Tag Archive for: Missouri

Missouri Threatens to Sue a Reporter Who Flagged a Security Flaw


Missouri Governor Mike Parson Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a “hacker” and that the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor also vowed to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.

Despite Parson’s surprising description of a security report that normally wouldn’t be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a “mind-boggling” vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers were vulnerable “in a web application that allowed the public to search teacher certifications and credentials.” The Social Security numbers of school administrators and counselors were also vulnerable.

“Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved,” the report said.

The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.

“The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the article said. The news report was published one day after the “department removed the affected pages from its website.”

As of this writing, the DESE’s educator-credentials checker was “down for maintenance.”

Governor: Journalist Tried…

Source…

Messenger: Missouri has an award-winning cybersecurity team. Why is Parson calling such work a crime? | Tony Messenger


That’s what the news release with the dead link says. I copied and pasted the link into an internet site called the “Wayback Machine,” which captures websites in real time, so that when future links go dead, for whatever reason, the information is still archived. Here’s what it says about why state workers looked at publicly available HTML code at government and private business sites:

“The program identifies high-risk systems that, if left insecure, could lead to disruptions within critical infrastructure or significant data loss, and contacts the owners of the impacted systems to mitigate risks. … The primary business goal of this program is to protect the critical infrastructure belonging to governments, businesses, utilities, and academic institutions across the State of Missouri. Critical infrastructure provides the foundation of many life sustaining services such as healthcare, government, public safety, energy, transportation, communication, food/agriculture, and manufacturing. Keeping these services available around the clock is critical to today’s way of life. A secondary business goal is to safeguard the data belonging to Missouri citizens, students, and customers. Our data lives online as much as we do, and to safeguard it has become essential to prevent identity theft, financial loss, and brand reputation impact.”

This is the same sort of motivation that drives data journalists to check state websites, and, when they find something that could lead to citizens’ personal information being insecure, letting government officials know of the potential weakness. That’s what Renaud found out. He discovered the state’s Department of Elementary and Secondary Education was storing social security numbers of teachers in publicly available HTML code. Then he told the state about it so they could fix the problem.

Source…

Journalist warns Missouri about security breach. He’s threatened with criminal charges. – East Bay Times


JEFFERSON CITY, Mo. (AP) — Gov. Mike Parson on Thursday condemned the St. Louis Post-Dispatch for exposing a flaw in a state database that allowed public access to thousands of teachers’ Social Security numbers, even though the paper held off from reporting about the flaw until after the state could fix it.

Parson told reporters outside his Capitol office that the Missouri State Highway Patrol’s digital forensic unit will be conducting an investigation “of all of those involved” and that his administration had spoken to the prosecutor in Cole County.

The governor suggested that the Post-Dispatch journalist who broke the story committed a crime and said the news outlet would be held accountable.

The state’s schools department had earlier referred to the reporter who broke the story as “a hacker.”

The Post-Dispatch broke the news about the security flaw on Wednesday. The newspaper said it discovered the vulnerability in a web application that allowed the public to search teacher certifications and credentials.

It notified the Department of Elementary and Secondary Education and gave it time to fix the problem before the story was published.

After removing the pages from its website Tuesday, the agency issued a news release that called the person who discovered the vulnerability a “hacker” — an apparent reference to the reporter — who “took the records of at least three educators.” The agency didn’t elaborate as to what it meant by “took the records” and it declined to discuss the issue further when reached by The Associated Press.

The Post-Dispatch journalist found that the school workers’ Social Security numbers were in the HTML source code of the pages. It estimated that more than 100,000 Social Security numbers were vulnerable.

Source codes are accessible by right-clicking on public webpages.

The newspaper’s president and publisher, Ian Caso, said in a statement that the Post-Dispatch stands by the story and journalist Josh Renaud, who he said “did everything right.”

“It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to the Department of Elementary…

Source…

Missouri governor accuses journalist who warned state about cybersecurity flaw of criminal ‘hacking’


When a St. Louis Post-Dispatch journalist discovered that the Missouri state teachers website allowed anyone to see the Social Security numbers of some 100,000 school employees, he did what any reporter might do. He published a story about the security vulnerability — though not before warning the state and giving it time to remove the affected webpages.



A July 2020 file photo of Missouri Gov. Mike Parson, who called a St. Louis Post-Dispatch reporter a "hacker" after the discovery of a security flaw in a state website.


© Alex Brandon/AP

Another official might have thanked the newspaper for spotting the flaw and giving a heads-up before publicizing it — or at least downplayed what appears to be an embarrassing government mishap. But Missouri Gov. Mike Parson (R) did the opposite: He called the journalist “a hacker” who may face civil or criminal charges for “decod[ing]” HTML code on the Department of Elementary and Secondary Education website and viewing three Social Security numbers.

The journalist was “acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet,” Parson announced Thursday. He said that he had referred the case to the Cole County prosecutor and the Missouri State Highway Patrol’s Digital Forensic Unit.

The announcement immediately drew appalled reactions from the Post-Dispatch and other journalistic organizations.

“We stand by our reporting and our reporter who did everything right,” Ian Caso, president and publisher of the Post-Dispatch, said in a statement. “It’s regrettable the governor has chosen to deflect blame onto the journalists who uncovered the website’s problem and brought it to DESE’s attention.”

Committee to Protect Journalists’ U.S. and Canada program coordinator Katherine Jacobsen called Parson’s legal threats “absurd.”

“Using journalists as political scapegoats by casting routine research as ‘hacking’ is a poor attempt to divert public attention from the government’s own security failing,” she told The Washington Post in an email.

A spokeswoman for…

Source…