Missouri governor Mike Parson has sparked derision among the infosec community over allegations that a journalist who reported a security vulnerability in a state government website had violated computer crime laws.
The controversy relates to a story published by the St. Louis Post-Dispatch on Wednesday (October 13) disclosing an alleged security vulnerability in the site, which is maintained by the Department of Elementary and Secondary Education (DESE).
The flaws, unearthed by one of its reporters, potentially exposed more than 100,000 Social Security numbers (SSNs) belonging to teachers and other school staff, said the publication.
The newspaper said it notified DESE of the flaws and delayed publication of the story to give the agency time to secure the data in question – an approach in line with vulnerability disclosure as routinely practiced by professional security researchers.
Missouri’s Office of Administration Information Technology Services Division (OA-ITSD) has now disabled the vulnerable tool, which is used by local education agencies to verify educators’ certifications, and says it has fixed the vulnerability.
‘No malicious intent’
However, in a series of tweets posted yesterday (October 14), Governor Parson said the journalist “had no authorization to convert and decode the code” and that DESE had referred the case to the county prosecutor.
Citing a Missouri state statute, he said: “Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information.”
But in a statement published by the St. Louis Post-Dispatch, its attorney, Joseph Martineau, said “the reporter did the responsible thing by reporting his findings to DESE so that the state could act to prevent disclosure and misuse”, and that “there was no breach of any firewall or security and certainly no malicious intent”.
However, Governor Parson said: “An individual accessed source code and then went a step further to convert and decode that data in order to obtain Missouri teachers’ personal information. This data was not freely available, and by the actor’s own admission, the data had to be taken through eight separate steps in order to generate a SSN.”
‘Not a hacking situation’
But Rachel Tobac, a prominent US-based hacker and infosec educator, suggested the journalist’s actions required no special technical skills: “If your code leaks personal data via public development tools that any person can see by simply pressing F12 on a keyboard then you have a huge data leak issue, not a hacking situation, on your hands. Fix your website,” she tweeted.
Hitting the F12 key on a Windows computer opens the browser’s developer tools, and right-clicking on a web page offers a “view source” option; either way, users can read the HTML, scripts, and data that the server has already sent to their browser.
“This person reported a vulnerability – a big data leak issue that anyone could see – and took time out of their day to report it to keep people safe,” said Tobac. “Changes were made to protect data, *and now they want to slap that person with criminal charges?* Absolutely not.”
Ben Goerz, founder of infosec firm Guardero, tweeted: “This is more than a ‘security blunder’. @GovParsonsMO, your web developers encoded (without encryption) SSNs and displayed them openly on the web.
“You have a massive data breach here. You need to engage a competent Incident Response firm & legal counsel immediately.”
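Goerz’s point above, that encoding is not encryption, is easy to demonstrate. The following is an added example written for this page, not code from the article or from the Missouri systems it describes: a small Python check that decodes base64 runs found in a rendered page and flags anything shaped like an SSN, beside a rendering function that simply never sends the field. The HTML fragment, the names and the identifiers in it are constructed for the example (the 000 area number is never issued as a real SSN).

```python
import base64
import binascii
import html
import re

# Shape of a US SSN: three-two-four digits.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Runs of base64 alphabet characters (12 or more) with optional padding.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed HTML fragment in the style of a lookup result page. The SSN is
# shipped to the browser base64-encoded in a data attribute; the second
# attribute holds a harmless (also constructed) certificate identifier.
LEAKY_HTML = (
    '<tr id="row-1"><td>Jane Example</td>'
    '<td data-ssn="MDAwLTEyLTM0NTY=" data-cert="Q0VSVC0yMDIxLTA3">Active</td></tr>'
)


def decode_candidates(page):
    """Return (token, decoded_text) for every base64 run that decodes to printable ASCII.

    Runs that are not valid base64 (wrong length, bad padding) or that decode
    to binary are skipped, so ordinary long words rarely produce false hits.
    """
    found = []
    for token in B64_TOKEN_RE.findall(page):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            found.append((token, text))
    return found


def find_encoded_ssns(page):
    """Return every SSN-shaped string hidden inside base64 tokens in the page."""
    hits = []
    for _token, text in decode_candidates(page):
        hits.extend(SSN_RE.findall(text))
    return hits


def render_safe_row(name, cert_status):
    """Render only what the certification lookup needs; the SSN never leaves the server."""
    return (
        "<tr><td>" + html.escape(name) + "</td>"
        "<td>" + html.escape(cert_status) + "</td></tr>"
    )


if __name__ == "__main__":
    print("leaky page:", find_encoded_ssns(LEAKY_HTML))  # one SSN recovered with no tooling
    print("safe page:", find_encoded_ssns(render_safe_row("Jane Example", "Active")))
```

Running this kind of check against your own rendered pages (not just the templates) is the cheap version of the review the article describes: anything a scanner can base64-decode, a user with the developer tools open can decode too, so the only fix is to stop sending the field at all.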
Remediation
In a statement, Jeff Wann, chief information officer for the State of Missouri, said: “All similarly situated public-facing systems were evaluated for this vulnerability and no other instances were found.”
OA-ITSD said “a number of vulnerability scans” conducted since the 2011 launch of the vulnerable tool “did not yield any concerns or potential threats”.
DESE sought to downplay the scope of the vulnerability, saying “these records were only accessible on an individual basis”, and said “the state is unaware of any misuse of individual information or even whether information was accessed inappropriately outside of this isolated incident”.
DESE said the state would “make every effort to contact” potentially affected educators “to share information about the next steps”.
Source: https://portswigger.net/daily-swig/missouri-governor-criticized-for-confusing-vulnerability-disclosure-with-criminal-hacking