Missouri and the worst response to a bug disclosure we’ve ever seen

Governor Mike Parsons is the 57th Governor of the State of Missouri, and he knows very little about the fundamentals of how the Internet works or basic cybersecurity principles.

That’s okay, of course. We all have our strengths and weaknesses, and if you’re presiding over an entire state, we imagine you’ve got your hands full with plenty of other different and important matters. You probably don’t have that much time to take any Internet 101 evening classes.

But before you undertake a press conference and post a series of tweets, both vowing to catch and prosecute a “hacker” who managed to “decode HTML” of the Missouri Department of Elementary and Secondary Education’s website to extract the social security numbers of several educators, we think that perhaps – perhaps – it would be prudent to speak to at least one cybersecurity expert.

Just to make sure you have all your ducks in order first.

And we can only assume that Governor Mike Parsons did not do that.

But let’s start at the beginning.

At some point in the not-so-distant past, a reporter for the St. Louis Dispatch found a pretty glaring privacy vulnerability on the website of the Missouri Department of Elementary and Secondary Education (DESE).

And as far as vulnerabilities go, this was a whopper. It turned out that the DESE website had been storing sensitive information (social security numbers) of 100,000 educators within the HTML source code of the DESE website. That’s bad.

It’s bad because the HTML of a webpage is publicly visible to anyone who visits the website. Yes, really. You can see the HTML source code for this webpage – if you’re using Google Chrome, just right click on the page and select View page source. Easier still, you could just press F12 on your keyboard to bring up the developer toolkit.

Don’t fret. You’re not “hacking us” by doing that.

The HTML code is simply the code given to your browser by the website server, so your browser knows how to display the website’s pages correctly. As such, the HTML code has to be public. Otherwise how would your browser know how to display the page?

From the St. Louis Dispatch

…the newspaper found that teachers’ Social Security numbers were contained in the HTML source code of the pages involved.

Not everything in the HTML code will display on an actual webpage, but the HTML code can still be seen by anyone capable of pressing F12. It’s the public offering given by a website. Consequently, it’s a terrible, terrible place to store sensitive information. And yet that is what the DESE website was doing.

The St. Louis Dispatch reporter – presumably with some knowledge of responsible disclosure of such vulnerabilities – disclosed the vulnerability to the DESE, and delayed publishing an article on the discovery until the department removed the vulnerability and worked to find if any other related sites and applications contained similar vulnerabilities.

A DESE spokesperson later confirmed that the vulnerabilities were removed.

And that’s really where the story should have ended: a comparatively minor story about a privacy vulnerability, discovered and duly fixed.

But this is where things get a little… weird.

Usually, when you responsibly disclose a vulnerability of this magnitude, you can expect a big “thank you”. In fact, many companies and organisations will pay you the “big bucks” and actually operate paid bounty programs for just this sort of thing. After all, it’s best to have the “good guys” discover a problem and tell you, rather than have the bad guys discover it and profit from it.

The DESE went along another route, instead accusing the St. Louis Dispatch journalist of being a “hacker”. This was quickly followed by the Missouri Office of Administration Information Technology Services Division releasing a statement saying a “hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number of those specific educators”.

And after that, Governor Parsons himself took to the stage in a press conference (and series of tweets) saying [of the journalist] –

We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them.

And

Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.

And

This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.

And

[the reporter is] attempting to embarrass the state and sell headlines for their news outlet.

Let’s be clear – that’s nonsense.

A hacker is someone who gains unauthorised access to a computer system or network. That is not what the journalist did. If the DESE website was indeed storing sensitive information amid the HTML code of its webpage, then technically the DESE website was actually sending that information to the journalist as well as anyone else who loaded up the relevant part of the vulnerable website/application.

No “decoding” necessary.
No hacking necessary.
No intrusion required.

And it’s not illegal to “decode” HTML – whatever that means – and if it were, both Google Chrome and Microsoft Edge would be going to prison for a very long time.

To put it in perspective, if you right clicked on this webpage – assuming you’re using Google Chrome – and selected View page source, that doesn’t mean you’re attempting to hack our website, nor does it give us good reason to accuse you of such. Even if you did spend some time rummaging through all the HTML code.

If you did do that, and we inexplicably had put sensitive information within that HTML source code, well… that’s on us. Not you.

Governor Parsons – after being universally schooled on cyber basics by Twitter’s cybersecurity alumni – subsequently opted to double down on Twitter by claiming the information taken was “not freely available” and that the journalist needed to complete 8 steps to take it.

And while we’re not sure what constitutes a “step”, if the information was embedded in the HTML code, it indeed was freely available. That is, after all, the point of HTML code for public-facing websites and apps.

If Governor Parsons wants to be angry at anyone, he should direct it instead at the web administrators putting the social security numbers of educators at risk for an indefinite amount of time – not at the person who disclosed the problem.

The kerfuffle has demonstrated that the Missouri Governor’s office has no working knowledge of –

– Cybersecurity
– Online privacy
– Software vulnerability disclosure
– The law in the context of hacking

And the longer they put on this misguided and inexplicable façade of claiming this was all the work of an unscrupulous hacker, well…

The journalist did the DESE and the state of Missouri a big favor by responsibly disclosing a glaring software vulnerability, and the governor chose to baselessly accuse him of being a hacker operating outside the law. The governor should apologize immediately and work to ensure that the state’s computer systems are better secured.

And finally, some of the reaction from the cyber community on Twitter.

Published by
Craig Haley