Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governors Vows To Prosecute Journalists As Hackers
from the wtf-missouri? dept
Last Friday, Missouri’s Chief Information Security Officer Stephen Meyer stepped down after 21 years working for the state to go into the private sector. His timing is noteworthy because it seems like Missouri really could use someone in their government who understands basic cybersecurity right now.
We’ve seen plenty of stupid stories over the years about people who alert authorities to security vulnerabilities then being threatened for hacking, but this story may be the most ridiculous one we’ve seen. Journalists for the St. Louis Post-Dispatch discovered a pretty embarrassing leak of private information for teachers and school administrators. The state’s Department of Elementary and Secondary Education (DESE) website included a flaw that allowed the journalists to find social security numbers of the teachers and administrators:
Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers? Social Security numbers were contained in the HTML source code of the pages involved.
The newspaper asked Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, to confirm the findings. He called the vulnerability ?a serious flaw.?
?We have known about this type of flaw for at least 10-12 years, if not more,? Khan wrote in an email. ?The fact that this type of vulnerability is still present in the DESE web application is mind boggling!?
In the HTML source code means that it sent that information to the computers/browsers of those who knew what pages to go to. It also appears that the journalists used proper disclosure procedures, alerting the state and waiting until it had been patched before publishing their article:
The Post-Dispatch discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials. The department removed the affected pages from its website Tuesday after being notified of the problem by the Post-Dispatch.
Based on state pay records and other data, more than 100,000 Social Security numbers were vulnerable.
The newspaper delayed publishing this report to give the department time to take steps to protect teachers? private information, and to allow the state to ensure no other agencies? web applications contained similar vulnerabilities.
Also, it appears that the problems here go back a long ways, and the state should have been well aware that this problem existed:
The state auditor?s office has previously sounded warning bells about education-related data collection practices, with audits of DESE in 2015 and of school districts in 2016.
The 2015 audit found that DESE was unnecessarily storing students? Social Security numbers and other personally identifiable information in its Missouri Student Information System. The audit urged the department to stop that practice and to create a comprehensive policy for responding to data breaches, among other recommendations. The department complied, but clearly at least one other system contained an undetected vulnerability.
This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.
But that’s not what happened.
Instead, first the Education Commissioner tried to make viewing the HTML source code nefarious:
In the letter to teachers, Education Commissioner Margie Vandeven said ?an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.?
It was never “encrypted,” Commissioner, if the journalists could simply look at the source code and get the info.
Then DESE took it up a notch and referred to the journalists as “hackers.”
But in the press release, DESE called the person who discovered the vulnerability a ?hacker? and said that individual ?took the records of at least three educators? ? instead of acknowledging that more than 100,000 numbers had been at risk, and that they had been available to anyone through DESE?s own search engine.
And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol’s Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had “decoded the HTML source code.” That’s… not difficult. It’s called “view source” and it’s built into every damn browser, Governor. It’s not hacking. It’s not unauthorized.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.
We notified the Cole County prosecutor and the Highway Patrol?s Digital Forensic Unit will investigate. pic.twitter.com/2hkZNI1wXE
— Governor Mike Parson (@GovParsonMO) October 14, 2021
It gets worse. Governor Parson claims that this “hack” could cost $50 million. I only wish I was joking.
This incident alone may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies. This matter is serious.
The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them ? In accordance with what Missouri law allows AND requires.
A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code. This was clearly a hack.
We must address any wrongdoing committed by bad actors.
If it costs $50 million to properly secure the data on your website that previous audits had already alerted you as a problem, then that’s on the incompetent government who failed to properly secure the data in the first place. Not on journalists ethically alerting you to fix the vulnerability. And, there’s no “unauthorized access.” Your system put that info into people’s browsers. There’s no “decoding” to view the source. That’s not how any of this works.
As people started loudly mocking Governor Parson, he decided to double down, insisting that it was more than a simple “right click” and repeating that journalists had to “convert and decode the data.”
We want to be clear, this DESE hack was more than a simple ?right click.?
THE FACTS: An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers? personal information. (1/3) pic.twitter.com/JKgtIpcibM
— Governor Mike Parson (@GovParsonMO) October 14, 2021
Again, even if it took a few steps, that’s still not hacking. It’s still a case where the state agency made that info available. That’s not on the journalists who responsibly disclosed it. It’s on the state for failing to protect the data properly (and for collecting and storing too much data in the first place).
Indeed, in doing this ridiculous show of calling them hackers and threatening prosecution, all the state of Missouri has done is make damn sure that the next responsible/ethical journalists and/or security researchers will not alert the state to their stupidly bad security. Why take the risk?
Filed Under: blame the messenger, dese, disclosure, ethical disclosure, hacking, mike parson, private information, schools, social security numbers, st. louis, teachers, vulnerabilities
Companies: st. louis post dispatch
Comments on “Journalists In St. Louis Discover State Agency Is Revealing Teacher Social Security Numbers; Governors Vows To Prosecute Journalists As Hackers”
'That took care of them, now why does my foot hurt so much?'
‘If you aren’t made aware of the problem it doesn’t exist’ seems to be the motto for far too many people in positions of authority, with the corollary of ‘If you shoot the current messenger giving you bad news that reduces the odds that another one will show up’.
The state was caught with it’s pants down and rather than admit they screwed up they decided on the absolute worst response, to punish the people who notified them of the problem and desperately try to shift the blame to them.
Not only is this stupid in the short term as it leaves the governor and state looking all sorts of boneheaded and pathetic but it just massively screwed them over long-term as no sane white-hat, security researcher or journalist is likely make use of the ‘official channels’ from this point on such that the first the Missouri government is likely to know about future hacks or security breaches/holes is after they’ve either been exploited or made public anonymously, leaving the affected agencies to do damage control after the fact.
Probably the only silver lining of this whole mess is the response to the governor’s statements as my oh my is that idiot getting roasted for his stupidity on twitter, with just so many people pointing out what an idiot he is and how the ‘we got hacked!’ claim is nothing more than CYOA garbage.
Re: 'That took care of them, now why does my foot hurt so much?'
Unfortunately, the same people who voted for Trump will believe the governor.
This comment has been flagged by the community. Click here to show it.
Re: Re: 'That took care of them, now why does my foot hurt so mu
Seriously? You’re making this political? So you’re really willing to stand on the statement that “All non-Trump supporters understand the difference between a hacker and a responsible disclosure.” Because that house of cards would topple really fast.
Re: Re: Re: 'That took care of them, now why does my foot hurt s
That is not even close to what that person said.
Re: Re: Re:2 'That took care of them, now why does my foot hu
That’s exactly what ‘Whoever’ said. "Unfortunately, the same people who voted for Trump will believe the governor" which insinuates that anyone who didn’t vote for Trump wouldn’t believe him and would understand the difference. It also insinuates that there are no (or at least few) people who voted for Trump and wouldn’t believe the governor. This has nothing to do with politics, and making it so is a dangerous way of thinking.
Re: Re: Re:3 'That took care of them, now why does my foo
"It also insinuates that there are no (or at least few) people who voted for Trump and wouldn’t believe the governor. This has nothing to do with politics, and making it so is a dangerous way of thinking."
All evidence so far suggests trump supporters are willing to eat bigger whoppers than what the governor put out, without salt. I mean, the "stolen election" has far less credibility and is still believed by what…90% of trump supporters or so? Sorry, but if you voted trump and still give the man enough benefit of doubt to support him over…well, anyone, really…then yes, we can say with good safety margin, that those people will believe anything as long as it comes from a politician in the leash of Dear Leader.
"…which insinuates that anyone who didn’t vote for Trump wouldn’t believe him and would understand the difference."
There are always idiots. Key difference is that idiocy and willful ignorance are considered an undesirable state of affairs among non-trumpers whereas it’s literal party policy among the pro-trumpers.
Hence yes, we can make that claim. That’s how sad a state of affairs we’re at right now.
"…making it so is a dangerous way of thinking."
It’s already self-evident that this is how things are. Made so by 70-90 million morons unwilling to believe Dear Leader could be wrong. Pointing to this state of affairs isn’t running any risk of invoking what is already there.
Re: Re: Re:3 'That took care of them, now why does my foo
The first part yes, the second part no. There is no implication that non-Trump voters know the difference, only that they wouldn’t take the governor’s word for it. It seems like a pretty good bet to me.
Everything a governor says in his official capacity has something to do with politics.
Re: Re: Re: 'That took care of them, now why does my foot hurt s
"Seriously? You’re making this political?"
It’s about the actions of an elected governor. It would take a blisteringly witless moron to assume it could somehow not be political given the primary actor is, in fact a politician pulling a less well thought out act of office.
Here’s a hint – leading with a demonstration you don’t understand the topic you’re upset about isn’t exactly making your case for Trump supporters…
"So you’re really willing to stand on the statement that "All non-Trump supporters understand the difference between a hacker and a responsible disclosure.""
Well, no. There are idiots in every camp. It’s just that among "non-trump supporters" stupid is considered an undesirable aberration, not official policy.
"Because that house of cards would topple really fast."
…and this you claim while shouting it at the castle walls from the pile of collapsed cards on the table.
At some point it ought to be inevitable that even a trump supporter manages to make a point without undermining their own argument from the first sentence. So far though, you guys have a "perfect" record in that regard…
Re: Re: Re: 'That took care of them, now why does my foot hurt s
"Seriously? You’re making this political?"
yeah, why would an article about the actions of politicians be political! Wait…
Hmmm...
So, was that SSN perhaps MIME-encoded or somesuch in the source…? It would at least explain the "decrypting" rhetoric, albeit not justify it…
Re: Hmmm...
They removed the dashes…
Re: Hmmm...
You’re giving them way too much credit.
Encryption on the client-side is next to useless. I’d be willing to gamble that the data in question was in the HTML as plain-text or another human-readable format.
Claiming the source code was encrypted is just a way for them to try to minimize the issue and discredit the reporters.
Even if I did give them the biggest possible benefit of the doubt, the data would probably have been base64-encoded instead of encrypted.
Re: Hmmm...
He’s probably relying on a dumbed down explanation of SSL: "everything we send out is encrypted".
Re: Re: Hmmm...
He used the term "decoded". Some people in the Twitter thread are thinking things like base64 encoding; I don’t know whether that’s true.
Re: Re: Re: Hmmm...
There is approximately zero percent chance the governor of Missouri understands the difference between encoding and encrypting.
Re: Re: Re: Hmmm...
Several children’s education shows call reading "decoding", so perhaps that what he’s think of? If he would watch these more, maybe he could master the skill of googling "view source", or even learn to read the right click menu which include "view page source" …… nope, too busy practicing his "cover your ass by attempting to kill the messenger".
Re: Hmmm...
So were the Journalists in North Decoder, or South Decoder?
This comment has been flagged by the community. Click here to show it.
Friday deep thoughts
Bitcoin For Dummies
perfect security
Our security is based on telling people what they can and cannot do, and so it is perfect.
Your state governor.
Is this qualified immunity?
I get the appeal of qualified immunity: it means that you just need to claim dumb enough not to know what you are dealing with, and you win against the pesky elite of those who know what they are talking about. It’s exhilarating.
Problem is that it leads to positions getting filled by incompetent persons (like upper IQ limits for police officer applications) because they are both easier maintaince as well as immune against prosecution.
Now here we have a politician who is proud to parade his incompetence repeatedly to the applause of other incompetents, and like with qualified immunity for lawless police officers, we get effective qualified immunity for clueless politicians since voters will reward "owning the hackers".
Add to that the kill-all excuse "I believe otherwise because I seem to remember someone saying the Bible saying so, and while I never bothered actually studying it thoroughly myself, I’ll take that lame excuse over having to actually look at the details of how God’s creation works" of science not being allowed to impede on religion in schools, and the U.S. is really heaven for the stupid. All careers are open to them, and they get preferred treatment before the law and before public opinion.
Re: Is this qualified immunity?
"qualified immunity"
The ability to say, ‘no one told me that’
The idea that you dont need to teach them ANYTHING, and they have an excuse to be DUMB.
The ability to Fix a leaky faucet by calling a plumber, and not using a wrench to fix it. And pay $200+ for a $15+ 1 hour of work at most.
To have a low pressure tire, take it to the deal ship, be charged $50 to check all your tires, be sold 4 new tires, Leave the dealer ship and STILL have a low pressure tire.
To search on the net for sycology, and not find a thing, and not pay attention to the SPELL CHECK that suggests psychology.
To wonder around your home looking for your Glasses, and your spouse asks, ‘what you are looking for?’, you tell her, and she points UP, and you look at the ceiling, and they fall on the floor behind you, and you say, ‘What?’ and not see/hear the glasses hit the carpet.
Sheesh
Guess it is good I work with law enforcement when I accidentally hit F12…
Highway Patrol is clearly appropriate in this case as the offense took place on the information superhighway!
Re: Re:
49 of 50 states have a state police force. 15 refer to that force as highway patrol. The biggest job is handling jobs outside city jurisdictions, which i suppose at some points is mostly work writing moving violations and dealing with accidents. But they will be called in for any intra-state crimes that involve multiple local jurisdictions.
people have got to wise up and realise that the most important thing happening atm is to suppress everyone except those in government, other politicians and all security service staff, along with any and all of their friends. us ordinary people are there (here) now simply to provide wealth and power for those above while they dont give a fuck what they take away from us! it’s the result that certain people tried to get through WWII, but achieving it without murdering millions and destroying the Planet in the process!
Backwater cybersecurity…
actually was encrypted in transit
that’s what https does, encrypts for transit over internet, and web browser decrypts it.
Re: actually was encrypted in transit
But it wasn’t encrypted at the time the reporters viewed it.
Re: actually was encrypted in transit
In transit, yes. With an explicit permission granted to the web browser at the receiving end to decrypt it once received. The copy viewed by the journalist on their computer was both authorised and unencrypted.
It's even the wrong argument...
The governor and DESE are deflecting from the real problem:
You can’t leak what you don’t hold. You can’t lose by decryption what you don’t send. The auditor’s office called it out, they didn’t listen. Or they did the bare minimum to comply.
Re: It's even the wrong argument...
allot of places, have forgotten the basics of security in the first place.
The WHOLE system, probably, is integrated into the school system. When it pulls up the info it GRABS everything, insted of just the names and info it needs.
To many systems are designed like that. Insted of using Specific, and Supplied data, they link it to the MAIN system. Which can make the main system hackible. But they didnt need the hack, because the Data base grabbed everything.
I think most of you miss what he’s doing. Do a google search on "governor parsons hack" and see what you find.
Hint, it won’t be "incompetent dipshit of a governor accuses responsible journalists….".
I went to FoxNews and they didn’t even mention the, um, hack.
He’s just successfully played the media to the only group that matters in Missouri Republicans.
It’s a bit like Red Riding Hood except in this version Granny has the Woodsman arrested for cruelty to animals.
Re: Re:
Well, the pro-trumpers are addicted to dystopian fairy tales so the metaphor surely fits.
Kill the messenger
Wait, is Mike Parson actually Donald Trump? We need that new Clearview tech to find out!
What an idiot. "It’s going to cost taxpayers $50 million!"…to do what would have taken $100 with proper updating.
Seems he’s in the position of blaming the expense of putting guardrails on a bridge on the driver who took a picture of the bridge to show they built it without them.
It was encrypted!
It was encrypted with ROT 26.
I like Popehat’s response:
Re: Re:
To be fair, while in France. There is no reasonable expectation there for anybody to understand English.
Re: Re: Re:
And yet it would be outrageous to prosecute someone for listening to an English phone call in France.
Re: Re: Re:
Believe it or not, there are beaucoup des Personnes françaises who can speak English. I know some IRL (one unfortunately passed away last year. ????).
Highway Patrol? …well, sure. The Information Superhighway in Missouri. All speed limit signs will now be encoded for your protection.
Beware, Mike Parson is very dangerous, he’s a bio hacker, he changed my brain forever through electronic means!
Or how the MSM (like techdirt) will spin it "I read an online article about him doing something stupid and now remember his name".
These Dunning–Kruger poster children would be hilarious if it wasn’t for the fact that they cause people with brains so much trouble.
Governor is also an expert on vaccination!
From his press release last month:
"Today, Governor Mike Parson announced that his administration will reject the Biden Administration’s attempt to enforce an unconstitutional, federal vaccine mandate for Missourians and private businesses. The Office of the Governor has been in communication with leadership from the Missouri General Assembly and the Attorney General’s Office to align resources for a pending legal fight.
"This assault on individual liberty and free enterprise is a poorly executed attempt by the Biden Administration to reset after its disastrous withdrawal from Afghanistan," Governor Parson said. "With our southern border in crisis and as we are experiencing out-of-control inflation, President Biden is desperate to divert attention from his failures. However, Missouri will not be a pawn in this publicity stunt that seeks to force Missourians to disclose private health care decisions and dictate private business operations.""
https://governor.mo.gov/press-releases/archive/governor-parson-condemns-biden-administrations-vaccine-mandate-vows-legal
Re: 'Only WE are allowed to disclose private information!'
Throws a fit over the idea that people might be told ‘stop being plague carriers and getting people killed’, attacks the messenger when they expose that his government screwed up and exposed SSN’s for a lot of people… what a charming scumbag.
However, Missouri will not be a pawn in this publicity stunt that seeks to force Missourians to disclose private health care decisions and dictate private business operations.""
Well that line didn’t age well.
Re: Governor is also an expert on vaccination!
We can draw one of three plausible conclusions regarding the governor;
1) He knows what he’s talking about but needs to throw more red meat to his base of baying MAGA’s and appease Dear Leader in order to retain standing within the GOP.
2) He’s an ignorant asshole eager to blame the messenger for the failings of his administration.
3) Both of the above.
There’s always been this weird sort of one-upmanship from southern states about trying to prove which state is the most anachronistic, superstitious and backward…but is it just me or has that competition escalated radically in these past few years?
Did a dim-bulb relative of Gov Parsons have security contract?
Otherwise, this outrage makes no sense.
Good job there getting ratioed, Governor
As of 11am PDT on Friday morning, this tweet had 5.7K replies and 971 likes.
Good job there getting ratioed, Governor!
If it hadn't been for journalists, they'd have had no trouble!
https://archive.is/pKoN7
Reminds me of publishers
If you want to read New York Times, you have to block their cookies. If you want to read Business Insider, you have to block their third-party scripts. Every publisher seems to have the notion that a "paywall" works by sending you all their content, then telling your browser to hide it.
How long is it before it is an act of "piracy" to change the settings in your browser, or to use one not made by Google?
First Amendment lawsuit in 3..2..1..
The state disclosed teachers’ social security numbers? Well, Missouri is the Show Me State.
It was encrypted
No it’s the children who are hackers, we aren;t wrong.
T-shirts?
I feel a new t-shirt coming soon: F12 is not a crime.
Multi-step process, my ass
You realize those extra steps were just expanding nodes that were collapsed by default in the source code view.
SMH
Re: Multi-step process, my ass
And some terrorism is just expanding pressure cookers that are closed by default. It’s really troubling that Techdirt is turning into a place where criminal hackers exchange tips about their favorite tools and workflows.
You don’t need to reply to that. You have already been earmarked.
Re: Re: Multi-step process, my ass
Did you actually fall for the narrative that right click -> view source is "hacking"?
Re: Re: Re: Multi-step process, my ass
Current information is that the govt had used rot13 to encode the info, so the data wasn’t in plaintext format, and definitely not available via view-source alone.
Re: Re: Multi-step process, my ass
The things we’re talking about expanding are expressly designed to be expanded, and—in fact—that is their entire purpose. There’s nothing criminal about it.
Again, every browser has this tool, and its express purpose is to reveal these nodes and allow them to be expanded. You don’t even need to have much computer know-how or download any additional tools to do this.
Re: Re: Multi-step process, my ass
I understood your sarcasm, sir
Surprised it was in the HTML source
I thought the standard nowadays was that the HTML source of the page is just a script tag to load the Javascript that loads the Javascript that loads the webapp, so there wouldn’t be anything of value in the source code. (The really high tech websites also include in the HTML a worthless "This page requires Javascript" warning. Budget sites omit that and just dump you to a blank page if the Javascript breaks.)
Re: Surprised it was in the HTML source
Yeah, but this was ancient software from the dawn of the internet, when web pages were in web format and everybody assumed that a bank stupid enough to believe only YOU know a number that has to be given to a hundred different people would be out of business and that in any case it was none of YOUR concern if a bank handed out two hundred thousand dollars to a piece of paper with some vital statistics written on it.