US State of Missouri Intends to Prosecute ‘Hacker’ Who Informed State About Data Leak!

US State of Missouri Intends to Prosecute ‘Hacker’ Who Informed State About Data Leak!

Missouri, US, State Gov. Mike Parson launched a criminal investigation of a reporter who flagged a state website that exposed 100k+ Social-Security numbers for teachers & other state employees.

The St. Louis Post-Dispatch newspaper recently found a huge security mistake: The Missouri educational agency’s site was displaying 100,000+ clearly visible Social-Security numbers for schoolteachers, administrators & counsellors in its HTML source code.

Leaking Site

The newspaper verified its findings with a cyber-security professor & then informed the agency responsible for the leaking site – the US Department of Elementary & Secondary Education (DESE) – on Tues. On the same day, the DESE took down the affected pages. Then, on Wed., having waited to disclose the vulnerability until after the pages came down, the outlet published its story.

The next day, on Thurs. morning, a ‘naked emperor shot the messenger,’ as Missouri Gov. Mike Parson threatened legal action against whoever found the vulnerability & whoever may have helped them.

He called the unnamed journalist a “hacker,” vowed to set the courts on the individual & said the state would try to recoup incident-response costs that might cost taxpayers “as much as $50m.”

How to Become a Source-Code-Sniffing ‘Hacker’

“Through a multistep process,” Parson gravely outlined, “an individual took the records of at least 3 educators, decoded the HTML source code & viewed the Social-Security numbers of those specific educators.”

That surely sounds nefarious to those who are not familiar with how the magic of the internet works, but the truth is that HTML source code is only “encoded” as it travels from a website to a browser, which automatically “decodes” the HTML because that is what browsers do: They interpret HTML instructions.

Publicly Available Web Application

Jake Williams, Co-Founder and CTO at incident-response provider Breach Quest, revealed on Fri. that the journalist’s means of discovering the flaw “is certainly not hacking in any sense of the word.”

He continued: “It appears that the reporter used a publicly available web application intended to facilitate searching for teacher certifications. When the results were displayed, the reporter simply viewed the source code of the web page and found the social security numbers.

Governor Parson

While Governor Parson said the reporter ‘decoded the HTML source code’ in reality they simply used the feature built into every web browser since the dawn of the internet.”

Williams explained that because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request.

“It seems likely that these hidden form fields included the Social-Security number of the teacher,” he suggested.

The Post-Dispatch reported that it had found the Social-Security numbers in the HTML source code of the website’s pages, exposed due to a vulnerability in a web app that allowed the public to search teacher certifications & credentials. No other confidential information was clearly visible.

Publicly Available

That means that it was publicly available to anyone with a web browser who decided to examine the site’s public code.

As Williams suggested, doing so is simple. Every major browser allows you to view HTML source code of any web page by using the browser’s developer tools. For example, in Chrome, to view a page’s source code, choose the 3 dots in the upper right, select More Tools, then click on Developer Tools.

Even easier is to press Ctrl+U on your keyboard or Opt+Command+U on a Mac keyboard. Presto: A page’s source code is displayed.

Verifying

The Post-Dispatch reached out to Shaji Khan, a cybersecurity professor at the University of Missouri at St. Louis, to verify what it had found. He confirmed that it was “a serious flaw” & that it was “mind-boggling” to find this type of vulnerability in the DESE web app.

The professor urged the state to audit its apps to ensure that similar vulnerabilities get weeded out. DESE reportedly started an audit on Tues. that was still ongoing as of Wed. but had not yet uncovered other examples of the flaw.

Source-Code Sins

It is not the 1st entity to commit source-code sins. For example, in 2019, data scientist David Stier reported that for months, the source code for Instagram’s website was showing some user profiles that displayed phone numbers & emails: data that wasn’t available on public-facing pages.

It is not clear how long the Social-Security numbers were accessible on DESE’s site, nor if the data was accessed by anyone with ill intent.

‘Attempt to Embarrass the State & Sell Headlines’

Regardless of how easy it reportedly was to get at the sensitive information, the Post-Dispatch journalist who discovered it was denounced as a criminal “hacker,” 1st in a statement issued by the educational agency & then by the governor.

“Nothing on DESE’s [US Department of Elementary & Secondary Education’s website gave permission or authorisation for this individual to access teacher data,” the governor claimed during his Thur. press briefing, suggesting that the journalist just wanted to “sell headlines.”

“This individual is not a victim,” Parson proclaimed. “They were acting against the state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for the news outlet. We will not let this crime against Missouri teachers go unpunished. We refuse to let them be a pawn in the news outlets’ political vendetta.”

Personal Information

Parson added that his administration “is standing up against any & all perpetrators who attempt to steal personal information & harm Missourians. It is unlawful to access encoded data and systems in order to examine other peoples’ personal information.”

The governor notified the Cole County Prosecutor about the matter, along with the Missouri State Highway Patrol’s digital forensic unit, which he said will also be conducting “an investigation of all of those involved.”

Focusing on the Flaw

Tim Wade, Technical Director & CTO team at AI cybersecurity company Vectra, believes that the hubbub underscores the need to protect security researchers who operate in the public good. He suggested that a wise path would be to redirect the spleen that is directed toward bug-finders & to instead focus that energy on “the root causes of why these security failures continue to occur.”

Legally, he just does not see merit in the sabre-rattling. “Courts recognise limits to protections from unlawful search when activities occur clearly in a public context,” Wade observed.

“It’s hard to imagine that the low technical sophistication of the behaviours described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context.”

Available for Public Use

Other security practitioners agreed. Williams commented that rather than focus on this so-called “hacking,” Parson “should be worried about the security of the state’s applications, particularly those that are available for public use.”

Frankly, the state should be embarrassed to find a flaw like this in 2021, Williams stated. But it is not the first time that “a politician has fired on all cylinders, claiming that accessing publicly available information was hacking,” he noted, referring to a 2017 incident in which then State of Georgia Secretary of State Brian Kemp alleged that voter records taken from an open directory on a Kennesaw State web server also constituted “hacking.”

“That hasn’t exactly aged well, & no charges were ever filed,” Williams commented.

True to Form

It is all true to form for politicians, as pointed out by John Bambenek, Principal Threat Hunter at digital IT & security operations firm Netenrich. “Throughout human history, emperors have responded to those telling them they were wearing no clothes by lashing out in anger at the audacity of those who’d dare say such a thing,” he explained.

“Life would be better if they, you know, just put on pants,” Bambenek stated.

“Government leaders should be thanking people who notify government of problems, not threatening them. I’m sure every actual criminal hacker on the planet noticed this tirade & you can bet they’re adjusting their targeting accordingly.”

https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/

 

SHARE ARTICLE