The St. Louis Post-Dispatch reported a security vulnerability on a state website. The Missouri governor vowed to prosecute the organization.
It’s one of the more vivid examples of shooting the messenger we’ve seen in a while. Staff at the St. Louis Post-Dispatch discovered a security vulnerability in the Missouri state education website. It was a pretty bad vulnerability. Essentially, if you right clicked on a teacher’s profile and viewed the source code, their Social Security Numbers were visible for the whole world to see. It’s a security lapse that shouldn’t have happened at all – especially when it’s a government website where, presumably, the internal developers should have known better.
Fortunately, the staff at the St. Louis Post-Dispatch did the right thing and privately reported the vulnerability to the government administrators. In turn, the vulnerable pages were taken down. Only after the affected pages were taken down did the staff publish a report on their findings. In a normal situation, the government would thank the staff for reporting the vulnerability and point out that the vulnerability has since been patched. The government might take some flak for allowing such a bad security vulnerability to be public in the first place, but time would then move on and the story would fade from the headlines.
Not in this case.
Missouri is run by Republicans. In this Trump world, many Republicans seem to wear ignorance and stupidity as a badge of honour. So, rather than doing the expected and right thing, the governor started making threats to the staff, calling them “hackers” and demanding that they be prosecuted. From Krebs On Security:
In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.”
But in a press conference Thursday morning, Gov. Parson said he would seek to prosecute and investigate the reporter and the region’s largest newspaper for “unlawfully” accessing teacher data.
“This administration is standing up against any and all perpetrators who attempt to steal personal information and harm Missourians,” Parson said. “It is unlawful to access encoded data and systems in order to examine other peoples’ personal information. We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter, the Missouri State Highway Patrol’s Digital Forensics Unit will also be conducting an investigation of all of those involved. This incident alone may cost Missouri taxpayers as much as $50 million.”
While threatening to prosecute the reporters to the fullest extent of the law, Parson sought to downplay the severity of the security weakness, saying the reporter only unmasked three Social Security numbers, and that “there was no option to decode Social Security numbers for all educators in the system all at once.”
“The state is committed to bringing to justice anyone who hacked our systems or anyone who aided them to do so,” Parson continued. “A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert or decode, so this was clearly a hack.”
To be clear, the steps needed to replicate what the journalism outlet did can be demonstrated in two simple screenshots:
(right click > view source)
After that, you can see the source code of the page itself:
You can see the source code. The governor is really saying that this constitutes someone who “hacked our systems”. There’s nothing sophisticated about this. In this modern day and age, this is grade school level knowledge of web development. By its very nature, HTML is open source. The web browser downloads the HTML pages and renders them into something more human readable. Accessing any website gives you access to the page’s source code. It’s normal. What isn’t normal is someone developing a website that puts personal information like this in plain text and lets anyone with no login credentials view that information. It’s not even security 101, it’s “slap you in the back of the head for building something so bad”.
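As an added example (not code from the original post, the newspaper, or the state site), here is the kind of defender-side check a development team could run over its rendered pages before they ship: it scans everything a browser downloads in the page source, including hidden fields, HTML comments and script bodies, for Social Security number patterns. It also tries a base64 decode of each value; that extra check is an assumption prompted by the “decode” language in the governor’s remarks, not something the post describes, and the sample pages are constructed for the example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Common Social Security number layout, with or without dashes.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


class _SourceCollector(HTMLParser):
    """Collect every place a value can sit in page source: text nodes,
    comments, attribute values, and script/style bodies."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.chunks.append(data)

    def handle_comment(self, data):
        self.chunks.append(data)


def _maybe_base64(value):
    """Return the decoded ASCII text if value is valid base64, else None
    (assumption: a trivial encoding does not count as protection)."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_ssn_leaks(html):
    """Return every SSN-looking string in the page source, plain or base64."""
    parser = _SourceCollector()
    parser.feed(html)
    leaks = []
    for chunk in parser.chunks:
        for candidate in (chunk, _maybe_base64(chunk.strip())):
            if candidate:
                leaks.extend(SSN_RE.findall(candidate))
    return leaks


# Constructed sample pages, not the real site. The first leaks an SSN in a
# comment and a base64 hidden field; the second only sends displayed fields.
LEAKY_PAGE = """<html><body>
<h1>Jane Doe</h1><!-- ssn: 123-45-6789 -->
<input type="hidden" name="ssn" value="MTIzNDU2Nzg5">
<script>var teacher = {"name": "Jane Doe", "cert": "A12"};</script>
</body></html>"""
SAFE_PAGE = """<html><body><h1>Jane Doe</h1>
<p>Certificate: A12, expires 2024-06-30</p></body></html>"""
```

Run over a staging deployment, a non-empty result from find_ssn_leaks is a release blocker: the data is already public the moment the page is served, whatever the field is named.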
To make matters worse, it seems as though the governor is firing up his bullhorns and amplifying his idiocy even further. Techdirt is noting that the governor has turned this incident into a fundraising advertising campaign:
Earlier this week, United Missouri seemed to think that Parson’s blatant technical illiteracy was worth doubling down on and turning into a culture war against “the fake news.” It produced a video that is so embarrassing and cringeworthy it feels like a parody.
It’s things like this that make the security community’s job harder. This is far from the first time that an organization that responsibly reported a security vulnerability received threats of retaliation. Still, it’s always that fear of retaliation that makes some in the community hesitant to report these in the first place. You can see some of them getting sweaty with a cursor hovering over the send e-mail button, asking themselves, “Am I going to be the next messenger who gets shot?” It shouldn’t be this way, but that’s the reality of today.
To further add to this, this is what responsible disclosure looked like. Had it been a black hat hacker with malicious intent, things would have turned out much differently (for all we know, that did happen and we simply don’t know about it). That person could have taken the Social Security numbers, quietly sold them on the dark web, and allowed someone else to steal those teachers’ identities, racking up credit card debt or who knows what else. That is a very probable alternative here. That has the potential to ruin lives. That is why the journalism staff should be thanked for their actions – because it was an act of honesty.
Sadly, it looks like the governor is going to try and make political hay out of this and turn it into yet another front on the culture wars. None of that should have happened, yet here we are. It further proves that no good deed goes unpunished.