
A Missouri newspaper told the state about a security risk. Now it faces prosecution

ZiprHead
https://www.npr.org/2021/10/14/1046124278/missouri-newspaper-security-flaws-hacking-investigation-gov-mike-parson

Missouri Gov. Mike Parson is vowing to prosecute the staff of the St. Louis Post-Dispatch after the newspaper says it uncovered security vulnerabilities on a state agency website.

The governor is characterizing the paper's actions as a hacking that the state will investigate. He said it could cost taxpayers $50 million.

"Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them," Parson said at a news conference on Thursday.

The backstory is a little complicated, so stick with us. It starts with a website maintained by the state's Department of Elementary and Secondary Education (DESE).

The Post-Dispatch said in a story published Wednesday night that an unnamed reporter had discovered flaws on that website that made the Social Security numbers of teachers and other school staff "vulnerable to public exposure."

The issue involved a web application that allowed the public to search teacher certifications and credentials. The newspaper said that no private information was clearly visible or searchable, but teachers' Social Security numbers were contained in the HTML source code of those pages. More than 100,000 Social Security numbers were vulnerable, it added.

Newspaper staff reportedly alerted DESE of the findings and delayed publishing the story to give the agency time to protect teachers' personal information and enable the state to check other websites for similar risks.

The reporter simply used the "View Source" function available on every browser.
 
So, THEY put this information on the internet with no protection to speak of, and finding it is 'hacking.'
That's like finding where my Chief wrote the safe combinations down and suddenly I'm a 'safecracker.'

Ah, well, I guess it beats admitting an error....
 

So, in another thread I pointed out the character of a sort of statement that might be shit-in-their-mouth worthy. I take it back. THIS is so much MORE "shit-in-their-mouth worthy". What is going to cost taxpayers 50m is the shitty job they did developing the platform and not hiring penetration testing and exploit/vulnerability analysis, not someone's stray right clicks that revealed their malfeasance.

As if REAL hackers would tell them about the issue. A real hacker would have left them scratching their heads right to the moment the full dump appeared on a DNM.
 
I actually have some inside information on this. What this really involved was set up years ago, by some not very bright web developers. If I understand correctly, they had used the social security number as a key field in the tables containing this data. It was encoded in ROT-13. And then the web developers allowed that key field to be published to the client side html when users queried the online database. Even through all the website changes over the years, this was never fixed. So the social security number, in ROT-13 format, was included in the webpage source code on every user's computer.

Of course, decoding ROT-13 is now trivial. Any good programmer can do that. I suspect this has been mined by bad actors already, and this reporter is the only person who actually did the right thing by reporting it to the appropriate agency. Our governor is an idiot, and I told him so in a tweet. I am just hoping that the prosecutor and the MO Highway Patrol investigative unit have enough sense to tell him that too - but I am not holding my breath.

Every time our state government does something stupid I cringe, and hope things don't get worse. Invariably every time they do.

Ruth
 
ROT-13 ROTFL...wow, that is quite a use for something good for hiding a tasteless joke, at least they upgraded from Pig-Latin. Maybe I shouldn't have fumed about a credentialed InfoSec buffoon for asking if OpenSSL could be removed since it has to be patched so much for security issues...

I think it is even down to where bad programmers can handle it, at least in Perl...
use Crypt::Rot13;
 
Well, since I am not a programmer I will take your word for that :)

But the worst thing in my opinion is that according to office rumors, they had been told long ago that this was a serious security risk, and nothing was ever done to fix it. That is close to criminal neglect. It is bad enough that they continued to use old tech for encoding the information - but passing it to the end user in the html is positively unforgivable as far as I am concerned. I wouldn't think that would be a big issue to fix.

Ruth
 
I might qualify as a bad programmer, but I was a UNIX systems administrator, so I did my share of scripting over the years, like in Perl...so in Perl one would just need to load the above module, and then one could in a couple of lines encrypt/decrypt a bunch of lines of data. It's also a version of what is called the Caesar cipher, as it is from Julius' time.

Yeah, it sounds close enough to criminal negligence to warrant an investigation IMPOV...I would be hesitant to even call ROT13 encryption, any more than I would call the Spanish language encryption in the US.
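An added example, not code from the thread, the newspaper or the DESE site, illustrating the two points made above: Ruth's account of a key field that was ROT-13 "encoded" and then written into the client-side HTML, and the reply's point that ROT13 is just a Caesar shift rather than encryption. It shows the shift and its trivial inverse, the leaky rendering pattern beside the fix (an opaque surrogate id is the only thing the browser ever sees), and a defender-side check that a template does not emit the identifier in plain or shifted form. One caveat worth knowing: classic ROT13 rotates letters only, so an all-digit SSN would pass through it unchanged; the `rotate_digits` variant below is an assumption standing in for whatever the site actually used. The record, surrogate id and HTML fragments are constructed.

```python
"""ROT-13 as a (non-)protection for an identifier, beside the actual fix.

Added example; not code from the thread, the Post-Dispatch or the DESE site.
The record, the surrogate id and the HTML fragments are constructed.
"""
import html


def rot_n(text: str, n: int = 13, rotate_digits: bool = False) -> str:
    """Caesar shift by n. Letters wrap within A-Z / a-z; with rotate_digits,
    0-9 wrap mod 10 as well. Classic ROT13 is rot_n(text, 13) and leaves
    digits alone, so an all-digit SSN would pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        elif rotate_digits and "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + n) % 10 + ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """Classic ROT13: its own inverse, and a no-op on digits."""
    return rot_n(text, 13)


# Constructed teacher record. In a real schema the surrogate id would be the
# table's primary key (random, assigned at insert time); the SSN would be a
# non-key, access-controlled column that never reaches a template.
RECORD = {
    "surrogate_id": "7f3a9c21e0b4d586",   # constructed; stands in for secrets.token_hex(8)
    "ssn": "123-45-6789",                 # constructed, not a real number
    "name": "Jane Doe",
    "cert": "Elementary 1-6",
}


def render_leaky(record: dict) -> str:
    """The pattern the thread describes: the key field is 'encoded' with a
    Caesar shift and written into the page. Assumption: a digit-rotating
    variant; with classic ROT13 the digits would appear verbatim."""
    key = rot_n(record["ssn"], 13, rotate_digits=True)
    return (f'<tr data-key="{key}">'
            f'<td>{html.escape(record["name"])}</td>'
            f'<td>{html.escape(record["cert"])}</td></tr>')


def render_safe(record: dict) -> str:
    """The fix: the client only ever sees an opaque surrogate id. Any
    server-side lookup goes surrogate -> row; the SSN is never serialised."""
    return (f'<tr data-id="{html.escape(record["surrogate_id"])}">'
            f'<td>{html.escape(record["name"])}</td>'
            f'<td>{html.escape(record["cert"])}</td></tr>')


def leaks_identifier(page: str, ssn: str) -> bool:
    """Defender-side regression check for a template: does the rendered page
    contain the SSN in plain form, without dashes, or under any Caesar-style
    digit shift? (Letter-only ROT13 is covered because it leaves digits as-is.)"""
    forms = {ssn, ssn.replace("-", "")}
    for shift in range(1, 10):            # shift 10 is the identity, already covered
        forms.add(rot_n(ssn, shift, rotate_digits=True))
        forms.add(rot_n(ssn.replace("-", ""), shift, rotate_digits=True))
    return any(form in page for form in forms)


if __name__ == "__main__":
    print(rot13("Hello, World"), "->", rot13(rot13("Hello, World")))
    print("classic ROT13 of the SSN:", rot13(RECORD["ssn"]))   # digits untouched
    print(render_leaky(RECORD))
    print(render_safe(RECORD))
    print("leaky template exposes SSN:", leaks_identifier(render_leaky(RECORD), RECORD["ssn"]))
    print("safe template exposes SSN: ", leaks_identifier(render_safe(RECORD), RECORD["ssn"]))
```

The check in `leaks_identifier` is the kind of thing to wire into a template's test suite: it costs nothing, and it would have flagged the key field the moment it was first emitted, years before a reporter opened View Source.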
 
How much legal trouble can a public servant or contractor get into for publishing a bunch of people's social security numbers next to their name? Seems like quite a few teachers have been exposed to identity theft by this negligent programming.
 