn't listen. Or they did the bare minimum to comply.
I think most of you miss what he's doing. Do a google search on "governor parsons hack" and see what you find.
Hint, it won't be "incompetent dipshit of a governor accuses responsible journalists....".
I went to FoxNews and they didn't even mention the, um, hack.
He's just successfully played the media to the only group that matters in Missouri: Republicans.