Missouri is threatening to sue a reporter who reported a security breach


Missouri Gov. Mike Parson on Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security breach revealing the Social Security numbers of teachers and other school staff, claiming the journalist was a “hacker” and that the newspaper’s report was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news.” The Republican governor also vowed to hold the Post-Dispatch “responsible” for the alleged crime of helping the state find and fix security vulnerabilities that could harm teachers.

Despite Parson’s surprising description of a security report that would not normally be particularly controversial, the Post-Dispatch appears to have handled the problem in a way that prevented school staff from being harmed, while encouraging the state to close the hole. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers were vulnerable “in a web application that allows the public to search certificates and identification data for teachers.” The Social Security numbers of school administrators and counselors were also vulnerable.

“Although no personal information was clearly visible or searchable on any of the web pages, the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the relevant pages,” the report said.

The Post-Dispatch seems to have done exactly what ethical security researchers usually do in these situations: give the vulnerable organization time to close the hole before making it public.

“The newspaper delayed the publication of this report to give the department time to take steps to protect teachers’ personal information and allow the state to ensure that other agencies’ web applications do not contain similar vulnerabilities,” the article said. The news report was published one day after “the department removed the affected pages from its website.”

At the time of this writing, the DESE teacher credential verification page has been “deleted for maintenance.”

Governor: Journalist Tries to “Harm Missourians”

Parson described the journalist as a “perpetrator” who “took the records of at least three teachers, decoded the HTML source code, and reviewed the Social Security numbers of those particular teachers” in an “attempt to steal personal information and harm Missourians.”

Basic web browsers include options such as “view source” or “view page source” for viewing the HTML of a web page, so everything in that code is easily accessible. The initial Post-Dispatch article did not go into detail about how Social Security numbers were obtained from the HTML source code, but a subsequent article on Parson’s legal threats on Thursday said that “teachers’ Social Security numbers are present in the publicly visible HTML source code of the participating pages.” The numbers were not available in plain text but were easily converted, the Post-Dispatch article continued:

The data on the DESE website is encoded but not encrypted, said Shaji Khan, a professor of cybersecurity at the University of Missouri-St. Louis – and this is a key distinction. No one can view encrypted data without the specific decryption key used to hide the data. But encoded only means that the data is in a different format and can be relatively easily decoded and viewed.

“Anyone who knows something about development – and the bad ones are far ahead – can easily decode this data,” Khan said on Thursday.
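
The encoded-versus-encrypted distinction above suggests a check that can be run before a page is published. The following is an added example, not code from the Post-Dispatch or DESE: a Python audit that searches a page's source for SSN-shaped values, both in the clear and inside Base64 blobs. Base64 is an assumed encoding (the article does not name the one the DESE pages used), and the sample page and its value are constructed.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# SSN-shaped values: 123-45-6789 or nine bare digits (heuristic; expect false positives)
SSN_RE = re.compile(r"(?<!\d)(\d{3}-\d{2}-\d{4}|\d{9})(?!\d)")
# Runs that look like Base64 (the encoding assumed for this example)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

class SourceCollector(HTMLParser):
    """Collects every string a 'view source' reader sees: text, comments, attribute values."""
    def __init__(self):
        super().__init__()
        self.strings = []

    def handle_starttag(self, tag, attrs):
        self.strings += [(f"<{tag} {k}>", v) for k, v in attrs if v]

    def handle_data(self, data):
        self.strings.append(("text", data))

    def handle_comment(self, data):
        self.strings.append(("comment", data))

def audit_html(html):
    """Return (location, form) findings for SSN-shaped data, in the clear or Base64-encoded."""
    collector = SourceCollector()
    collector.feed(html)
    findings = []
    for where, value in collector.strings:
        if SSN_RE.search(value):
            findings.append((where, "plaintext"))
        for blob in B64_RE.findall(value):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue  # not valid Base64 after all
            if SSN_RE.search(decoded):
                findings.append((where, "base64-encoded"))  # recovered with no key
    return findings

# Constructed sample page; the SSN-shaped value is fake (area number 000 is never issued).
SAMPLE_BLOB = base64.b64encode(b"name=Jane Doe;ssn=000-12-3456").decode()
SAMPLE = f'<form><input type="hidden" name="state" value="{SAMPLE_BLOB}"><p>Certificate: Active</p></form>'
```

A finding tagged `base64-encoded` is as exposed as one tagged `plaintext`; the fix in either case is to keep the value out of the response, not to encode it differently.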

Governor notified prosecutor of “Crime against teachers”

Parson spoke Thursday at a “press conference on [the] data vulnerability and [the] state’s plan to hold the perpetrators accountable,” and he posted an abridged version of his remarks on Facebook.

“It is illegal to access encrypted data and systems to investigate other people’s personal information, and we are coordinating government resources to respond and use all available legal methods. My administration has notified the Cole County Attorney about this. The Missouri Highway Patrol’s Digital Forensic Unit will also investigate all participants,” he said.


