Missouri Governor Threatens Journalist Who Discovered State Site Dumping Private Information


Missouri Governor Mike Parson threat of legal action against a journalist and newspaper who responsibly discovered and disclosed a security breach that left the social security numbers of teachers and education staff exposed and easily accessible.

The St. Louis Post-Expedition reports that it informed the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages containing employee Social Security numbers, potentially endangering the information of more than 100,000 employees. Despite the fact that the outlet waited for the tool to be withdrawn by the state before publishing his article, the reporter was called a “hacker” by Governor Parson, who says he will involve the county prosecutor and them. investigators.

According to Post-shipment, the tool that contained the vulnerability was designed to allow the public to see the credentials of teachers. However, he also reportedly included the employee’s SSN in the page he returned – while it apparently didn’t appear as visible text on the screen, KrebsOnSecurity reports that access would be as easy as right-clicking on the page and clicking Inspect Item or View Source.

While the reporter followed standard protocols to disclose and report the vulnerability, the governor treats him as if he were attacking the site or trying to gain access to the teacher’s private information for nefarious purposes.

At a press conference, Governor Parson called the journalist’s actions “decoding the HTML source code”, making him suspicious and underground. However, it literally describes how viewing a website works – it’s the server’s job to send an HMTL file to your computer so you can see it, and whatever is included in that file does. is not secret (although it is not physically visible on your screen when viewing this web page). Governor Parson says nothing on the DESE website gave users permission to access the SSN data, but it was provided free of charge.

You can see the governor’s full press conference below.

The edge contacted the Missouri DESE to clarify if the tool was publicly available or if a login was required, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected . Of course, being reachable is an issue whether or not it is behind a connection.

Missouri’s response is, to put it bluntly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they will pay to hackers who responsibly find and disclose vulnerabilities like these. The reason they exist is that they will make your systems more secure – yes, people will search and find vulnerabilities, but there was probably someone already doing it anyway. With a bug bounty, they tell you so that you can fix it rather than selling this information on the dark web or using it for personal gain. Obviously, this sort of amount is not reasonable for school districts, which often have underfunded IT services due to shrinking budgets, but there are many options between paying large sums of money and threaten legal action.

Governor Parson said the incident could cost state taxpayers $ 50 million. If a malicious hacker had found the SSN treasure, it probably would have cost even more: the state would still have had to fix the system, and it would have teachers who would have solid claims against it if they needed them. identity protection services.

Governor Parson (with a press release from the Administration Office) clarified that SSNs were only accessible one at a time – a list of all employee private information was not included in the HTML files. But like whoever is watched the opening scene of Social network knows, it can be trivial for hackers to download all pages of an application and extract specific information from them. It is not because the journalist did not do it (it would undoubtedly have been irresponsible if he had done so) that it was not possible and does not talk about good security practices.

To be clear: suing the reporter, the media outlet, and anyone involved will only serve to endanger the people of Missouri, as no one will want to report the security holes they have found in public systems if the response from the ‘The state will send the police after them. Security breaches like this are extremely regrettable, but they will inevitably occur (the Post-shipment reports that DESE was found to have stored student SSNs by an audit in 2015). With public entities like businesses, the real test isn’t whether it happens, but how you respond to it. Unfortunately, it appears that Governor Parson fails this test.

Updated October 14 at 5:52 p.m. ET: Updated to reflect DESE comments.

Source link

Leave A Reply

Your email address will not be published.