Missouri Governor Mike Parson threatened Thursday to sue and seek civil damages against a St. Louis Post-Dispatch reporter who discovered a security flaw that exposed Social Security numbers for teachers. He claimed that the journalist was a hacker and that his reporting was nothing but a political vendetta and an attempt to embarrass and sell headlines to their newspaper. The Republican governor also promised to hold the Post-Dispatch accountable for helping the state identify and fix a security flaw that could have caused harm to teachers.
Ars Technica. This article originally appeared on Ars Technica. It is a trusted source of technology news, analysis, reviews and other information. Cond Nast, WIRED's parent company owns Ars.
Parson's unusual description of a security report normally not controversial seems to indicate that the Post-Dispatch managed the problem in a manner that prevented harm to school workers while encouraging the state's closure of what one security professor called "mind-boggling." Josh Renaud is a Post-Dispatch web designer who also writes articles. He reported Wednesday that more 100,000 Social Security numbers were at risk in an application that allowed the public search for teacher credentials and certifications. Also vulnerable were the Social Security numbers of counselors and school administrators.
The report stated that although no private information was visible or searchable on the web pages, the newspaper discovered that the HTML source codes of the pages were containing teachers' Social Security numbers.
The Post-Dispatch appears to have done exactly as ethical security researchers usually do in such situations: It gave the organization with the vulnerability enough time to close it before making it public.
The article stated that the newspaper delayed publishing the report in order to give the department the time to safeguard teachers' private data and allow the state to make sure no other agency's web applications have similar vulnerabilities. The news report was published a day after the "department" removed the affected pages from their website.
At the time of writing, the DESE's educator credentials checker was "down to maintenance."
Missouri Governor: A Journalist Tried To Harm Missourians
Parson described the journalist a "perpetrator", who "took records of at least 3 educators, decoded HTML source code and viewed the Social Security numbers of these specific educators" to "attempt steal personal information and harm Missourians."
Major web browsers offer options like "view source" and "view page source" that allow you to view a webpage's HTML. This makes it easy to access any code within the webpage. Although the initial Post-Dispatch article did not go into details about how Social Security numbers were obtained via HTML source code, a Thursday follow-up article on Parson's legal threats stated that "teachers' Social Security Numbers" were found in the HTML source codes of the pages. The Post-Dispatch stated that the numbers were not available in plain text, but could be easily converted.
Shaji Khan, a University of Missouri-St. Louis cybersecurity professor, stated that the data on DESE's website had been encoded, but not encrypted. Without the decryption key, no one can view encrypted data. Encoded simply means that the data is in a different format, and can be easily decoded and viewed.
Khan stated that anyone who is knowledgeable about development and the bad guys are far ahead can easily decode this data.
Governor Notified Prosecutor for Crime Against Teachers
Parson spoke at a Thursday press conference (see video), about "data vulnerability and [the] plan of the state to hold perpetrators responsible" and posted a condensed version on Facebook.
"It is illegal to access encrypted data and systems to examine the personal information of other people. We are working with state resources to coordinate our response and use all legal options. My administration has informed the Cole County prosecutor about this matter. He said that the Missouri State Highway Patrol's Digital Forensic Unit would also conduct an investigation into all those involved.
