On Wednesday, the St. Louis Post-Dispatch ran a story about how its staff discovered and reported a security vulnerability in a Missouri state education website that exposed the Social Security numbers of 100,000 elementary and secondary teachers. In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
The Post-Dispatch says it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials, and that more than 100,000 SSNs were available. The Missouri state Department of Elementary and Secondary Education (DESE) reportedly removed the affected pages from its website Tuesday after being notified of the problem by the publication (before the story on the flaw was published).
The newspaper said it found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved. In other words, the information was available to anyone with a web browser who happened to also examine the site’s public code using Developer Tools or simply right-clicking on the page and viewing the source code.
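As an added illustration that is not part of the original article or of the newspaper's work: the kind of pre-release check a site owner or QA reviewer could run over their own page source, looking for SSN-shaped values anywhere in the served HTML, including hidden form fields, data attributes and HTML comments, which a rendered page never shows but view-source does. The sample page, its field names and the numbers in it are constructed for the example; nothing here is taken from the DESE site.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# SSN shape (AAA-GG-SSSS) with the SSA's structural exclusions: area 000, 666
# or 900-999, group 00 and serial 0000 are never issued, so rejecting them cuts
# false positives from phone numbers, dates and record ids.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def mask(ssn: str) -> str:
    """Report only the last four digits so the scan log itself does not leak."""
    return "***-**-" + ssn[-4:]


class SourceScanner(HTMLParser):
    """Walk the raw HTML and flag SSN-shaped values wherever they appear:
    attribute values (hidden inputs, data-* attributes), text nodes and
    HTML comments. A browser renders only the text; view-source shows all."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def _check(self, location: str, text: str) -> None:
        for m in SSN_RE.finditer(text):
            self.findings.append((location, mask(m.group())))

    def handle_starttag(self, tag, attrs):
        # Covers <input type="hidden" value=...> and data-* attributes;
        # HTMLParser routes self-closing tags here as well.
        for name, value in attrs:
            if value:
                self._check(f"{tag}@{name}", value)

    def handle_data(self, data):
        self._check("text", data)

    def handle_comment(self, data):
        # Debug comments left in templates are a classic place for this.
        self._check("comment", data)


def scan_html(source: str) -> list[tuple[str, str]]:
    """Return (location, masked value) pairs for every SSN-shaped string."""
    scanner = SourceScanner()
    scanner.feed(source)
    scanner.close()
    return scanner.findings


# Constructed sample of a certificate-lookup page that carries an SSN in three
# places the rendered page never displays. Names and numbers are made up.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><body>
<h1>Educator Certificate Lookup</h1>
<!-- debug: record 4471 ssn=219-09-9999 -->
<table>
  <tr><td>Name</td><td>Jane Q. Example</td></tr>
  <tr><td>Certificate</td><td>C-0012345</td></tr>
  <tr><td>Phone</td><td>573-555-0143</td></tr>
</table>
<form action="/detail" method="post">
  <input type="hidden" name="educator_id" value="4471">
  <input type="hidden" name="ssn" value="219-09-9999">
  <span data-ssn="219-09-9999" style="display:none"></span>
</form>
</body></html>
"""


if __name__ == "__main__":
    for location, value in scan_html(SAMPLE_PAGE):
        print(f"SSN-shaped value in {location}: {value}")
```

Run against a saved copy of each page (or wired into a test that renders templates with realistic fixture data), the scanner reports three locations for the sample: the HTML comment, the hidden input's `value` attribute and the `data-ssn` attribute, while the phone number, certificate number and record id produce nothing. The point is that the check reads the same bytes the server sends, not what the browser paints.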
The Post-Dispatch reported that it wasn’t immediately clear how long the Social Security numbers and other sensitive information had been vulnerable on the DESE website, nor was it known if anyone had exploited the flaw.
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
Parson said the person who reported the weakness was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet.”
“We will not let this crime against Missouri teachers go unpunished, and refuse to let them be a pawn in the news outlet’s political vendetta,” Parson said. “Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.”
In a statement shared with KrebsOnSecurity, an attorney for the St. Louis Post-Dispatch said the reporter did the responsible thing by reporting his findings to the DESE so that the state could act to prevent disclosure and misuse.
“A hacker is someone who subverts computer security with malicious or criminal intent,” the attorney Joe Martineau said. “Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.”
Aaron Mackey is a senior staff attorney at the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in San Francisco. Mackey called the governor’s response “vindictive, retaliatory, and incredibly short-sighted.”
Mackey noted that Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability. He said the governor also is attacking the media — which serves a crucial role in helping give voice (and often anonymity) to security researchers who might otherwise remain silent under the threat of potential criminal prosecution for reporting their findings directly to the vulnerable organization.
“It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said. “The public had a right to know about their government’s own negligence in building secure systems and addressing well-known vulnerabilities.”
Mackey said Gov. Parson’s response to this incident also is unfortunate because it will almost certainly give pause to anyone who might otherwise find and report security vulnerabilities in state websites that unnecessarily expose sensitive information or access. That also means such weaknesses are more likely to be found and exploited by actual criminals instead.
“To characterize this as a hack is just wrong on the technical side, when it was the state agency’s own system pulling that SSN data and making it publicly available on their site,” Mackey said. “And then to react in this way where you don’t say ‘thank you’ but actually turn on the reporter and researchers and go after them…it’s just weird.”
Secrecy is the lamest, most ineffective form of computer security. If the laughable governor actually sues, that will be laughed out of court.
Since social service numbers were exposed, the damage is done. Unless the SSA wants to reissue new numbers; that will never happen.
No. They need to strip some of the power away from a simple 9 digit number.
The reason why people are scared to have that little number breached, is because people treat it like a secret. Particularly, lenders.
Lenders are willing to open a line of credit based on someone claiming an identity, and showing proof by knowing some public info about a person, and a simple 9 digit number that they treat as a PIN to unlock a person’s identity.
Don’t reissue the SSN, stop using it like a secret.
This seems like the worst kind of knee-jerk reaction a Government could have to this situation.
This actively discourages researchers/reporters from reporting vulnerabilities that, left unchecked, can cause massive and long-lasting impact to individual people’s livelihoods. By threatening reporters/researchers with the repercussions of being liable for the cost to fix the systems they reported the vulnerability on, whether they are held criminally or financially liable doesn’t matter, they are being held liable because of the COST. Keep in mind that’s what the Governor and his office keep pointing to: that $50 million. They are actively disregarding the INTENT of the reporter’s actions and looking at the RESULT. Never mind the cost the state would have incurred having to correct the hundreds or possibly thousands of fraudulent tax returns that would doubtless have been submitted next year if those SSNs had leaked, not to mention the disability, unemployment and financial assistance claims that would be fraudulently submitted by malicious actors.
“Mackey noted that Post-Dispatch did everything right, even holding its story until the state had fixed the vulnerability.”
This alone shows that the reporter was not “hacking” with the intent of stealing those SSNs; if there was any “hack” (and no, right clicking and viewing the source of a web page is NOT hacking, regardless of how those legal hobgoblins want to try and spin the definition of “hack”) then it was done with the INTENT of discovering, detailing, and reporting the vulnerability.
This is effectively “shooting the messenger” by promising to prosecute the reporter who discovered and reported the vulnerability, simply because of how much it’s going to cost the State to correct their systems? It sounds to me like that Governor is too old to understand how these systems work and/or is taking some (bad) advice from someone who is only seeing the dollar signs.
I doubt they will, but I hope that the Governor’s office can come to their senses and realize how bad of a decision they are making.
Accessing protected information without authorisation is still illegal, even if it is publicly available on the internet. This is why every confidential document needs to have a clearly marked sign that says “confidential”, so that people on the internet know not to illegally read the document. The same principle applies to the social security numbers that were accidentally revealed to the internet via the view-source mechanism. This doesn’t mean that view-source is some evil hacking tool, but instead that users of the internet need to evaluate all available information and decide themselves if they’re allowed to read/access the information. These particular social security numbers would be illegal to access, because their originating location comes from computers protected via password authentication. While the damage has already been done, and information has leaked to the internet, reporting these issues is still a dangerous activity and should be reserved for security professionals. They would know when the leaking of the secrets is serious enough that it needs to be reported to the government. Government obviously considers every report a hacking attempt.
The information was public, i.e., it was not secured, and anything made public is not protected by any privacy law. You forfeited that right. Source code viewing and robots.txt are information that people make public. https://www.findlaw.com/state/missouri-law/missouri-computer-crimes-laws.html#:~:text=Missouri%20statute%20identifies%20a%20few%20distinct%20computer-related%20crimes%3A,receiving%20data%20known%20to%20have%20been%20obtained%20illegally.
You do realize this is a part of the web page not meant to be read. Good luck with that legalese stamp.
But that’s just not how the internet works.
Just because something is not properly wrapped in HTML and rendered readable in common browsers, does not mean it’s not meant to be read.
People have to understand that the internet is more than just human eyes.
A page that is accessible from the internet gets scraped by spiders/web crawlers, so they can be searched, categorized, and archived. This includes the source code.
It is false to suggest that this data was not authorized. An HTTP GET request resulted in an HTTP 200 response that SERVED this data in plaintext. There is no authorization. It was given to anyone and everyone whether they were looking for it or not.
The dispatch post can make the argument that they cannot be singled out. The state of Missouri would have to press criminal charges against Google for scraping their website, and subpoena the hard drives of everybody who ever visited because web browsers can cache pages.
Finds wallet on bus. Opens it up to see driver’s license. Returns wallet. “THIEF!”
This argument is ridiculous and won’t hold up in court, if it even gets that far. I’m sure there’s someone in the Missouri AG’s office that will put the kibosh on this lawsuit nonsense.
It just shows the mentality of the politicians we have these days!
Mentality of *GOP* politicians post Trmp seems to be about 90% Looney Toons, all taking up Trmp’s rallying cry: The Law is neither more or less than what I want it to be! (also attributable by paraphrase to Humpty Dumpty, who also took a great fall).
@MattyJ said:
Finds wallet on bus. Opens it up to see driver’s license. Returns wallet. “THIEF!”
Ooh Ooh!! I know this one. It’s one of those trick questions, yeah? It’s the bus driver’s wallet!!! He/she’s the only one who needs a driver’s license while on a bus 😉
Umm, nice try…
It was the state government that dropped the ball by not protecting the data. And if anyone thinks that protecting data means hiding it in the source code of a web page, they have no business working in the technology industry.
If anyone should be prosecuted, it’s the state agency responsible for protecting its data. Or maybe the governor himself, who failed to allocate funds to data security like he failed to do up to this point.
I’m sorry, but to anyone who works professionally with software, what you’re saying does not make sense.
Firstly, in this case, the SSN numbers are on your computer, in plaintext, upon accessing the site. That’s a security breach regardless of what happens to the data after it’s compromised.
Also, there is no decoding or special tools necessary, just hitting F12 and reading. This is like signing up for a newsletter, being mailed SSNs, and then being prosecuted for telling the newsletter that they mailed out people’s SSNs.
Secondly, reporting software vulnerabilities is an important part of maintaining a safe internet. Software vulnerabilities that go unreported, will go unfixed. These are called zero-day vulnerabilities and are more dangerous the longer they exist, because they further expose people to harm.
It is like blaming the person who found mishandled confidential docs in a public space and attempts to return them out of goodwill. The responsibility of securing confidential info lies on the person(s) and group(s) who are supposed to keep them confidential.
Also, I don’t think fixing this would cost 50 million USD. My employer (an organisation larger than the Missouri school administration) spends a lot less than that to have Microsoft sort administrative things out for them…
“This is why every confidential document needs to have clearly marked sign that says ‘confidential’, so that people on the internet knows to not illegally read the document.”
LOL, no. Confidential markings inform those who DO have authorized access to a document of the handling requirements for that document.
In fact, when someone with access to confidential information mishandles it – such as by sending out unencrypted copies of it to any person or machine that asks for a loosely-related publicly available document – then it is the person/entity who mishandled it (i.e. the State of Missouri in this case) who is legally liable. They don’t get to blame the people they sent it to.
Your argument completely falls apart in any case because this document WAS NOT marked confidential. In fact the user requested publicly available information, and UNTIL THEY SAW THE SSNs, THEY HAD ZERO REASON TO SUSPECT THAT ANY INFORMATION THEY WERE GIVEN WAS ANYTHING BUT PUBLICLY AVAILABLE INFORMATION. So you’re claiming that they had to use the “available information” to decide whether to “illegally read” the SSNs, when the ONLY AVAILABLE INFORMATION that would indicate the problem WAS the SSNs? Is the problem that you believe that, or that you hope we’re dumb enough to believe it?
Once they were aware there was information that shouldn’t have been there, they notified the responsible party – which is exactly the correct thing to do.
Every state official, employee, or contractor who has taken part in trying to blame the reporter for this incident should be fired, period.
Again… Another idiot…
https://arstechnica.com/tech-policy/2021/10/missouri-gov-calls-journalist-who-found-security-flaw-a-hacker-threatens-to-sue/
Prosecuting the newspaper for hacking, is like streaking naked in front of an audience and then prosecuting the audience for voyeurism.
How was this buffoon elected? He should be replaced. This sets a horrible precedent if it goes anywhere. No-one is going to want to try to help keep our state’s infrastructure websites secure. A+
Does that mean the state broke the law?
610.035. State entity not to disclose Social Security number, exceptions. — No state entity shall publicly disclose any Social Security number of a living person unless such disclosure is permitted by federal law, federal regulation or state law or unless such disclosure is authorized by the holder of that Social Security number or unless such disclosure is for use in connection with any civil, criminal, administrative or arbitral proceeding in any federal, state or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation and the execution or enforcement of judgments and orders, or pursuant to an order of a federal, state or local court. Notwithstanding any other provision of law to the contrary, the disclosure of Social Security numbers of deceased persons shall be lawful, provided that the state agency disclosing the information knows of no reason why such disclosure would prove detrimental to the deceased individual’s estate or harmful to the deceased individual’s living relatives. For the purposes of this section, “publicly disclose” shall not include the use of any Social Security number by any state entity in the performance of any statutory or constitutional duty or power or the disclosure of any Social Security number to another state entity, political subdivision, agency of the federal government, agency of another state or any private person or entity acting on behalf of, or in cooperation with, a state entity. Any person or entity receiving a Social Security number from any entity shall be subject to the same confidentiality provisions as the disclosing entity. For purposes of this section, “state entity” means any state department, division, agency, bureau, board, commission, employee or any agent thereof. 
When responding to any requests for public information pursuant to this chapter, any costs incurred by any state entity complying with the provisions of this section may be charged to the requester of such information.
Reference: https://revisor.mo.gov/main/OneSection.aspx?section=610.035
“vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication”
That’s a bold (and pretty clueless) strategy.
What a putz.
I was gonna say “what a schmuck”, but I see he’s been called a “putz”, so that about covers it. What a schmuck…
He was the sheriff for a few years in a county just a few miles away from me. Yes, he really is that stupid and tech ignorant. Since then he’s been a state senator, lieutenant governor and now governor. Anything more complex than driving a patrol car exceeds his capabilities. People around here generally like him because he’s Trump really really lite.
Shoot the messenger. Again.
Let’s see this stand up in court. Low level nobody elected beyond his capabilities pretending to act tough.
Companies pay big bounties to be told this stuff – this good old boy moron just played into the hands of every hacker and wannabe hacktivist out there.
Deny your own stupidity.
Put an exact number on just how much taxpayers wasted on your stupidity ($50M).
And on how many constituents you fucked because of it (100K teachers).
Prosecute and publicly shame the people who pointed out you were stupid.
Still probably a 50/50 shot that he’ll be (R)e-elected.
What a moronic statement for a Governor to make. Asinine and counterproductive.
“They had no authorization to convert or decode, so this was clearly a hack.”
“It is unlawful to access encoded data and systems..”
Even though it’ll never happen, I kind of wish this would go to court so technical experts could explain and correct this fundamental flaw in understanding.
I would imagine a courtroom scene where the defense attorney speaks pig Latin to the jury. Then accuses the prosecution of decoding the secret conversation in their minds.
Encoding is not encryption.
Encryption exists for the purpose of confidentiality. Encoding does not.
Classic case of childish petulance, killing the messenger like that!
The journalist was trying to save the state government from embarrassment.
And if ‘protected’ information is made publicly available, then it’s not ‘protected’ information, and therefore not illegal to access.
It’s the state government’s responsibility to protect classified, sensitive, and other private information. They failed, and now the governor is trying to put the blame on a reporter who caught them with their pants down… Unfortunately for Gov. Parson, his tactics won’t work. He just shot himself in the foot, politically that is…
$50M to fix the problem? That’s an expensive web page. By the sound of it they spent $50 writing version 1.0.
It’s hard to understand how you arrive at that $50 million figure no matter how much inefficiency and waste you build in. The only thing I can think of is that it’s what it would cost to completely replace the application (still highly suspect, but government contracting and “Enterprise” vendors…). If something like this was not caught at some layer of testing before finding its way into the wild, it means nobody was doing any testing. A point-and-click web vulnerability scanner has regex patterns in it for SSNs; even the free ones would have reported an information disclosure. Not that it ever should have got that far; just peer code review should have captured it: umm, why are we writing out SSNs when you don’t even display them?
Fixing this, though, should be 5 min of developer time to modify whatever server-side template spits this out, and, let’s be super duper crazy generous, 20 hours or so of other people doing sign-offs, commits/merges, pushing to prod. That isn’t the ‘right way to fix it’, more than likely, because it’s basically a certainty the entire application is hot garbage with this kind of flaw present, but still.
Parsons has also “distinguished” himself by continuing to refuse pardoning Kevin Strickland, 62, who has been in prison since his conviction for a 1978 triple murder in Kansas City that the Jackson County Prosecutor’s Office now maintains he did not commit — and of which he is “factually innocent” (https://www.kansascity.com/news/local/crime/article252244473.html), while pardoning Mark and Patricia McCloskey, who had brandished firearms outside their house as a crowd of peaceful (and unarmed) protesters walked by on their way to then-St. Louis Mayor Lyda Krewson’s house (https://www.stltoday.com/news/local/crime-and-courts/missouri-governor-pardons-mark-and-patricia-mccloskey/article_c3f5c751-5cf4-5042-af36-2abc7deffdf9.html).
The governor is right, of course.
Too late now, but best way to handle this: the State of MO pays the newspaper $25M to bury the story, then continues to operate their site as ‘normal’. No teachers need be concerned about their personal information leaking, the State saves a cool $25M in remediation costs, and a struggling local newspaper scores a nice little payday. In other words, everyone wins!
If you spot any flaws in my reasoning, keep it to yourself – otherwise I may sue you.
The “crime” here is in the poor development of the website, not the person who notified DESE.
Parson has shown a complete lack of understanding of basic… anything. I expect he was smarter when younger, but age has not been kind to his brain. Time to retire when you get that bad. I hear there are openings in NYC retirement homes.
Dear Missouri Governor,
Real cyber criminals don’t report unsecured data. They exploit it.
This headline is actually incorrect and lends a bit of undeserved support to the governor.
By no means is there a security vulnerability in this story.
Data exposure was reported. The state exposed private data. There was no security involved.
3 words….
Archive dot org
Some context: I lived next to Missouri for years. Thickheaded, inflexible, aggressive ignorance is, like, a thing there; it’s an identity. Most of their state employees remind me of the police in Idiocracy. They probably still burn witches and atheists. Confederate flag waving descendants of former slavers would certainly keep electing Parsons; he’s a reflection of their social majority.
I am not a professional web developer, but I do use “hidden” HTML tags to hold certain information such as a version number and other information that I may want to relay but not necessarily make visible in the web page. That does not mean it is a secret. The information may be retrieved by viewing the source code. I will sometimes have end users retrieve that information from the source code so that I may know which version of a webform they are using. This information gets cached on the user’s endpoint. Sometimes the browser just reads from cache rather than retrieving the updated page. Not supposed to happen, but it does.
The information was made publicly available by the district. No hack was involved. I have discovery tools on my computer that would routinely catch SSNs in plain text files. Suing the researcher is not likely to go very far. The response from the governor is childish and somewhat narcissistic.
The only ones who have ground to sue here are the teachers, as they have incurred potential damages by having their SSNs released publicly. Someone should turn this into a class-action suit against the state and this buffoon.