


Similar articles
Article Id Title Prob Score
218100 THEVERGE 2021-10-14:
Missouri governor threatens reporter who discovered state site spilling private info
1.000
218123 ARSTECHNICA 2021-10-14:
Missouri gov. calls journalist who found security flaw a “hacker,” threatens to sue
0.974 0.702
218154 ZDNET 2021-10-14:
Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs
0.955 0.659
217796 THEVERGE 2021-10-13:
OpenSea fixes vulnerabilities that could let hackers steal crypto with malicious NFTs
0.402
217869 ZDNET 2021-10-13:
1 in 15 organizations runs actively exploited version of SolarWinds: Report
0.372
218206 ZDNET 2021-10-14:
Acer confirms second cyberattack in 2021 after ransomware incident in March
0.369
218377 VENTUREBEAT 2021-10-14:
More than 82M records exposed by an enterprise software developer
0.360
218073 VENTUREBEAT 2021-10-14:
Battling new cyberthreats in your hybrid work environment (VB Live) (VB Live)
0.359
218048 ARSTECHNICA 2021-10-14:
“Hacker X”—the American who built a pro-Trump fake news empire—unmasks himself
0.352
218031 ZDNET 2021-10-12:
Biden signs school cybersecurity act into law
0.349
218147 VENTUREBEAT 2021-10-14:
Whole Foods customer records among 82M exposed due to vulnerable database
0.348
218188 ZDNET 2021-10-13:
Brazilian e-commerce firm Hariexpress leaks 1.75 billion sensitive files
0.347
217890 VENTUREBEAT 2021-10-13:
Cyberattack response time averages 2 days, report finds
0.340
218396 VENTUREBEAT 2021-10-17:
Report: Cybercriminals refine tactics to exploit zero-day vulnerabilities
0.338
217990 TECHREPUBLIC 2021-10-12:
What it costs to hire a hacker on the Dark Web
0.338
218133 ZDNET 2021-10-15:
Critical infrastructure security dubbed 'abysmal' by researchers
0.336
218155 THEVERGE 2021-10-15:
Twitch says passwords weren’t exposed in massive data breach
0.330
218117 ARSTECHNICA 2021-10-14:
Activision claims Call of Duty’s new anti-cheat system won’t look at your files
0.312
217878 ZDNET 2021-10-13:
Bugs allowing malicious NFT uploads uncovered in OpenSea marketplace
0.311
218475 ZDNET 2021-10-18:
This new phishing attack features a weaponized Excel file
0.306
218114 ZDNET 2021-10-15:
Brazilian insurance giant Porto Seguro hit by cyberattack
0.306
217855 TECHREPUBLIC 2021-10-13:
Dark Web: Many cybercrime services sell for less than $500
0.306
218060 VENTUREBEAT 2021-10-15:
Cybersecurity report reveals critical business vulnerabilities
0.305
217774 THEVERGE 2021-10-12:
Some of Verizon’s Visible cell network customers say they’ve been hacked
0.301
218183 ZDNET 2021-10-14:
HP Wolf report highlights widespread exploitation of MSHTML, typosquatting and malware families hosted on Discord
0.296


ID: 218100

URL: https://www.theverge.com/2021/10/14/22726866/missouri-governor-department-elementary-secondary-education-ssn-vulnerability-disclosure

Date: 2021-10-14

Missouri governor threatens reporter who discovered state site spilling private info

Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and responsibly disclosed a security vulnerability that left teacher and educational staff's social security numbers exposed and easily accessible. The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, the reporter has been called a hacker by Governor Parson, who says he'll be getting the county prosecutor and investigators involved.

According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public see teachers' credentials. However, it reportedly also included the employee's SSN in the page it returned — while it apparently didn't appear as visible text on the screen, KrebsOnSecurity reports that accessing it would be as easy as right-clicking on the page and clicking Inspect Element or View Source.

While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teachers' private information for nefarious purposes. In a press conference, Governor Parson described the reporter's actions as decoding the HTML source code, which makes it seem suspicious and clandestine. He is, however, literally describing how viewing a website works — it's the server's job to send an HTML file to your computer so you can view it, and anything included in that file isn't secret (even if it's not physically visible on your screen when viewing that webpage). Governor Parson says that nothing on DESE's website gave users permission to access the SSN data, but it was being freely provided.

You can view the governor's full press conference below.

The Verge has reached out to Missouri DESE to clarify whether the tool was publicly accessible or required logging in, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected. Of course, it being accessible at all is an issue, regardless of whether it was behind a login.

Missouri's response is, to put it lightly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they'll pay to hackers who find and responsibly disclose flaws like these. The reason these exist is that they'll make your systems safer — yes, people will look for and find vulnerabilities, but there was likely already somebody doing that anyways. With a bug bounty, they're telling you so you can fix it rather than selling that info on the dark web or using it for personal gain.

Obviously, those kinds of sums aren't reasonable for school districts, which often have underfunded IT departments due to shrinking budgets, but there are a lot of options between paying out large sums of money and threatening legal action.

Governor Parson says that the incident could cost the state's taxpayers $50 million. If a malicious hacker had found the treasure trove of SSNs, it likely would've been even more expensive: the state still would've had to fix the system, and it'd have teachers who would have solid claims against it if they needed identity protection services.

Governor Parson (along with a press release by the Office of Administration) clarifies that the SSNs were only accessible one at a time — a list of all employees' private info wasn't included in the HTML files. But as anyone who's watched the opening scene of The Social Network knows, it can be trivial for hackers to download all the pages from an application and strip specific pieces of information out of them. Just because the reporter didn't do it (it would've arguably been irresponsible if he had) doesn't mean that it wasn't possible and doesn't speak to good security practices.

To be clear: prosecuting the reporter, news outlet, and anyone involved will only serve to put people in Missouri at risk because no one will want to report security flaws they've found in public systems if the state's response will be sending law enforcement after them.

Security flaws like this are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that the DESE was found to have been storing student SSNs by an audit in 2015). With public entities and companies alike, the real test isn't whether it happens but how you respond to it. Unfortunately, it seems like Governor Parson is failing that test.

Updated October 14th, 5:52PM ET: Updated to reflect comment from the DESE.