Missouri Threatens to Sue a Reporter for Flagging a Security Flaw
Missouri Governor Mike Parson threatened on Thursday to file a complaint and seek civil damages from a St. Louis Post-Dispatch reporter who identified a security flaw that revealed the Social Security numbers of teachers and other school staff, claiming the reporter was a “hacker” and that the newspaper’s reporting was nothing but a “commercial commercial” and an attempt to embarrass the state and sell news headlines for their outlet. The Republican governor also promised that he would hold the Post-Dispatch accountable for the alleged crime of helping the state find and fix security vulnerabilities that would be detrimental to teachers.
Despite Parson’s bizarre description of a security report of a kind that is often non-controversial, it was shown that the Post-Dispatch handled the problem in a way that prevented harm to school staff while encouraging the state to close what a security professor said was a “mind-boggling” vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers are vulnerable “to a web application that allows the public to search for teacher certifications and credentials.” The Social Security numbers of school administrators and counselors were also vulnerable.
“Even if no private information is clearly visible or searchable on any web pages, the newspaper finds that teachers’ Social Security numbers are in the HTML source code of the participating pages,” the report said.
The Post-Dispatch seems to have done exactly what ethical security researchers usually do in these situations: give the organization with the weakness time to close the gap before making it public.
“The newspaper delayed the publication of this report to give the department time to take steps to protect teachers’ private information and allow the state to ensure that no other agency’s web applications have similar vulnerabilities,” according to the article. The news report was published a day after the “department removed the affected pages from its website.”
As of this writing, DESE’s credential checker is “down for maintenance.”
Governor: Reporter Tried to ‘Harm Missourians’
Parson described the reporter as a “perpetrator” who “took records of at least three teachers, decoded source code in HTML, and looked at the Social Security number of specific teachers,” and accused the reporter of “attempting to steal personal information and harm Missourians.”
Major web browsers come with options like “view source” or “view page source” for reading a webpage’s HTML, so whatever is in that code is easily accessible to anyone who loads the page. The initial Post-Dispatch article did not detail how Social Security numbers were derived from the HTML source code, but a follow-up article on Parson’s legal threat said Thursday that “teachers’ Social Security numbers are in publicly visible HTML source code on the pages involved.” The numbers were not available in plain text but could be easily converted, the Post-Dispatch continued:
The data on the DESE website is encoded but not encrypted, according to Shaji Khan, a professor of cybersecurity at the University of Missouri-St. Louis – and that’s the main difference. No one can view encrypted data without the specific decryption key used to hide the data. But encoded simply means that the data is in a different format and can be easily decoded and viewed.
“Anyone who knows about progress – and the bad guys are ahead – can easily decode the data,” Khan said on Thursday.
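A release check in the spirit of Khan's distinction, as an added example that is not from the Post-Dispatch report or from DESE: it scans a page's HTML for encoded values that decode, with no key, to Social Security number-shaped text. The articles do not say which encoding the site used, so base64 is an assumption here, and the field names and sample pages are constructed.

```python
import base64
import re

# Runs that look like base64 (12+ characters), e.g. values of hidden form fields.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# SSN-shaped text: nine digits, with or without dashes.
SSN_SHAPE = re.compile(r"(?<!\d)\d{3}-?\d{2}-?\d{4}(?!\d)")


def find_encoded_ssns(html: str) -> list[tuple[str, str]]:
    """Return (token, decoded) pairs for base64 tokens that decode to SSN-shaped text."""
    hits = []
    for match in B64_RUN.finditer(html):
        token = match.group(0)
        try:
            # No key is involved: decoding is a fixed, public transformation.
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # bad padding, not base64, or a non-ASCII result
            continue
        if SSN_SHAPE.search(decoded):
            hits.append((token, decoded))
    return hits


# Constructed sample data: area number 000 is never issued, so this is not a real SSN.
FAKE_SSN = "000-12-3456"
NONCE_FIELD = (
    '<input type="hidden" name="nonce" value="'
    + base64.b64encode(b"nonce-7f3a91c2").decode() + '">'
)
# Hypothetical field name; the page embeds the encoded value although nothing renders it.
LEAKY_PAGE = (
    '<form><input type="hidden" name="educator_ref" value="'
    + base64.b64encode(FAKE_SSN.encode()).decode() + '">'
    + NONCE_FIELD + "<p>Certificate status: Active</p></form>"
)
CLEAN_PAGE = "<form>" + NONCE_FIELD + "<p>Certificate status: Active</p></form>"

if __name__ == "__main__":
    for token, decoded in find_encoded_ssns(LEAKY_PAGE):
        print(f"encoded value {token!r} decodes to SSN-shaped text {decoded!r}")
```

Run against rendered responses before release, a hit means the value should never have been sent to the browser at all; encoding it differently does not fix that.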
Governor Reports ‘Crime Against Teacher’ to Prosecutor
Parson spoke Thursday at a “press conference about [the] data weakness and [the] state’s plans to hold those who do it accountable,” and he posted a short version of his remarks on Facebook.
“It is against the law to access encoded data and systems to check other people’s personal information, and we are targeting state resources to respond and use all available legal means. My administration has notified the Cole County prosecutor about this matter. The Missouri State Highway Patrol’s Digital Forensic Unit will also investigate all those involved,” he said.