


Similar articles
| Article Id | Source | Date | Title | Prob | Score |
|---|---|---|---|---|---|
| 218123 | ARSTECHNICA | 2021-10-14 | Missouri gov. calls journalist who found security flaw a “hacker,” threatens to sue | | 1.000 |
| 218154 | ZDNET | 2021-10-14 | Missouri governor faces backlash and ridicule for threatening reporter who discovered exposed teacher SSNs | 0.946 | 0.737 |
| 218100 | THEVERGE | 2021-10-14 | Missouri governor threatens reporter who discovered state site spilling private info | 0.974 | 0.702 |
| 218377 | VENTUREBEAT | 2021-10-14 | More than 82M records exposed by an enterprise software developer | | 0.380 |
| 218147 | VENTUREBEAT | 2021-10-14 | Whole Foods customer records among 82M exposed due to vulnerable database | | 0.371 |
| 218155 | THEVERGE | 2021-10-15 | Twitch says passwords weren’t exposed in massive data breach | | 0.362 |
| 218133 | ZDNET | 2021-10-15 | Critical infrastructure security dubbed 'abysmal' by researchers | | 0.361 |
| 218031 | ZDNET | 2021-10-12 | Biden signs school cybersecurity act into law | | 0.354 |
| 218114 | ZDNET | 2021-10-15 | Brazilian insurance giant Porto Seguro hit by cyberattack | | 0.352 |
| 218188 | ZDNET | 2021-10-13 | Brazilian e-commerce firm Hariexpress leaks 1.75 billion sensitive files | | 0.327 |
| 217869 | ZDNET | 2021-10-13 | 1 in 15 organizations runs actively exploited version of SolarWinds: Report | | 0.323 |
| 218117 | ARSTECHNICA | 2021-10-14 | Activision claims Call of Duty’s new anti-cheat system won’t look at your files | | 0.317 |
| 218401 | VENTUREBEAT | 2021-10-17 | Enterprises are scrambling to deploy zero trust security | | 0.316 |
| 217990 | TECHREPUBLIC | 2021-10-12 | What it costs to hire a hacker on the Dark Web | | 0.302 |
| 218206 | ZDNET | 2021-10-14 | Acer confirms second cyberattack in 2021 after ransomware incident in March | | 0.302 |
| 218396 | VENTUREBEAT | 2021-10-17 | Report: Cybercriminals refine tactics to exploit zero-day vulnerabilities | | 0.301 |
| 218183 | ZDNET | 2021-10-14 | HP Wolf report highlights widespread exploitation of MSHTML, typosquatting and malware families hosted on Discord | | 0.300 |
| 217890 | VENTUREBEAT | 2021-10-13 | Cyberattack response time averages 2 days, report finds | | 0.299 |
| 217891 | ARSTECHNICA | 2021-10-12 | Wisconsinites plan to sue “every school board” that ignores CDC’s COVID advice | | 0.295 |
| 218475 | ZDNET | 2021-10-18 | This new phishing attack features a weaponized Excel file | | 0.293 |
| 217989 | TECHREPUBLIC | 2021-10-12 | Top 5 tips for remote security | | 0.289 |
| 218006 | ZDNET | 2021-10-11 | FBI arrests engineer for selling nuclear warship data hidden in peanut butter sandwich | | 0.284 |
| 217863 | VENTUREBEAT | 2021-10-12 | Cloud-based data observability just became easier with Cribl | | 0.282 |
| 218200 | ZDNET | 2021-10-14 | ACSC offers optional DNS protection to government entities | | 0.281 |
| 218001 | ZDNET | 2021-10-11 | Tech giants expand Australian misinformation measures week after government criticism | | 0.280 |


ID: 218123

URL: https://arstechnica.com/tech-policy/2021/10/missouri-gov-calls-journalist-who-found-security-flaw-a-hacker-threatens-to-sue/

Date: 2021-10-14

Missouri gov. calls journalist who found security flaw a “hacker,” threatens to sue

Governor also threatens to sue paper for finding flaw that exposed teachers' SSNs.

Missouri Gov. Mike Parson today threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a "hacker" and that the newspaper's reporting was nothing more than a "political vendetta" and "an attempt to embarrass the state and sell headlines for their news outlet." The Republican governor also vowed to hold the Post-Dispatch "accountable" for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.

Despite Parson's surprising description of a security report that normally wouldn't be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a "mind-boggling" vulnerability.

Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published yesterday that more than 100,000 Social Security numbers were vulnerable "in a web application that allowed the public to search teacher certifications and credentials." The Social Security numbers of school administrators and counselors were also vulnerable.

"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," the report said.

The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the hole before making it public.

"The newspaper delayed publishing this report to give the department time to take steps to protect teachers' private information and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities," the article said. The news report was published one day after the "department removed the affected pages from its website." As of this writing, the DESE's educator-credentials checker was "down for maintenance."

Parson described the journalist as a "perpetrator" who "took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators" in an "attempt to steal personal information and harm Missourians."

Major web browsers include options such as "view source" or "view page source" to look at a webpage's HTML, so anything in that code is easily available. The initial Post-Dispatch article didn't go into detail about how the Social Security numbers were obtained from HTML source code, but a follow-up article about Parson's legal threats today said that the "teachers' Social Security numbers were present in the publicly visible HTML source code of the pages involved." The numbers weren't available in plain text but were easily converted, the Post-Dispatch continued:

The data on DESE's website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis—and that's a key distinction. No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format and can be relatively easily decoded and viewed.

"Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data," Khan said on Thursday.

Parson spoke today (see video) at a "press conference regarding [the] data vulnerability and [the] state's plan to hold perpetrators accountable," and he posted a condensed version of his remarks on Facebook.

"It is unlawful to access encoded data and systems in order to examine other people's personal information, and we are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's Digital Forensic Unit will also be conducting an investigation of all of those involved," he said.

Parson went on to say that state law "allows us to bring a civil suit to recover damages against all those involved." He cited Missouri code 569.095, which classifies "tampering with computer data" as a class A misdemeanor. Parson continued:

Nothing on DESE's [the Department of Elementary and Secondary Education's] website gave permission or authorization for this individual to access teacher data. This individual is not a victim. They were acting against a state agency to compromise teachers' personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished, and we refuse to let them be a pawn in the news outlet's political vendetta. Not only are we going to hold this individual accountable but we will also be holding accountable all those who aided this individual and the media corporation that employs them.

Parson further claimed that the incident "may cost Missouri taxpayers up to $50 million and divert workers and resources from other state agencies," though that number might be inflated by Parson trying to turn a simple report of a security vulnerability into a criminal hacking case.